Hello Juan, Thank you for your response. I am not sure that I understand what you mean. I believe LdapProvider is used for authentication and doesn't have much to do with group memberships and authorization.
Moncef

On Fri, 24 Jul 2020 at 16:55, Juan Pablo Gardella <[email protected]> wrote:

> Maybe that scenario is not supported, but you can start playing with that
> custom scenario. LDAP provider is configurable by XML
>
> <provider>
> <identifier>ldap-provider</identifier>
> <class>org.apache.nifi.ldap.LdapProvider</class>
>
> Juan
>
> On Fri, 24 Jul 2020 at 08:20, Moncef Abboud <[email protected]> wrote:
>
>> Hello fellow NiFi Users,
>>
>> I am trying to configure authorization using the LdapUserGroupProvider.
>> The documentation is clear: specify your "User Search Base" and "Group
>> Search Base" and define membership either using "User Group Name
>> Attribute" such as "memberOf" or the other way around using "Group Member
>> Attribute" such as "member". All that is clear and works perfectly, but my
>> problem is as follows:
>>
>> I have two levels of groups in my directory, e.g.
>>
>> GroupA contains Group1 and Group2
>> GroupB contains Group2 and Group3
>> GroupC contains Group1 and Group3
>>
>> Group1 contains User1 and User2
>> Group2 contains User1 and User3
>>
>> LDIF looks something like this:
>>
>> dn: CN=GroupA ....
>> member: CN=Group1 ..
>> member: CN=Group2 ..
>>
>> -----
>> dn: CN=Group1 ....
>> member: CN=User1 ..
>> member: CN=User2 ..
>> .
>> memberOf: CN=GroupA ...
>> memberOf: CN=GroupC ...
>>
>> ----
>>
>> dn: CN=User1 ....
>> memberOf: CN=Group1 ...
>> memberOf: CN=Group2 ...
>> ------
>>
>> No direct link between a user and a level 1 group (GroupA, GroupB ..).
>>
>> I would like to note that groups of level 1 (GroupA, GroupB ..) are not
>> in the same branch in the DIT as those of level 2 (Group1, Group2 ..).
>>
>> The requirement is that the groups used to manage authorization, and that
>> should show in the NiFi UI, are those of level 1 (GroupA, GroupB ..) and that
>> users should be assigned to the groups containing their direct groups; for
>> instance User1 (who is a direct member of Group1 and Group2) should be
>> displayed as a member of groups (GroupA, GroupB and GroupC). And level 2
>> groups (Group1, Group2 ..) must not show and must not be used directly in
>> the UI but only as a link between users and level 1 groups.
>>
>> So to sum up, NiFi should take into account only level 1 groups and handle
>> transitive memberships through level 2 groups.
>>
>> Thank you in advance for your answers.
>>
>> Best Regards,
>> Moncef
>>
> --
Moncef ABBOUD
