How to integrate Ranger with LDAP
In this blog post we will see how to integrate Ranger with LDAP.
What is Ranger ?
Ranger is an open-source utility to control authorization for different Hadoop components such as Hdfs, Hive, Hbase, Yarn etc. in a centralized way. Apache Ranger also keeps auditing information related to these Hadoop components which can be useful for tracking purpose.
What is LDAP?
LDAP stands for light weight directory access protocol. LDAP is an application protocol used over an IP network to manage and access the distributed directory information service. The primary purpose of a directory service is to provide a systematic set of records, usually organized in a hierarchical structure
I’m assuming that you have already installed openldap server, if not then please follow this link to install openldap on Centos 6.X/RHEL 6.x ( Please skip the ssl part while installing openldap from given link )
Note – For your reference I have attached my slapd.conf file, please download it from here.
Setup Environment:
HDP Version: 2.3.2
Ambari Version: 2.1.2
Ranger Version: 0.5.0.2.3
Openldap Version: 2.4.40-7.el6_7.x86_64
Below are the configuration changes that we need to make in order to implement LDAP authentication for Ranger.
Note – I’m adding changes according to my slapd.conf file, you might need to modify your configurations according to your openldap settings.
Step 1: Login to Ambari UI, Select Ranger Service and goto configuration tab.
Step 2: Under “Ranger Settings” section select authentication method as “LDAP”
Step3: Under “LDAP Settings” section add below configuration properties
ranger.ldap.user.searchfilter = (uid={0})
ranger.ldap.user.dnpattern = cn=Manager,dc=example,dc=com
ranger.ldap.url = ldap://<ip-address-of-openldap-server>:389
ranger.ldap.referral = ignore
ranger.ldap.group.roleattribute = uid
ranger.ldap.bind.password = ***** <-- Admin password of openldap
ranger.ldap.bind.dn = cn=Manager,dc=example,dc=com
ranger.ldap.base.dn = dc=example,dc=com
Step 4: Under “Advanced ranger-admin-site” section set below properties
ranger.ldap.group.searchfilter = (member=uid={0},ou=users,dc=example,dc=com)
ranger.ldap.group.searchbase = dc=example,dc=com
Step 5: Under “Advanced ranger-ugsync-site” section set below properties
ranger.usersync.ldap.username.caseconversion = none
ranger.usersync.group.memberattributename = member
ranger.usersync.group.nameattribute = cn
ranger.usersync.group.objectclass = groupofnames
ranger.usersync.group.searchbase = dc=example,dc=com
ranger.usersync.group.searchenabled = false
ranger.usersync.group.searchscope = sub
ranger.usersync.group.usermapsyncenabled = false
ranger.usersync.ldap.user.searchscope = sub
ranger.usersync.ldap.user.searchbase= ou=users,dc=example,dc=com
ranger.usersync.ldap.user.objectclass = person
ranger.usersync.ldap.user.nameattribute = uid
ranger.usersync.ldap.url = ldap://<ip-address-of-openldap-server>:389
ranger.usersync.ldap.searchBase = dc=example,dc=com
ranger.usersync.ldap.referral = ignore
ranger.usersync.ldap.ldapbindpassword = ***** <-- openldap admin password
ranger.usersync.ldap.groupname.caseconversion = none
ranger.usersync.ldap.binddn = cn=Manager,dc=example,dc=com
ranger.usersync.ldap.bindalias = ranger.usersync.ldap.bindalias
ranger.usersync.source.impl.class = org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
ranger.usersync.sink.impl.class = org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
Screenshot “Advanced ranger-usersync-site” – 1
Screenshot “Advanced ranger-usersync-site” – 2
Screenshot “Advanced ranger-usersync-site” – 3
Step 6: Save the all above configuration changes and restart all the affected services from Ambari UI
Step 7: Login to Ranger UI using admin account and check if all the LDAP users are synced by ranger usersync process. if for some reason you cannot see openldap users in Ranger UI then you need to check the usersync daemon’s log and need to figure out what went wrong.
Note – You should see below lines in usersync logs in order to ensure that your openldap users are getting synced correctly in ranger.
12 Feb 2016 11:15:08 INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from source==>sink
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://172.25.17.3:389, ldapBindDn: cn=Manager,dc=example,dc=com, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=example,dc=com, userSearchBase: ou=users,dc=example,dc=com, userSearchScope: 2, userObjectClass: person, userSearchFilter: , extendedUserSearchFilter: (objectclass=person), userNameAttribute: uid, userSearchAttributes: [uid, ismemberof, memberof], userGroupNameAttributeSet: [ismemberof, memberof], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: false, groupSearchBase: dc=example,dc=com, groupSearchScope: 2, groupObjectClass: groupofnames, groupSearchFilter: , extendedGroupSearchFilter: (&(objectclass=groupofnames)(member={0})), extendedAllGroupsSearchFilter: (&(objectclass=groupofnames)), groupMemberAttributeName: member, groupNameAttribute: cn, groupUserMapSyncEnabled: false, ldapReferral: ignore
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: student1, groupList: []
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: student2, groupList: []
12 Feb 2016 11:15:08 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.updateSink() completed with user count: 2
12 Feb 2016 11:15:08 INFO UserGroupSync [UnixUserSyncThread] - End: update user/group from source==>sink
Step 8: Now try to login to Ranger UI via any openldap user and you should be able to get in 
by 