Ranger 0.7 managed with Ambari 

WARNING : This documentation was written for an old version of Ranger. Some of the options have changed in the latest versions of Ranger (e.g. anonymous bind is no longer supported).

As you may want to create policies using the user groups defined in a LDAP, you have to synchronize Ranger to your LDAP. This will be done using UserSync, a component of Ranger designed to synchronize users from Unix or from LDAP.

To configure it to use LDAP, go to the Ambari web application, open the Ranger tab, go to Advanced usersync-properties and use the following configuration :


 CRED_KEYSTORE_FILENAME : $JAVA_HOME/lib/security/cacerts                      ## be careful that your LDAP certificate is trusted by Java
 MIN_UNIX_USER_ID_TO_SYNC : 0                                                  ## unlike Unix, you may want to synchronize all existing users
 SYNC_INTERVAL : 5                                                             ## synchronizing users every 5 minutes seems to be a good value
 SYNC_LDAP_BIND_DN : cn=toto,ou=Users,ou=People,dc=Hadoop,dc=mutu,dc=Apache    ## if you use an anonymous bind, this value is required, but will be ignored
 SYNC_LDAP_BIND_PASSWORD : totopassword                                        ## if you use an anonymous bind, this value is required, but will be ignored. Note that it is stored unencrypted
 SYNC_LDAP_URL : ldap://My_LDAP_host
 SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE : memberOf
 SYNC_LDAP_USER_NAME_ATTRIBUTE : cn
 SYNC_LDAP_USER_OBJECT_CLASS : person
 SYNC_LDAP_USER_SEARCH_BASE : ou=People,dc=Hadoop,dc=mutu,dc=Apache
 SYNC_LDAP_USER_SEARCH_FILTER : -
 SYNC_LDAP_USER_SEARCH_SCOPE : sub
 SYNC_LDAP_USERNAME_CASE_CONVERSION : lower
 SYNC_SOURCE : ldap
 

Then, if you want to use an anonymous bind, you have to add a line to a Ranger configuration file, authorizing the component to use anonymous authentication while connecting to the LDAP.

 echo "ldapGroupSync.ldapAuthenticationMechanism=none" >> /etc/ranger/usersync/conf/unixauthservice.properties

Finally, restart Ranger. After the restart, Ranger should synchronize with the LDAP. Keep in mind that this operation might take some time: for about 5000 users, the first synchronization takes about a dozen minutes.


Ranger 2.4 managed manually

As you may want to create policies using the user groups defined in a LDAP, you have to synchronize Ranger to your LDAP. This will be done using UserSync, a component of Ranger designed to synchronize users from Unix or from LDAP.

To configure it to use LDAP, edit your install.properties file and use the following configuration :


SYNC_SOURCE = ldap
SYNC_INTERVAL = 5                                                                ## defaults to 5 if SYNC_SOURCE is unix and to 360 if SYNC_SOURCE is ldap
SYNC_LDAP_URL = ldap://<your_ldap_url>:389
SYNC_LDAP_BIND_DN = CN=itsme,ou=LACL,ou=utilisateurs,dc=orga,dc=blabla,dc=org ## the user who will retrieve data from the LDAP. If you're using an anonymous bind, you must set a value, but it will be ignored by the LDAP
SYNC_LDAP_BIND_PASSWORD = ## leave this empty if you want your bind to be anonymous
SYNC_LDAP_SEARCH_BASE = dc=orga,dc=blabla,dc=org ## root from which the users and groups will be retrieved
SYNC_LDAP_USER_SEARCH_BASE = ou=LACL,ou=utilisateurs,dc=orga,dc=blabla,dc=org   ## root from which the users will be retrieved
SYNC_LDAP_USER_SEARCH_SCOPE = sub
SYNC_LDAP_USER_OBJECT_CLASS = organizationalPerson ## object class that characterises a person in the LDAP
SYNC_LDAP_USER_SEARCH_FILTER = (memberOf=CN=usr_outil_prd,OU=Outils,OU=Groupes,DC=blabla,DC=org) ## additional filter restricting the users to be retrieved
SYNC_LDAP_USER_NAME_ATTRIBUTE = name ## attribute that will be used as the username
SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = postOfficeBox ## attribute(s) that will be used to create and sync the groups

Then, before launching the setup via the setup.sh file, you must edit the setup.py file and replace lines 241 & 242 with the following :

        if userType != 'ranger.usersync.ldap.ldapbindpassword':
            print("[E] Blank password is not allowed for property " + userType + ",please enter valid password.")
            sys.exit(1)
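As an added example (not part of Ranger, nor of the original page), the following script parses an install.properties fragment like the one above, rebuilds the user filter UserSync will send to the directory (the exact way UserSync combines the object class with the user search filter is an assumption), and flags the settings worth reviewing before the first sync: a plain ldap:// URL, an empty bind password (anonymous bind), and a filter-less subtree search. It also accepts the "KEY : value" layout of the Ambari section; the host name in the sample is constructed.

```python
import re

# Constructed sample mirroring the 2.4 install.properties fragment above, comments included.
SAMPLE_PROPERTIES = """
SYNC_SOURCE = ldap
SYNC_LDAP_URL = ldap://ldap.example.invalid:389 ## constructed host
SYNC_LDAP_BIND_DN = CN=itsme,ou=LACL,ou=utilisateurs,dc=orga,dc=blabla,dc=org
SYNC_LDAP_BIND_PASSWORD = ## left empty for an anonymous bind
SYNC_LDAP_SEARCH_BASE = dc=orga,dc=blabla,dc=org
SYNC_LDAP_USER_SEARCH_BASE = ou=LACL,ou=utilisateurs,dc=orga,dc=blabla,dc=org
SYNC_LDAP_USER_SEARCH_SCOPE = sub
SYNC_LDAP_USER_OBJECT_CLASS = organizationalPerson
SYNC_LDAP_USER_SEARCH_FILTER = (memberOf=CN=usr_outil_prd,OU=Outils,OU=Groupes,DC=blabla,DC=org)
"""

LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*[:=]\s*(.*?)\s*$")   # 'KEY = value' or 'KEY : value'

def parse_properties(text):
    """Parse 'KEY = value ## comment' (or 'KEY : value') lines into a dict."""
    cfg = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("##", 1)[0])   # drop the trailing comment first
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def effective_user_filter(cfg):
    """Filter UserSync will send: object class ANDed with the optional user filter.
    The exact composition is an assumption about UserSync; '-' and '' mean no extra filter."""
    oc = "(objectclass=%s)" % cfg.get("SYNC_LDAP_USER_OBJECT_CLASS", "person")
    extra = cfg.get("SYNC_LDAP_USER_SEARCH_FILTER", "")
    if extra in ("", "-"):
        return oc
    if not extra.startswith("("):
        extra = "(%s)" % extra
    return "(&%s%s)" % (oc, extra)

def audit(cfg):
    """Return the settings a reviewer would flag before enabling the sync."""
    findings = []
    if cfg.get("SYNC_LDAP_URL", "").lower().startswith("ldap://"):
        findings.append("plain ldap:// URL: bind credentials and directory data are sent unencrypted")
    if not cfg.get("SYNC_LDAP_BIND_PASSWORD"):
        findings.append("empty SYNC_LDAP_BIND_PASSWORD: anonymous bind, the directory must allow it")
    if cfg.get("SYNC_LDAP_USER_SEARCH_FILTER", "-") in ("", "-") and cfg.get("SYNC_LDAP_USER_SEARCH_SCOPE", "sub") == "sub":
        findings.append("no user filter with scope sub: every %s under the search base is synced"
                        % cfg.get("SYNC_LDAP_USER_OBJECT_CLASS", "person"))
    return findings
```

Run `audit(parse_properties(open("install.properties").read()))` against your own file; an empty list means none of the three checks fired.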
