[
https://issues.apache.org/jira/browse/NIFI-8035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17855664#comment-17855664
]
David Handermann commented on NIFI-8035:
----------------------------------------
[~Steve Hindmarch] If you are familiar with the changes, you could submit a new
pull request for subsequent review.
> Handle nested LDAP groups in LdapUserGroupProvider
> --------------------------------------------------
>
> Key: NIFI-8035
> URL: https://issues.apache.org/jira/browse/NIFI-8035
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Security
> Affects Versions: 1.12.1
> Reporter: Moncef ABBOUD
> Priority: Major
> Labels: authorization, ldap, security
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Nested LDAP groups are widely used in big organizations especially with
> Active Directory. Microsoft's AGDLP recommendations rely on nested groups.
> Currently, the LdapUserGroupProvider retrieves users and groups separately.
> Group memberships are inferred using 'Group Member Attribute' or 'User Group
> Name Attribute'. It is also possible to construct users and groups relying
> only on the group and user entries respectively; this is done in case only
> one of the "User Search Base" or "Group Search Base" is specified.
> Microsoft AD (and others such as Red Hat/389 DS) provides support for nested
> groups retrieval using special filters such as the
> _LDAP_MATCHING_RULE_IN_CHAIN_ filter. With the current implementation, it
> is not possible to use this filter since it relies on the user's DN being
> part of the LDAP search filter which would require querying the LDAP server
> per user.
> Handling LDAP nested groups would provide much flexibility to organizations
> using NiFi and it would allow compliance with the AGDLP recommendations which
> is not currently possible.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
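As an added example (not code from the NiFi project or from the issue), the following shows the two points the description raises: how the Active Directory LDAP_MATCHING_RULE_IN_CHAIN filter is built from a user's DN (hence one query per user, with the DN escaped so it cannot alter the filter), and a client-side alternative that resolves nested groups from a flat group listing of the kind the provider already fetches. The directory contents and DNs are constructed sample data.

```python
# Added example, not NiFi project code. Builds the AD matching-rule-in-chain
# filter and resolves nested groups client-side from a constructed directory.
from collections import deque

# OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible match.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escaping for assertion values: a DN spliced into a filter must be
# escaped, otherwise characters like ')' or '*' change the filter's meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def nested_group_filter(user_dn: str, member_attr: str = "member") -> str:
    """Filter matching every group whose member chain contains user_dn.
    The DN is part of the filter, so the server must be queried per user."""
    return f"({member_attr}:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"


def transitive_groups(members_by_group: dict, user_dn: str) -> set:
    """Client-side alternative: follow member -> group edges upward from the
    flat group listing. DN comparison is case-insensitive; cycles are safe."""
    parents = {}
    for group_dn, members in members_by_group.items():
        for member_dn in members:
            parents.setdefault(member_dn.lower(), set()).add(group_dn)
    seen, queue = set(), deque([user_dn.lower()])
    while queue:
        node = queue.popleft()
        for group_dn in parents.get(node, ()):
            if group_dn not in seen:
                seen.add(group_dn)
                queue.append(group_dn.lower())
    return seen


# Constructed sample directory (AGDLP-style chain plus a self-referencing group).
SAMPLE_DIRECTORY = {
    "CN=NiFi Operators,OU=Groups,DC=example,DC=org": [
        "CN=alice,OU=Users,DC=example,DC=org"],
    "CN=NiFi Admins,OU=Groups,DC=example,DC=org": [
        "CN=NiFi Operators,OU=Groups,DC=example,DC=org"],
    "CN=All Staff,OU=Groups,DC=example,DC=org": [
        "CN=NiFi Admins,OU=Groups,DC=example,DC=org",
        "CN=All Staff,OU=Groups,DC=example,DC=org"],  # membership cycle
    "CN=Finance,OU=Groups,DC=example,DC=org": [
        "CN=bob,OU=Users,DC=example,DC=org"],
}
```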