Moncef ABBOUD created NIFI-8035:
-----------------------------------

             Summary: Handle nested LDAP groups in LdapUserGroupProvider
                 Key: NIFI-8035
                 URL: https://issues.apache.org/jira/browse/NIFI-8035
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Security
    Affects Versions: 1.12.1
            Reporter: Moncef ABBOUD
             Fix For: 1.12.1


Nested LDAP groups are widely used in big organizations especially with Active 
Directory. Microsoft's AGDLP recommendations rely on nested groups.

Currently, the LdapUserGroupProvider retrieves users and groups separately.
Group memberships are inferred using 'Group Member Attribute' or 'User Group
Name Attribute'. It is also possible to construct users and groups relying only
on the group and user entries respectively; this is done when only one of
the "User Search Base" or "Group Search Base" is specified.

Microsoft AD (and others such as Red Hat/389 DS) provides support for nested
group retrieval using special filters such as the
LDAP_MATCHING_RULE_IN_CHAIN filter. With the current implementation, it is
not possible to use this filter since it relies on the user's DN being part of
the LDAP search filter, which would require querying the LDAP server per user.

Handling LDAP nested groups would provide much flexibility to organizations
using NiFi and it would allow compliance with the AGDLP recommendations, which
is not currently possible.
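To make the two options concrete, here is an added Python example (not NiFi's own code): the per-user LDAP_MATCHING_RULE_IN_CHAIN filter described above, built with the Active Directory rule OID 1.2.840.113556.1.4.1941 and RFC 4515 value escaping, beside a client-side expansion that derives the same transitive memberships from the group entries a single group search already returned, so no per-user query is needed. The sample directory (DNs under DC=example,DC=com, including a membership cycle) is constructed for the example.

```python
from collections import defaultdict

# OID of the Active Directory extensible match rule LDAP_MATCHING_RULE_IN_CHAIN
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def nested_groups_filter(user_dn: str, member_attr: str = "member") -> str:
    """Server-side approach: one search per user that matches every group
    containing user_dn directly or through any chain of nested groups."""
    return f"({member_attr}:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"


def expand_nested_groups(group_entries: dict) -> dict:
    """Client-side approach: from the group entries one group search already
    returned (group DN -> values of the Group Member Attribute), compute
    user DN -> set of all groups containing it, transitively. DNs are
    compared case-insensitively and membership cycles are tolerated."""
    groups = {g.lower(): [m.lower() for m in ms] for g, ms in group_entries.items()}
    parents = defaultdict(set)      # member DN -> groups that list it directly
    for gdn, members in groups.items():
        for m in members:
            parents[m].add(gdn)
    result = {}
    for member in parents:
        if member in groups:        # a nested group, not a user
            continue
        seen, stack = set(), list(parents[member])
        while stack:                # DFS upward; 'seen' stops cycles
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(parents.get(g, ()))
        result[member] = seen
    return result


def dn(cn: str, ou: str) -> str:
    return f"CN={cn},OU={ou},DC=example,DC=com"


# Constructed sample directory: A > B > C > A is a cycle; D holds carol and A.
SAMPLE_GROUPS = {
    dn("A", "Groups"): [dn("B", "Groups")],
    dn("B", "Groups"): [dn("C", "Groups"), dn("alice", "Users")],
    dn("C", "Groups"): [dn("bob", "Users"), dn("A", "Groups")],
    dn("D", "Groups"): [dn("carol", "Users"), dn("A", "Groups")],
}
```

The client-side expansion only sees groups inside the configured Group Search Base, whereas the matching-rule filter lets the server follow chains anywhere it can read.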



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
