There are two different but related things...

LdapIdentityProvider for authentication.
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider

LdapUserGroupProvider for authorization.
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider

On Fri, Jul 24, 2020 at 11:03 AM Moncef Abboud <[email protected]> wrote:

> Hello Juan,
>
> Thank you for your response. I am not sure that I understand what you
> mean. I believe LdapProvider is used for authentication and doesn't have
> much to do with group memberships and authorization.
>
> Moncef
>
> On Fri, 24 Jul 2020 at 16:55, Juan Pablo Gardella <[email protected]> wrote:
>
>> Maybe that scenario is not supported, but you can start playing with that
>> custom scenario. LDAP provider is configurable by XML
>>
>> <provider>
>> <identifier>ldap-provider</identifier>
>> <class>org.apache.nifi.ldap.LdapProvider</class>
>>
>> Juan
>>
>> On Fri, 24 Jul 2020 at 08:20, Moncef Abboud <[email protected]> wrote:
>>
>>> Hello fellow NiFi Users,
>>>
>>> I am trying to configure authorization using the LdapUserGroupProvider.
>>> The documentation is clear: specify your "User Search Base" and "Group
>>> Search Base" and define membership either using "User Group Name
>>> Attribute" such as "memberOf" or the other way around using "Group Member
>>> Attribute" such as "member". All that is clear and works perfectly but my
>>> problem is as follows:
>>>
>>> I have two levels of groups in my directory e.g.
>>>
>>> GroupA contains Group1 and Group2
>>> GroupB contains Group2 and Group3
>>> GroupC contains Group1 and Group3
>>>
>>> Group1 contains User1 and User2
>>> Group2 contains User1 and User3
>>>
>>> LDIF looks something like this:
>>>
>>> dn: CN=GroupA ....
>>> member: CN=Group1 ..
>>> member: CN=Group2 ..
>>>
>>> -----
>>> dn: CN=Group1 ....
>>> member: CN=User1 ..
>>> member: CN=User2 ..
>>> memberOf: CN=GroupA ...
>>> memberOf: CN=GroupC ...
>>>
>>> ----
>>>
>>> dn: CN=User1 ....
>>> memberOf: CN=Group1 ...
>>> memberOf: CN=Group2 ...
>>> ------
>>>
>>> No direct link between a user and a level 1 group (GroupA, GroupB..)
>>>
>>> I would like to note that groups of level 1 (GroupA, GroupB ..) are not
>>> in the same branch in the DIT as those of level 2 (Group1, Group2 ..).
>>>
>>> The requirement is that the groups used to manage authorization and that
>>> should show in the NiFi UI are those of level 1 (GroupA, GroupB..) and that
>>> users should be assigned to the groups containing their direct groups; for
>>> instance User1 (who is a direct member of Group1 and Group2) should be
>>> displayed as a member of groups (GroupA, GroupB and GroupC). And level 2
>>> groups (Group1, Group2..) must not show and must not be used directly in
>>> the UI but only as a link between users and level 1 groups.
>>>
>>> So to sum up, NiFi should take into account only level 1 groups and
>>> handle transitive memberships through level 2 groups.
>>>
>>> Thank you in advance for your answers.
>>>
>>> Best Regards,
>>> Moncef
>>>
>>
>
> --
> Moncef ABBOUD
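The transitive resolution Moncef describes (users reached only through level 2 groups, reported under their level 1 groups), as an added example that is not part of this thread and not code from NiFi's LdapUserGroupProvider: a small Python script run over a constructed LDIF modelled on the entries quoted above. The base DN DC=example,DC=org, the OUs Roles (level 1 groups), Teams (level 2 groups) and People, and the extra User4 are assumptions made for the example. It goes a little beyond the two-level case in the question: it follows containment to any depth with a cycle guard, and it reads membership from either attribute direction, `member` on the group entry or `memberOf` on the member's entry, which correspond to the two NiFi settings the question names.

```python
"""Flatten nested LDAP group membership into level-1 groups (added example)."""
from collections import defaultdict

# Constructed sample directory, modelled on the thread's example.
# Base DN and OU names are assumptions for this example only.
SAMPLE_LDIF = """\
dn: CN=GroupA,OU=Roles,DC=example,DC=org
member: CN=Group1,OU=Teams,DC=example,DC=org
member: CN=Group2,OU=Teams,DC=example,DC=org

dn: CN=GroupB,OU=Roles,DC=example,DC=org
member: CN=Group2,OU=Teams,DC=example,DC=org
member: CN=Group3,OU=Teams,DC=example,DC=org

dn: CN=GroupC,OU=Roles,DC=example,DC=org
member: CN=Group1,OU=Teams,DC=example,DC=org
member: CN=Group3,OU=Teams,DC=example,DC=org

dn: CN=Group1,OU=Teams,DC=example,DC=org
member: CN=User1,OU=People,DC=example,DC=org
member: CN=User2,OU=People,DC=example,DC=org

dn: CN=Group2,OU=Teams,DC=example,DC=org
member: CN=User1,OU=People,DC=example,DC=org
member: CN=User3,OU=People,DC=example,DC=org

dn: CN=Group3,OU=Teams,DC=example,DC=org
description: membership is recorded on the member entry via memberOf

dn: CN=User4,OU=People,DC=example,DC=org
memberOf: CN=Group3,OU=Teams,DC=example,DC=org
"""


def _norm(dn):
    """Normalise a DN for comparison: DNs are case-insensitive and tolerate
    whitespace around the comma separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF parser for the 'attr: value' form used in the thread
    (no base64 values, no line continuation). Returns [(dn, {attr: [values]})]."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line.strip():
                continue
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                dn = value
            else:
                attrs[attr].append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def build_parent_map(entries):
    """Map each normalised DN to the groups that contain it directly, reading
    'member' on the group (NiFi's Group Member Attribute) and 'memberOf' on
    the member's own entry (NiFi's User Group Name Attribute)."""
    parents, display = defaultdict(set), {}
    for dn, attrs in entries:
        display[_norm(dn)] = dn
        for child in attrs.get("member", []):
            parents[_norm(child)].add(_norm(dn))
            display.setdefault(_norm(child), child)
        for group in attrs.get("memberof", []):
            parents[_norm(dn)].add(_norm(group))
            display.setdefault(_norm(group), group)
    return parents, display


def _under(ndn, base):
    return ndn.endswith("," + _norm(base))


def _cn(dn):
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def resolve_level1_groups(ldif_text, user_base, level1_base):
    """For each user under user_base, climb the containment graph through any
    number of intermediate groups and collect only the groups under
    level1_base. The visited set keeps the walk finite if groups form a cycle.
    Returns {user CN: sorted list of level-1 group CNs}."""
    parents, display = build_parent_map(parse_ldif(ldif_text))
    users = {ndn for ndn in display if _under(ndn, user_base)}
    result = {}
    for user in sorted(users):
        seen, stack, level1 = set(), [user], set()
        while stack:
            for parent in parents.get(stack.pop(), ()):
                if parent in seen:
                    continue
                seen.add(parent)
                if _under(parent, level1_base):
                    level1.add(_cn(display[parent]))
                stack.append(parent)  # keep climbing past level 2
        result[_cn(display[user])] = sorted(level1)
    return result


if __name__ == "__main__":
    flat = resolve_level1_groups(SAMPLE_LDIF, "OU=People,DC=example,DC=org",
                                 "OU=Roles,DC=example,DC=org")
    for user, groups in flat.items():
        print(f"{user}: {', '.join(groups) or '(no level-1 group)'}")
```

Running it reports User1 under GroupA, GroupB and GroupC, which is the view the question asks for, while Group1 and Group2 never appear in the output. The level 1 groups are identified purely by their search base, so the two DIT branches mentioned in the question are handled without any naming convention. This is the kind of flattening a sync job or a custom UserGroupProvider would have to precompute if the built-in provider only reads direct membership.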
