WARNING: This documentation was written for an old version of Ranger. Some of the options have changed in the latest versions of Ranger (e.g. anonymous bind is no longer supported).
As you may want to create policies using the user groups defined in an LDAP directory, you have to synchronize Ranger with your LDAP. This is done using UserSync, a component of Ranger designed to synchronize users from Unix or from LDAP.
To configure it to use LDAP, go to the Ambari web application and, in the Ranger tab, open Advanced usersync-properties and use the following configuration:
CRED_KEYSTORE_FILENAME : $JAVA_HOME/lib/security/cacerts ## be careful that your LDAP certificate is trusted by Java
MIN_UNIX_USER_ID_TO_SYNC : 0 ## unlike Unix, you may want to synchronize all existing users
SYNC_INTERVAL : 5 ## synchronizing users every 5 minutes seems to be a good value
SYNC_LDAP_BIND_DN : cn=toto,ou=Users,ou=People,dc=Hadoop,dc=mutu,dc=Apache ## if you use an anonymous bind, this value is required, but will be ignored
SYNC_LDAP_BIND_PASSWORD : totopassword ## if you use an anonymous bind, this value is required, but will be ignored. Though, it will not be encrypted
SYNC_LDAP_URL : ldap://My_LDAP_host
SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE : memberOf
SYNC_LDAP_USER_NAME_ATTRIBUTE : cn
SYNC_LDAP_USER_OBJECT_CLASS : person
SYNC_LDAP_USER_SEARCH_BASE : ou=People,dc=Hadoop,dc=mutu,dc=Apache
SYNC_LDAP_USER_SEARCH_FILTER : -
SYNC_LDAP_USER_SEARCH_SCOPE : sub
SYNC_LDAP_USERNAME_CASE_CONVERSION : lower
SYNC_SOURCE : ldap
Then, if you want to use an anonymous bind, you have to add a line to a Ranger configuration file, authorizing the component to use anonymous authentication while connecting to the LDAP.
echo "ldapGroupSync.ldapAuthenticationMechanism=none" >> /etc/ranger/usersync/conf/unixauthservice.properties
Finally, restart Ranger. After the restart, Ranger should synchronize with the LDAP. Keep in mind that this operation might take some time. For example, for about 5000 users, the first synchronization takes a dozen minutes.
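The following is an added example, not part of the original page or of Ranger itself: a shell check to run before the restart, which sets the anonymous-bind property without duplicating it on repeated runs and reports whether the settings above leave the bind anonymous or send the bind password over plain ldap://. The function names (set_property, get_setting, audit_usersync) and the sample files are constructed for illustration; the listing is assumed to be saved in the same "KEY : value ## comment" notation used above.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed, not Ranger's own.

# Set KEY=VALUE in a properties file; re-running replaces the line instead of
# appending a duplicate, which a plain `echo ... >>` would do.
set_property() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || return 1
    tmp=$(mktemp) || return 1
    awk -v k="$key" 'index($0, k "=") != 1' "$file" > "$tmp"
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"    # overwrite in place to keep owner and mode
    rm -f "$tmp"
}

# Read one value from a listing written as "KEY : value ## comment".
get_setting() {
    awk -v k="$2" '$1 == k && $2 == ":" {
        sub(/[ \t]*##.*/, ""); sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# Print one finding per line for settings that weaken the LDAP bind.
audit_usersync() {
    listing=$1; props=$2
    url=$(get_setting "$listing" SYNC_LDAP_URL)
    pass=$(get_setting "$listing" SYNC_LDAP_BIND_PASSWORD)
    if grep -q '^ldapGroupSync\.ldapAuthenticationMechanism=none$' "$props"; then
        echo "anonymous-bind: usersync does not authenticate to the LDAP"
    elif [ "${url#ldap://}" != "$url" ] && [ -n "$pass" ]; then
        echo "cleartext-bind: password for $url is sent unencrypted"
    fi
}

# Constructed sample: the page's values, trimmed to the two the audit reads.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'SYNC_LDAP_URL : ldap://My_LDAP_host' \
        'SYNC_LDAP_BIND_PASSWORD : totopassword ## not encrypted' > "$dir/listing"
    : > "$dir/unixauthservice.properties"
    audit_usersync "$dir/listing" "$dir/unixauthservice.properties"
    set_property "$dir/unixauthservice.properties" \
        ldapGroupSync.ldapAuthenticationMechanism none
    audit_usersync "$dir/listing" "$dir/unixauthservice.properties"
    rm -rf "$dir"
}
demo
```

With an ldaps:// URL and no anonymous-bind line, audit_usersync prints nothing.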