The Kerberos chapter now includes a FreeIPA solution; anyone who needs it is welcome to consult it, and this site will complete the content migration. Ttbigdata: Ambari Kerberos Compendium

Requires ttr-release version >= 2.2.3
Ambari 3.0.0 + FreeIPA unified authentication
Example environment for this article: Kylin V10 SP3 x86, Realm = TEST.COM

1. Reproducing the symptom: the service is running, but no users are synchronised

After the Ranger Usersync service starts, no FreeIPA users or groups appear on the Ranger Admin side.

1.1 Check the Usersync log

[root@dev2 usersync]# cat usersync-dev2.test.com-ranger.log 
15 Feb 2026 00:08:17  INFO o.a.r.a.UnixAuthenticationService [main] - Starting User Sync Service!
15 Feb 2026 00:08:17  INFO o.a.r.a.UnixAuthenticationService [main] - Start : startUnixUserGroupSyncProcess 
15 Feb 2026 00:08:17  INFO o.a.r.a.UnixAuthenticationService [main] - UnixUserSyncThread started
15 Feb 2026 00:08:17  INFO o.a.r.a.UnixAuthenticationService [main] - creating UserSyncMetricsProducer thread with default metrics location : /var/log/ranger/usersync
15 Feb 2026 00:08:17  INFO o.a.r.a.UnixAuthenticationService [main] -  Ranger userSync metrics is not enabled
15 Feb 2026 00:08:17  INFO o.a.r.u.c.UserGroupSyncConfig [UnixUserSyncThread] - Sleep Time Between Cycle can not be lower than [3600000] millisec. resetting to min value.
15 Feb 2026 00:08:17  INFO o.a.r.u.AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
15 Feb 2026 00:08:17  INFO o.a.r.u.AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
15 Feb 2026 00:08:17  INFO o.a.r.u.UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
15 Feb 2026 00:08:17  WARN o.a.h.u.NativeCodeLoader [UnixUserSyncThread] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
15 Feb 2026 00:08:18  INFO o.a.r.u.p.PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Using principal = rangerusersync/dev2.test.com@TEST.COM and keytab = /etc/security/keytabs/rangerusersync.service.keytab
15 Feb 2026 00:08:19  INFO o.a.r.u.p.PolicyMgrUserGroupBuilder [UnixUserSyncThread] - valid cookie saved 
15 Feb 2026 00:08:19  INFO o.a.r.u.p.PolicyMgrUserGroupBuilder [UnixUserSyncThread] - PolicyMgrUserGroupBuilder.buildGroupList(): No. of groups retrieved from ranger admin 1
15 Feb 2026 00:08:19  INFO o.a.r.u.p.PolicyMgrUserGroupBuilder [UnixUserSyncThread] - PolicyMgrUserGroupBuilder.buildUserList(): No. of users retrieved from ranger admin = 6
15 Feb 2026 00:08:19  INFO o.a.r.u.UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
15 Feb 2026 00:08:19  INFO o.a.r.l.p.LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
15 Feb 2026 00:08:20  INFO o.a.r.l.p.LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with --  ldapUrl: ldaps://ipa.test.com:636,  ldapBindDn: uid=rangerbind,cn=users,cn=accounts,dc=test,dc=com,  ldapBindPassword: ***** ,  ldapAuthenticationMechanism: simple,  searchBase: cn=users,cn=accounts,dc=test,dc=com,  userSearchBase: [cn=users,cn=accounts,dc=test,dc=com],  userSearchScope: 2,  userObjectClass: inetOrgPerson,  userSearchFilter: (uid=*),  extendedUserSearchFilter: null,  userNameAttribute: uid,  userSearchAttributes: [uid, uSNChanged, memberof, ismemberof, modifytimestamp, objectid, userurincipaluame],  userGroupNameAttributeSet: [memberof, ismemberof],  otherUserAttributes: [userurincipaluame],  pagedResultsEnabled: true,  pagedResultsSize: 500,  groupSearchEnabled: true,  groupSearchBase: [cn=groups,cn=accounts,dc=test,dc=com],  groupSearchScope: 2,  groupObjectClass: groupOfNames,  groupSearchFilter: (cn=*),  extendedGroupSearchFilter: (&null(|(member={0})(member={1}))),  extendedAllGroupsSearchFilter: null,  groupMemberAttributeName: member,  groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, displayname, member, cn, modifytimestamp, objectid], groupSearchFirstEnabled: true, userSearchEnabled: true,  ldapReferral: ignore
15 Feb 2026 00:08:20  INFO o.a.r.u.UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
15 Feb 2026 00:08:20  INFO o.a.r.l.p.LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder updateSink started
15 Feb 2026 00:08:20 ERROR o.a.r.l.p.CustomSSLSocketFactory [UnixUserSyncThread] - Unable to obtain keystore from file [/usr/bigtop/current/ranger-usersync/conf/mytruststore.jks]
15 Feb 2026 00:08:20 ERROR o.a.r.u.UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details: 
javax.naming.CommunicationException: ipa.test.com:636
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:228)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1609)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:196)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.getGroups(LdapUserGroupBuilder.java:688)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:380)
        at org.apache.ranger.usergroupsync.UserGroupSync.syncUserGroup(UserGroupSync.java:101)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:56)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException: null
        at org.apache.ranger.ldapusersync.process.CustomSSLSocketFactory.createSocket(CustomSSLSocketFactory.java:139)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.sun.jndi.ldap.Connection.createSocket(Connection.java:340)
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
        ... 18 common frames omitted
15 Feb 2026 00:08:22  INFO o.a.r.a.UnixAuthenticationService [main] - Enabling Unix Auth Service!
[root@dev2 usersync]# 

1.2 Pinpointing the key errors

Key line                                    Conclusion
ldapUrl: ldaps://ipa.test.com:636           LDAPS is explicitly in use
Unable to obtain keystore                   The truststore file is missing
CommunicationException: ipa.test.com:636    SSL initialisation failed

2. Root cause: LDAPS requires a "component certificate"

When Usersync connects to the FreeIPA LDAP, the URL scheme decides what is needed:

  • ldap:// (389): unencrypted (not recommended for production)
  • ldaps:// (636): encrypted; the issuing CA must be trusted

2.1 How LDAPS relates to the truststore

Item            Description
FreeIPA CA      Issues the LDAP server certificate
Usersync JVM    Must trust that CA
Truststore      Where the CAs trusted by the JVM are stored

Key point
For Usersync, LDAPS trust does not come from the operating system's certificate store; it comes from the JVM truststore.

Returning to the log: the error at this layer already points plainly to a missing certificate.

Ambari shows the same truststore path in the Usersync configuration.

3. Creating and importing the component certificate (truststore)

A single standard path and alias are used here so that the truststore can later be reused by Ranger Admin, Knox and other components.

3.1 Component certificate conventions

Item                Recommended value
truststore path     /usr/bigtop/current/ranger-usersync/conf/mytruststore.jks
alias               ipa-ca
storepass           changeit
CA certificate      /etc/ipa/ca.crt
file owner          ranger:ranger
permissions         0640

Why standardise
With a fixed path and a fixed alias, the procedure can be captured directly in an automation script, avoiding the secondary problems introduced by hand-editing paths during ad-hoc troubleshooting.

For the procedure, see:
Ranger Usersync Certificate Quick Import (FreeIPA LDAPS)

4. Restart the service and verify end to end

4.1 Restart Usersync

systemctl restart ranger-usersync

4.2 Verify that the log is healthy again

Key checks:

Check                        Success mark
truststore is readable       "Unable to obtain keystore" no longer appears
LDAPS connects               "CommunicationException: ...:636" no longer appears
sync completes               the log shows user/group sync statistics
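As an added example (not part of the original post), the following script captures the conventions of section 3 in an idempotent keytool import and the checks of section 4 in a small log classifier. It assumes the JDK's keytool is on PATH, that Usersync runs as the ranger user, and, as an approximation, that a log showing "updateSink started" with no error mark is a healthy run; the sample log lines are constructed from the log in section 1.

```shell
#!/bin/sh
# Added example, not from the original post: import the FreeIPA CA into the
# Ranger Usersync JVM truststore with the path/alias/password from section 3,
# then classify a Usersync log against the success marks of section 4.
set -eu
TRUSTSTORE=/usr/bigtop/current/ranger-usersync/conf/mytruststore.jks
ALIAS=ipa-ca
STOREPASS=changeit        # value from the post; use a site-specific password in production
CA_CERT=/etc/ipa/ca.crt   # CA that signed the FreeIPA LDAP server certificate

# Idempotent import: a rerun finds the alias and skips keytool -importcert.
import_ipa_ca() {
  if keytool -list -alias "$ALIAS" -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null 2>&1; then
    echo "alias $ALIAS already present in $TRUSTSTORE"
  else
    keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file "$CA_CERT" \
      -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
  fi
  # Usersync runs as ranger (assumed); the file must be readable by it and by no one else.
  chown ranger:ranger "$TRUSTSTORE"
  chmod 0640 "$TRUSTSTORE"
}

# Read a log (file argument or stdin) and print one verdict, error marks first:
# TRUSTSTORE_MISSING, LDAPS_FAILED, INIT_FAILED, SYNC_OK (exit 0) or UNKNOWN.
# SYNC_OK is an approximation: the exact statistics line varies between Ranger versions.
check_usersync_log() {
  content=$(cat "${1:-/dev/stdin}")
  if printf '%s\n' "$content" | grep -q 'Unable to obtain keystore'; then
    echo TRUSTSTORE_MISSING; return 1
  elif printf '%s\n' "$content" | grep -Eq 'CommunicationException: [^ ]*:636'; then
    echo LDAPS_FAILED; return 1
  elif printf '%s\n' "$content" | grep -q 'Failed to initialize UserGroup source/sink'; then
    echo INIT_FAILED; return 1
  elif printf '%s\n' "$content" | grep -q 'LdapUserGroupBuilder updateSink started'; then
    echo SYNC_OK; return 0
  fi
  echo UNKNOWN; return 1
}

# Sample log lines modelled on section 1 (constructed here, not captured from a host).
SAMPLE_BROKEN='15 Feb 2026 00:08:20 ERROR o.a.r.l.p.CustomSSLSocketFactory [UnixUserSyncThread] - Unable to obtain keystore from file [/usr/bigtop/current/ranger-usersync/conf/mytruststore.jks]
javax.naming.CommunicationException: ipa.test.com:636'
SAMPLE_OK='15 Feb 2026 00:20:05  INFO o.a.r.l.p.LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder updateSink started'

case "${1:-}" in
  import) import_ipa_ca ;;
  check)  check_usersync_log "${2:?usage: $0 check <usersync.log>}" ;;
  demo)   printf '%s\n' "$SAMPLE_BROKEN" | check_usersync_log || true; printf '%s\n' "$SAMPLE_OK" | check_usersync_log ;;
esac
```

Run `sh fix-usersync-truststore.sh import` once on the Usersync host, restart the service, then `sh fix-usersync-truststore.sh check /var/log/ranger/usersync/<logfile>` returns exit 0 only when no error mark is present.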
