Dhaval Shah created RANGER-5427:
-----------------------------------

             Summary: AD Groups with 1500+ Users Fail to Sync into Ranger Admin via RangerUserSync
                 Key: RANGER-5427
                 URL: https://issues.apache.org/jira/browse/RANGER-5427
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
            Reporter: Dhaval Shah
            Assignee: Dhaval Shah


h3. *Problem Description*

Active Directory (AD) groups containing *more than 1500 users* are *not fully 
synchronized* into *Ranger Admin* when using the *RangerUserSync* service.

During LDAP sync, RangerUserSync retrieves only the first 1500 members of such
groups, resulting in *missing users* in Ranger Admin.

h3. *Root Cause*

Active Directory enforces a hard limit (*MaxValRange = 1500*) on
multi-valued attributes such as {{member}}.

For groups with more than 1500 users, AD returns group members using
*range-based attributes*, for example:

{code}
member;range=0-1499
{code}

RangerUserSync currently expects the standard {{member}} attribute and *does
not handle range-based member retrieval*, which causes incomplete group
membership resolution.
h3. *Example*

*Non-working (large AD group, more than 1500 members):*

{code}
member;range=0-1499: CN=1624070,OU=User,OU=Accounts,OU=ITSC,DC=zone1,DC=scb,DC=net
{code}

*Working (group with fewer than 1500 users):*

{code}
member: CN=g.edm.hasteapp.001,OU=Generic,OU=Accounts,OU=ITSC,DC=zone1,DC=scb,DC=net
{code}

h3. *Solution / Fix*

A new configuration property has been introduced to support *large AD group
synchronization* using *range retrieval*.

*Property Name:*
{code}
ranger.usersync.ldap.largegroupsync
{code}

*Default Value:* {{false}}

*Required Value to Fix the Issue:* {{true}}

This property must be enabled in the following file:
{{ranger-ugsync-site.xml}}

When {{ranger.usersync.ldap.largegroupsync}} is set to {{true}}:
 * RangerUserSync fetches group members *in batches of 1500*
 * LDAP queries use range-based attributes: {{member;range=0-1499}}, {{member;range=1500-2999}}, ...
 * Sync continues *until AD returns {{member;range=*-*}}*, indicating the final batch
 * All users in large AD groups are successfully synced into Ranger Admin
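As an added illustration of the Root Cause and Solution sections above (not code from this issue, nor from the Ranger project, whose usersync is written in Java), the following Python shows the two behaviours side by side: a single request for {{member}} that silently stops at the first 1500 values, and the range-retrieval loop that keeps asking for {{member;range=START-END}} in batches of 1500 until AD answers with a range whose upper bound is {{*}}. The directory is a constructed in-memory stand-in for AD's MaxValRange behaviour; the {{search}} callable, {{make_ad_simulator}}, and all DNs are assumptions for the example, not the RangerUserSync API.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Default MaxValRange enforced by Active Directory, as described in the issue.
MAX_VAL_RANGE = 1500

# Matches AD range option names such as "member;range=0-1499" or "member;range=3000-*".
_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)

# A search callable stands in for the directory (assumption for this example): given a
# group DN and the attribute name to request, it returns what AD answered ({name: [values]}).
SearchFn = Callable[[str, str], Dict[str, List[str]]]


def parse_range_attribute(name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Split 'member;range=LO-HI' into (base attribute, LO, HI).

    HI is None when AD answered with '*', which marks the final batch.
    Returns None for a plain attribute name such as 'member'.
    """
    m = _RANGE_RE.match(name)
    if m is None:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


def fetch_members_naive(search: SearchFn, group_dn: str, attr: str = "member") -> List[str]:
    """The incomplete behaviour the issue describes: one request for 'member',
    take whatever values come back, never ask for the next range."""
    result = search(group_dn, attr)
    for name, values in result.items():
        if name.lower() == attr.lower() or name.lower().startswith(attr.lower() + ";range="):
            return list(values)
    return []


def fetch_all_members(search: SearchFn, group_dn: str, attr: str = "member",
                      batch: int = MAX_VAL_RANGE) -> List[str]:
    """Range retrieval: keep requesting 'attr;range=START-END' in steps of `batch`
    until AD returns a range whose upper bound is '*'."""
    members: List[str] = []
    requested = attr          # small groups answer with the plain attribute
    expected_start = 0
    while True:
        result = search(group_dn, requested)
        if attr in result:    # whole list in one answer: nothing more to fetch
            members.extend(result[attr])
            return members
        ranged = None
        for name, values in result.items():
            parsed = parse_range_attribute(name)
            if parsed is not None and parsed[0].lower() == attr.lower():
                ranged = (parsed[1], parsed[2], values)
                break
        if ranged is None:    # attribute absent altogether, e.g. an empty group
            return members
        lo, hi, values = ranged
        if lo != expected_start:
            raise ValueError(f"AD returned range starting at {lo}, expected {expected_start}")
        members.extend(values)
        if hi is None:        # '*' upper bound: this was the final batch
            return members
        expected_start = hi + 1
        requested = f"{attr};range={expected_start}-{expected_start + batch - 1}"


def make_ad_simulator(groups: Dict[str, List[str]], max_val_range: int = MAX_VAL_RANGE) -> SearchFn:
    """Constructed stand-in for AD's MaxValRange behaviour (not a real LDAP client):
    a plain request on a group above the limit, or any explicit range request, is
    answered with at most max_val_range values under 'attr;range=LO-HI', and the
    range that contains the last member is labelled 'attr;range=LO-*'."""
    def search(group_dn: str, requested: str) -> Dict[str, List[str]]:
        values = groups[group_dn]
        parsed = parse_range_attribute(requested)
        if parsed is None:
            if len(values) <= max_val_range:
                return {requested: list(values)}
            attr, lo, hi = requested, 0, max_val_range - 1
        else:
            attr, lo, hi = parsed
            hi = lo + max_val_range - 1 if hi is None else min(hi, lo + max_val_range - 1)
        if hi >= len(values) - 1:
            return {f"{attr};range={lo}-*": values[lo:]}
        return {f"{attr};range={lo}-{hi}": values[lo:hi + 1]}
    return search


# Constructed sample directory: one group above the limit, one below.
BIG_GROUP_DN = "CN=big-group,OU=Groups,DC=example,DC=test"
SMALL_GROUP_DN = "CN=small-group,OU=Groups,DC=example,DC=test"
SAMPLE_GROUPS = {
    BIG_GROUP_DN: [f"CN=user{i},OU=User,OU=Accounts,DC=example,DC=test" for i in range(3701)],
    SMALL_GROUP_DN: [f"CN=svc{i},OU=Generic,OU=Accounts,DC=example,DC=test" for i in range(42)],
}
AD = make_ad_simulator(SAMPLE_GROUPS)

if __name__ == "__main__":
    for dn in (BIG_GROUP_DN, SMALL_GROUP_DN):
        print(dn, "naive:", len(fetch_members_naive(AD, dn)),
              "range retrieval:", len(fetch_all_members(AD, dn)))
```

Against the 3701-member sample group the naive path returns exactly 1500 entries, which is the symptom reported above, while the range loop makes three requests ({{member}}, {{member;range=1500-2999}}, {{member;range=3000-4499}}) and stops when the last answer carries a {{*}} upper bound. The {{lo != expected_start}} check is worth keeping in a real client: a range that does not start where the previous one ended would mean duplicated or skipped members, and a sync that silently accepts it would be just as wrong as the current truncation.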



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
