Jim Williams created NIFI-5636:
----------------------------------
Summary: Use LDAP objectGUID/entryUUID for Binding Users/Groups
Key: NIFI-5636
URL: https://issues.apache.org/jira/browse/NIFI-5636
Project: Apache NiFi
Issue Type: Improvement
Components: Security
Affects Versions: 1.7.1
Environment: N/A
Reporter: Jim Williams
With respect to the ‘Identity Strategy’, there is room for improvement in NiFi…
When the strategy “USE_DN” is chosen, things should work fine until the point
that the directory structure is changed and users get new DNs. Then the
mappings would be broken.
When the strategy “USE_USERNAME” is chosen, the issue with changing DNs is
avoided, but two issues are introduced:
– The directory must be guaranteed to be free of duplicate usernames or one
mapping will potentially refer to more than one user.
– In the case of a user deleted and another person being added with the same
username, it is possible that the new user will unintentionally be given access.
It might be worthwhile to introduce a third strategy (let’s call it
“USE_UUID”). The third strategy should define not only the “USE_UUID” setting
but also provide a setting for an LDAP user object attribute which is unique,
immutable, and never re-used. For instance, there is the Active Directory
‘objectGUID’ attribute or the OpenLDAP ‘entryUUID’ attribute.
Microsoft has some information about the objectGUID attribute here:
https://docs.microsoft.com/en-us/windows/desktop/ad/using-objectguid-to-bind-to-an-object
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
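The three identity strategies discussed in the issue, worked through in Python as an added example (this is not NiFi code and not part of NIFI-5636). The directory snapshots, DNs, usernames and objectGUID byte values are constructed, and the `Policy` class is a hypothetical stand-in for NiFi's access policies. The `<GUID=...>` bind string is the form documented on the Microsoft page the issue links; the LDAP filter escaping for raw bytes follows RFC 4515.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed LDAP entry; objectGUID arrives over LDAP as 16 raw bytes.
@dataclass(frozen=True)
class Entry:
    dn: str
    username: str        # sAMAccountName (AD) or uid (OpenLDAP)
    object_guid: bytes   # AD objectGUID, 16 bytes (constructed values below)


def guid_to_string(raw: bytes) -> str:
    """Textual GUID form of a raw objectGUID.

    AD stores the first three GUID fields little-endian, so uuid.UUID(bytes=raw)
    would print the digits in the wrong order; bytes_le applies the byte swaps.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def guid_bind_path(raw: bytes) -> str:
    # Bind-by-GUID form from the Microsoft page linked in the issue.
    return "<GUID=%s>" % guid_to_string(raw)


def objectguid_filter(raw: bytes) -> str:
    # RFC 4515: non-printable bytes in a filter value are escaped as \xx.
    return "(objectGUID=%s)" % "".join("\\%02x" % b for b in raw)


STRATEGIES = ("USE_DN", "USE_USERNAME", "USE_UUID")


def identity(entry: Entry, strategy: str) -> str:
    """The identifier NiFi-style mappings would key on under each strategy."""
    if strategy == "USE_DN":
        return entry.dn            # real code would normalize DNs first
    if strategy == "USE_USERNAME":
        return entry.username
    if strategy == "USE_UUID":
        return guid_to_string(entry.object_guid)
    raise ValueError("unknown strategy: %s" % strategy)


class Policy:
    """Hypothetical stand-in for an access policy keyed by mapped identity."""

    def __init__(self, strategy: str):
        self.strategy = strategy
        self.grants: Dict[str, Set[str]] = {}

    def grant(self, entry: Entry, permission: str) -> None:
        self.grants.setdefault(identity(entry, self.strategy), set()).add(permission)

    def permissions(self, entry: Entry) -> Set[str]:
        return self.grants.get(identity(entry, self.strategy), set())


def lookup_by_username(directory: List[Entry], username: str) -> List[Entry]:
    return [e for e in directory if e.username == username]


# Constructed data: GUID bytes are made up, not real directory values.
GUID_ALICE_1 = bytes.fromhex("0403020106050807090a0b0c0d0e0f10")
GUID_ALICE_2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")

ALICE = Entry("CN=alice,OU=Sales,DC=example,DC=com", "alice", GUID_ALICE_1)
# Same person after the directory is reorganized: new DN, same GUID.
ALICE_MOVED = Entry("CN=alice,OU=EMEA Sales,DC=example,DC=com", "alice", GUID_ALICE_1)
# A different person hired later with the same username, at the same DN.
ALICE_REPLACEMENT = Entry("CN=alice,OU=Sales,DC=example,DC=com", "alice", GUID_ALICE_2)

# Directory with a duplicate username in two OUs (constructed).
DIRECTORY_WITH_DUP = [
    Entry("CN=jsmith,OU=Sales,DC=example,DC=com", "jsmith", bytes(range(16))),
    Entry("CN=jsmith,OU=Ops,DC=example,DC=com", "jsmith", bytes(range(16, 32))),
]


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Grant 'admin' to ALICE under each strategy, then replay both failure modes."""
    results = {}
    for strategy in STRATEGIES:
        policy = Policy(strategy)
        policy.grant(ALICE, "admin")
        results[strategy] = {
            "survives_move": "admin" in policy.permissions(ALICE_MOVED),
            "leaks_to_new_person": "admin" in policy.permissions(ALICE_REPLACEMENT),
        }
    return results


if __name__ == "__main__":
    for strategy, outcome in run_scenarios().items():
        print(strategy, outcome)
    print(guid_bind_path(GUID_ALICE_1), objectguid_filter(GUID_ALICE_1))
    print("jsmith matches:", len(lookup_by_username(DIRECTORY_WITH_DUP, "jsmith")))
```

Only USE_UUID both survives the move and refuses the replacement user; USE_DN fails the move and USE_USERNAME grants the new hire the old user's access, and the duplicate-username lookup returns two entries, which is the ambiguity the issue describes. Two practical points for a UUID strategy: AD's objectGUID must be byte-swapped into text form (and hex-escaped when used in a search filter), whereas OpenLDAP's entryUUID is already a string.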