Thank you for your reply, Bryan. Yes, I understand that they are related. But I still don't see how to address my nested groups problem since the configuration properties only talk about direct relationships.
On Fri, 24 Jul 2020 at 17:08, Bryan Bende <[email protected]> wrote:

> There are two different but related things...
>
> LdapIdentityProvider for authentication.
>
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
>
> LdapUserGroupProvider for authorization.
>
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
>
> On Fri, Jul 24, 2020 at 11:03 AM Moncef Abboud <[email protected]> wrote:
>
>> Hello Juan,
>>
>> Thank you for your response. I am not sure that I understand what you mean. I believe LdapProvider is used for authentication and doesn't have much to do with group memberships and authorization.
>>
>> Moncef
>>
>> On Fri, 24 Jul 2020 at 16:55, Juan Pablo Gardella <[email protected]> wrote:
>>
>>> Maybe that scenario is not supported, but you can start playing with that custom scenario. LDAP provider is configurable by XML
>>>
>>> <provider>
>>> <identifier>*ldap-provider*</identifier>
>>> <class>org.apache.nifi.ldap.LdapProvider</class>
>>>
>>> Juan
>>>
>>> On Fri, 24 Jul 2020 at 08:20, Moncef Abboud <[email protected]> wrote:
>>>
>>>> Hello fellow NiFi Users,
>>>>
>>>> I am trying to configure authorization using the LdapUserGroupProvider. The documentation is clear: specify your "User Search Base" and "Group Search Base" and define membership either using "User Group Name Attribute" such as "memberOf" or the other way around using "Group Member Attribute" such as "member". All that is clear and works perfectly but my problem is as follows:
>>>>
>>>> I have two levels of groups in my directory e.g.
>>>>
>>>> GroupA contains Group1 and Group2
>>>> GroupB contains Group2 and Group3
>>>> GroupC contains Group1 and Group3
>>>>
>>>> Group1 contains User1 and User2
>>>> Group2 contains User1 and User3
>>>>
>>>> LDIF looks something like this:
>>>>
>>>> dn: CN=GroupA ....
>>>> member: CN= Group1 ..
>>>> member: CN= Group2 ..
>>>>
>>>> -----
>>>> dn: CN=Group1 ....
>>>> member: CN=User1 ..
>>>> member: CN=User2..
>>>> .
>>>> memberOf: CN=GroupA ...
>>>> memberOf: CN=GroupC ...
>>>>
>>>> ----
>>>>
>>>> dn: CN=User1....
>>>> memberOf: CN=Group1 ...
>>>> memberOf: CN=Group2 ...
>>>> ------
>>>>
>>>> No direct link between a user and a level 1 group (GroupA, GroupB..)
>>>>
>>>> I would like to note that groups of level 1 (GroupA, GroupB ..) are not in the same branch in the DIT as those of level 2 (Group1, Group2 ..).
>>>>
>>>> The requirement is that the groups used to manage authorization and that should show in the NIFI UI are those of level 1 (GroupA, GroupB..) and that users should be assigned to the groups containing their direct groups, for instance User1 (who is a direct member of Group1 and Group2) should be displayed as a member of groups (GroupA, GroupB and GroupC). And level 2 groups (Group1, Group2..) must not show and must not be used directly in the UI but only as a link between users and level 1 groups.
>>>>
>>>> So to sum up, NIFI should take into account only level 1 groups and handle transitive memberships through level 2 groups.
>>>>
>>>> Thank you in advance for your answers.
>>>>
>>>> Best Regards,
>>>> Moncef
>>>>
>>>
>>
>> --
>> Moncef ABBOUD
>>
>
--
Moncef ABBOUD
