mcgilman commented on issue #3602: NIFI-5839 Applied identity mapping to user lookups and group members
URL: https://github.com/apache/nifi/pull/3602#issuecomment-522155731

@dtmo Thanks for creating this PR! I recently ran into the same problem and was going to post a PR (it's not quite ready yet) with a slightly different solution when I came across this. I took a slightly different approach and wanted to discuss here.

While we could leverage the user/group mappings to transform the values for this use case within the `LdapUserGroupProvider`, the mappings are meant to be applied to the identities and names that come out of a given (any) provider and the identity of the user upon authentication. The comparison happening in this scenario is happening within the `LdapUserGroupProvider` only. The value that associates a user with a group and/or a group with a user comes from an attribute in the group or user respectively. The directory server will not be performing any mappings to associate these two entries. The reason why this is problematic today is that the directory servers may or may not enforce case.

I would like to suggest that we do not use the mappings to transform the values to support this scenario. If a user did not care to map the user identities or group names, but they did have this problem, they would need to create mapping entries in `nifi.properties` just to support their `LdapUserGroupProvider` configuration. This could potentially affect other providers (if configured to possibly use a composite provider) and when users authenticate.

I would like to consider introducing a new property for the `LdapUserGroupProvider` that can conditionally set whether group membership decisions are case sensitive or not. This should hopefully lessen the already confusing configuration and limit the potential effects of this change.

I should have a PR ready for consideration soon. When I do, I'll link it here. Thanks.
