Jens, thank you for your reply. That's my understanding as well and I am looking for a way around it.
Mike, thank you. Do you believe that the commercial app (can you provide the name if possible?) uses NiFi's LdapUserGroupProvider or it has its own implementation? NB: I am looking into LDAP_MATCHING_RULE_IN_CHAIN which allows retrieval of nested hierarchies (e.g. members of all subgroups of a group) but I am not sure it can help. Open to any suggestion. Thank you all.

On Fri, 24 Jul 2020 at 21:25, Mike Sofen <[email protected]> wrote:

> I don't know how the nifi LDAP provider works specifically, but a commercial data virtualization app we use is able to import LDAP groups that contain multiple levels of nested groups. Our LDAP groups have an owner, 1 or more supervisors and 1 or more members.
>
> The app can only see LDAP members, so the key for us was to point the config settings to the correct spot within our LDAP forest…initially we didn't point it correctly and only saw first-level members, after a bit of trial and error, finally got nested groups working, and we've tested down 5 levels of nesting.
>
> Mike Sofen
>
> From: Jens M. Kofoed <[email protected]>
> Sent: Friday, July 24, 2020 9:42 AM
> To: [email protected]
> Subject: Re: Nested groups for LdapUserGroupProvider
>
> Hi
>
> From my knowledge and playing with ldap and nifi. Nifi "imports" users and groups into nifi and nifi does not support groups in groups.
> In my setup it looks like it imports groups first. Next it imports users. If a user is memberOf an imported group it will be connected to the group in nifi.
>
> Regards
> Jens
>
> On 24 Jul 2020 at 17:41, Bryan Bende <[email protected]> wrote:
>
> From my limited knowledge of how the LDAP providers work, I'm not aware of anything that would handle transitive group membership, but others may know more.
>
> On Fri, Jul 24, 2020 at 11:18 AM Moncef Abboud <[email protected]> wrote:
>
> Thank you for your reply Bryan.
>
> Yes, I understand that they are related. But I still don't see how to address my nested groups problem since the configuration properties only talk about direct relationships.
>
> On Fri, 24 Jul 2020 at 17:08, Bryan Bende <[email protected]> wrote:
>
> There are two different but related things...
>
> LdapIdentityProvider for authentication.
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
>
> LdapUserGroupProvider for authorization.
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
>
> On Fri, Jul 24, 2020 at 11:03 AM Moncef Abboud <[email protected]> wrote:
>
> Hello Juan,
>
> Thank you for your response. I am not sure that I understand what you mean. I believe LdapProvider is used for authentication and doesn't have much to do with group memberships and authorization.
>
> Moncef
>
> On Fri, 24 Jul 2020 at 16:55, Juan Pablo Gardella <[email protected]> wrote:
>
> Maybe that scenario is not supported, but you can start playing with that custom scenario. LDAP provider is configurable by XML
>
> <provider>
> <identifier>ldap-provider</identifier>
> <class>org.apache.nifi.ldap.LdapProvider</class>
>
> Juan
>
> On Fri, 24 Jul 2020 at 08:20, Moncef Abboud <[email protected]> wrote:
>
> Hello fellow NiFi Users,
>
> I am trying to configure authorization using the LdapUserGroupProvider. The documentation is clear: specify your "User Search Base" and "Group Search Base" and define membership either using "User Group Name Attribute" such as "memberOf" or the other way around using "Group Member Attribute" such as "member". All that is clear and works perfectly but my problem is as follows:
>
> I have two levels of groups in my directory e.g.
>
> GroupA contains Group1 and Group2
> GroupB contains Group2 and Group3
> GroupC contains Group1 and Group3
>
> Group1 contains User1 and User2
> Group2 contains User1 and User3
>
> LDIF looks something like this:
>
> dn: CN=GroupA ....
> member: CN= Group1 ..
> member: CN= Group2 ..
>
> -----
>
> dn: CN=Group1 ....
> member: CN=User1 ..
> member: CN=User2..
> .
> memberOf: CN=GroupA ...
> memberOf: CN=GroupC ...
>
> ----
>
> dn: CN=User1....
> memberOf: CN=Group1 ...
> memberOf: CN=Group2 ...
>
> ------
>
> No direct link between a user and a level 1 group (GroupA, GroupB..)
>
> I would like to note that groups of level 1 (GroupA, GroupB ..) are not in the same branch in the DIT as those of level 2 (Group1, Group2 ..).
>
> The requirement is that the groups used to manage authorization and that should show in the NIFI UI are those of level 1 (GroupA, GroupB..) and that users should be assigned to the groups containing their direct groups, for instance User1 (who is a direct member of Group1 and Group2) should be displayed as a member of groups (GroupA, GroupB and GroupC). And level 2 groups (Group1, Group2..) must not show and must not be used directly in the UI but only as link between users and level 1 groups.
>
> So to sum up, NIFI should take into account only level1 groups and handle transitive memberships through level2 groups.
>
> Thank you in advance for your answers.
>
> Best Regards,
> Moncef
>
> --
> Moncef ABBOUD

--
Moncef ABBOUD
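Resolving the transitive memberships the original post asks for, as an added example (not NiFi's LdapUserGroupProvider code nor anything posted in the thread): it parses a constructed LDIF mirroring the GroupA/Group1/User1 layout above, inverts the groups' member attributes, and climbs the resulting memberOf chains, reporting only groups under the level-1 search base while using level-2 groups purely as links. The DNs, the OU names Level1/Level2/Users and the function names are assumptions.

```python
# Added example, not NiFi's own code; LDIF constructed from the thread, DNs/OUs assumed.
from collections import defaultdict

LDIF = """\
dn: CN=GroupA,OU=Level1,DC=example
member: CN=Group1,OU=Level2,DC=example
member: CN=Group2,OU=Level2,DC=example

dn: CN=GroupB,OU=Level1,DC=example
member: CN=Group2,OU=Level2,DC=example
member: CN=Group3,OU=Level2,DC=example

dn: CN=GroupC,OU=Level1,DC=example
member: CN=Group1,OU=Level2,DC=example
member: CN=Group3,OU=Level2,DC=example

dn: CN=Group1,OU=Level2,DC=example
member: CN=User1,OU=Users,DC=example
member: CN=User2,OU=Users,DC=example

dn: CN=Group2,OU=Level2,DC=example
member: CN=User1,OU=Users,DC=example
member: CN=User3,OU=Users,DC=example
"""
LEVEL1 = "OU=Level1,DC=example"  # the "Group Search Base" NiFi would be given

def parse_ldif(text):
    """Invert each group entry's member attribute into {dn: {group_dn, ...}}."""
    parents, dn = defaultdict(set), None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("member: ") and dn:
            parents[line[8:]].add(dn)
    return parents

def direct_groups(parents, user_dn, base=LEVEL1):
    return {g for g in parents.get(user_dn, ()) if g.endswith(base)}  # direct only

def transitive_groups(parents, user_dn, base=LEVEL1):
    """Climb memberOf chains (cycle-safe); report only groups under `base`."""
    seen, stack, result = set(), [user_dn], set()
    while stack:
        for g in parents.get(stack.pop(), set()) - seen:
            seen.add(g)
            if g.endswith(base):
                result.add(g)  # level-1 group: what the UI should show
            else:
                stack.append(g)  # level-2 group: only a link, keep climbing
    return result
```

With the level-1 base configured, direct resolution yields no groups at all for any user, which is the gap described in the post; the transitive walk gives User1 GroupA, GroupB and GroupC.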
