Ok, I think I understand (my knowledge of LDAP is very weak). So it really depends on the configuration they're using how far you can go with LDAP here, but as a fallback you can identify a user with LDAP and then hard-code authorization statements with the file-based access control provider.

Sound right?

Thanks,

Mike

On Tue, Nov 21, 2017 at 12:24 PM, Kevin Doran <[email protected]> wrote:

> Hi Mike,
>
> I've configured NiFi 1.4.0 using LDAP-backed users and groups. The LdapProvider, configured in login-identity-providers.xml and the LdapUserGroupProvider, configured in authorizers.xml, both let you specify a user search base and a user search filter, so depending on the structure of your directory, that may be enough to limit authentication (and therefore authorization) to a single group. If not, you might have to set broader user search/filter parameters, and set access policies (e.g., using a FileAccessPolicyProvider) to grant R/W policies to a particular group identity after you've configured LDAP integration.
>
> Does that make sense? I hope this helps, feel free to post back to this thread if you have any other questions configuring AD integration through LDAP.
>
> Kevin
>
> *From: *Mike Thomsen <[email protected]>
> *Reply-To: *<[email protected]>
> *Date: *Tuesday, November 21, 2017 at 11:54
> *To: *<[email protected]>
> *Subject: *NiFi and Active Directory
>
> Does anyone have any experience using AD as the backend for NiFi's authentication and authorization? I've never had to work with it before, but it seems like we can use it as either an LDAP provider or a Kerberos implementation. Does anyone have any recommendations on how to do the integration so that only specific users in a particular group can be authorized to work with NiFi?
>
> Thanks,
>
> Mike
