Member since
07-31-2018
06-16-2021
12:01 PM
Hi @ryanth9893 Were you able to figure out this issue? I am also facing a similar problem.

ranger-admin.log

2021-06-16 09:13:19,417 [http-bio-6182-exec-3] INFO org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:148) - Authentication with SHA-256 failed. Now trying with MD5.
2021-06-16 09:13:19,418 [http-bio-6182-exec-3] INFO org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:86) - Login Unsuccessful:password123 | Ip Address:10.234.xx.xx | Bad Credentials
2021-06-16 09:13:19,419 [http-bio-6182-exec-3] DEBUG org.apache.ranger.common.db.JPABeanCallbacks (JPABeanCallbacks.java:45) - AddedByUserId is null or 0 and hence getting it from userSession for null
2021-06-16 09:13:19,419 [http-bio-6182-exec-3] DEBUG org.apache.ranger.common.db.JPABeanCallbacks (JPABeanCallbacks.java:62) - Security context not found for this request. Identity of originator of this change cannot be recorded
2021-06-16 09:13:19,429 [http-bio-6182-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthenticationEntryPoint (RangerAuthenticationEntryPoint.java:82) - commence() X-Requested-With=null
2021-06-16 09:13:19,470 [http-bio-6182-exec-14] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:142) - JDBC Authentication failure:
org.springframework.security.authentication.BadCredentialsException: Bad credentials
    at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:151)
    at org.apache.ranger.security.handler.RangerAuthenticationProvider.getJDBCAuthentication(RangerAuthenticationProvider.java:604)

Below is the RangerUserSync.log. Keep getting "Credentials response from ranger is 401."

16 Jun 2021 09:51:46 WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials response from ranger is 401.
16 Jun 2021 09:51:46 WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials response from ranger is 401.
16 Jun 2021 09:51:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 175293790and currentDeltaSyncTime = 175293790
16 Jun 2021 09:51:46 WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials response from ranger is 401.
16 Jun 2021 09:51:46 WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials response from ranger is 401.
16 Jun 2021 09:51:46 WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials response from ranger is 401

If you have figured out the issue then can you please help?
05-26-2021
04:57 AM
Hi,

Below is the configuration for connecting Apache Ranger with LDAP/LDAPS.

There's an important tool that will help to identify some settings in your AD: AD Explorer - Windows Sysinternals | Microsoft Docs

This configuration will sync LDAP users and link them with their LDAP groups every 12 hours, so that later in Apache Ranger you can give permissions based on LDAP groups as well.

For connecting using LDAPS, make sure you have the proper certificates added on the same server that contains Ranger's UserSync service.

| Configuration Name | Configuration Value | Comment |
|---|---|---|
| ranger.usersync.source.impl.class | org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder | |
| ranger.usersync.sleeptimeinmillisbetweensynccycle | 12 hour | |
| ranger.usersync.ldap.url | ldaps://myldapserver.example.com | ldaps or ldap based on your LDAP security |
| ranger.usersync.ldap.binddn | myuser@example.com | |
| ranger.usersync.ldap.ldapbindpassword | mypassword | |
| ranger.usersync.ldap.searchBase | OU=hadoop,DC=example,DC=com | you can browse your AD and check which OU you want to make Ranger sync |
| ranger.usersync.ldap.user.searchbase | OU=hadoop2,DC=example,DC=com;OU=hadoop,DC=example,DC=com | you can browse your AD and check which OU you want to make Ranger sync, you can also add 2 OU and separate them with ; |
| ranger.usersync.ldap.user.objectclass | user | double check the same |
| ranger.usersync.ldap.user.searchfilter | (memberOf=CN=HADOOP_ACCESS,DC=example,DC=com) | if you want to filter specific users to be synced in ranger and not your entire AD |
| ranger.usersync.ldap.user.nameattribute | sAMAccountName | double check the same |
| ranger.usersync.ldap.user.groupnameattribute | memberOf | double check the same |
| ranger.usersync.user.searchenabled | true | |
| ranger.usersync.group.searchbase | OU=hadoop,DC=example,DC=com | you can browse your AD and check which OU you want to make Ranger sync |
| ranger.usersync.group.objectclass | group | double check the same |
| ranger.usersync.group.searchfilter | (cn=hadoop_*) | if you want to sync specific groups not all AD groups |
| ranger.usersync.group.nameattribute | cn | double check the same |
| ranger.usersync.group.memberattributename | member | double check the same |
| ranger.usersync.group.search.first.enabled | true | |
| ranger.usersync.truststore.file | /path/to/truststore-file | |
| ranger.usersync.truststore.password | TRUST_STORE_PASSWORD | |

There are some helpful links about how to construct complex LDAP search queries: Search Filter Syntax - Win32 apps | Microsoft Docs

Best Regards,
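A pre-flight check for the UserSync settings listed in the post above, as an added example that is not part of the original post or of Apache Ranger. The property keys come from the post; the `key=value` file layout, the function names, the sample values and the rule that the sync interval must be an integer number of milliseconds (inferred from the key name) are assumptions.

```python
# Added example: lint Ranger UserSync LDAP properties before restarting the service.
from urllib.parse import urlparse

P = "ranger.usersync."
# Constructed sample with three deliberate mistakes; not the poster's real configuration.
SAMPLE = """\
ranger.usersync.ldap.url=ldap://myldapserver.example.com
ranger.usersync.sleeptimeinmillisbetweensynccycle=12 hour
ranger.usersync.ldap.user.searchfilter=(memberOf=CN=HADOOP_ACCESS,DC=example,DC=com
ranger.usersync.group.searchfilter=(cn=hadoop_*)
"""

def parse_properties(text):
    """Parse key=value lines; split on the first '=' only, since DNs and filters contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def balanced(ldap_filter):
    """True when every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def lint(props):
    """Return a list of 'key: problem' strings; an empty list means no finding."""
    findings = []
    scheme = urlparse(props.get(P + "ldap.url", "")).scheme
    if scheme == "ldap":
        findings.append("ldap.url: simple bind over ldap:// sends the password unencrypted")
    elif scheme == "ldaps" and not props.get(P + "truststore.file"):
        findings.append("truststore.file: ldaps:// is set but no truststore is configured")
    elif scheme not in ("ldap", "ldaps"):
        findings.append("ldap.url: expected an ldap:// or ldaps:// URL")
    interval = props.get(P + "sleeptimeinmillisbetweensynccycle")
    if interval is not None and not interval.isdigit():  # assumption: key name implies ms
        findings.append("sleeptimeinmillisbetweensynccycle: not an integer number of ms")
    for key in ("ldap.user.searchfilter", "group.searchfilter"):
        if not balanced(props.get(P + key, "")):
            findings.append(key + ": unbalanced parentheses in LDAP filter")
    return findings

print("\n".join(lint(parse_properties(SAMPLE))))
```

Twelve hours expressed in milliseconds is 43200000, which passes the interval check.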