[
https://issues.apache.org/jira/browse/NIFI-8201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Karl Koeck updated NIFI-8201:
-----------------------------
Description:
Our *{{Group Search Scope}}* parameter within the
*{{ldap-user-group-provider}}* user group provider is set to *{{SUBTREE}}*.
However, user authorization only works for user profiles directly located within
the {{*Group Search Base*}} OU level. NiFi behaves as if {{*Group Search
Scope*}} is set to *{{ONE_LEVEL}}*.
This results in the following exception in case the to-be-authorized user
profile is located within a sub-OU of the {{*Group Search Base*}} parameter:
{code:java}
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[myuser], groups[] does not
have permission to access the requested resource. Unknown user with identity
'myuser'. Returning Forbidden response.
{code}
The above-mentioned behavior was observed with NiFi versions 1.11.4 and 1.12.1
and was also verified by another Apache NiFi Slack user (see threads below):
* [https://apachenifi.slack.com/archives/C0L9VCD47/p1608638026275800]
* [https://apachenifi.slack.com/archives/C0L9VCD47/p1604920271147200]
was:
Our *{{Group Search Scope}}* parameter within the
*{{ldap-user-group-provider}}* user group provider is set to *{{SUBTREE}}*.
However, user authorization only works for user profiles directly located within
the {{*Group Search Base*}} OU level. NiFi behaves as if I would have set
{{*Group Search Scope*}} to *{{ONE_LEVEL}}*.
This results in the following exception in case the to-be-authorized user
profile is located within a sub-OU of the {{*Group Search Base*}} parameter:
{code:java}
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[myuser], groups[] does not
have permission to access the requested resource. Unknown user with identity
'myuser'. Returning Forbidden response.
{code}
The above-mentioned behavior was observed with NiFi versions 1.11.4 and 1.12.1
and was also verified by another Apache NiFi Slack user (see threads below):
* [https://apachenifi.slack.com/archives/C0L9VCD47/p1608638026275800]
* [https://apachenifi.slack.com/archives/C0L9VCD47/p1604920271147200]
> LdapUserGroupProvider Group Search Scope SUBTREE setting does not search
> directory tree
> ---------------------------------------------------------------------------------------
>
> Key: NIFI-8201
> URL: https://issues.apache.org/jira/browse/NIFI-8201
> Project: Apache NiFi
> Issue Type: Bug
> Components: Configuration
> Affects Versions: 1.11.4, 1.12.1
> Environment: OS: Windows Server 2012 R2, LDAP Server: Microsoft
> Active Directory
> Reporter: Karl Koeck
> Priority: Major
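The difference between the two scopes named in the report, as an added example (not part of the original report and not NiFi's code): a small model of RFC 4511 search-scope semantics that shows which entries each scope can reach from a given search base. The base DN and directory entries are constructed for illustration; `OBJECT` is the third scope value, matching RFC 4511's baseObject.

```python
# Added illustration: LDAP search-scope semantics (RFC 4511) over constructed DNs.

def split_dn(dn):
    """Split a DN into normalised RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
        escaped = (ch == "\\") and not escaped
    rdns.append("".join(cur))
    # Lower-case and trim attribute type and value so comparison ignores case/spacing.
    return ["=".join(p.strip().lower() for p in r.partition("=")[::2]) for r in rdns]

def depth_below(base_dn, entry_dn):
    """Levels between base and entry (0 = the base itself), or None if outside it."""
    base, entry = split_dn(base_dn), split_dn(entry_dn)
    extra = len(entry) - len(base)
    if extra < 0 or entry[extra:] != base:
        return None
    return extra

def search(base_dn, scope, entries):
    """Return the entries a search with this base and scope can reach."""
    wanted = {
        "OBJECT": lambda d: d == 0,     # baseObject: the base entry only
        "ONE_LEVEL": lambda d: d == 1,  # singleLevel: immediate children only
        "SUBTREE": lambda d: True,      # wholeSubtree: base and everything below
    }[scope]
    depths = ((dn, depth_below(base_dn, dn)) for dn in entries)
    return [dn for dn, d in depths if d is not None and wanted(d)]

BASE = "OU=NiFi,DC=example,DC=com"  # constructed search base
ENTRIES = [                         # constructed directory entries
    "CN=alice,OU=NiFi,DC=example,DC=com",             # directly under the base
    "CN=myuser,OU=Team A,OU=NiFi,DC=example,DC=com",  # inside a sub-OU
    "CN=Doe\\, Jane,ou=nifi,dc=example,dc=com",       # escaped comma, mixed case
    "CN=bob,OU=Other,DC=example,DC=com",              # outside the base
]

if __name__ == "__main__":
    for scope in ("ONE_LEVEL", "SUBTREE"):
        print(scope, search(BASE, scope, ENTRIES))
```

An entry that appears under `SUBTREE` but not under `ONE_LEVEL` sits in a sub-OU, which is the placement the report describes for `myuser`.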