Details
Bug
Status: Open
Major
Resolution: Unresolved
2.2.0
None
None
Description
Hi team,
We have encountered an issue on Ranger usersync with LDAP synchronization.
(We use a VIP for LDAP search and the SSL certificate of one node has been changed without updating it in the Ranger truststore.)
The user search to retrieve users from LDAP failed (SSLHandshakeException), but the sync cycle continues, assuming there are no retrieved users, instead of failing for this cycle.
As we were on the delete cycle, accounts are considered deleted in Ranger and we have Access Denied for all Ranger requests.
We corrected our incident by updating our certificates but usersync's behavior remains dangerous.
Could it be possible to update LdapUserGroupBuilder.java to fail the current sync cycle if the user or group LDAP search fails?
Thanks for your help,
Best Regards
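
The failure mode reported above, next to a fail-closed alternative, as an added example that is not Ranger's code and not taken from LdapUserGroupBuilder.java. The `UserSource` interface, the method names and the sample users are hypothetical; the LDAP search is simulated so the example runs offline.

```java
import java.util.*;
import javax.naming.CommunicationException;
import javax.naming.NamingException;

public class FailClosedSyncDemo {
    // Hypothetical stand-in for the LDAP user search; not Ranger's API.
    interface UserSource { Set<String> searchUsers() throws NamingException; }

    // Pattern described in the report: the search error is swallowed, so the
    // delete phase sees an empty result and treats every known user as removed.
    static Set<String> unsafeDeletes(UserSource ldap, Set<String> known) {
        Set<String> found = new HashSet<>();
        try {
            found.addAll(ldap.searchUsers());
        } catch (NamingException e) {
            System.err.println("search failed, continuing: " + e.getMessage());
        }
        Set<String> toDelete = new TreeSet<>(known);
        toDelete.removeAll(found);
        return toDelete;
    }

    // Fail-closed variant: a failed search aborts the cycle, nothing is deleted.
    static Set<String> safeDeletes(UserSource ldap, Set<String> known) throws NamingException {
        Set<String> found = ldap.searchUsers(); // exception propagates to the caller
        Set<String> toDelete = new TreeSet<>(known);
        toDelete.removeAll(found);
        return toDelete;
    }

    public static void main(String[] args) {
        Set<String> known = Set.of("alice", "bob", "carol"); // constructed sample data
        // Constructed failure: JNDI surfaces a TLS handshake error as a CommunicationException.
        UserSource broken = () -> {
            throw new CommunicationException("simulated SSLHandshakeException");
        };
        System.out.println("unsafe cycle deletes: " + unsafeDeletes(broken, known));
        try {
            System.out.println("safe cycle deletes: " + safeDeletes(broken, known));
        } catch (NamingException e) {
            System.out.println("safe cycle aborted, 0 deletions: " + e.getMessage());
        }
    }
}
```

With the simulated handshake failure, the unsafe variant marks all three known users for deletion, while the fail-closed variant ends the cycle without computing any deletions.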