[Step2] Create the Ranger Usersync certificate and apply it to the component
Requires ttr-release version >= 2.2.3
Ambari 3.0.0 + FreeIPA unified authentication. Example environment for this article: Kylin V10 SP3 x86, Realm = TEST.COM
# I. Reproducing the symptom: the service is running, but users are not synced
After the Ranger Usersync service starts, no FreeIPA users or groups appear on the Ranger Admin side.
# 1. Check the Usersync log
```text
[root@dev2 usersync]# cat usersync-dev2.test.com-ranger.log
15 Feb 2026 00:08:17 INFO o.a.r.a.UnixAuthenticationService [main] - Starting User Sync Service!
15 Feb 2026 00:08:17 INFO o.a.r.a.UnixAuthenticationService [main] - Start : startUnixUserGroupSyncProcess
15 Feb 2026 00:08:17 INFO o.a.r.a.UnixAuthenticationService [main] - UnixUserSyncThread started
15 Feb 2026 00:08:17 INFO o.a.r.a.UnixAuthenticationService [main] - creating UserSyncMetricsProducer thread with default metrics location : /var/log/ranger/usersync
15 Feb 2026 00:08:17 INFO o.a.r.a.UnixAuthenticationService [main] - Ranger userSync metrics is not enabled
15 Feb 2026 00:08:17 INFO o.a.r.u.c.UserGroupSyncConfig [UnixUserSyncThread] - Sleep Time Between Cycle can not be lower than [3600000] millisec. resetting to min value.
15 Feb 2026 00:08:17 INFO o.a.r.u.AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
15 Feb 2026 00:08:17 INFO o.a.r.u.AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
15 Feb 2026 00:08:17 INFO o.a.r.u.UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
15 Feb 2026 00:08:17 WARN o.a.h.u.NativeCodeLoader [UnixUserSyncThread] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
15 Feb 2026 00:08:18 INFO o.a.r.u.p.PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Using principal = rangerusersync/dev2.test.com@TEST.COM and keytab = /etc/security/keytabs/rangerusersync.service.keytab
15 Feb 2026 00:08:19 INFO o.a.r.u.p.PolicyMgrUserGroupBuilder [UnixUserSyncThread] - valid cookie saved
15 Feb 2026 00:08:19 INFO o.a.r.u.p.PolicyMgrUserGroupBuilder [UnixUserSyncThread] - PolicyMgrUserGroupBuilder.buildGroupList(): No. of groups retrieved from ranger admin 1
15 Feb 2026 00:08:19 INFO o.a.r.u.p.PolicyMgrUserGroupBuilder [UnixUserSyncThread] - PolicyMgrUserGroupBuilder.buildUserList(): No. of users retrieved from ranger admin = 6
15 Feb 2026 00:08:19 INFO o.a.r.u.UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
15 Feb 2026 00:08:19 INFO o.a.r.l.p.LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
15 Feb 2026 00:08:20 INFO o.a.r.l.p.LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldaps://ipa.test.com:636, ldapBindDn: uid=rangerbind,cn=users,cn=accounts,dc=test,dc=com, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: cn=users,cn=accounts,dc=test,dc=com, userSearchBase: [cn=users,cn=accounts,dc=test,dc=com], userSearchScope: 2, userObjectClass: inetOrgPerson, userSearchFilter: (uid=*), extendedUserSearchFilter: null, userNameAttribute: uid, userSearchAttributes: [uid, uSNChanged, memberof, ismemberof, modifytimestamp, objectid, userurincipaluame], userGroupNameAttributeSet: [memberof, ismemberof], otherUserAttributes: [userurincipaluame], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: [cn=groups,cn=accounts,dc=test,dc=com], groupSearchScope: 2, groupObjectClass: groupOfNames, groupSearchFilter: (cn=*), extendedGroupSearchFilter: (&null(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member, groupNameAttribute: cn, groupSearchAttributes: [uSNChanged, displayname, member, cn, modifytimestamp, objectid], groupSearchFirstEnabled: true, userSearchEnabled: true, ldapReferral: ignore
15 Feb 2026 00:08:20 INFO o.a.r.u.UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
15 Feb 2026 00:08:20 INFO o.a.r.l.p.LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder updateSink started
15 Feb 2026 00:08:20 ERROR o.a.r.l.p.CustomSSLSocketFactory [UnixUserSyncThread] - Unable to obtain keystore from file [/usr/bigtop/current/ranger-usersync/conf/mytruststore.jks]
15 Feb 2026 00:08:20 ERROR o.a.r.u.UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
javax.naming.CommunicationException: ipa.test.com:636
at com.sun.jndi.ldap.Connection.<init>(Connection.java:228)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1609)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:196)
at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.getGroups(LdapUserGroupBuilder.java:688)
at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:380)
at org.apache.ranger.usergroupsync.UserGroupSync.syncUserGroup(UserGroupSync.java:101)
at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:56)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException: null
at org.apache.ranger.ldapusersync.process.CustomSSLSocketFactory.createSocket(CustomSSLSocketFactory.java:139)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:340)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
... 18 common frames omitted
15 Feb 2026 00:08:22 INFO o.a.r.a.UnixAuthenticationService [main] - Enabling Unix Auth Service!
[root@dev2 usersync]#
```
# 2. Identifying the key errors
| Key line | Conclusion |
|---|---|
| ldapUrl: ldaps://ipa.test.com:636 | LDAPS is explicitly in use |
| Unable to obtain keystore | The truststore file is missing |
| CommunicationException: ipa.test.com:636 | SSL initialization failed (the NullPointerException in CustomSSLSocketFactory.createSocket in the trace follows from the missing truststore) |

# II. Root cause: LDAPS requires a component certificate (truststore)
When Usersync connects to the FreeIPA LDAP server, the URL scheme decides what is needed:
- ldap:// (port 389): unencrypted (not recommended for production)
- ldaps:// (port 636): encrypted; the client must trust the FreeIPA CA
# 1. How LDAPS and the truststore relate
| Item | Description |
|---|---|
| FreeIPA CA | Issues the LDAP server certificate |
| Usersync JVM | Must trust that CA |
| Truststore | Where the CA certificates trusted by the JVM are stored |
Key point
For Usersync over LDAPS, it is not the operating system's certificate store that takes effect, but the JVM truststore.
Looking back at the log, the "certificate missing" symptom is already clearly visible at that level.
The Ambari side also shows the truststore path, as in the figure below:

# III. Creating and importing the component certificate (truststore)
A standardized path and alias are used here so that the same approach can be reused later for Ranger Admin, Knox and other components.
# 1. Component certificate conventions
| Item | Recommended value |
|---|---|
| truststore path | /usr/bigtop/current/ranger-usersync/conf/mytruststore.jks |
| alias | ipa-ca |
| storepass | changeit |
| CA certificate source | /etc/ipa/ca.crt |
| file owner | ranger:ranger |
| permissions | 0640 |
Benefit of standardization
A fixed path plus a fixed alias can be turned directly into an automation script, which avoids the secondary problems introduced by "manually editing the path" during every ad hoc troubleshooting session.
# IV. Restart the service and verify end to end
# 1. Restart Usersync
```bash
systemctl restart ranger-usersync
```

# 2. Verify that the log is back to normal
Key checks:
| Check | Success indicator |
|---|---|
| Truststore is readable | "Unable to obtain keystore" no longer appears |
| LDAPS is reachable | "CommunicationException: ... 636" no longer appears |
| Sync completed | The log shows user/group sync statistics |
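As an added example (not from the original post or the Ranger project), the following script applies the conventions table from section III with keytool and then counts the two LDAPS failure signatures from section I in the Usersync log; the log file path and the hypothetical function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Values follow the conventions
# table (path, alias, storepass, CA source, owner, mode); USERSYNC_LOG is assumed.
TRUSTSTORE=/usr/bigtop/current/ranger-usersync/conf/mytruststore.jks
ALIAS=ipa-ca
STOREPASS=changeit
CA_CRT=/etc/ipa/ca.crt
OWNER=ranger:ranger
USERSYNC_LOG=/var/log/ranger/usersync/usersync-dev2.test.com-ranger.log  # assumed

# Import the FreeIPA CA into the Usersync truststore.
# Usage: import_ipa_ca [ca.crt] [truststore.jks]; non-zero return on any failure.
import_ipa_ca() {
  local ca="${1:-$CA_CRT}" ts="${2:-$TRUSTSTORE}"
  [ -r "$ca" ] || { echo "CA certificate not readable: $ca" >&2; return 1; }
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; install a JDK" >&2; return 2; }
  # Drop a stale copy of the alias first so the script can be re-run after a CA rotation
  keytool -delete -alias "$ALIAS" -keystore "$ts" -storepass "$STOREPASS" >/dev/null 2>&1 || true
  keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file "$ca" \
          -keystore "$ts" -storepass "$STOREPASS" || return 3
  chown "$OWNER" "$ts" || return 4      # file owner from the table
  chmod 0640 "$ts" || return 5          # mode from the table
  # Confirm the alias is really in the store before restarting the service
  keytool -list -keystore "$ts" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null
}

# Count the LDAPS failure signatures from section I in a Usersync log.
# Prints the count (0 means the truststore fix took effect); non-zero return if unreadable.
usersync_ldaps_errors() {
  local log="${1:-$USERSYNC_LOG}"
  [ -r "$log" ] || { echo "log not readable: $log" >&2; return 1; }
  grep -c -E 'Unable to obtain keystore|CommunicationException: [^ ]*:636' "$log" || true
}

# Constructed sample (two lines copied from the failing log above) for offline checks.
SAMPLE_FAILING_LOG='15 Feb 2026 00:08:20 ERROR o.a.r.l.p.CustomSSLSocketFactory [UnixUserSyncThread] - Unable to obtain keystore from file [/usr/bigtop/current/ranger-usersync/conf/mytruststore.jks]
javax.naming.CommunicationException: ipa.test.com:636'

# Typical use on the Usersync host (as root), then restart and re-check the log:
#   import_ipa_ca && systemctl restart ranger-usersync && usersync_ldaps_errors
```

Because the truststore holds only FreeIPA's public CA certificate, the well-known storepass is not what protects it; the ranger:ranger ownership and 0640 mode are what keep other local users from swapping in a different CA.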
