Hi

I have been looking through the source code for LdapUserGroupProvider in NiFi: https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java

From what I can read, it does not search in nested groups. So nested groups are not implemented in NiFi.

Regards
Jens

On Sat, 25 Jul 2020 at 10:37, Moncef Abboud <[email protected]> wrote:

> Jens, thank you for your reply. That's my understanding as well and I am looking for a way around it.
>
> Mike, thank you. Do you believe that the commercial app (can you provide the name if possible?) uses NiFi's LdapUserGroupProvider or has its own implementation?
>
> NB: I am looking into LDAP_MATCHING_RULE_IN_CHAIN, which allows retrieval of nested hierarchies (e.g. members of all subgroups of a group), but I am not sure it can help.
>
> Open to any suggestion.
>
> Thank you all.
>
> On Fri, 24 Jul 2020 at 21:25, Mike Sofen <[email protected]> wrote:
>
>> I don't know how the NiFi LDAP provider works specifically, but a commercial data virtualization app we use is able to import LDAP groups that contain multiple levels of nested groups. Our LDAP groups have an owner, 1 or more supervisors and 1 or more members.
>>
>> The app can only see LDAP members, so the key for us was to point the config settings to the correct spot within our LDAP forest. Initially we didn't point it correctly and only saw first-level members; after a bit of trial and error we finally got nested groups working, and we've tested down 5 levels of nesting.
>>
>> Mike Sofen
>>
>> From: Jens M. Kofoed <[email protected]>
>> Sent: Friday, July 24, 2020 9:42 AM
>> To: [email protected]
>> Subject: Re: Nested groups for LdapUserGroupProvider
>>
>> Hi
>>
>> From my knowledge and playing with LDAP and NiFi: NiFi "imports" users and groups into NiFi, and NiFi does not support groups in groups.
>>
>> In my setup it looks like it imports groups first. Next it imports users. If a user is memberOf an imported group it will be connected to the group in NiFi.
>>
>> Regards
>> Jens
>>
>> On 24 Jul 2020 at 17:41, Bryan Bende <[email protected]> wrote:
>>
>> From my limited knowledge of how the LDAP providers work, I'm not aware of anything that would handle transitive group membership, but others may know more.
>>
>> On Fri, Jul 24, 2020 at 11:18 AM Moncef Abboud <[email protected]> wrote:
>>
>> Thank you for your reply Bryan.
>>
>> Yes, I understand that they are related. But I still don't see how to address my nested groups problem, since the configuration properties only talk about direct relationships.
>>
>> On Fri, 24 Jul 2020 at 17:08, Bryan Bende <[email protected]> wrote:
>>
>> There are two different but related things...
>>
>> LdapIdentityProvider for authentication.
>>
>> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
>>
>> LdapUserGroupProvider for authorization.
>>
>> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
>>
>> On Fri, Jul 24, 2020 at 11:03 AM Moncef Abboud <[email protected]> wrote:
>>
>> Hello Juan,
>>
>> Thank you for your response. I am not sure that I understand what you mean. I believe LdapProvider is used for authentication and doesn't have much to do with group memberships and authorization.
>>
>> Moncef
>>
>> On Fri, 24 Jul 2020 at 16:55, Juan Pablo Gardella <[email protected]> wrote:
>>
>> Maybe that scenario is not supported, but you can start playing with that custom scenario. The LDAP provider is configurable by XML:
>>
>> <provider>
>>     <identifier>ldap-provider</identifier>
>>     <class>org.apache.nifi.ldap.LdapProvider</class>
>>
>> Juan
>>
>> On Fri, 24 Jul 2020 at 08:20, Moncef Abboud <[email protected]> wrote:
>>
>> Hello fellow NiFi Users,
>>
>> I am trying to configure authorization using the LdapUserGroupProvider. The documentation is clear: specify your "User Search Base" and "Group Search Base" and define membership either using "User Group Name Attribute" such as "memberOf" or the other way around using "Group Member Attribute" such as "member". All that is clear and works perfectly, but my problem is as follows:
>>
>> I have two levels of groups in my directory, e.g.
>>
>> GroupA contains Group1 and Group2
>> GroupB contains Group2 and Group3
>> GroupC contains Group1 and Group3
>>
>> Group1 contains User1 and User2
>> Group2 contains User1 and User3
>>
>> LDIF looks something like this:
>>
>> dn: CN=GroupA ....
>> member: CN=Group1 ..
>> member: CN=Group2 ..
>>
>> -----
>>
>> dn: CN=Group1 ....
>> member: CN=User1 ..
>> member: CN=User2 ..
>> .
>> memberOf: CN=GroupA ...
>> memberOf: CN=GroupC ...
>>
>> ----
>>
>> dn: CN=User1 ....
>> memberOf: CN=Group1 ...
>> memberOf: CN=Group2 ...
>>
>> ------
>>
>> No direct link between a user and a level 1 group (GroupA, GroupB ..)
>>
>> I would like to note that groups of level 1 (GroupA, GroupB ..) are not in the same branch in the DIT as those of level 2 (Group1, Group2 ..).
>>
>> The requirement is that the groups used to manage authorization and that should show in the NiFi UI are those of level 1 (GroupA, GroupB ..), and that users should be assigned to the groups containing their direct groups; for instance User1 (who is a direct member of Group1 and Group2) should be displayed as a member of groups GroupA, GroupB and GroupC. And level 2 groups (Group1, Group2 ..) must not show and must not be used directly in the UI, but only as a link between users and level 1 groups.
>>
>> So to sum up, NiFi should take into account only level 1 groups and handle transitive memberships through level 2 groups.
>>
>> Thank you in advance for your answers.
>>
>> Best Regards,
>> Moncef
>>
>> --
>> Moncef ABBOUD
>>
>> --
>> Moncef ABBOUD
>
> --
> Moncef ABBOUD
