dhavalshah9131 opened a new pull request, #966:
URL: https://github.com/apache/ranger/pull/966

   …
   ## What changes were proposed in this pull request?
   RANGER-5427 : AD Groups with 1500+ Users Fail to Sync into Ranger Admin via RangerUserSync
   **Problem Description**
   Active Directory (AD) groups containing **more than 1500** users are **not fully synchronized** into **Ranger Admin** when using the **RangerUserSync** service.
   
   During LDAP sync, RangerUserSync retrieves only the first 1500 members of such groups, resulting in **missing users** in Ranger Admin.
   
   **Root Cause**
   Active Directory enforces a hard limit **(MaxValRange = 1500)** on multi-valued attributes such as `member`.
   
   For groups with more than 1500 users, AD returns group members using **range-based attributes**, for example:
    
   `member;range=0-1499`
   RangerUserSync currently expects the standard `member` attribute and **does not handle range-based member retrieval**, which causes incomplete group membership resolution.
   
   **Example**
   **Non-working (Large AD group):**
    
   `member;range=0-1499: CN=1624070,OU=User,OU=Accounts,OU=people,DC=zone1,DC=scb,DC=net`
    
   **Working (Group with <1500 users):**
   
   `member: CN=<cn>,OU=Generic,OU=Accounts,OU=people,DC=zone1,DC=scb,DC=net`
    
   
   **Solution / Fix**
   A new configuration property has been introduced to support large AD group synchronization using range retrieval.
   
   Property Name:
   
   `ranger.usersync.ldap.largegroupsync`
    
   **Default Value:** false
   
   **Required Value to Fix the Issue:** true
   
   This property must be enabled and added in the following file: _ranger-ugsync-site.xml_
   
   When `ranger.usersync.ldap.largegroupsync` is set to true:
   
   - RangerUserSync fetches group members **in batches of 1500**
   - LDAP queries use range-based attributes:
     `member;range=0-1499`, `member;range=1500-2999`, ...
   - Sync continues **until AD returns `member;range=<start>-*`**, indicating the final batch
   - All users in large AD groups are successfully synced into Ranger Admin
   
   
   ## How was this patch tested?
   => Build successfully with unit tests
   => Manual testing
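Added example (not Ranger's code, and not from this PR): a Python model of AD range retrieval for the `member` attribute. `fake_ad_search` is a constructed stand-in for the directory that returns at most 1500 values per response under a `member;range=S-E` name and marks the final chunk with `*`; `fetch_members` contrasts the pre-fix client (reads `member` once, loses everything past 1500) with the `largegroupsync` loop that walks the ranges. Group DNs are placeholders.

```python
import re
from typing import Callable, Dict, List

MAX_VAL_RANGE = 1500  # AD's default cap on values of a multi-valued attribute per response

# Matches both `member;range=0-1499` and the final chunk `member;range=3000-*`.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<start>\d+)-(?P<end>\d+|\*)$")


def fake_ad_search(members: List[str], requested: str) -> Dict[str, List[str]]:
    """Constructed stand-in for an AD search (no real LDAP call).

    Answers a request for `member` or `member;range=S-E` the way AD does:
    at most MAX_VAL_RANGE values, echoed back under a `;range=S-E` attribute
    name, with E replaced by `*` when the chunk reaches the end of the list.
    """
    m = RANGE_RE.match(requested)
    if m is None and len(members) <= MAX_VAL_RANGE:
        return {"member": list(members)}      # small group: plain attribute
    start = int(m.group("start")) if m else 0
    end = start + MAX_VAL_RANGE - 1
    if m and m.group("end") != "*":
        end = min(end, int(m.group("end")))   # AD never exceeds MaxValRange
    chunk = members[start:end + 1]
    if start + len(chunk) >= len(members):    # last chunk: AD marks it with `*`
        return {f"member;range={start}-*": chunk}
    return {f"member;range={start}-{start + len(chunk) - 1}": chunk}


def fetch_members(search: Callable[[str], Dict[str, List[str]]],
                  large_group_sync: bool) -> List[str]:
    """Client side. large_group_sync=False mirrors the pre-fix behaviour
    (take whatever came back for `member` and stop); True walks the ranges."""
    attr, values = next(iter(search("member").items()))
    members = list(values)
    m = RANGE_RE.match(attr)
    if not large_group_sync or m is None:
        return members
    while m.group("end") != "*":              # `*` marks the final batch
        start = int(m.group("end")) + 1
        attr, values = next(iter(
            search(f"member;range={start}-{start + MAX_VAL_RANGE - 1}").items()))
        members.extend(values)
        m = RANGE_RE.match(attr)
    return members


def sync_group(size: int, large_group_sync: bool) -> List[str]:
    """Build a constructed group of `size` placeholder DNs and sync it."""
    group = [f"CN=user{i:05d},OU=Users,DC=example,DC=com" for i in range(size)]
    return fetch_members(lambda a: fake_ad_search(group, a), large_group_sync)
```

Running `sync_group(3200, False)` returns only 1500 members, the symptom described above, while `sync_group(3200, True)` returns all 3200.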
   

