06-07-2016
02:09 PM
1 Kudo
We came across a similar issue and our solution was to create a custom synchronization script which replaces the standard LDAP sync process. We define a "super-group" whose members are all groups that are visible/relevant to Hadoop. This is helpful for several reasons:

- It limits the group selection in Ranger itself
- It limits the users that are pulled into Ranger - only members of one of the relevant groups will be visible to Ranger
- It limits the amount of data that needs to be transferred during synchronization. (We have around 50k users in our Active Directory.)
- It gives us an efficient filter for LDAP queries. (We cannot filter by base DN because of AD policy.)

The synchronization process knows only the DN of the super-group - it fetches that one LDAP entry; from there it determines the members, which are the authorization groups, and then the members of each authorization group, which are the authorized users.
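The two-level lookup described in the post above, sketched as an added example (not the poster's script). The directory contents, DNs and the `fetch_entry`, `resolve` and `all_users` names are constructed for illustration; `fetch_entry` stands in for a base-scope LDAP read of a single DN.

```python
from typing import Callable, Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample standing in for Active Directory (lower-cased DN -> attributes).
DIRECTORY: Dict[str, Entry] = {
    "cn=hadoop-all,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["CN=etl,OU=Groups,DC=example,DC=com",
                   "CN=analysts,OU=Groups,DC=example,DC=com",
                   "CN=stale,OU=Groups,DC=example,DC=com",    # dangling reference
                   "CN=alice,OU=People,DC=example,DC=com"],   # a user, not a group
    },
    "cn=etl,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"], "sAMAccountName": ["etl"],
        "member": ["CN=alice,OU=People,DC=example,DC=com",
                   "CN=bob,OU=People,DC=example,DC=com"],
    },
    "cn=analysts,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"], "sAMAccountName": ["analysts"],
        "member": ["CN=Bob,OU=People,DC=example,DC=com"],     # same user, other case
    },
    "cn=alice,ou=people,dc=example,dc=com": {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    "cn=bob,ou=people,dc=example,dc=com": {"objectClass": ["user"], "sAMAccountName": ["bob"]},
}

def fetch_entry(dn: str) -> Optional[Entry]:
    """Stand-in for reading one entry by DN; lower-casing is a simplified DN match."""
    return DIRECTORY.get(dn.lower())

def resolve(super_dn: str, fetch: Callable[[str], Optional[Entry]]) -> Dict[str, List[str]]:
    """Return {authorization group: sorted user names} reachable from the super-group."""
    top = fetch(super_dn)
    if top is None:
        raise LookupError(f"super-group not found: {super_dn}")
    result: Dict[str, List[str]] = {}
    for group_dn in top.get("member", []):
        group = fetch(group_dn)
        if group is None or "group" not in group.get("objectClass", []):
            continue  # skip dangling DNs and members that are not groups
        users = set()
        for user_dn in group.get("member", []):
            user = fetch(user_dn)
            if user and "user" in user.get("objectClass", []):
                users.add(user["sAMAccountName"][0])
        result[group["sAMAccountName"][0]] = sorted(users)
    return result

def all_users(mapping: Dict[str, List[str]]) -> List[str]:
    """Distinct users across all authorization groups (each user is synced once)."""
    return sorted({u for names in mapping.values() for u in names})
```

Only entries reachable from the super-group are ever read, so the number of lookups scales with the Hadoop-relevant groups and their members rather than with the whole directory.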