Ranger Ldap Tool: Magic behind the scene

Recently I came across this command-line LDAP connection tool, which is very useful when setting up Ranger UserSync.

The tool collects a minimal amount of input from the admin about the LDAP/AD server and discovers the user and group properties needed to pull only the targeted users and groups from that server.

Details

The LDAP connection check tool is a command-line tool that can be run on any machine where Java is installed and the LDAP/AD server is reachable. It can discover not only the usersync-related properties but also the authentication properties, if needed. It also generates the Ambari configuration properties as well as the install properties used for a manual installation. The user can choose to discover the user and group properties together or separately. A template properties file is shipped with the tool so that the user can fill in the values specific to their setup.

Tool usage

To learn the details of how to use the tool, it also provides a “help” option (-h), which prints the following:

usage: run.sh
 -a         ignore authentication properties
 -d <arg>   {all|users|groups}
 -h         show help.
 -i <arg>   Input file name
 -o <arg>   Output directory
 -r <arg>   {all|users|groups}

All of the above parameters are optional.

  1. If “-i” (input file) is not specified, the tool falls back to the CLI prompts for collecting the values of the mandatory properties.
  2. If “-o” (output directory) is not specified, the tool writes all output files to the <install dir>/ranger-0.5.0-usersync/ldaptool/output directory.
  3. If “-a” (ignore authentication) is not specified, the tool discovers and verifies the authentication-related properties.
  4. If “-d” (discover usersync properties) is not specified, the tool defaults to discovering all the usersync-related properties.
  5. If “-r” (retrieve users and/or groups) is not specified, the tool falls back to the “-d” option.

Example


Input properties

In order to discover the usersync and authentication related properties, the tool collects some mandatory information as part of the input properties. These mandatory properties are:

  1. ranger.usersync.ldap.url (<ldap or ldaps>://<server ip/fqdn>:<port>)
  2. ranger.usersync.ldap.binddn (an LDAP user such as an AD user or the LDAP admin user)
  3. ranger.usersync.ldap.bindpassword (that user’s password or the LDAP admin password)
  4. ranger.usersync.ldap.user.searchbase (mandatory only for a non-AD environment)
  5. ranger.usersync.ldap.user.searchfilter (mandatory only for a non-AD environment)
  6. ranger.admin.auth.sampleuser (mandatory only when discovering authentication properties)
  7. ranger.admin.auth.samplepassword (mandatory only when discovering authentication properties)
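As an added example (not part of the Ranger tool itself), a small Python pre-flight check that applies the mandatory-property rules above to an input.properties file before the tool is run, and flags a plain ldap:// URL because the bind password would then cross the network in clear text. The property names are the ones listed above; the sample file is constructed, and the is_ad and ignore_auth flags are assumptions standing in for the AD/non-AD distinction and the -a option.

```python
import re
# Property names as listed above, grouped by their "mandatory only for" rule.
ALWAYS = ("ranger.usersync.ldap.url", "ranger.usersync.ldap.binddn",
          "ranger.usersync.ldap.bindpassword")
NON_AD_ONLY = ("ranger.usersync.ldap.user.searchbase",
               "ranger.usersync.ldap.user.searchfilter")
AUTH_ONLY = ("ranger.admin.auth.sampleuser", "ranger.admin.auth.samplepassword")
URL_RE = re.compile(r"^(ldaps?)://([^:/\s]+):(\d{1,5})$")

def parse_properties(text):
    """Minimal Java .properties reader (key=value lines, '#'/'!' comments).
    Splits on the first '=' only, so a bind DN keeps its own '=' characters."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_input(props, is_ad, ignore_auth):
    """Return (missing_keys, warnings). Assumed flags: is_ad models an AD
    server, ignore_auth models running the tool with -a."""
    required = list(ALWAYS)
    if not is_ad:
        required += NON_AD_ONLY
    if not ignore_auth:
        required += AUTH_ONLY
    missing = [k for k in required if not props.get(k)]
    warnings = []
    url = props.get("ranger.usersync.ldap.url", "")
    match = URL_RE.match(url)
    if url and not match:
        warnings.append("url must be <ldap|ldaps>://<host>:<port>")
    elif match and match.group(1) == "ldap":
        warnings.append("ldap:// sends the bind password in clear text; use "
                        "ldaps:// and import the server/CA cert into the Java "
                        "truststore before running the tool")
    return missing, warnings

# Constructed sample (not a real server); searchfilter and samplepassword omitted.
SAMPLE = """\
ranger.usersync.ldap.url=ldap://ldap.example.com:389
ranger.usersync.ldap.binddn=cn=admin,ou=users,dc=example,dc=com
ranger.usersync.ldap.bindpassword=changeit
ranger.usersync.ldap.user.searchbase=ou=users,dc=example,dc=com
ranger.admin.auth.sampleuser=user1
"""
```

Running check_input(parse_properties(SAMPLE), is_ad=False, ignore_auth=False) reports the two omitted keys as missing plus the clear-text warning; with is_ad=True and ignore_auth=True nothing is missing.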

This tool provides two options for collecting values for these mandatory properties:

  1. Modify the input.properties file provided as part of the tool installation and pass that file (with its complete path) as the command line argument when running the tool.
  2. Use the CLI to input the values for these mandatory properties.

The CLI option is presented when no input file is given on the command line (-i <arg>). Once the values are collected from the CLI, they are stored in the input.properties file (in the conf directory of the installation folder) for later use.

The following is the CLI shown by the tool when no input file is specified (defaults appear in brackets):

Ldap url [ldap://ldap.example.com:389]:
Bind DN [cn=admin,ou=users,dc=example,dc=com]:
Bind Password:
User Search Base [ou=users,dc=example,dc=com]:
User Search Filter [cn=user1]:
Sample Authentication User [user1]:
Sample Authentication Password:

Note: In order to use secure LDAP (ldaps), the Java default truststore must be updated with the server’s self-signed certificate or the CA certificate that validates the server connection. The truststore should be updated before running the tool.

My Hortonworks Community Article Ref: HCC Article
