我正在使用 Ranger 2.2 版并尝试从 LDAP 同步用户。我已应用组过滤器来检索属于 groupA 和 groupB 的所有用户。在第一次运行期间，所有属于 groupA、groupB 的用户都已从 LDAP 同步。但是当我把某个用户加入新的组之后，该用户新增的组成员关系没有被同步更新。
案例 1:groupA 和 groupB 的所有用户都在同步。
user1 belongs to groupA , groupB
user2 belongs to groupA
user3 belongs to groupA, groupB
案例 2:将 user2 添加到 groupB。在这种情况下，新组没有同步到 user2。
附上 ranger-ugsync-site.xml 以供参考。
<!-- Ranger usersync site configuration as pasted in the question.
     Host names and secrets appear to be placeholders. -->
<configuration>
<!-- Credential store (JCEKS) file referenced by usersync.
     NOTE(review): presumably this holds the bind and keystore secrets that show
     as "_" elsewhere in this file; confirm, and keep the file readable only by
     the usersync service account. -->
<property>
<name>ranger.usersync.credstore.filename</name>
<value>../ranger/usersync/conf/rangerusersync.jceks</value>
</property>
<!-- Turns the usersync process on. -->
<property>
<name>ranger.usersync.enabled</name>
<value>true</value>
</property>
<!-- Attribute on a group entry that lists its members. -->
<property>
<name>ranger.usersync.group.memberattributename</name>
<value>member</value>
</property>
<!-- Attribute used as the group name in Ranger. -->
<property>
<name>ranger.usersync.group.nameattribute</name>
<value>sAMAccountName</value>
</property>
<!-- objectClass that identifies group entries. -->
<property>
<name>ranger.usersync.group.objectclass</name>
<value>group</value>
</property>
<!-- Group search starts at the domain root. -->
<property>
<name>ranger.usersync.group.searchbase</name>
<value>dc=example,dc=com</value>
</property>
<!-- Enables a separate group search in addition to the user search. -->
<property>
<name>ranger.usersync.group.searchenabled</name>
<value>true</value>
</property>
<!-- LDAP OR filter: matches entries whose CN is group1 or group2.
     The question text calls the groups groupA and groupB; presumably the same
     groups under different placeholder names.
     NOTE(review): a CN is unique only within its container. Combined with the
     domain-root search base and "sub" scope, any group with the same CN
     elsewhere in the tree would also match and be imported for authorization.
     Consider a narrower search base or matching on the full DN. -->
<property>
<name>ranger.usersync.group.searchfilter</name>
<value>(|(CN=group1)(CN=group2))</value>
</property>
<!-- Subtree scope: the whole tree below the group search base is searched. -->
<property>
<name>ranger.usersync.group.searchscope</name>
<value>sub</value>
</property>
<!-- Account usersync binds with to search the directory.
     NOTE(review): the name "adadmin" suggests an administrative account; a
     read-only directory account is enough for searching users and groups.
     Confirm the privileges of this account. -->
<property>
<name>ranger.usersync.ldap.binddn</name>
<value>cn=adadmin,cn=Users, dc=example,dc=com</value>
</property>
<!-- Group names are upper-cased; presumably Ranger policies must reference the
     upper-case form (verify). -->
<property>
<name>ranger.usersync.ldap.groupname.caseconversion</name>
<value>upper</value>
</property>
<!-- Bind password shows as "_" here; presumably the real secret is kept in the
     credential store named by ranger.usersync.credstore.filename (confirm).
     Do not place the clear-text password in this file. -->
<property>
<name>ranger.usersync.ldap.ldapbindpassword</name>
<value>_</value>
</property>
<!-- Default search base for LDAP searches. -->
<property>
<name>ranger.usersync.ldap.searchBase</name>
<value>dc=example,dc=com</value>
</property>
<!-- Directory endpoint.
     NOTE(review): the scheme is ldap:// (no TLS), yet 3269 is conventionally the
     Active Directory global catalog port over TLS. Confirm whether ldaps:// is
     intended; with plain ldap:// the bind DN and password would cross the
     network unencrypted. -->
<property>
<name>ranger.usersync.ldap.url</name>
<value>ldap://hostname:3269</value>
</property>
<!-- Incremental (delta) sync is on.
     NOTE(review): presumably only entries the directory reports as changed
     since the previous cycle are re-read. Adding a user to a group typically
     modifies the group entry, not the user entry, so the user's new membership
     may be skipped; this matches the symptom in the question (verify).
     The same staleness would apply to removals, leaving a user with group-based
     access in Ranger after the directory has revoked it. Test with the value
     false, or schedule periodic full syncs. -->
<property>
<name>ranger.usersync.ldap.deltasync</name>
<value>true</value>
</property>
<!-- Attributes on the user entry that list the groups the user belongs to. -->
<property>
<name>ranger.usersync.ldap.user.groupnameattribute</name>
<value>memberof,ismemberof</value>
</property>
<!-- Attribute used as the user name in Ranger. -->
<property>
<name>ranger.usersync.ldap.user.nameattribute</name>
<value>sAMAccountName</value>
</property>
<!-- objectClass that identifies user entries. -->
<property>
<name>ranger.usersync.ldap.user.objectclass</name>
<value>person</value>
</property>
<!-- User search is limited to the "users" OU. -->
<property>
<name>ranger.usersync.ldap.user.searchbase</name>
<value>ou=users, dc=example, dc=com</value>
</property>
<!-- NOTE(review): the value is the literal two-character string '' rather than
     an empty element; confirm usersync treats it as "no additional filter". -->
<property>
<name>ranger.usersync.ldap.user.searchfilter</name>
<value>''</value>
</property>
<!-- Subtree scope: the whole tree below the user search base is searched. -->
<property>
<name>ranger.usersync.ldap.user.searchscope</name>
<value>sub</value>
</property>
<!-- User names are upper-cased before being stored, same as group names. -->
<property>
<name>ranger.usersync.ldap.username.caseconversion</name>
<value>upper</value>
</property>
<!-- Directory for usersync logs; a good first place to check what each sync
     cycle actually fetched. -->
<property>
<name>ranger.usersync.logdir</name>
<value>logs</value>
</property>
<!-- Paged LDAP results are enabled. -->
<property>
<name>ranger.usersync.pagedresultsenabled</name>
<value>true</value>
</property>
<!-- Page size is left empty; presumably a built-in default applies (verify). -->
<property>
<name>ranger.usersync.pagedresultssize</name>
<value />
</property>
<!-- Ranger Admin endpoint that usersync pushes users and groups to.
