I don't know how the NiFi LDAP provider works specifically, but a commercial
data virtualization app we use is able to import LDAP groups that contain
multiple levels of nested groups. Our LDAP groups have an owner, 1 or more
supervisors and 1 or more members.

The app can only see LDAP members, so the key for us was to point the config
settings to the correct spot within our LDAP forest. Initially we didn't point
it correctly and only saw first-level members; after a bit of trial and error
we finally got nested groups working, and we've tested down 5 levels of nesting.

Mike Sofen


From: Jens M. Kofoed <[email protected]> 
Sent: Friday, July 24, 2020 9:42 AM
To: [email protected]
Subject: Re: Nested groups for LdapUserGroupProvider

Hi

From my knowledge and playing with LDAP and NiFi: NiFi "imports" users and
groups into NiFi, and NiFi does not support groups in groups.

In my setup it looks like it imports groups first. Next it imports users. If a
user is memberOf an imported group it will be connected to the group in NiFi.

Regards

Jens


Den 24. jul. 2020 kl. 17.41 skrev Bryan Bende <[email protected] 
<mailto:[email protected]> >:

From my limited knowledge of how the LDAP providers work, I'm not aware of
anything that would handle transitive group membership, but others may know
more.


On Fri, Jul 24, 2020 at 11:18 AM Moncef Abboud <[email protected] 
<mailto:[email protected]> > wrote:

Thank you for your reply, Bryan.

Yes, I understand that they are related. But I still don't see how to address
my nested groups problem, since the configuration properties only talk about
direct relationships.


Le ven. 24 juil. 2020 à 17:08, Bryan Bende <[email protected] 
<mailto:[email protected]> > a écrit :

There are two different but related things...

LdapIdentityProvider for authentication:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider

LdapUserGroupProvider for authorization:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider


On Fri, Jul 24, 2020 at 11:03 AM Moncef Abboud <[email protected] 
<mailto:[email protected]> > wrote:

Hello Juan,

Thank you for your response. I am not sure that I understand what you mean. I
believe LdapProvider is used for authentication and doesn't have much to do
with group memberships and authorization.

Moncef


Le ven. 24 juil. 2020 à 16:55, Juan Pablo Gardella <[email protected] 
<mailto:[email protected]> > a écrit :

Maybe that scenario is not supported, but you can start playing with that
custom scenario. The LDAP provider is configurable by XML:

<provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <!-- property elements omitted -->
</provider>

Juan


On Fri, 24 Jul 2020 at 08:20, Moncef Abboud <[email protected] 
<mailto:[email protected]> > wrote:

Hello fellow NiFi Users,

I am trying to configure authorization using the LdapUserGroupProvider. The
documentation is clear: specify your "User Search Base" and "Group Search
Base" and define membership either using "User Group Name Attribute" such as
"memberOf" or the other way around using "Group Member Attribute" such as
"member". All that is clear and works perfectly, but my problem is as follows:

I have two levels of groups in my directory, e.g.

GroupA contains Group1 and Group2

GroupB contains Group2 and Group3

GroupC contains Group1 and Group3

Group1 contains User1 and User2

Group2 contains User1 and User3


The LDIF looks something like this:

dn: CN=GroupA ....
member: CN=Group1 ..
member: CN=Group2 ..
-----
dn: CN=Group1 ....
member: CN=User1 ..
member: CN=User2 ..
memberOf: CN=GroupA ...
memberOf: CN=GroupC ...
----
dn: CN=User1....
memberOf: CN=Group1 ...
memberOf: CN=Group2 ...
------

 

There is no direct link between a user and a level 1 group (GroupA, GroupB..).

I would like to note that groups of level 1 (GroupA, GroupB ..) are not in the
same branch in the DIT as those of level 2 (Group1, Group2 ..).

The requirement is that the groups used to manage authorization, and that should
show in the NiFi UI, are those of level 1 (GroupA, GroupB..), and that users
should be assigned to the groups containing their direct groups. For instance,
User1 (who is a direct member of Group1 and Group2) should be displayed as a
member of GroupA, GroupB and GroupC. Level 2 groups (Group1, Group2..) must not
show and must not be used directly in the UI, but only as the link between users
and level 1 groups.

So to sum up, NiFi should take into account only level 1 groups and handle
transitive memberships through level 2 groups.

Thank you in advance for your answers.

Best Regards,

Moncef



-- 

Moncef  ABBOUD
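As an added illustration (not code from this thread or from NiFi itself), the following resolves the transitive memberships Moncef describes by inverting the `member` attribute into a parent index and walking it upward from each user, keeping only groups under the level 1 branch. The DNs, OU names (`OU=Roles`, `OU=Teams`, `OU=People`) and Group3's membership are constructed to mirror the thread's example; the visited set also makes the walk safe against cyclic nesting, which the thread does not have.

```python
from collections import defaultdict, deque

# Constructed sample directory mirroring the thread: level 1 groups live under
# OU=Roles, level 2 groups under OU=Teams, i.e. in different DIT branches.
ROLES = "OU=Roles,DC=example,DC=org"
TEAMS = "OU=Teams,DC=example,DC=org"
PEOPLE = "OU=People,DC=example,DC=org"

def dn(name, base):
    return f"CN={name},{base}"

# group DN -> direct "member" values (Group3's members are not given in the
# thread; it is left empty here).
GROUPS = {
    dn("GroupA", ROLES): [dn("Group1", TEAMS), dn("Group2", TEAMS)],
    dn("GroupB", ROLES): [dn("Group2", TEAMS), dn("Group3", TEAMS)],
    dn("GroupC", ROLES): [dn("Group1", TEAMS), dn("Group3", TEAMS)],
    dn("Group1", TEAMS): [dn("User1", PEOPLE), dn("User2", PEOPLE)],
    dn("Group2", TEAMS): [dn("User1", PEOPLE), dn("User3", PEOPLE)],
    dn("Group3", TEAMS): [],
}

def parents_index(groups):
    """Invert 'member' into child DN -> {direct parent group DNs} (the memberOf view)."""
    parents = defaultdict(set)
    for group_dn, members in groups.items():
        for member_dn in members:
            parents[member_dn].add(group_dn)
    return parents

def effective_groups(user_dn, parents, top_level_base):
    """Climb memberOf links from a user and return only groups under top_level_base.
    Intermediate (level 2) groups are traversed but never reported; the visited
    set guarantees termination even if groups nest cyclically."""
    seen, queue, result = set(), deque([user_dn]), set()
    while queue:
        for parent in parents.get(queue.popleft(), ()):
            if parent in seen:
                continue
            seen.add(parent)
            if parent.endswith("," + top_level_base):
                result.add(parent)
            queue.append(parent)  # keep climbing through nested groups
    return result

def flatten_for_authorizer(groups, top_level_base):
    """Level 1 group DN -> set of user DNs: the view the thread wants NiFi to show."""
    parents = parents_index(groups)
    users = {m for members in groups.values() for m in members if m not in groups}
    flat = defaultdict(set)
    for user in users:
        for group in effective_groups(user, parents, top_level_base):
            flat[group].add(user)
    return dict(flat)
```

Running `flatten_for_authorizer(GROUPS, ROLES)` yields only GroupA, GroupB and GroupC as keys, with User1 appearing under all three.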
