| ![[Important]](../common/images/admon/important.png) | Important | 
|---|---|
| To ensure that LDAP/AD group level authorization is enforced in Hadoop, you should set up Hadoop group mapping for LDAP/AD. | 
| ![[Note]](../common/images/admon/note.png) | Note | 
|---|---|
| You can use the LDAP Connection Check tool to determine User Sync settings for LDAP/AD. | 
Use the following steps to configure Ranger User Sync for LDAP/AD.
- On the Customize Services page, select the Ranger User Info tab. 
- Click Yes under Enable User Sync. 
- Use the Sync Source drop-down to select LDAP/AD. 
- Set the following properties on the Common Configs tab. - Table 3.7. LDAP/AD Common Configs - Property - Description - Default Value - Sample Values - LDAP/AD URL - Add URL depending upon LDAP/AD sync source - ldap://{host}:{port} - ldap://ldap.example.com:389 or ldaps://ldap.example.com:636 - Bind Anonymous - If Yes is selected, the Bind User and Bind User Password are not required. - NO - Bind User - The location of the groups file on the Linux server. - The full distinguished name (DN), including common name (CN), of an LDAP/AD user account that has privileges to search for users. The LDAP bind DN is used to connect to LDAP and query for users and groups. - cn=admin,dc=example,dc=com or [email protected] - Bind User Password - The password of the Bind User. 
  
- Set the following properties on the User Configs tab. - Table 3.8. LDAP/AD User Configs - Property - Description - Default Value - Sample Values - Group User Map Sync - Sync specific groups for users. - No - Yes - Username Attribute - The LDAP user name attribute. - sAMAccountName for AD, uid or cn for OpenLDAP - User Object Class - Object class to identify user entries. - person - top, person, organizationalPerson, user, or posixAccount - User Search Base - Search base for users. - cn=users,dc=example,dc=com - User Search Filter - Optional additional filter constraining the users selected for syncing. - Sample filter to retrieve all the users: cn=* - Sample filter to retrieve all the users who are members of groupA or groupB: (|(memberof=CN=GroupA,OU=groups,DC=example,DC=com)(memberof=CN=GroupB,OU=groups,DC=example,DC=com)) - User Search Scope - This value is used to limit user search to the depth from search base. - sub - base, one, or sub - User Group Name Attribute - Attribute from user entry whose values would be treated as group values to be pushed into the Policy Manager database. You can provide multiple attribute names separated by commas. - memberof,ismemberof - memberof, ismemberof, or gidNumber 
  
- Set the following properties on the Group Configs tab. - Table 3.9. LDAP/AD Group Configs - Property - Description - Default Value - Sample Values - Enable Group Sync - If Enable Group Sync is set to No, the group names the users belong to are derived from “User Group Name Attribute”. In this case no additional group filters are applied. - If Enable Group Sync is set to Yes, the groups the users belong to are retrieved from LDAP/AD using the following group-related attributes. - No - Yes - Group Member Attribute - The LDAP group member attribute name. - member - Group Name Attribute - The LDAP group name attribute. - distinguishedName for AD, cn for OpenLdap - Group Object Class - LDAP Group object class. - group, groupofnames, or posixGroup - Group Search Base - Search base for groups. - ou=groups,DC=example,DC=com - Group Search Filter - Optional additional filter constraining the groups selected for syncing. - Sample filter to retrieve all groups: cn=* - Sample filter to retrieve only the groups whose cn is Engineering or Sales: (|(cn=Engineering)(cn=Sales)) 
  


