Maybe that scenario is not supported, but you can start playing with that
custom scenario. The LDAP provider is configurable by XML:
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
</provider>
Juan
On Fri, 24 Jul 2020 at 08:20, Moncef Abboud <[email protected]> wrote:
> Hello fellow NiFi Users,
>
> I am trying to configure authorization using the LdapUserGroupProvider.
> The documentation is clear: specify your "User Search Base" and "Group
> Search Base" and define membership either using "User Group Name
> Attribute" such as "memberOf" or the other way around using "Group Member
> Attribute" such as "member". All that is clear and works perfectly, but my
> problem is as follows:
>
> I have two levels of groups in my directory e.g.
>
> GroupA contains Group1 and Group2
> GroupB contains Group2 and Group3
> GroupC contains Group1 and Group3
>
> Group1 contains User1 and User2
> Group2 contains User1 and User3
>
> LDIF looks something like this:
>
> dn: CN=GroupA ....
> member: CN= Group1 ..
> member: CN= Group2 ..
>
> -----
> dn: CN=Group1 ....
> member: CN=User1 ..
> member: CN=User2..
> .
> memberOf: CN=GroupA ...
> memberOf: CN=GroupC ...
>
> ----
>
> dn: CN=User1....
> memberOf: CN=Group1 ...
> memberOf: CN=Group2 ...
> ------
>
> No direct link between a user and a level 1 group (GroupA, GroupB..)
>
> I would like to note that groups of level 1 (GroupA, GroupB ..) are not in
> the same branch in the DIT as those of level 2 (Group1, Group2 ..).
>
> The requirement is that the groups used to manage authorization, and that
> should show in the NiFi UI, are those of level 1 (GroupA, GroupB..) and that
> users should be assigned to the groups containing their direct groups; for
> instance User1 (who is a direct member of Group1 and Group2) should be
> displayed as a member of the groups GroupA, GroupB and GroupC. Level 2
> groups (Group1, Group2..) must not show and must not be used directly in
> the UI, but only as a link between users and level 1 groups.
>
> So to sum up, NiFi should take into account only level 1 groups and handle
> transitive memberships through level 2 groups.
>
> Thank you in advance for your answers.
>
> Best Regards,
> Moncef
>
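Added example, not part of this thread and not NiFi code: a small Python script that computes exactly the transitive membership the post describes, so an administrator can state the expected group assignments (User1 in GroupA, GroupB and GroupC; Group1 and Group2 only used as links) and check whatever the authorizer ends up showing against them. The LDIF is constructed to mirror the thread's layout, with the branch names (OU=Roles, OU=Teams, OU=People) and the domain chosen here; Group3's members are not given in the thread, so it is left empty. It also handles a membership cycle, which a naive walk over `member` links would loop on.

```python
"""Resolve nested (transitive) LDAP group membership from LDIF entries.

Level-1 groups live in one DIT branch, level-2 groups in another, and users
are only direct members of level-2 groups. The resolver follows 'member'
links upward and reports only the level-1 groups a user ends up in.
"""
import re
from collections import defaultdict

# Constructed sample directory modelled on the thread; branch names and
# domain are assumptions. Group3 has no members because the thread gives none.
SAMPLE_LDIF = """\
dn: CN=GroupA,OU=Roles,DC=example,DC=org
member: CN=Group1,OU=Teams,DC=example,DC=org
member: CN=Group2,OU=Teams,DC=example,DC=org

dn: CN=GroupB,OU=Roles,DC=example,DC=org
member: CN=Group2,OU=Teams,DC=example,DC=org
member: CN=Group3,OU=Teams,DC=example,DC=org

dn: CN=GroupC,OU=Roles,DC=example,DC=org
member: CN=Group1,OU=Teams,DC=example,DC=org
member: CN=Group3,OU=Teams,DC=example,DC=org

dn: CN=Group1,OU=Teams,DC=example,DC=org
member: CN=User1,OU=People,DC=example,DC=org
member: CN=User2,OU=People,DC=example,DC=org

dn: CN=Group2,OU=Teams,DC=example,DC=org
member: CN=User1,OU=People,DC=example,DC=org
member: CN=User3,OU=People,DC=example,DC=org

dn: CN=Group3,OU=Teams,DC=example,DC=org

dn: CN=User1,OU=People,DC=example,DC=org

dn: CN=User2,OU=People,DC=example,DC=org

dn: CN=User3,OU=People,DC=example,DC=org
"""


def normalize_dn(dn):
    """Strip whitespace around ',' and '=' so 'CN= Group1 , OU=x' compares equal."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip())


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}. Plain 'attr: value' lines
    only (no base64 '::' values, no folded continuation lines)."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                 # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), defaultdict(list))
            continue
        if current is None:
            raise ValueError(f"attribute before any dn: {raw!r}")
        current[attr].append(normalize_dn(value) if attr == "member" else value)
    return entries


def rdn_value(dn):
    """First RDN value, e.g. 'GroupA' from 'CN=GroupA,OU=Roles,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def in_branch(dn, base):
    return dn.lower().endswith("," + base.lower())


def resolve_memberships(entries, user_base, top_group_base):
    """Map each user under user_base to the sorted level-1 group names (under
    top_group_base) reachable through 'member' links; groups in other branches
    are traversed as links only. A visited set makes cycles harmless."""
    parents = defaultdict(set)       # member dn -> groups listing it directly
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            parents[member].add(dn)
    result = {}
    for dn in entries:
        if not in_branch(dn, user_base):
            continue
        seen, stack, top = set(), [dn], set()
        while stack:
            node = stack.pop()
            for parent in parents.get(node, ()):
                if parent in seen:
                    continue
                seen.add(parent)
                if in_branch(parent, top_group_base):
                    top.add(rdn_value(parent))
                stack.append(parent)
        result[rdn_value(dn)] = sorted(top)
    return result


def resolve_sample():
    return resolve_memberships(parse_ldif(SAMPLE_LDIF),
                               "OU=People,DC=example,DC=org",
                               "OU=Roles,DC=example,DC=org")


if __name__ == "__main__":
    for user, groups in sorted(resolve_sample().items()):
        print(f"{user}: {', '.join(groups)}")
```

Only the branch of each DN decides whether a group is reported or merely followed, which matches the post's note that the two levels sit in different parts of the DIT; if the levels were mixed in one branch, a group attribute or naming rule would have to take over that role.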