Posted to dev@ranger.apache.org by "Sailaja Polavarapu (Jira)" <ji...@apache.org> on 2022/03/09 02:00:02 UTC

[jira] [Updated] (RANGER-3630) Support wildcards, group short names, and list of memberof attribute DNs for computing user search filter

     [ https://issues.apache.org/jira/browse/RANGER-3630?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sailaja Polavarapu updated RANGER-3630:
---------------------------------------
    Fix Version/s: 3.0.0

> Support wildcards, group short names, and list of memberof attribute DNs for computing user search filter
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-3630
>                 URL: https://issues.apache.org/jira/browse/RANGER-3630
>             Project: Ranger
>          Issue Type: New Feature
>          Components: Ranger, usersync
>            Reporter: Sailaja Polavarapu
>            Assignee: Sailaja Polavarapu
>            Priority: Major
>             Fix For: 3.0.0
>
>         Attachments: 0001-RANGER-3630-Added-code-to-support-wildcards-group-sh.patch, RANGER-3630_proposal.pdf
>
>
> Ranger Usersync provides multiple configuration properties to sync users & groups from AD/LDAP. One of the key configuration properties is the User Search filter (ranger.usersync.ldap.user.searchfilter). Currently, the value of user search filter must be a valid ldap search filter and is used by ranger usersync “as is” to limit the no. of users to be sync’d from AD/LDAP. 
> Example values include:
>  # samaccountname=*  
>  ** Syncs all users from a given user search base
>  # (|(memberof=CN=finance,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org))
>  ** Sync users that are members of finance, eng_dev, and eng_testing groups
> According to [Microsoft documentation|https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx], the wildcard character * is not allowed when the <AD Attribute> is a DN attribute. Examples of DN attributes are distinguishedName, manager, directReports, member, and memberOf. If users need to be sync'd from multiple Active Directory groups with memberOf filters, this value can quickly become a long string of OR concatenated group DNs. A single misplaced character in this cryptic string results in all users failing to sync. 
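Below is an added example (not Ranger's own code nor the attached patch) that shows the pattern the issue argues for: instead of hand-writing one long OR chain of memberOf DNs, resolve short names and wildcards to full group DNs first, then generate the filter and check it before handing it to the directory. The group catalog SAMPLE_GROUP_DNS is constructed for the example, and the rule "a value containing '=' is a full DN, anything else is a short name under the group search base" is an assumption of this example, not Ranger's documented behaviour.

```python
"""Generate a Ranger-style user search filter from AD group names.

Added illustration (not Ranger's own code). Wildcards are expanded against
a known list of group DNs, because AD does not accept '*' against DN-valued
attributes such as memberOf, and the generated filter is validated so that a
single stray parenthesis is caught before the LDAP query is issued.
"""
import fnmatch

# Constructed sample data: DNs a group search under the group search base
# would return. Not taken from the issue's environment.
SAMPLE_GROUP_DNS = [
    "CN=finance,ou=Hadoop Groups,dc=apache,dc=org",
    "CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org",
    "CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org",
    "CN=marketing,ou=Hadoop Groups,dc=apache,dc=org",
]

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def short_name(group_dn: str) -> str:
    """First RDN value of a DN, e.g. 'finance' from 'CN=finance,ou=...'."""
    first_rdn = group_dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1]


def resolve_groups(entries, known_group_dns):
    """Map each configured entry to one or more full group DNs.

    Assumption of this example: a value containing '=' is a full DN and is
    passed through unchanged; any other value is a short name (optionally
    with a '*' wildcard) matched case-insensitively against the short names
    of known_group_dns. An entry that matches nothing is an error rather
    than a silently empty clause.
    """
    resolved = []
    for entry in entries:
        if "=" in entry:
            resolved.append(entry)
            continue
        pattern = entry.lower()
        matches = [dn for dn in known_group_dns
                   if fnmatch.fnmatchcase(short_name(dn).lower(), pattern)]
        if not matches:
            raise ValueError(f"no group matches {entry!r}")
        resolved.extend(matches)
    return resolved


def build_user_search_filter(entries, known_group_dns, member_attr="memberof"):
    """Compose the (|(memberof=DN1)(memberof=DN2)...) user search filter."""
    dns = resolve_groups(entries, known_group_dns)
    clauses = [f"({member_attr}={escape_filter_value(dn)})" for dn in dns]
    if len(clauses) == 1:
        return clauses[0]
    return "(|" + "".join(clauses) + ")"


def filter_is_balanced(ldap_filter: str) -> bool:
    """Cheap structural check: unescaped parentheses balance and wrap the filter."""
    depth = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3  # skip a hex escape such as \28
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0 and ldap_filter.startswith("(") and ldap_filter.endswith(")")


if __name__ == "__main__":
    generated = build_user_search_filter(["finance", "eng_*"], SAMPLE_GROUP_DNS)
    print(generated)
    print("balanced:", filter_is_balanced(generated))
```

Running the block with ["finance", "eng_*"] against the sample catalog produces exactly the three-clause OR filter quoted in the issue, while a hand-typed filter missing its final ')' fails filter_is_balanced; parentheses inside a group name are escaped rather than breaking the filter.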



--
This message was sent by Atlassian Jira
(v8.20.1#820001)