Re: Configure LDAP User & groups synchronize (NiFi 1.12.1)
Hello Gaston,

I am glad it is working for you. Yes, the UI shows the users and the groups they are members of and also the groups and their members.

After a second quick glance, I am noticing one possible problem with your conf. You have "memberof" as the value for the property "Group Member Attribute - Referenced User Attribute".

From the admin guide:

    Group Member Attribute - Referenced User Attribute: If blank, the value of the attribute defined in Group Member Attribute is expected to be the full dn of the user. If not blank, this property will define the attribute of the user ldap entry that the value of the attribute defined in Group Member Attribute is referencing (i.e. uid)...

This means that you are trying to match the "Group Member Attribute" attribute ("member" in the conf) in your groups with the "Group Member Attribute - Referenced User Attribute" ("memberof" in the conf) attribute in users. Unless the member attributes of groups have values other than DNs, the "Group Member Attribute - Referenced User Attribute" property should be left empty.

I also suggest setting the logging level to DEBUG for the LdapUserGroupProvider. This will give you insight into what exactly is happening.

Hope this helps. Good luck.

Moncef.

On Wed, Feb 17, 2021 at 15:36, Mr. Spock wrote:

> Hi Moncef! Thank you very much, it works!
> One more question (hope you don't mind :) )
> I thought the process should find the membership and establish it on
> NiFi as it finds it on LDAP.
> Example:
> I have the group: GGG_Group1
> And that group has the following members:
> Gas
> Peter
>
> I was expecting that NiFi shows:
> GGG_Group1
> And lists also the users, indicating their membership.
> Is that the way it should work?
>
> Thanks in advance!
>
> Gaston.
>
> On Fri, Feb 12, 2021 at 2:50 PM Moncef Abboud wrote:
>
>> Hello Gaston,
>>
>> I see that you are using a wildcard in the "User Search Filter"
>> property. AD doesn't support wildcards on "member" and "memberof"
>> attributes and thus the ldap request to fetch users is returning an empty
>> set.
>>
>> Hope this helps. Good luck.
>>
>> Moncef.
>>
>> On Fri, Feb 12, 2021 at 18:35, Mr. Spock wrote:
>>
>>> Hi all!
>>> My name is Gaston and I'm a nifi newbie :)
>>> I'm trying to configure my nifi instance to authenticate users via ldap
>>> (MS AD) group membership.
>>> I've already secured my nifi instance. Also the authentication config is
>>> working, but only synchronizes LDAP groups.
>>> I've searched a lot, but still haven't found where my error is. (I'm
>>> assuming that ldap groups should synchronize members and/or authorize their
>>> members according to the policies defined on my nifi instance.)
>>> My authorizer config is as follows:
>>>
>>> file-user-group-provider
>>> org.apache.nifi.authorization.FileUserGroupProvider
>>> ./conf/users.xml
>>>
>>> ldap-user-group-provider
>>> org.apache.nifi.ldap.tenants.LdapUserGroupProvider
>>> SIMPLE
>>>
>>> CN=bindusr,OU=Users,DC=corporation,DC=corp
>>> xxx
>>>
>>> FOLLOW
>>> 10 secs
>>> 10 secs
>>>
>>> ldap://ldap1.corporate.corp:389
>>> ldap://ldap2.corporate.corp:389
>>>
>>> 30 mins
>>> false
>>>
>>> DC=corporate,DC=corp
>>> person
>>> SUBTREE
>>> (memberOf=CN=*Integracion*,OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp)
>>> sAMAccountName
>>> memberOf
>>>
>>> OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp
>>> group
>>> SUBTREE
>>> (cn=GGG_Centrify_Integracion*)
>>> name
>>> member
>>> memberOf
>>>
>>> composite-user-group-provider
>>> org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider
>>> file-user-group-provider
>>> ldap-user-group-provider
>>>
>>> file-access-policy-provider
>>> org.apache.nifi.authorization.FileAccessPolicyProvider
>>> composite-user-group-provider
>>> ./conf/authorizations.xml
>>>
>>> CN=Gas, OU=ApacheNiFi
>>>
>>> managed-authorizer
>>> org.apache.nifi.authorization.StandardManagedAuthorizer
>>> file-access-policy-provider
>>>
>>> Any help would be appreciated!
>>
>> --
>> Moncef ABBOUD

--
Moncef ABBOUD
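
The matching rule quoted from the admin guide in the message above, as an added example that is not part of the original thread and is not NiFi's code. It is a simplified model: the directory entries, the `OU=People` container, the `memberUid` variant and all function names are constructed for illustration.

```python
# Added illustration: a simplified model of group-member resolution.
# It is not NiFi's code; every directory entry below is constructed.
BASE = "DC=corporate,DC=corp"
GROUP_DN = "CN=GGG_Group1,OU=Groups,OU=Central,OU=AR," + BASE
USERS = [
    {"dn": "CN=Gas,OU=People," + BASE, "sAMAccountName": "gas",
     "memberOf": [GROUP_DN]},
    {"dn": "CN=Peter,OU=People," + BASE, "sAMAccountName": "peter",
     "memberOf": [GROUP_DN]},
]
GROUPS = [
    {"dn": GROUP_DN, "name": "GGG_Group1",
     "member": [u["dn"] for u in USERS],        # AD style: full user DNs
     "memberUid": ["gas", "peter"]},            # hypothetical non-DN variant
]


def resolve_memberships(users, groups, identity_attr, group_name_attr,
                        group_member_attr, referenced_user_attr=""):
    """Return ({group name: [identities]}, [member values matching no user])."""
    lookup = {}
    for user in users:
        if referenced_user_attr:
            # Non-blank: index each user by the value(s) of that attribute.
            keys = user.get(referenced_user_attr, [])
            keys = [keys] if isinstance(keys, str) else keys
        else:
            # Blank: group member values are expected to be full user DNs.
            keys = [user["dn"]]
        for key in keys:
            lookup[key.lower()] = user[identity_attr]  # case-insensitive match
    memberships, unresolved = {}, []
    for group in groups:
        found = []
        for value in group.get(group_member_attr, []):
            identity = lookup.get(value.lower())
            if identity is None:
                unresolved.append(value)
            else:
                found.append(identity)
        memberships[group[group_name_attr]] = sorted(found)
    return memberships, unresolved


def compare_settings():
    """Resolve the same directory with the thread's setting and with it blank."""
    args = (USERS, GROUPS, "sAMAccountName", "name", "member")
    return {"memberOf": resolve_memberships(*args, "memberOf"),
            "blank": resolve_memberships(*args, "")}
```

With "memberOf" as the referenced attribute the group is found but has no members, because user DNs are being looked up in an index keyed by group DNs; with the property blank both users resolve.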
Re: Configure LDAP User & groups synchronize (NiFi 1.12.1)
Hi Moncef! Thank you very much, it works!

One more question (hope you don't mind :) )

I thought the process should find the membership and establish it on NiFi as it finds it on LDAP.

Example:
I have the group: GGG_Group1
And that group has the following members:
Gas
Peter

I was expecting that NiFi shows:
GGG_Group1
And lists also the users, indicating their membership.
Is that the way it should work?

Thanks in advance!

Gaston.

On Fri, Feb 12, 2021 at 2:50 PM Moncef Abboud wrote:

> Hello Gaston,
>
> I see that you are using a wildcard in the "User Search Filter" property.
> AD doesn't support wildcards on "member" and "memberof" attributes and thus
> the ldap request to fetch users is returning an empty set.
>
> Hope this helps. Good luck.
>
> Moncef.
>
> On Fri, Feb 12, 2021 at 18:35, Mr. Spock wrote:
>
>> Hi all!
>> My name is Gaston and I'm a nifi newbie :)
>> I'm trying to configure my nifi instance to authenticate users via ldap
>> (MS AD) group membership.
>> I've already secured my nifi instance. Also the authentication config is
>> working, but only synchronizes LDAP groups.
>> I've searched a lot, but still haven't found where my error is. (I'm
>> assuming that ldap groups should synchronize members and/or authorize their
>> members according to the policies defined on my nifi instance.)
>> My authorizer config is as follows:
>>
>> file-user-group-provider
>> org.apache.nifi.authorization.FileUserGroupProvider
>> ./conf/users.xml
>>
>> ldap-user-group-provider
>> org.apache.nifi.ldap.tenants.LdapUserGroupProvider
>> SIMPLE
>>
>> CN=bindusr,OU=Users,DC=corporation,DC=corp
>> xxx
>>
>> FOLLOW
>> 10 secs
>> 10 secs
>>
>> ldap://ldap1.corporate.corp:389
>> ldap://ldap2.corporate.corp:389
>>
>> 30 mins
>> false
>>
>> DC=corporate,DC=corp
>> person
>> SUBTREE
>> (memberOf=CN=*Integracion*,OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp)
>> sAMAccountName
>> memberOf
>>
>> OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp
>> group
>> SUBTREE
>> (cn=GGG_Centrify_Integracion*)
>> name
>> member
>> memberOf
>>
>> composite-user-group-provider
>> org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider
>> file-user-group-provider
>> ldap-user-group-provider
>>
>> file-access-policy-provider
>> org.apache.nifi.authorization.FileAccessPolicyProvider
>> composite-user-group-provider
>> ./conf/authorizations.xml
>>
>> CN=Gas, OU=ApacheNiFi
>>
>> managed-authorizer
>> org.apache.nifi.authorization.StandardManagedAuthorizer
>> file-access-policy-provider
>>
>> Any help would be appreciated!
>
> --
> Moncef ABBOUD
Re: Configure LDAP User & groups synchronize (NiFi 1.12.1)
Hello Gaston,

I see that you are using a wildcard in the "User Search Filter" property. AD doesn't support wildcards on "member" and "memberof" attributes and thus the ldap request to fetch users is returning an empty set.

Hope this helps. Good luck.

Moncef.

On Fri, Feb 12, 2021 at 18:35, Mr. Spock wrote:

> Hi all!
> My name is Gaston and I'm a nifi newbie :)
> I'm trying to configure my nifi instance to authenticate users via ldap
> (MS AD) group membership.
> I've already secured my nifi instance. Also the authentication config is
> working, but only synchronizes LDAP groups.
> I've searched a lot, but still haven't found where my error is. (I'm
> assuming that ldap groups should synchronize members and/or authorize their
> members according to the policies defined on my nifi instance.)
> My authorizer config is as follows:
>
> file-user-group-provider
> org.apache.nifi.authorization.FileUserGroupProvider
> ./conf/users.xml
>
> ldap-user-group-provider
> org.apache.nifi.ldap.tenants.LdapUserGroupProvider
> SIMPLE
>
> CN=bindusr,OU=Users,DC=corporation,DC=corp
> xxx
>
> FOLLOW
> 10 secs
> 10 secs
>
> ldap://ldap1.corporate.corp:389
> ldap://ldap2.corporate.corp:389
>
> 30 mins
> false
>
> DC=corporate,DC=corp
> person
> SUBTREE
> (memberOf=CN=*Integracion*,OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp)
> sAMAccountName
> memberOf
>
> OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp
> group
> SUBTREE
> (cn=GGG_Centrify_Integracion*)
> name
> member
> memberOf
>
> composite-user-group-provider
> org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider
> file-user-group-provider
> ldap-user-group-provider
>
> file-access-policy-provider
> org.apache.nifi.authorization.FileAccessPolicyProvider
> composite-user-group-provider
> ./conf/authorizations.xml
>
> CN=Gas, OU=ApacheNiFi
>
> managed-authorizer
> org.apache.nifi.authorization.StandardManagedAuthorizer
> file-access-policy-provider
>
> Any help would be appreciated!

--
Moncef ABBOUD
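
A pre-deployment check for the problem described in the reply above, as an added example that is not part of the original thread or of NiFi. The attribute list is a short, non-exhaustive assumption, the function names are hypothetical, and the two filters are the ones posted in the thread.

```python
import re

# Added illustration, not part of NiFi. DN-syntax attributes in Active
# Directory; this short list is an assumption and is not exhaustive.
DN_SYNTAX_ATTRS = {"member", "memberof", "distinguishedname", "manager"}

# One simple equality item inside a filter: (attr=value)
ITEM = re.compile(r"\(\s*([A-Za-z][\w.;-]*)\s*=([^()]*)\)")


def wildcard_on_dn_attrs(ldap_filter):
    """Return (attr, value) pairs that apply a substring pattern to a
    DN-syntax attribute. A presence test such as (memberOf=*) is fine."""
    findings = []
    for attr, value in ITEM.findall(ldap_filter):
        if attr.lower() not in DN_SYNTAX_ATTRS:
            continue
        # A literal asterisk is written \2a in a filter, so any "*" left
        # in the value is a wildcard.
        if "*" in value and value.strip() != "*":
            findings.append((attr, value))
    return findings


def lint_search_filters(properties):
    """Map each property name to its findings, keeping only flagged ones."""
    report = {}
    for name, ldap_filter in properties.items():
        findings = wildcard_on_dn_attrs(ldap_filter)
        if findings:
            report[name] = findings
    return report


# Filters as posted in the thread.
THREAD_FILTERS = {
    "User Search Filter":
        "(memberOf=CN=*Integracion*,OU=Groups,OU=Central,OU=AR,"
        "DC=corporate,DC=corp)",
    "Group Search Filter": "(cn=GGG_Centrify_Integracion*)",
}
```

Only the user filter is flagged; the wildcard on `cn` in the group filter is an ordinary string match. A flagged filter needs the group's full DN in place of the pattern.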
Configure LDAP User & groups synchronize (NiFi 1.12.1)
Hi all!

My name is Gaston and I'm a nifi newbie :)

I'm trying to configure my nifi instance to authenticate users via ldap (MS AD) group membership.

I've already secured my nifi instance. Also the authentication config is working, but only synchronizes LDAP groups.

I've searched a lot, but still haven't found where my error is. (I'm assuming that ldap groups should synchronize members and/or authorize their members according to the policies defined on my nifi instance.)

My authorizer config is as follows:

file-user-group-provider
org.apache.nifi.authorization.FileUserGroupProvider
./conf/users.xml

ldap-user-group-provider
org.apache.nifi.ldap.tenants.LdapUserGroupProvider
SIMPLE

CN=bindusr,OU=Users,DC=corporation,DC=corp
xxx

FOLLOW
10 secs
10 secs

ldap://ldap1.corporate.corp:389
ldap://ldap2.corporate.corp:389

30 mins
false

DC=corporate,DC=corp
person
SUBTREE
(memberOf=CN=*Integracion*,OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp)
sAMAccountName
memberOf

OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp
group
SUBTREE
(cn=GGG_Centrify_Integracion*)
name
member
memberOf

composite-user-group-provider
org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider
file-user-group-provider
ldap-user-group-provider

file-access-policy-provider
org.apache.nifi.authorization.FileAccessPolicyProvider
composite-user-group-provider
./conf/authorizations.xml

CN=Gas, OU=ApacheNiFi

managed-authorizer
org.apache.nifi.authorization.StandardManagedAuthorizer
file-access-policy-provider

Any help would be appreciated!