How to integrate Ranger with LDAP

In this blog post we will see how to integrate Ranger with LDAP.

What is Ranger?

Ranger is an open-source tool that controls authorization for Hadoop components such as HDFS, Hive, HBase, YARN etc. in a centralized way. Apache Ranger also records audit information for these Hadoop components, which is useful for tracking who accessed what.

What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. LDAP is an application protocol used over an IP network to manage and access a distributed directory information service. The primary purpose of a directory service is to provide a systematic set of records, usually organized in a hierarchical structure.

I’m assuming that you have already installed an OpenLDAP server; if not, please follow this link to install OpenLDAP on CentOS 6.x/RHEL 6.x (skip the SSL part while installing OpenLDAP from the given link).

Note – For your reference I have attached my slapd.conf file; please download it from here.

Setup Environment:

HDP Version: 2.3.2

Ambari Version: 2.1.2

Ranger Version: 0.5.0.2.3

OpenLDAP Version: 2.4.40-7.el6_7.x86_64

Below are the configuration changes that we need to make in order to implement LDAP authentication for Ranger.

Note – I’m adding changes according to my slapd.conf file; you might need to modify your configuration according to your OpenLDAP settings.

Step 1: Log in to the Ambari UI, select the Ranger service and go to the configuration tab.

Step 2: Under the “Ranger Settings” section, select the authentication method “LDAP”.

Step 3: Under the “LDAP Settings” section, add the configuration properties below:

ranger.ldap.user.searchfilter = (uid={0})
ranger.ldap.user.dnpattern = cn=Manager,dc=example,dc=com
ranger.ldap.url = ldap://<ip-address-of-openldap-server>:389
ranger.ldap.referral = ignore
ranger.ldap.group.roleattribute = uid
ranger.ldap.bind.password = *****     <-- Admin password of openldap
ranger.ldap.bind.dn = cn=Manager,dc=example,dc=com
ranger.ldap.base.dn = dc=example,dc=com

Step 4: Under the “Advanced ranger-admin-site” section, set the properties below:

ranger.ldap.group.searchfilter = (member=uid={0},ou=users,dc=example,dc=com)
ranger.ldap.group.searchbase = dc=example,dc=com

Step 5: Under the “Advanced ranger-ugsync-site” section, set the properties below:

ranger.usersync.ldap.username.caseconversion = none
ranger.usersync.group.memberattributename = member
ranger.usersync.group.nameattribute = cn
ranger.usersync.group.objectclass = groupofnames
ranger.usersync.group.searchbase = dc=example,dc=com
ranger.usersync.group.searchenabled = false
ranger.usersync.group.searchscope = sub
ranger.usersync.group.usermapsyncenabled = false
ranger.usersync.ldap.user.searchscope = sub
ranger.usersync.ldap.user.searchbase = ou=users,dc=example,dc=com
ranger.usersync.ldap.user.objectclass = person
ranger.usersync.ldap.user.nameattribute = uid
ranger.usersync.ldap.url = ldap://<ip-address-of-openldap-server>:389
ranger.usersync.ldap.searchBase = dc=example,dc=com
ranger.usersync.ldap.referral = ignore
ranger.usersync.ldap.ldapbindpassword = *****   <-- openldap admin password
ranger.usersync.ldap.groupname.caseconversion = none
ranger.usersync.ldap.binddn = cn=Manager,dc=example,dc=com
ranger.usersync.ldap.bindalias = ranger.usersync.ldap.bindalias
ranger.usersync.source.impl.class = org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
ranger.usersync.sink.impl.class = org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
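Before saving, it is worth cross-checking the properties from Steps 3 to 5 against each other, because a typo in one section only shows up later as an empty user list. The script below is an added example, not part of the original post or of Ranger: it parses property lines as written above (trailing “<--” notes included), flags a bind password still set to the ***** placeholder, warns that a plain ldap:// URL sends the simple-bind password in cleartext, and checks that the member DN hard-coded in ranger.ldap.group.searchfilter agrees with ranger.usersync.ldap.user.searchbase and nameattribute. The sample values are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the Step 3-5 properties with the post's values, with the
# ranger-admin password left at its ***** placeholder.
SAMPLE = """
ranger.ldap.url = ldap://ldap.example.com:389
ranger.ldap.bind.dn = cn=Manager,dc=example,dc=com
ranger.ldap.bind.password = *****     <-- Admin password of openldap
ranger.ldap.user.searchfilter = (uid={0})
ranger.ldap.group.searchfilter = (member=uid={0},ou=users,dc=example,dc=com)
ranger.usersync.ldap.url = ldap://ldap.example.com:389
ranger.usersync.ldap.ldapbindpassword = constructed-example-password
ranger.usersync.ldap.user.searchbase= ou=users,dc=example,dc=com
ranger.usersync.ldap.user.nameattribute = uid
"""

def parse_props(text):
    """Parse 'key = value' lines, dropping blanks and trailing '<-- note' text."""
    props = {}
    for line in text.splitlines():
        line = line.split("<--", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def norm_dn(dn):
    """Lowercase and trim each RDN so DNs typed differently still compare equal."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def check_ldap_props(props):
    """Return a list of findings; an empty list means nothing was flagged."""
    out = []
    for key in ("ranger.ldap.url", "ranger.usersync.ldap.url"):
        if urlparse(props.get(key, "")).scheme == "ldap":
            out.append(f"{key}: plain ldap:// sends the simple-bind password in cleartext")
    for key in ("ranger.ldap.bind.password", "ranger.usersync.ldap.ldapbindpassword"):
        if props.get(key, "").strip("*") == "":
            out.append(f"{key}: password is missing or still the ***** placeholder")
    # The group filter hard-codes the member DN shape; it must match the user settings.
    m = re.fullmatch(r"\(member=(\w+)=\{0\},(.+)\)", props.get("ranger.ldap.group.searchfilter", ""))
    if m:
        attr, suffix = m.groups()
        if attr != props.get("ranger.usersync.ldap.user.nameattribute"):
            out.append("group searchfilter RDN attribute differs from ldap.user.nameattribute")
        if norm_dn(suffix) != norm_dn(props.get("ranger.usersync.ldap.user.searchbase", "")):
            out.append("group searchfilter member DN suffix differs from ldap.user.searchbase")
    return out
```

Run check_ldap_props(parse_props(text)) over the property text copied from Ambari; each returned string is one thing to fix before restarting the services.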

 

Screenshot “Advanced ranger-usersync-site” – 1

Screenshot “Advanced ranger-usersync-site” – 2

Screenshot “Advanced ranger-usersync-site” – 3

Step 6: Save all the configuration changes above and restart all affected services from the Ambari UI.

Step 7: Log in to the Ranger UI with the admin account and check whether all the LDAP users have been synced by the Ranger usersync process. If for some reason you cannot see the OpenLDAP users in the Ranger UI, check the usersync daemon’s log to figure out what went wrong.

Note – You should see the lines below in the usersync log to confirm that your OpenLDAP users are being synced correctly into Ranger.

12 Feb 2016 11:15:08 INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from source==>sink
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://172.25.17.3:389, ldapBindDn: cn=Manager,dc=example,dc=com, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=example,dc=com, userSearchBase: ou=users,dc=example,dc=com, userSearchScope: 2, userObjectClass: person, userSearchFilter: , extendedUserSearchFilter: (objectclass=person), userNameAttribute: uid, userSearchAttributes: [uid, ismemberof, memberof], userGroupNameAttributeSet: [ismemberof, memberof], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: false, groupSearchBase: dc=example,dc=com, groupSearchScope: 2, groupObjectClass: groupofnames, groupSearchFilter: , extendedGroupSearchFilter: (&(objectclass=groupofnames)(member={0})), extendedAllGroupsSearchFilter: (&(objectclass=groupofnames)), groupMemberAttributeName: member, groupNameAttribute: cn, groupUserMapSyncEnabled: false, ldapReferral: ignore
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: student1, groupList: []
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: student2, groupList: []
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.updateSink() completed with user count: 2
12 Feb 2016 11:15:08 INFO UserGroupSync [UnixUserSyncThread] - End: update user/group from source==>sink
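Reading the usersync log by eye works for two users but not for a real directory. The parser below is an added example, not from the post or from Ranger: it turns lines in the format shown above into the initialization settings, the synced users with their group lists, the count the sink reported and any ERROR lines, and it adds a note when the counts disagree, when the bind password is not masked in the log, when no groups came through with groupSearchEnabled=false, or when the bind goes over plain ldap://. The log sample is constructed.

```python
import re

# Constructed sample in the shape of the usersync lines shown above (two users,
# group search disabled) plus one failure line of the kind a bad LDAP URL
# produces. The address and user names are made up.
SAMPLE_LOG = """\
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://10.0.0.5:389, ldapBindDn: cn=Manager,dc=example,dc=com, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, userSearchBase: ou=users,dc=example,dc=com, userSearchFilter: , extendedUserSearchFilter: (objectclass=person), userSearchAttributes: [uid, ismemberof, memberof], groupSearchEnabled: false, ldapReferral: ignore
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: student1, groupList: []
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: student2, groupList: []
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.updateSink() completed with user count: 2
12 Feb 2016 12:15:08 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
"""

INIT_RE = re.compile(r"initialization completed with -- (.*)$")
USER_RE = re.compile(r"Updating user count: (\d+), userName: (\S+), groupList: \[(.*?)\]")
DONE_RE = re.compile(r"updateSink\(\) completed with user count: (\d+)")

def parse_init_settings(tail):
    """Split the init summary into a dict; values (DNs, lists) may contain commas."""
    settings = {}
    for piece in re.split(r", (?=\w+: )", tail):
        key, _, value = piece.partition(": ")
        settings[key.strip()] = value.strip()
    return settings

def summarize_usersync_log(text):
    """Return settings, synced users, reported count, ERROR lines and review notes."""
    users, errors, settings, reported = {}, [], {}, None
    for line in text.splitlines():
        if " ERROR " in line:
            errors.append(line.split(" - ", 1)[-1])
        if m := INIT_RE.search(line):
            settings = parse_init_settings(m.group(1))
        elif m := USER_RE.search(line):
            users[m.group(2)] = [g.strip() for g in m.group(3).split(",") if g.strip()]
        elif m := DONE_RE.search(line):
            reported = int(m.group(1))
    notes = []
    if reported != len(users):
        notes.append(f"sink reported {reported} users but {len(users)} 'Updating user' lines were seen")
    if settings.get("ldapBindPassword", "*****") != "*****":
        notes.append("bind password appears unmasked in the log")
    if settings.get("groupSearchEnabled") == "false" and not any(users.values()):
        notes.append("no groups synced: groupSearchEnabled=false, so groups come only from users' memberof attributes")
    if settings.get("ldapUrl", "").startswith("ldap://"):
        notes.append("usersync binds over plain ldap://; credentials cross the network in cleartext")
    return {"settings": settings, "users": users, "reported": reported, "errors": errors, "notes": notes}
```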

 

Step 8: Now try to log in to the Ranger UI as any OpenLDAP user; you should be able to get in :)

7 comments

  • Saurabh

    Hi Kuldeep,

    I have been facing this problem for a long time and am not able to integrate LDAP with Ranger. Can you please help me get it done?
    I am getting the error below.
    ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
    javax.naming.CommunicationException: ad.lowes.com:389 [Root exception is java.net.UnknownHostException: ad.lowes.com]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:226)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1608)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2698)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
    at javax.naming.InitialContext.init(InitialContext.java:242)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
    at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:190)
    at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:304)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
    at java.lang.Thread.run(Thread.java:745)

  • Kaly

    Thanks Kuldeep,
    This is so cool. It works perfectly.
    Just wanted to ask a question: how can I minimize the LDAP sync process? It’s taking 1 hour to sync LDAP users. Please reply.

  • Kaly

    Thanks Kuldeep,
    This is so cool. It works perfectly.
    Just wanted to know how to minimize the LDAP sync process; it’s taking 1 hour to sync LDAP users. Please reply.
