
# Ranger Usersync

The following table contains the list of custom properties that can be configured for Ranger Usersync.

| Property | Description | Values | Default Value |
|---|---|---|---|
| USERSYNC_ENABLE | Enables the Usersync module, which syncs users, groups, and/or roles from a directory (e.g., LDAP, AAD, SCIM) to Privacera and Ranger. | true<br>false | false |
| USERSYNC_INSTALL | Instructs Privacera Manager to install the Usersync components. Usually set by USERSYNC_ENABLE. | true<br>false | `{{ IS_MASTER_NODE if USERSYNC_ENABLE == 'true' else 'false' }}` |
| USERSYNC_IMAGE_NAME | Docker image to pull for the Usersync container/pod. | Set by the Privacera release tag. May be overridden by `<privacera_hub_url>` for a local Docker Hub. | `{{privacera_hub_url}}/ranger-usersync` |
| USERSYNC_IMAGE_TAG | Tag to use for the specified release. Set by `<RANGER_IMAGE_TAG>`. | See above | `{{RANGER_IMAGE_TAG}}` |
| USERSYNC_PID_DIR_PATH | Please work with Technical Support if this needs to be changed. | Any valid PID path within the image | /var/run/ranger |
| USERSYNC_RANGER_BASE_DIR | Please work with Technical Support if this needs to be changed. | Base directory for the Usersync install within the image | /etc/ranger |
| USERSYNC_RANGER_URL | URL that Usersync uses to connect to the Apache Ranger APIs. | Defaults to HTTP or HTTPS depending upon `<RANGER_SSL_ENABLE>` | `{{RANGER_URL}}` |
| USERSYNC_SOURCE | Source type for user/group sync. | ldap<br>azuread<br>unix | unix |
| USERSYNC_SYNC_LDAP_URL | Full URL for the LDAP or LDAPS connection to the directory server. | ldap://dir.ldap.us:389<br>ldaps://dir.ldap.us:636<br>(replace hostname and port with valid values for your directory) | (no default value) |
| USERSYNC_SYNC_LDAP_BIND_DN | Distinguished name (DN) of the account used to connect to and read from the directory. | Example: CN=Bind User,OU=example,DC=ad,DC=example,DC=com | (no default value) |
| USERSYNC_SYNC_LDAP_BIND_PASSWORD | Password of the account used to connect to and read from the directory. | DoNotUseThisPassword2000 | `<PLEASE_CHANGE>` |
| USERSYNC_SYNC_LDAP_SEARCH_BASE | The base DN used to search for all objects. Typically the root of the domain in the directory. | Example: DC=ad,DC=example,DC=com | (no default value) |
| USERSYNC_SYNC_LDAP_USER_SEARCH_BASE | The base DN used to search for users. Only users below this point in the directory are included in the user-first search. Typically a user's OU or similar. Multiple search bases may be separated with a semicolon. | Single example:<br>OU=example_services,OU=example,DC=ad,DC=example,DC=com<br>Multiple example:<br>ou=ou1,dc=com,dc=example,dc=ad;ou=ou2,dc=com,dc=example,dc=ad | (no default value) |
| USERSYNC_SYNC_LDAP_DELTASYNC | Turns on "delta" sync, which uses the updated date in the directory to sync only changed or new objects to Privacera and Apache Ranger. | true<br>false | true |
| USERSYNC_SYNC_LDAP_USER_SEARCH_SCOPE | Sets the level to search within the directory (base only, one level, or full subtree). | sub<br>one<br>base | sub |
| USERSYNC_SYNC_LDAP_OBJECT_CLASS | User object class within the directory. Varies by directory: typically person or organizationalPerson for Active Directory, inetOrgPerson for FreeIPA. | Examples:<br>top<br>person<br>inetOrgPerson<br>organizationalPerson<br>user<br>posixAccount | user |
| USERSYNC_SYNC_LDAP_USER_SEARCH_FILTER | Valid LDAP search filter to limit the users returned and synced. May be used to filter on group memberships or other attributes. | Return all users:<br>`cn=*`<br>Return members of the Analysts and DBA groups:<br>`(\|(memberof=CN=Analysts,OU=groups,DC=example,DC=com)(memberof=CN=DBA,OU=groups,DC=example,DC=com))` | (no default value) |
| USERSYNC_SYNC_LDAP_USER_NAME_ATTRIBUTE | LDAP attribute to map to the Privacera user name. | samAccountName (Active Directory)<br>uid<br>cn | cn |
| USERSYNC_SYNC_LDAP_USER_EMAIL_ADDRESS_ATTRIBUTE | LDAP attribute to map to the email address in Privacera. | mail<br>UPN | mail |
| USERSYNC_SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE | Attribute used to identify the groups to which a user belongs. | memberof<br>ismemberof<br>gidNumber<br>primaryGroupID | memberof,ismemberof |
| USERSYNC_SYNC_LDAP_USER_OTHER_ATTRIBUTES | Additional LDAP user attributes to map to the Ranger user entity, beyond the user attributes that are mapped by default. They can then be used for access control in Ranger. To assign multiple attributes, use comma-separated values. | cn<br>badPasswordTime<br>logonCount | cn,badPasswordTime,logonCount |
| USERSYNC_SYNC_GROUP_OTHER_ATTRIBUTES | Additional LDAP group attributes to map to the Ranger group entity, beyond the group attributes that are mapped by default. They can then be used for access control in Ranger. To assign multiple attributes, use comma-separated values. | cn<br>groupType | cn,groupType |
| USERSYNC_SYNC_LDAP_GROUP_HIERARCHY_LEVELS | Determines how many levels of a nested group structure (a group within a group) are considered when syncing users to Ranger.<br>By default, Ranger syncs each user only into its immediate group and not into any enclosing group of the nested structure.<br>Use this property to also add the users of a group to its parent group and the groups above it.<br>Consider the following nested LDAP group structure, where user 1 is a member of Sub-group 2:<br>Group A > Sub-group 1 > Sub-group 2 > user 1<br>If the value is 0, the default behaviour applies.<br>If the value is 2, user 1 becomes a member of its current group (Sub-group 2) and of the groups above it (Sub-group 1 and Group A).<br>Be aware that deep hierarchies (greater than 2) have a performance impact. | A valid integer, 0 or greater | 0 |
| USERSYNC_SYNC_LDAP_SSL_ENABLED | | | FALSE |
| USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS | | | FALSE |
| USERSYNC_SYNC_LDAP_SSL_TRUSTSTORE_FILE | | | client_usersync_ldaps_truststore.jks |
| USERSYNC_SYNC_LDAP_SSL_TRUSTSTORE_TYPE | | | jks |
| USERSYNC_SYNC_LDAP_SSL_TRUSTSTORE_PASSWORD | | | dwNdzqXsLEX83 |
| USERSYNC_SYNC_LDAP_SSL_AUTO_GEN_TRUSTSTORE_FILE | Privacera Manager can create a certificate automatically with a given name and type. In this property, give the name for the certificate. | client_usersync_ldaps_truststore.cer OR client_usersync_ldaps_truststore.jks OR client_usersync_ldaps_truststore.p12 | client_usersync_ldaps_truststore.cer |
| USERSYNC_SYNC_LDAP_SSL_AUTO_GEN_TRUSTSTORE_TYPE | Privacera Manager can create a certificate automatically of a specific type. In this property, give the type for the certificate. | cer, jks, p12 | cer |
| USERSYNC_SYNC_LDAP_USERNAME_CASE_CONVERSION | Changes the case of LDAP user names. If set to lower, any user name containing uppercase letters is converted to lowercase. | lower, upper | lower |
| USERSYNC_SYNC_LDAP_GROUPNAME_CASE_CONVERSION | Changes the case of LDAP group names. If set to lower, any group name containing uppercase letters is converted to lowercase. | lower, upper | lower |
| USERSYNC_SYNC_GROUP_SEARCH_ENABLED | | | FALSE |
| USERSYNC_SYNC_GROUP_SEARCH_FIRST_ENABLED | | | FALSE |
| USERSYNC_SYNC_GROUP_USER_MAP_SYNC_ENABLED | | | TRUE |
| USERSYNC_SYNC_GROUPUSERS_PAGED_SIZE | By default, Ranger Usersync syncs a maximum of 1500 users from each group (depending on the LDAP version). To sync more LDAP users than this maximum, set a page size; Ranger Usersync then retrieves the users from the LDAP server in pages of that size. | | 500 |
| USERSYNC_CRED_KEYSTORE_FILENAME | | | /etc/ranger/usersync/conf/rangerusersync.jceks |
| USERSYNC_AUTH_SSL_ENABLED | | | `{{ENABLE_SSL}}` |
| USERSYNC_AUTH_SSL_KEYSTORE_FILE | | | /etc/ranger/usersync/conf/cert/unixauthservice.jks |
| USERSYNC_AUTH_SSL_KEYSTORE_PASSWORD | | | UnIx529p |
| USERSYNC_AUTH_SSL_TRUSTSTORE_FILE | | | `/etc/ranger/usersync/conf/{{PRIVACERA_GLOBAL_TRUSTSTORE_FILENAME}}` |
| USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD | | | `{{PRIVACERA_GLOBAL_TRUSTSTORE_PASSWORD}}` |
| USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM | | | userPrincipalName |
| USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM | | | userPrincipalName |
| USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM | | | displayName |
| SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED | | | FALSE |
| SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM | | | appId |
| USERSYNC_RANGER_USERSYNC_COOKIE | | | FALSE |
| USERSYNC_ENCRYPT_SECRETS | | | `{{GLOBAL_ENCRYPT_SECRETS}}` |
| USERSYNC_SECRETS_FILE | | | `/etc/ranger/usersync/conf/ranger-usersync{{GLOBAL_SECRETS_FILE_SUFFIX}}` |
| USERSYNC_SECRETS_KEYSTORE_PASSWORD | | | `{{GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD}}` |
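The effect of USERSYNC_SYNC_LDAP_GROUP_HIERARCHY_LEVELS on the nested-group structure described above (Group A > Sub-group 1 > Sub-group 2 > user 1) is easier to see with a small model of the expansion. The following is an added illustration, not Privacera or Apache Ranger code: the group/parent map `GROUP_PARENTS`, the membership map `USER_DIRECT_GROUPS` and the functions `expand_groups` and `sync_memberships` are constructed for this example. It goes slightly beyond the table by guarding against cyclic group references, which some directories permit, so that a large level value never causes an endless walk.

```python
"""Model (not Privacera/Ranger code) of how a nested-group hierarchy level
expands a user's group memberships before they are pushed to Ranger.
All directory data below is constructed for the example."""

from collections import deque

# Constructed sample: each group maps to the groups it is directly a member of
# (the memberOf relation on group objects). Group A is the top-level group.
GROUP_PARENTS = {
    "Group A": [],
    "Sub-group 1": ["Group A"],
    "Sub-group 2": ["Sub-group 1"],
}

# Constructed sample: a user's direct memberships, as read from the attribute
# named by USERSYNC_SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE (e.g. memberof).
USER_DIRECT_GROUPS = {
    "user 1": ["Sub-group 2"],
}


def expand_groups(direct_groups, group_parents, hierarchy_levels):
    """Return the set of groups a user is synced into.

    hierarchy_levels == 0 keeps only the immediate groups (the default).
    hierarchy_levels == n additionally adds the parents up to n levels above
    each immediate group. The visited set makes the walk terminate even when
    the directory contains a membership cycle.
    """
    if hierarchy_levels < 0:
        raise ValueError("hierarchy level must be an integer 0 or greater")
    result = set(direct_groups)
    visited = set(direct_groups)
    # Breadth-first walk upward; depth counts levels above the immediate group.
    queue = deque((group, 0) for group in direct_groups)
    while queue:
        group, depth = queue.popleft()
        if depth >= hierarchy_levels:
            continue
        for parent in group_parents.get(group, []):
            if parent in visited:
                continue
            visited.add(parent)
            result.add(parent)
            queue.append((parent, depth + 1))
    return result


def sync_memberships(users, group_parents, hierarchy_levels):
    """Compute the sorted group list for every user, as one sync run would."""
    return {
        user: sorted(expand_groups(groups, group_parents, hierarchy_levels))
        for user, groups in users.items()
    }


if __name__ == "__main__":
    for level in (0, 1, 2, 5):
        print(level, sync_memberships(USER_DIRECT_GROUPS, GROUP_PARENTS, level))
```

With level 0 user 1 is a member of Sub-group 2 only; with level 2 the result is Group A, Sub-group 1 and Sub-group 2, matching the table. A level higher than the actual nesting depth adds no further groups but still walks every parent chain for every user, which is why the table warns about the cost of deep hierarchies.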
## Memory Variables

| Property | Description | Default Value |
|---|---|---|
| USERSYNC_HEAP_MIN_MEMORY_MB | Minimum Java heap memory in MB used by Ranger Usersync. For example, `USERSYNC_HEAP_MIN_MEMORY_MB: "1024"` | |
| USERSYNC_HEAP_MIN_MEMORY | Minimum Java heap memory used by Ranger Usersync. Setting this value overrides USERSYNC_HEAP_MIN_MEMORY_MB. For example, `USERSYNC_HEAP_MIN_MEMORY: "1g"` | |
| USERSYNC_HEAP_MAX_MEMORY_MB | Maximum Java heap memory in MB used by Ranger Usersync. For example, `USERSYNC_HEAP_MAX_MEMORY_MB: "1024"` | |
| USERSYNC_HEAP_MAX_MEMORY | Maximum Java heap memory used by Ranger Usersync. Setting this value overrides USERSYNC_HEAP_MAX_MEMORY_MB. For example, `USERSYNC_HEAP_MAX_MEMORY: "1g"` | |
| USERSYNC_K8S_MEM_REQUESTS_MB | Minimum amount of Kubernetes memory in MB to be requested by Ranger Usersync. For example, `USERSYNC_K8S_MEM_REQUESTS_MB: "1024"` | |
| USERSYNC_K8S_MEM_REQUESTS | Minimum amount of Kubernetes memory to be requested by Ranger Usersync. Setting this value overrides USERSYNC_K8S_MEM_REQUESTS_MB. For example, `USERSYNC_K8S_MEM_REQUESTS: "1G"` | |
| USERSYNC_K8S_MEM_LIMITS_MB | Maximum amount of Kubernetes memory in MB to be used by Ranger Usersync. For example, `USERSYNC_K8S_MEM_LIMITS_MB: "1024"` | |
| USERSYNC_K8S_MEM_LIMITS | Maximum amount of Kubernetes memory to be used by Ranger Usersync. Setting this value overrides USERSYNC_K8S_MEM_LIMITS_MB. For example, `USERSYNC_K8S_MEM_LIMITS: "1G"` | |
| USERSYNC_CPU_MIN | Minimum amount of Kubernetes CPU to be requested by Ranger Usersync. For example, `USERSYNC_CPU_MIN: "0.5"` | |
| USERSYNC_CPU_MAX | Maximum amount of Kubernetes CPU to be used by Ranger Usersync. For example, `USERSYNC_CPU_MAX: "0.5"` | |
| USERSYNC_K8S_CPU_REQUESTS | | `{{ USERSYNC_CPU_MIN }}` |
| USERSYNC_K8S_CPU_LIMITS | | `{{ USERSYNC_CPU_MAX }}` |
| USERSYNC_HELM_CHART_VERSION | | `{{PRIVACERA_HELM_CHART_VERSION}}` |

Last update: September 23, 2021