Hello Everyone,   I've recently installed Ranger on CDP Private Cloud Base 7.1.5. For usersync, I'm connecting to my organization AD. For some reason, the usersync is throwing SSLHandshakeException and is not working.   2021-04-10 13:41:28,715 ERROR org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder: LdapUserGroupBuilder.getUsers() failed with exception: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: <AD Domain>:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]] at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237) at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189) at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.getUsers(LdapUserGroupBuilder.java:435) at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:325) at org.apache.ranger.usergroupsync.UserGroupSync.syncUserGroup(UserGroupSync.java:100) at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:55) at java.lang.Thread.run(Thread.java:748) Caused by: javax.naming.CommunicationException: simple bind failed: <AD Domain>:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96) at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:151) at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325) at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227) ... 6 more Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alert.createSSLException(Alert.java:131) at sun.security.ssl.TransportContext.fatal(TransportContext.java:353) at sun.security.ssl.TransportContext.fatal(TransportContext.java:296) at sun.security.ssl.TransportContext.fatal(TransportContext.java:291) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367) at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376) at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1279) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1188) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401) at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:808) at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:75) at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1093) at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:450) at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:423) at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2895) at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:152) at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:52) at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:601) at javax.naming.spi.NamingManager.processURL(NamingManager.java:381) at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:361) at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:333) at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:119) ... 9 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) at sun.security.validator.Validator.validate(Validator.java:271) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636) ... 39 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ... 45 more 2021-04-10 13:41:28,718 INFO org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder: LdapUserGroupBuilder.getUsers() user count: 0 2021-04-10 13:41:28,721 INFO org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder: deltaSyncUserTime = 0 and highestdeltaSyncUserTime = 0 2021-04-10 13:41:28,721 INFO org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder: deltaSyncGroupTime = 0 and highestdeltaSyncGroupTime = 0     I've imported the LDAPS Certificate to /usr/java/default/jre/lib/security/cacerts and the following property is set to this path. ranger.usersync.truststore.file = /usr/java/default/jre/lib/security/cacerts   The surprising thing is my usersync LDAP URL is set as follows: ranger.usersync.ldap.url = ldaps://<AD Domain Controller Server1>:636   but in the error I'm getting "simple bind failed: <AD Domain>:636".   With the same configuration for all other properties the Ranger Admin Authentication with AD works perfectly, but usersync is not happening.   Things I've already tried: From this link, I tried adding -Djavax.net.ssl.trustStore=/<path to the cacert> in ranger-usersync-services.sh file. From this link, I've tried adding ranger.usersync.sink.impl.class property in my config. Experimented with User search/Group Search settings. Kindly add your suggestions.   Thanks, Megh ... View more