I have integrated Ranger with AD. There was a mistake in the configuration: in Group Name Attribute I gave DistinguishedName instead of just cn, which resulted in synchronization of all the groups with fully distinguished names. Now that I have changed that attribute to CN, it is syncing group names, but the old group names (groups with full distinguished names) are still mapped to users. Is there a way to delete them? I think Ranger sync should take care of that, shouldn't it?
Rangersync doesn't automatically remove deleted groups (but I agree with you that it should; hopefully a feature we can see in a future release).
For the time being, you can delete your users and groups using either the API or the scripts attached in the following answer thread:
Hope that helps
Currently Ranger usersync doesn't remove de-provisioned users (users who have been either removed or inactivated in the LDAP server) automatically. This feature is still not available in Ranger.
And this issue was already raised under RANGER-980, which is still unresolved.
The current solution available is "Remove these de-provisioned users using either Ranger WebUI, Ranger APIs or Ranger Database".
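Before deleting anything through the WebUI, API or database, it helps to separate the stale DN-named groups from legitimate ones. The following is an added example, not part of any answer in this thread and not Ranger code: it takes a constructed group listing (the `id`/`name` fields, sample values and function names are assumptions) and returns which DN-style groups already have a CN-named replacement and which need manual review.

```python
import re

# Constructed sample; the "id"/"name" fields are assumed for this example.
SAMPLE_GROUPS = [
    {"id": 11, "name": "CN=Hadoop Admins,OU=Groups,DC=example,DC=com"},
    {"id": 12, "name": "CN=Smith\\, Team,OU=Groups,DC=example,DC=com"},
    {"id": 13, "name": "cn=orphaned,ou=Groups,dc=example,dc=com"},
    {"id": 21, "name": "Hadoop Admins"},
    {"id": 22, "name": "Smith, Team"},
    {"id": 23, "name": "ops,oncall"},
]

ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]      # keep the escaped pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    return parts + [cur.strip()]

def dn_to_cn(name):
    """Return the CN value if name is a full DN led by CN=, else None."""
    rdns = split_rdns(name)
    if len(rdns) < 2 or not all(ATTR.match(r) for r in rdns):
        return None                 # plain name, even if it contains a comma
    attr, _, value = rdns[0].partition("=")
    if attr.lower() != "cn":
        return None
    return re.sub(r"\\(.)", r"\1", value)  # hex-pair escapes not handled

def plan_cleanup(groups):
    """Return (ids safe to delete, ids needing manual review)."""
    # Case-insensitive match is an assumption (AD names are case-insensitive).
    current = {g["name"].lower() for g in groups if dn_to_cn(g["name"]) is None}
    delete, review = [], []
    for g in groups:
        cn = dn_to_cn(g["name"])
        if cn is not None:
            (delete if cn.lower() in current else review).append(g["id"])
    return delete, review
```

Groups in the review list have a DN-style name but no CN-named counterpart yet, so check them against the directory and any policies that reference them before removal.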