[ https://issues.apache.org/jira/browse/RANGER-5427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dhaval Shah updated RANGER-5427:
--------------------------------
Description:
h3. *Problem Description*
Active Directory (AD) groups containing *more than 1500 users* are *not fully
synchronized* into *Ranger Admin* when using the *RangerUserSync* service.
During LDAP sync, RangerUserSync retrieves only the first 1500 members of such
groups, resulting in *missing users* in Ranger Admin.
h3. *Root Cause*
Active Directory enforces a hard limit (*MaxValRange = 1500*) on
multi-valued attributes such as {{member}}.
For groups with more than 1500 users, AD returns group members using
*range-based attributes*, for example:
{code:java}
member;range=0-1499{code}
RangerUserSync currently expects the standard {{member}} attribute and *does
not handle range-based member retrieval*, which causes incomplete group
membership resolution.
h3. *Example*
*Non-working (Large AD group):*
{code:java}
member;range=0-1499: CN=1624070,OU=User,OU=Accounts,OU=people,DC=zone1,DC=scb,DC=net{code}
*Working (Group with <1500 users):*
{code:java}
member: CN=<cn>,OU=Generic,OU=Accounts,OU=people,DC=zone1,DC=scb,DC=net{code}
h3. *Solution / Fix*
A new configuration property has been introduced to support *large AD group
synchronization* using *range retrieval*.
*Property Name:*
{code:java}
ranger.usersync.ldap.largegroupsync{code}
*Default Value:* {{false}}
*Required Value to Fix the Issue:* {{true}}
This property must be enabled in the following file:
_{{ranger-ugsync-site.xml}}_
When _{{ranger.usersync.ldap.largegroupsync}}_ is set to {{true}}:
* RangerUserSync fetches group members *in batches of 1500*
* LDAP queries use range-based attributes:
{{member;range=0-1499}}, {{member;range=1500-2999}}, ...
* Sync continues until AD returns {{member;range=*-*}}, indicating the final batch
* All users in large AD groups are successfully synced into Ranger Admin
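The range-retrieval loop that the property enables, as an added example that is not Ranger's own code: a constructed in-memory stand-in for one AD group entry (FakeAdGroup, hypothetical) truncates {{member}} at MaxValRange the way AD does, and fetch_all_members shows the truncated result described above beside the full result obtained by requesting {{member;range=}} batches until AD answers with a range ending in {{*}}.

```python
import re

MAX_VAL_RANGE = 1500  # AD's MaxValRange default, as named on the page
# Matches the ranged attribute names AD returns, e.g. member;range=0-1499 or member;range=3000-*
RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)


class FakeAdGroup:
    """Constructed stand-in for one AD group entry (no real LDAP server involved).
    It truncates the multi-valued 'member' attribute the way MaxValRange does."""

    def __init__(self, members, max_val_range=MAX_VAL_RANGE):
        self.members = list(members)
        self.max_val_range = max_val_range

    def search(self, attr):
        """Answer a request for 'member' or 'member;range=lo-hi' with {attribute_name: values}."""
        if attr == "member":
            if len(self.members) <= self.max_val_range:
                return {"member": list(self.members)}          # small group: plain attribute
            attr = f"member;range=0-{self.max_val_range - 1}"  # large group: AD switches to ranges
        m = RANGE_RE.match(attr)
        if m is None:
            raise ValueError(f"unsupported attribute request: {attr}")
        lo = int(m.group(1))
        hi = lo + self.max_val_range - 1                       # AD never returns more than MaxValRange
        batch = self.members[lo:hi + 1]
        if lo + len(batch) >= len(self.members):               # last batch is marked with '*'
            return {f"member;range={lo}-*": batch}
        return {f"member;range={lo}-{hi}": batch}


def fetch_all_members(group, large_group_sync=True):
    """Collect group members; large_group_sync=False reproduces the truncated sync described
    on the page, large_group_sync=True follows the range chain until AD signals the end."""
    attr, members = "member", []
    while True:
        (name, values), = group.search(attr).items()
        members.extend(values)
        m = RANGE_RE.match(name)
        if m is None or m.group(2) == "*" or not large_group_sync:
            return members
        next_lo = int(m.group(2)) + 1
        attr = f"member;range={next_lo}-{next_lo + MAX_VAL_RANGE - 1}"


if __name__ == "__main__":
    # Constructed sample DNs in the shape shown on the page
    dns = [f"CN={i},OU=User,OU=Accounts,OU=people,DC=zone1,DC=scb,DC=net" for i in range(3201)]
    big = FakeAdGroup(dns)
    print(len(fetch_all_members(big, large_group_sync=False)))  # 1500: users silently dropped
    print(len(fetch_all_members(big)))                          # 3201: all members synced
```

Members that are never fetched are invisible to Ranger Admin, so any group-scoped policy, allow or deny, silently stops applying to them.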
was:
h3. *Problem Description*
Active Directory (AD) groups containing *more than 1500 users* are *not fully
synchronized* into *Ranger Admin* when using the *RangerUserSync* service.
During LDAP sync, RangerUserSync retrieves only the first 1500 members of such
groups, resulting in *missing users* in Ranger Admin.
h3. *Root Cause*
Active Directory enforces a hard limit (*MaxValRange = 1500*) on
multi-valued attributes such as {{member}}.
For groups with more than 1500 users, AD returns group members using
*range-based attributes*, for example:
{code:java}
member;range=0-1499{code}
RangerUserSync currently expects the standard {{member}} attribute and *does
not handle range-based member retrieval*, which causes incomplete group
membership resolution.
h3. *Example*
*Non-working (Large AD group):*
{code:java}
member;range=0-1499: CN=1624070,OU=User,OU=Accounts,OU=ITSC,DC=zone1,DC=scb,DC=net{code}
*Working (Group with <1500 users):*
{code:java}
member: CN=g.edm.hasteapp.001,OU=Generic,OU=Accounts,OU=ITSC,DC=zone1,DC=scb,DC=net{code}
h3. *Solution / Fix*
A new configuration property has been introduced to support *large AD group
synchronization* using *range retrieval*.
*Property Name:*
{code:java}
ranger.usersync.ldap.largegroupsync{code}
*Default Value:* {{false}}
*Required Value to Fix the Issue:* {{true}}
This property must be enabled in the following file:
_{{ranger-ugsync-site.xml}}_
When _{{ranger.usersync.ldap.largegroupsync}}_ is set to {{true}}:
* RangerUserSync fetches group members *in batches of 1500*
* LDAP queries use range-based attributes:
{{member;range=0-1499}}, {{member;range=1500-2999}}, ...
* Sync continues until AD returns {{member;range=*-*}}, indicating the final batch
* All users in large AD groups are successfully synced into Ranger Admin
> AD Groups with 1500+ Users Fail to Sync into Ranger Admin via RangerUserSync
> ----------------------------------------------------------------------------
>
> Key: RANGER-5427
> URL: https://issues.apache.org/jira/browse/RANGER-5427
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Dhaval Shah
> Assignee: Dhaval Shah
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)