Yes, that is correct. You can set authorization policies to a group identity or a user identity, where those identities are loaded from the LDAP directory and kept in sync.
From: Mike Thomsen <mikerthom...@gmail.com> Reply-To: <users@nifi.apache.org> Date: Tuesday, November 21, 2017 at 13:06 To: <users@nifi.apache.org> Subject: Re: NiFi and Active Directory Ok, I think I understand (my knowledge of LDAP is very weak). So it really depends on the configuration they're using how far you can go with LDAP here, but as a fall back you can identify a user with LDAP and then hard-code authorization statements with the file-based access control provider. Sound right? Thanks, Mike On Tue, Nov 21, 2017 at 12:24 PM, Kevin Doran <kdoran.apa...@gmail.com> wrote: Hi Mike, I've configured NiFi 1.4.0 using LDAP-backed users and groups. The LdapProvider, configured in login-identity-providers.xml and the LdapUserGroupProvider, configured in authorizers.xml, both let you specify a user search base and as user search filter, so depending on the structure of your directory, that may be enough to limit authentication (and therefore authorization) to a single group. If not, you might have to set broader user search/filter parameters, and set access policies (e.g., using a FileAccessPolicyProvider) to grant R/W policies to a particular group identity after you've configured LDAP integration. Does that make sense? I hope this helps, feel free to post back to this thread if you have any other questions configuring AD integration through LDAP. Kevin From: Mike Thomsen <mikerthom...@gmail.com> Reply-To: <users@nifi.apache.org> Date: Tuesday, November 21, 2017 at 11:54 To: <users@nifi.apache.org> Subject: NiFi and Active Directory Does anyone have any experience using AD as the backend for NiFi's authentication and authorization? I've never had to work with it before, but it seems like we can use it as either a LDAP provider or a Kerberos implementation. Does anyone have any recommendations on how to do the integration so that only specific users in a particular group can be authorized to work with NiFi? Thanks, Mike
