-- 参考:https://community.hortonworks.com/questions/1018/how-to-configure-ranger-usync-for-ldap-ssl.html
-- https://community.hortonworks.com/articles/16696/ranger-ldap-integration.html
-- http://jamesbenson.weebly.com/blog/how-to-setup-apache-ranger-and-ldap
-- https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm.html
-- 若安装中遇到问题,欢迎加QQ群交流:661945126
-- 目标:LDAP 统一账号支持;
-- 即将 Ranger, Ambari, Hue, Azkaban 等账号统一用 LDAP 账号支持;
-- 这样:每次新来员工,我只需要用 FreeIPA 创建一次账号就可以给该用户各种平台提供登陆及权限支持。
-- 避免了新来一个员工创建N次账号的繁琐操作。
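# Sanity-check the bind account and the target entries before touching Ranger.
# `-h` takes a bare hostname; an ldaps:// URI must be given with `-H`, so the
# original `-h ldaps://... -p 636` form did not actually select LDAPS.
# `-W` prompts for the bind password; `-w <password>` would leave the credential
# in shell history, in the process list and in any copy of these notes.
ldapsearch -x -H ldaps://wfldap001.wanfeng.com:636 -D "uid=hadoopadmin,cn=users,cn=accounts,dc=wanfeng,dc=com" -W -b "dc=wanfeng,dc=com" uid=admin
ldapsearch -x -H ldaps://wfldap001.wanfeng.com:636 -D "uid=hadoopadmin,cn=users,cn=accounts,dc=wanfeng,dc=com" -W -b "dc=wanfeng,dc=com" uid=luoyoumou
# The group lookup was originally done over plain LDAP on 389; keep it on LDAPS
# as well so the simple bind is never sent in clear text.
ldapsearch -x -LLL -H ldaps://wfldap001.wanfeng.com:636 -D "uid=hadoopadmin,cn=users,cn=accounts,dc=wanfeng,dc=com" -W -b 'dc=wanfeng,dc=com' 'cn=ranger'
# Truststore for usersync. The copy below is only useful if the usersync truststore
# property points at the copy; as written, the property at the end of this block
# still references the system-wide /etc/pki/java/cacerts, so the import goes into
# the JDK's shared truststore (default password "changeit" — change it, and prefer
# a dedicated truststore readable only by the usersync service user).
cp /etc/pki/java/cacerts /usr/hdp/current/ranger-usersync/userSyncCAcerts
# cert.pem is the LDAP server's CA certificate (for FreeIPA presumably /etc/ipa/ca.crt;
# confirm its fingerprint out of band before trusting it). keytool prompts for the
# keystore password; do not pass it with -storepass on the command line.
keytool -import -trustcacerts -alias MyLdap -file cert.pem -keystore /etc/pki/java/cacerts
# Ranger usersync property that must point at the truststore holding this CA:
# ranger.usersync.truststore.file=/etc/pki/java/cacerts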
--------------------------------------------------------------------------------------------------
-- 配置文件:
-- COMMON CONFIGS
-- COMMON CONFIGS:Sync Source:LDAP/AD
-- Sync source: read users/groups from LDAP (FreeIPA) instead of the local Unix accounts.
ranger.usersync.source.impl.class=org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
-- NOTE(review): plain ldap:// on 389 together with starttls=false (below) sends the
-- bind password in clear text on every sync run. The ldapsearch checks at the top of
-- these notes already reach the same server on ldaps://wfldap001.wanfeng.com:636, so
-- switch this URL to ldaps://wfldap001.wanfeng.com:636 (with the CA in the usersync
-- truststore) or set ranger.usersync.ldap.starttls=true.
ranger.usersync.ldap.url=ldap://wfldap001.wanfeng.com:389 -- COMMON CONFIGS: LDAP/AD URL
-- Service account used for the bind. It only needs read access to the users/groups
-- subtrees; if hadoopadmin carries IPA admin rights, use a read-only account instead.
ranger.usersync.ldap.binddn=uid=hadoopadmin,cn=users,cn=accounts,dc=wanfeng,dc=com -- COMMON CONFIGS:Bind User
-- Masked in these notes. If this password has ever been typed on a command line or
-- pasted into a document, rotate it.
ranger.usersync.ldap.bindpassword=********* -- COMMON CONFIGS:Bind User Password
-- Full sync on every run while the setup is being validated; the closing note of
-- this document switches it to true once the results look right.
ranger.usersync.ldap.deltasync=false -- COMMON CONFIGS:Incremental Sync
-- STARTTLS off: see the note on the URL above.
ranger.usersync.ldap.starttls=false -- COMMON CONFIGS:Enable LDAP STARTTLS
-- 上面的配置具体如下图所示:
-- USER CONFIGS
-- Login name attribute: FreeIPA users are uid=<login>,cn=users,cn=accounts,... (see the
-- member: values in the ldapsearch output at the bottom of these notes).
ranger.usersync.ldap.user.nameattribute=uid -- USER CONFIGS:Username Attribute
ranger.usersync.ldap.user.objectclass=person -- USER CONFIGS:User Object Class
-- Search base is the whole directory; the filter below is what limits the result.
ranger.usersync.ldap.user.searchbase=dc=wanfeng,dc=com -- USER CONFIGS:User Search Base
-- NOTE(review): this filter is evaluated against user entries, but it tests their
-- `member` attribute, which groups carry, not users. It also names the compat-tree
-- group (cn=compat), whose entry in the ldapsearch output below only has memberUid
-- values; the `member` values live on cn=ranger,cn=groups,cn=accounts,dc=wanfeng,dc=com.
-- Because group-search-first is enabled below, users appear to be derived from the
-- group's member list regardless, which is presumably why the sync still yields the
-- four expected users — confirm before relying on this filter on its own.
ranger.usersync.ldap.user.searchfilter=(member=cn=ranger,cn=groups,cn=compat,dc=wanfeng,dc=com) -- USER CONFIGS:User Search Filter
ranger.usersync.ldap.user.searchscope=sub -- USER CONFIGS:User Search Scope
-- NOTE(review): `member` is a group-side attribute; a user-side membership attribute
-- (FreeIPA exposes memberOf on user entries) is what is normally expected here — verify.
ranger.usersync.ldap.user.groupnameattribute=member -- USER CONFIGS:User Group Name Attribute
ranger.usersync.group.usermapsyncenabled=true -- USER CONFIGS:Group User Map Sync
-- User search disabled: together with group-search-first this keeps the synced user
-- set to members of the matching group(s) only, which is the stated goal (only
-- ranger group members are imported).
ranger.usersync.user.searchenabled=false -- USER CONFIGS:Enable User Search
-- 上面的配置具体如下图所示:
-- GROUP CONFIGS
-- Group sync on: groups matching the filter below are created in Ranger with their members.
ranger.usersync.group.searchenabled=true -- GROUP CONFIGS:Enable Group Sync
-- `member` holds full user DNs on the accounts-tree group (see the ldapsearch output
-- below: member: uid=tangkaige,cn=users,cn=accounts,...). The compat-tree copy of the
-- same group only has memberUid, so this only works with the cn=accounts search base.
ranger.usersync.group.memberattributename=member -- GROUP CONFIGS:Group Member Attribute
ranger.usersync.group.nameattribute=cn -- GROUP CONFIGS:Group Name Attribute
-- The accounts-tree group entry lists objectClass posixgroup (alongside groupofnames
-- and ipausergroup), so posixGroup matches it.
ranger.usersync.group.objectclass=posixGroup -- GROUP CONFIGS:Group Object Class
-- Must stay on cn=accounts, not cn=compat — see the note on the member attribute.
ranger.usersync.group.searchbase=cn=groups,cn=accounts,dc=wanfeng,dc=com -- GROUP CONFIGS:Group Search Base
-- Allow-list of groups to sync: only cn=ranger. Widen it deliberately when more
-- groups are needed (an OR filter such as (|(cn=ranger)(cn=ambari))); a catch-all
-- filter would import every IPA group and its members into Ranger.
ranger.usersync.group.searchfilter=(cn=ranger) -- GROUP CONFIGS:Group Search Filter
-- Users are discovered through the groups' member lists rather than by a standalone
-- user search (user search is disabled in the USER CONFIGS section).
ranger.usersync.group.search.first.enabled=true -- GROUP CONFIGS:Enable Group Search First
-- 上面的配置具体如下图所示:
-- 其他配置详细如下(如果与上面有冲突,以上面为准)
-- Remaining keys as shown by Ambari. The ranger.ldap.* keys are a separate setting
-- group from ranger.usersync.*: they govern how Ranger Admin authenticates its own
-- UI logins against LDAP, not the sync job.
ranger.ldap.user.searchfilter=(uid={0})
-- NOTE(review): ou=users does not exist in this directory. The user DNs returned by
-- the ldapsearch below are uid=<login>,cn=users,cn=accounts,dc=wanfeng,dc=com, so this
-- pattern would not resolve a login; the search filter above with the base DN below
-- is presumably what actually locates the user — verify which path Ranger Admin takes.
ranger.ldap.user.dnpattern=uid={0},ou=users,dc=wanfeng,dc=com
-- Same clear-text concern as the usersync URL: Admin logins send the user's password
-- to this URL, so prefer ldaps://wfldap001.wanfeng.com:636 here as well.
ranger.ldap.url=ldap://wfldap001.wanfeng.com:389
-- Referrals are ignored; "follow" would let the directory redirect binds to other hosts.
ranger.ldap.referral=ignore
ranger.ldap.group.roleattribute=uid
-- Masked in these notes.
ranger.ldap.bind.password=*****
-- Ambari template variables, filled in from the usersync settings at deploy time.
ranger.ldap.bind.dn={{ranger_ug_ldap_bind_dn}} -- do not modify
ranger.ldap.base.dn=dc=wanfeng,dc=com
ranger.ldap.group.searchfilter=(cn=ranger)
ranger.ldap.group.searchbase={{ranger_ug_ldap_group_searchbase}} -- do not modify
ranger.usersync.group.memberattributename=member
ranger.usersync.group.nameattribute=cn
ranger.usersync.group.objectclass=posixGroup
-- Conflicts with the GROUP CONFIGS section above (cn=groups,cn=accounts,... there);
-- per the note introducing this list, the earlier value wins.
ranger.usersync.group.searchbase=dc=wanfeng,dc=com
ranger.usersync.group.searchenabled=true
ranger.usersync.group.searchscope=sub
-- Conflicts with the USER CONFIGS section above (true there); the earlier value wins.
ranger.usersync.group.usermapsyncenabled=false
ranger.usersync.ldap.user.groupnameattribute=member
ranger.usersync.ldap.user.searchscope=sub
ranger.usersync.ldap.user.searchbase=dc=wanfeng,dc=com
ranger.usersync.ldap.user.objectclass=person
ranger.usersync.ldap.url=ldap://wfldap001.wanfeng.com:389
ranger.usersync.ldap.searchBase=dc=wanfeng,dc=com
ranger.usersync.ldap.referral=ignore
-- NOTE(review): spelled ldapbindpassword here but bindpassword in the COMMON CONFIGS
-- section; only one of the two is the key the usersync process reads — check
-- ranger-ugsync-site.xml on the host.
ranger.usersync.ldap.ldapbindpassword=*****
ranger.usersync.ldap.groupname.caseconversion=none
ranger.usersync.ldap.binddn=uid=hadoopadmin,cn=users,cn=accounts,dc=wanfeng,dc=com
-- Alias under which the bind password is looked up in the usersync credential store
-- (presumably a jceks file); it is not the password itself.
ranger.usersync.ldap.bindalias=ranger.usersync.ldap.bindalias
ranger.usersync.source.impl.class=org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
-- Sink: push the synced users/groups into Ranger Admin (policy manager).
ranger.usersync.sink.impl.class=org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
--------------------------------------------------------------------------------------------------
-- 如果报错:ERROR CustomSSLSocketFactory [UnixUserSyncThread] - Unable to obtain keystore from file [/usr/hdp/current/ranger-usersync/conf/mytruststore.jks] (通常说明 ranger.usersync.truststore.file 指向的 truststore 文件不存在、usersync 服务用户没有读取权限,或 truststore 密码不对;按下面的 keytool 命令生成即可)
-- 参考:https://community.hortonworks.com/articles/16696/ranger-ldap-integration.html
-- 我的
cd /usr/hdp/current/ranger-usersync/
# Import the FreeIPA CA into a dedicated truststore for usersync. keytool prompts
# for a keystore password (the file is created if it does not exist); the same
# password must then be given to usersync via its truststore-password property
# (confirm the exact key for your Ranger version), and the file should be owned
# by and readable only to the usersync service user. Verify the fingerprint of
# /etc/ipa/ca.crt against the IPA server before importing it.
$JAVA_HOME/bin/keytool -import -trustcacerts -alias root \
-file /etc/ipa/ca.crt \
-keystore /usr/hdp/current/ranger-usersync/conf/mytruststore.jks
--------------------------------------------------------------------------------------------------
-- 四、创建 ambari、ranger 两个组,并创建用户、加入组(注意:下面并没有创建名为 bigdata 的组,bigdata 只是一个普通用户)
# One IPA group per platform; the group name doubles as its description.
for grp in ambari ranger; do
    ipa group-add "$grp" --desc "$grp"
done

# Accounts to create: login, given name, surname (one per line).
while read -r login first last; do
    ipa user-add "$login" --first="$first" --last="$last"
done <<'EOF'
xujunyang xu junyang
luoyoumou youmou luo
xiayi xia yi
wangyan wang yan
tangkaige tang kaige
zhangzhongyan zhang zhongyan
lichunliang li chunliang
caojian cao jian
bigdata big data
rec rec rec
EOF

# Group membership. Only the ranger group is matched by the usersync group filter,
# so only its four members end up in Ranger.
for login in xujunyang luoyoumou; do
    ipa group-add-member ambari --users="$login"
done
for login in xiayi wangyan tangkaige zhangzhongyan; do
    ipa group-add-member ranger --users="$login"
done
-- 想要的效果:
-- 1. 只有 ranger 组的用户才自动导入 ranger (也就是以下四个用户)
memberUid: tangkaige
memberUid: xiayi
memberUid: wangyan
memberUid: zhangzhongyan
--------------------------------------------------------------------------------------------------
[root@<host> tmp]# ldapsearch -x -LLL -h wfldap001.wanfeng.com:389 -D "uid=hadoopadmin,cn=users,cn=accounts,dc=wanfeng,dc=com" -w ******** -b 'dc=wanfeng,dc=com' 'cn=ranger'
dn: cn=ranger,cn=groups,cn=compat,dc=wanfeng,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 1757400031
memberUid: tangkaige
memberUid: xiayi
memberUid: wangyan
memberUid: zhangzhongyan
ipaAnchorUUID:: OklQQTp3YW5mZW5nLmNvbToxNGFkZTlhMi05MzI1LTExZTgtYjAzNi0wODAwMj
cwMjg2Y2U=
cn: ranger
dn: cn=ranger,cn=groups,cn=accounts,dc=wanfeng,dc=com
member: uid=tangkaige,cn=users,cn=accounts,dc=wanfeng,dc=com
member: uid=xiayi,cn=users,cn=accounts,dc=wanfeng,dc=com
member: uid=wangyan,cn=users,cn=accounts,dc=wanfeng,dc=com
member: uid=zhangzhongyan,cn=users,cn=accounts,dc=wanfeng,dc=com
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
cn: ranger
description: ranger
ipaUniqueID: 14ade9a2-9325-11e8-b036-0800270286ce
gidNumber: 1757400031
-- 修改完配置,重启 Ranger 相关服务,将看到 /var/log/ranger/usersync/usersync.log 文件最后部分打印输出类似如下图:
-- 最后:Ranger 的用户管理界面也能看到这四个用户了:
-- 一切确认OK以后,最后可以将 ranger.usersync.ldap.deltasync 设为 true(增量同步:之后每次只拉取有变动的条目,减轻 LDAP 负载;若发现 Ranger 中的用户/组与 IPA 不一致,可临时改回 false 强制做一次全量同步)