     NOTE(review): the scheme is http://, so whatever usersync sends to Ranger
     Admin, presumably including its login, travels unencrypted. Prefer an
     https:// endpoint.
     The literal <hostname> placeholder is not well-formed XML as pasted; a real
     file needs a plain host name here. -->
<property>
<name>ranger.usersync.policymanager.baseURL</name>
<value>http://<hostname>:6080</value>
</property>
<!-- Upper bound on records sent per API call to Ranger Admin. -->
<property>
<name>ranger.usersync.policymanager.maxrecordsperapicall</name>
<value>1000</value>
</property>
<!-- Mock run is off, so results are actually written to Ranger Admin. -->
<property>
<name>ranger.usersync.policymanager.mockrun</name>
<value>false</value>
</property>
<!-- Port the usersync service listens on. -->
<property>
<name>ranger.usersync.port</name>
<value>5151</value>
</property>
<!-- Sink implementation: writes synced users and groups to the policy manager. -->
<property>
<name>ranger.usersync.sink.impl.class</name>
<value>org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder</value>
</property>
<!-- 3600000 ms = one hour between sync cycles. Directory changes, including
     membership removals, cannot reach Ranger sooner than the next cycle. -->
<property>
<name>ranger.usersync.sleeptimeinmillisbetweensynccycle</name>
<value>3600000</value>
</property>
<!-- Source implementation class.
     NOTE(review): this names LdapUserGroupBuilder while
     ranger.usersync.ldap.deltasync is true; confirm which builder usersync
     actually runs with this combination. -->
<property>
<name>ranger.usersync.source.impl.class</name>
<value>org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder</value>
</property>
<!-- Presumably enables TLS on the usersync listener port, not on the LDAP
     connection (confirm). -->
<property>
<name>ranger.usersync.ssl</name>
<value>true</value>
</property>
<!-- Minimum UID for unix-source sync; presumably unused when the source is
     ldap. -->
<property>
<name>ranger.usersync.unix.minUserId</name>
<value>500</value>
</property>
<!-- Minimum GID for unix-source sync; presumably unused when the source is
     ldap. -->
<property>
<name>ranger.usersync.unix.minGroupId</name>
<value>500</value>
</property>
<!-- Keystore holding the usersync service certificate. -->
<property>
<name>ranger.usersync.keystore.file</name>
<value>../ranger/usersync/conf/cert/unixauthservice.jks</value>
</property>
<!-- No truststore configured.
     NOTE(review): if LDAPS or HTTPS endpoints are adopted, certificate
     validation will presumably rely on the JVM default truststore; confirm that
     it contains the issuing CA. -->
<property>
<name>ranger.usersync.truststore.file</name>
<value />
</property>
<!-- Sync source type: LDAP/AD. -->
<property>
<name>ranger.usersync.sync.source</name>
<value>ldap</value>
</property>
<!-- LDAP referrals are not followed. -->
<property>
<name>ranger.usersync.ldap.referral</name>
<value>ignore</value>
</property>
<!-- Kerberos principal is left empty. -->
<property>
<name>ranger.usersync.kerberos.principal</name>
<value />
</property>
<!-- Kerberos keytab is left empty. -->
<property>
<name>ranger.usersync.kerberos.keytab</name>
<value />
</property>
<!-- Keystore password shows as "_" here; presumably resolved from the
     credential store (confirm). -->
<property>
<name>ranger.usersync.keystore.password</name>
<value>_</value>
</property>
<!-- Truststore password shows as "_" here; presumably resolved from the
     credential store (confirm). -->
<property>
<name>ranger.usersync.truststore.password</name>
<value>_</value>
</property>
<!-- Delimiter between role assignment rules.
     NOTE(review): a bare ampersand is not well-formed XML; in the real file it
     has to be written as &amp; or a strict parser will reject the document. -->
<property>
<name>ranger.usersync.role.assignment.list.delimiter</name>
<value>&</value>
</property>
<!-- Delimiter between the users/groups part and the assignment part of a rule. -->
<property>
<name>ranger.usersync.users.groups.assignment.list.delimiter</name>
<value>:</value>
</property>
<!-- Delimiter between individual user or group names within a rule. -->
<property>
<name>ranger.usersync.username.groupname.assignment.list.delimiter</name>
<value>,</value>
</property>
<!-- No group-based role assignment rules are defined. -->
<property>
<name>ranger.usersync.group.based.role.assignment.rules</name>
<value />
</property>
<!-- NOTE(review): as pasted, the listing stops here without a closing
     </configuration> tag. -->
%