Hello Jens,

Thank you for your thorough response and the time you took to explore the issue.

I have looked into a solution similar to what you suggested. But, unfortunately, LDAP doesn't support wildcard searches on DN attributes [1]. And in my specific case, groups can evolve (new ones, deleted ones ...), so I cannot specify them all in advance in the configuration. One solution is to use the LDAP_MATCHING_RULE_IN_CHAIN [2], but we need to specify a single ancestry group (not a wildcard) to chain with, which is a parent to all the targeted groups. I am looking into that. I will keep you posted.

Thank you again for your help and have an excellent week.

[1] https://stackoverflow.com/questions/28975894/ldap-search-wildcards-in-memberof/28984362
[2] https://ldapwiki.com/wiki/LDAP_MATCHING_RULE_IN_CHAIN

Best regards,
Moncef

On Sun, 26 Jul 2020 at 14:26, Jens M. Kofoed <[email protected]> wrote:
> Dear Moncef
>
> I don't know if I have understood correctly what you would like to achieve. But I will try:
> What I understood is you have the following groups and users:
> Group A:
> member: Group 1
> member: Group 2
> Group B:
> member: Group 2
> member: Group 3
> Group C:
> member: Group 1
> member: Group 3
> Group 1:
> member: User1
> member: User2
> Group 2:
> member: User1
> member: User3
> Group 3:
>
> As I understand you would like NIFI to connect User1 and User3 to Group A via nested groups.
> From my knowledge NIFI is only able to connect users to groups via direct attributes. If you do not have any attributes which can give you this direct connection NIFI can not help you.
> I have been reading different sites about ldap implementations. There are many sites talking about nested groups in search filters, but this does not help since this is not a filter but a question about which attributes can connect a group to the user or vice versa.
>
> You have 2 options in NIFI to connect users and groups together. Either you read an attribute at a user (User Group Name Attribute) where the value should match a value in a group (User Group Name Attribute - Referenced Group Attribute) or you read an attribute at a group (Group Member Attribute) where the value should match the corresponding value at a user (Group Member Attribute - Referenced User Attribute).
> In Microsoft AD the attribute memberOf is automatically/dynamically calculated all the time. I found one site mentioning that there should be another attribute which includes nested groups. If this is true you might be able to use that field to accomplish your needs.
>
> In my own use of ldap in NIFI I have created new groups for each cluster, something like this:
> ou=cluster01,ou=nifi,dc=domain,dc=com
> cn=admins,ou=cluster01,ou=nifi,dc=domain,dc=com
> cn=dfm,ou=cluster01,ou=nifi,dc=domain,dc=com
> cn=operators,ou=cluster01,ou=nifi,dc=domain,dc=com
> cn=teamA,ou=cluster01,ou=nifi,dc=domain,dc=com
> cn=teamB,ou=cluster01,ou=nifi,dc=domain,dc=com
>
> ou=cluster02,ou=nifi,dc=domain,dc=com
> cn=admins,ou=cluster02,ou=nifi,dc=domain,dc=com
> cn=dfm,ou=cluster02,ou=nifi,dc=domain,dc=com
> cn=operators,ou=cluster02,ou=nifi,dc=domain,dc=com
> cn=teamA,ou=cluster02,ou=nifi,dc=domain,dc=com
> cn=teamB,ou=cluster02,ou=nifi,dc=domain,dc=com
>
> In my "User Search Filter" I have something like this:
> (memberOf:cn=*,ou=cluster01,ou=nifi,dc=domain,dc=com) or
> (|(memberOf:cn=admins,ou=cluster01,ou=nifi,dc=domain,dc=com)(cn=dfm,ou=cluster01,ou=nifi,dc=domain,dc=com))
>
> "User Identity Attribute"= sAMAccountName
> "User Group Name Attribute"=memberOf
>
> If you find out how to connect users via nested groups I would very much like to know.
> regards
> Jens
>
> On Sat, 25 Jul 2020 at 21:47, Moncef Abboud <[email protected]> wrote:
>> Thank you for your reply Jens.
>>
>> Thank you for taking the time to look up the code and look through it.
>>
>> May I ask you for the way you would proceed if you had to solve that problem?
>>
>> Best regards,
>> Moncef
>>
>> On Sat, 25 Jul 2020 at 13:23, Jens M. Kofoed <[email protected]> wrote:
>>> Hi
>>>
>>> I have been looking through the source code for LdapUserGroupProvider in nifi:
>>> https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java
>>>
>>> From what I can read, it does not search in nested groups. So nested groups are not implemented in nifi.
>>>
>>> regards
>>> Jens
>>>
>>> On Sat, 25 Jul 2020 at 10:37, Moncef Abboud <[email protected]> wrote:
>>>> Jens, thank you for your reply. That's my understanding as well and I am looking for a way around it.
>>>>
>>>> Mike, thank you. Do you believe that the commercial app (can you provide the name if possible?) uses NiFi's LdapUserGroupProvider or has its own implementation?
>>>>
>>>> NB: I am looking into LDAP_MATCHING_RULE_IN_CHAIN which allows retrieval of nested hierarchies (e.g. members of all subgroups of a group) but I am not sure it can help.
>>>>
>>>> Open to any suggestion.
>>>>
>>>> Thank you all.
>>>>
