[ 
https://issues.apache.org/jira/browse/NIFI-8035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17851022#comment-17851022
 ] 

Stephen Jeffrey Hindmarch commented on NIFI-8035:
-------------------------------------------------

I would be interested in seeing this issue considered again as it is impacting 
a current project of mine. It looks like the PR was ready to be merged but 
timed out due to lack of action. Is there a way it could be resurrected?

> Handle nested LDAP groups in LdapUserGroupProvider
> --------------------------------------------------
>
>                 Key: NIFI-8035
>                 URL: https://issues.apache.org/jira/browse/NIFI-8035
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 1.12.1
>            Reporter: Moncef ABBOUD
>            Priority: Major
>              Labels: authorization, ldap, security
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Nested LDAP groups are widely used in big organizations especially with 
> Active Directory. Microsoft's AGDLP recommendations rely on nested groups.
> Currently, the LdapUserGroupProvider retrieves users and groups separately. 
> Group memberships are inferred using 'Group Member Attribute' or 'User Group 
> Name Attribute'. It is also possible to construct users and groups relying 
> only on the groups and users entries respectively; this is done in case only 
> one of the "User Search Base" or "Group Search Base" is specified. 
> Microsoft AD (and others such as Red Hat/389 DS) provides support for nested 
> groups retrieval using special filters such as the 
> LDAP_MATCHING_RULE_IN_CHAIN filter. With the current implementation, it 
> is not possible to use this filter since it relies on the user's DN being 
> part of the LDAP search filter which would require querying the LDAP server 
> per user. 
> Handling LDAP nested groups would provide much flexibility to organizations 
> using NiFi and it would allow compliance with the AGDLP recommendations which 
> is not currently possible. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
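The two ways of resolving nested membership that the issue contrasts, as an added example that is not NiFi's or the PR's code: the per-user server-side filter built on Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule (whose value must be filter-escaped, since the user's DN is embedded in it), and a client-side transitive walk over the group entries a provider already fetches, which also has to survive membership cycles. The group DNs are constructed sample data and the attribute name `member` stands in for the provider's 'Group Member Attribute'.

```python
from __future__ import annotations
from collections import deque

# OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible matching rule
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '(', ')', '*', '\\' and NUL in a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def nested_groups_filter(user_dn: str, member_attr: str = "member") -> str:
    """Server-side approach from the issue: one query per user, returning every
    group that contains the user directly or through any depth of nesting."""
    return (f"(&(objectClass=group)({member_attr}:{MATCHING_RULE_IN_CHAIN}:="
            f"{escape_filter_value(user_dn)}))")


def resolve_nested_membership(groups: dict[str, list[str]]) -> dict[str, set[str]]:
    """Client-side alternative: groups maps group DN -> direct member DNs (users or
    other groups). Returns user DN -> every group reached transitively; cycles are tolerated."""
    parents: dict[str, set[str]] = {}  # member DN -> groups that list it directly
    for group_dn, members in groups.items():
        for member_dn in members:
            parents.setdefault(member_dn, set()).add(group_dn)
    result: dict[str, set[str]] = {}
    for entity in parents:
        if entity in groups:
            continue  # a group nested in another group, not a user
        seen: set[str] = set()
        queue = deque(parents[entity])
        while queue:
            group_dn = queue.popleft()
            if group_dn not in seen:  # stops on membership cycles
                seen.add(group_dn)
                queue.extend(parents.get(group_dn, ()))
        result[entity] = seen
    return result


# Constructed sample directory (not real data); ops -> nifi-admins -> platform-team -> ops is a cycle
SAMPLE_GROUPS = {
    "cn=nifi-admins,ou=groups,dc=example,dc=com": ["cn=platform-team,ou=groups,dc=example,dc=com"],
    "cn=platform-team,ou=groups,dc=example,dc=com": [
        "cn=alice,ou=users,dc=example,dc=com", "cn=ops,ou=groups,dc=example,dc=com"],
    "cn=ops,ou=groups,dc=example,dc=com": [
        "cn=bob,ou=users,dc=example,dc=com", "cn=nifi-admins,ou=groups,dc=example,dc=com"],
}
```

An authorization policy bound to `cn=nifi-admins` only applies to alice and bob once either resolution step is in place; with direct membership alone neither user would match it.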