Posted to dev@ranger.apache.org by "Sailaja Polavarapu (JIRA)" <ji...@apache.org> on 2015/11/24 19:55:11 UTC

[jira] [Commented] (RANGER-742) Ranger usersync fails after syncing 500 users from AD or ldap server when paged results is enabled.

    [ https://issues.apache.org/jira/browse/RANGER-742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15025102#comment-15025102 ] 

Sailaja Polavarapu commented on RANGER-742:
-------------------------------------------

Root cause analysis:
======================= 
1. First we perform the user search operation.
2. While processing each user search result, if group search and usermapsyncenabled are enabled, then we perform a group search for that user (to compute group memberships). Note: here the user search session is still alive on the server side. But from the usersync perspective, the ldapContext handle of the user search is replaced by the ldapContext of the group search.
3. When pagedresultsenabled is set and the number of users retrieved is more than the paged results size, the server (both OpenLDAP & AD) sends a cookie for the user search ldapContext (which should be sent back by usersync in subsequent search requests). But, as in step 2, since the user search ldapContext is overwritten, usersync is not able to get the cookie and does not send it in the subsequent search requests.

Possible workarounds:
=======================
1. For the AD case, we can disable the group search flag (ranger.usersync.group.searchenabled=false) while configuring usersync. Since we are anyway getting all the groups from the "memberof" attribute of the user, group information is not lost. In general AD has a two-way mapping of users and groups, i.e., all the groups the user is associated with are available from the "memberof" attribute of the user, and all the users that are associated with a group are available from the "member" attribute of the group.
2. For the OpenLDAP case, we can disable paged results (ranger.usersync.pagedresultsenabled=false) while configuring usersync. In general, OpenLDAP doesn't have the memberof attribute configured by default. Hence group information cannot be retrieved from the user search. The only way to get the group information for the user is to search the group with the "member" attribute.

> Ranger usersync fails after syncing 500 users from AD or ldap server when paged results is enabled.
> ---------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-742
>                 URL: https://issues.apache.org/jira/browse/RANGER-742
>             Project: Ranger
>          Issue Type: Bug
>          Components: usersync
>            Reporter: Sailaja Polavarapu
>
> When Usersync is configured with AD/Ldap as the sync source, it fails to sync the users after 500 users. Following is the exception from usersync:
> 24 Nov 2015 12:04:31 INFO LdapUserGroupBuilder UnixUserSyncThread - Updating user count: 500, userName: user0499, groupList: group05
> 24 Nov 2015 12:04:31 ERROR UserGroupSync UnixUserSyncThread - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
> javax.naming.CommunicationException: LDAP: error code 2 - paged results cookie is invalid; remaining name 'dc=qe,dc=hortonworks,dc=com'
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
> at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
> at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
> at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
> at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:310)
> at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
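The root-cause analysis above boils down to one JNDI rule: the paged-results cookie is read from the response controls of the LdapContext that ran the paged search, so that context must not be replaced by the one used for the per-user group lookup. The following Java program is an added example written for this page, not Ranger's own code and not the fix that landed for RANGER-742. It keeps a dedicated LdapContext for the paged user search and a second connection for the "member"-attribute group search (the OpenLDAP case from workaround 2), and reads the cookie from the user-search context after every page. The LDAP URL, bind DN, password, base DNs, object classes and page size are placeholders; adjust them for a real directory.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

/** Added example (not Ranger code): paged user search with a separate context for group lookups. */
public class PagedUserGroupSync {

    // Placeholder connection settings: assumptions for the example, not values from the ticket.
    static final String LDAP_URL = "ldap://ldap.example.com:389";
    static final String BIND_DN = "cn=sync,dc=example,dc=com";
    static final String BIND_PW = "changeit";
    static final String USER_BASE = "ou=people,dc=example,dc=com";
    static final String GROUP_BASE = "ou=groups,dc=example,dc=com";
    static final int PAGE_SIZE = 500;

    static LdapContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        return new InitialLdapContext(env, null);
    }

    /** Cookie from the paged-results response control of ONE specific context (null when absent). */
    static byte[] pagedCookie(LdapContext ctx) throws NamingException {
        Control[] controls = ctx.getResponseControls();
        if (controls == null) {
            return null;
        }
        for (Control c : controls) {
            if (c instanceof PagedResultsResponseControl) {
                return ((PagedResultsResponseControl) c).getCookie();
            }
        }
        return null;
    }

    /** Group names whose "member" attribute holds the user's DN (no memberof needed on the user). */
    static List<String> groupsOf(LdapContext groupCtx, String userDn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"});
        // {0} is substituted and escaped by JNDI, so a DN with special characters is safe here.
        NamingEnumeration<SearchResult> results = groupCtx.search(
            GROUP_BASE, "(&(objectClass=groupOfNames)(member={0}))", new Object[] {userDn}, sc);
        List<String> groups = new ArrayList<>();
        while (results.hasMore()) {
            groups.add((String) results.next().getAttributes().get("cn").get());
        }
        return groups;
    }

    public static void main(String[] args) throws NamingException, IOException {
        LdapContext userCtx = connect();   // owns the paged user search and its cookie
        LdapContext groupCtx = connect();  // separate connection, so userCtx's controls stay intact
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"uid"});

            byte[] cookie = null;   // null/empty cookie means "start a new paged search"
            int total = 0;
            do {
                userCtx.setRequestControls(new Control[] {
                    new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL)});
                NamingEnumeration<SearchResult> page =
                    userCtx.search(USER_BASE, "(objectClass=inetOrgPerson)", sc);
                while (page.hasMore()) {
                    SearchResult user = page.next();
                    String uid = (String) user.getAttributes().get("uid").get();
                    // Group lookup on the other context: the user-search cookie is not disturbed.
                    List<String> groups = groupsOf(groupCtx, user.getNameInNamespace());
                    total++;
                    System.out.println("user " + total + ": " + uid + " groups=" + groups);
                }
                // Read the cookie from the SAME context that ran the paged user search.
                cookie = pagedCookie(userCtx);
            } while (cookie != null && cookie.length > 0);
        } finally {
            groupCtx.close();
            userCtx.close();
        }
    }
}
```

The loop continues only while the server returns a non-empty cookie, and each continuation request echoes the cookie it was given; sending a stale or missing cookie on the user-search context is exactly what produces the "LDAP: error code 2 - paged results cookie is invalid" failure quoted in the ticket.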