>>>> On Fri, 24 Jul 2020 at 21:25, Mike Sofen <[email protected]> wrote:
>>>>> I don't know how the nifi LDAP provider works specifically, but a commercial data virtualization app we use is able to import LDAP groups that contain multiple levels of nested groups. Our LDAP groups have an owner, 1 or more supervisors and 1 or more members.
>>>>>
>>>>> The app can only see LDAP members, so the key for us was to point the config settings to the correct spot within our LDAP forest… initially we didn't point it correctly and only saw first-level members; after a bit of trial and error, we finally got nested groups working, and we've tested down 5 levels of nesting.
>>>>>
>>>>> Mike Sofen
>>>>>
>>>>> *From:* Jens M. Kofoed <[email protected]>
>>>>> *Sent:* Friday, July 24, 2020 9:42 AM
>>>>> *To:* [email protected]
>>>>> *Subject:* Re: Nested groups for LdapUserGroupProvider
>>>>>
>>>>> Hi
>>>>>
>>>>> From my knowledge and playing with ldap and nifi: Nifi "imports" users and groups into nifi, and nifi does not support groups in groups.
>>>>> In my setup it looks like it imports groups first. Next it imports users. If a user is memberOf an imported group it will be connected to the group in nifi.
>>>>>
>>>>> Regards
>>>>> Jens
>>>>>
>>>>> On 24 Jul 2020 at 17:41, Bryan Bende <[email protected]> wrote:
>>>>>
>>>>> From my limited knowledge of how the LDAP providers work, I'm not aware of anything that would handle transitive group membership, but others may know more.
>>>>>
>>>>> On Fri, Jul 24, 2020 at 11:18 AM Moncef Abboud <[email protected]> wrote:
>>>>>
>>>>> Thank you for your reply Bryan.
>>>>>
>>>>> Yes, I understand that they are related. But I still don't see how to address my nested groups problem since the configuration properties only talk about direct relationships.
>>>>>
>>>>> On Fri, 24 Jul 2020 at 17:08, Bryan Bende <[email protected]> wrote:
>>>>>
>>>>> There are two different but related things...
>>>>>
>>>>> LdapIdentityProvider for authentication.
>>>>> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
>>>>>
>>>>> LdapUserGroupProvider for authorization.
>>>>> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
>>>>>
>>>>> On Fri, Jul 24, 2020 at 11:03 AM Moncef Abboud <[email protected]> wrote:
>>>>>
>>>>> Hello Juan,
>>>>>
>>>>> Thank you for your response. I am not sure that I understand what you mean. I believe LdapProvider is used for authentication and doesn't have much to do with group memberships and authorization.
>>>>>
>>>>> Moncef
>>>>>
>>>>> On Fri, 24 Jul 2020 at 16:55, Juan Pablo Gardella <[email protected]> wrote:
>>>>>
>>>>> Maybe that scenario is not supported, but you can start playing with that custom scenario. LDAP provider is configurable by XML
>>>>>
>>>>> <provider>
>>>>> <identifier>*ldap-provider*</identifier>
>>>>> <class>org.apache.nifi.ldap.LdapProvider</class>
>>>>>
>>>>> Juan
>>>>>
>>>>> On Fri, 24 Jul 2020 at 08:20, Moncef Abboud <[email protected]> wrote:
>>>>>
>>>>> Hello fellow NiFi Users,
>>>>>
>>>>> I am trying to configure authorization using the LdapUserGroupProvider. The documentation is clear: specify your "User Search Base" and "Group Search Base" and define membership either using "User Group Name Attribute" such as "memberOf" or the other way around using "Group Member Attribute" such as "member". All that is clear and works perfectly, but my problem is as follows:
>>>>>
>>>>> I have two levels of groups in my directory, e.g.
>>>>>
>>>>> GroupA contains Group1 and Group2
>>>>> GroupB contains Group2 and Group3
>>>>> GroupC contains Group1 and Group3
>>>>>
>>>>> Group1 contains User1 and User2
>>>>> Group2 contains User1 and User3
>>>>>
>>>>> LDIF looks something like this:
>>>>>
>>>>> dn: CN=GroupA ....
>>>>> member: CN= Group1 ..
>>>>> member: CN= Group2 ..
>>>>>
>>>>> -----
>>>>>
>>>>> dn: CN=Group1 ....
>>>>> member: CN=User1 ..
>>>>> member: CN=User2..
>>>>> .
>>>>> memberOf: CN=GroupA ...
>>>>> memberOf: CN=GroupC ...
>>>>>
>>>>> ----
>>>>>
>>>>> dn: CN=User1....
>>>>> memberOf: CN=Group1 ...
>>>>> memberOf: CN=Group2 ...
>>>>>
>>>>> ------
>>>>>
>>>>> No direct link between a user and a level 1 group (GroupA, GroupB..)
>>>>>
>>>>> I would like to note that groups of level 1 (GroupA, GroupB ..) are not in the same branch in the DIT as those of level 2 (Group1, Group2 ..).
>>>>>
>>>>> The requirement is that the groups used to manage authorization, and that should show in the NIFI UI, are those of level 1 (GroupA, GroupB..), and that users should be assigned to the groups containing their direct groups; for instance User1 (who is a direct member of Group1 and Group2) should be displayed as a member of groups (GroupA, GroupB and GroupC). And level 2 groups (Group1, Group2..) must not show and must not be used directly in the UI but only as a link between users and level 1 groups.
>>>>>
>>>>> So to sum up, NIFI should take into account only level1 groups and handle transitive memberships through level2 groups.
>>>>>
>>>>> Thank you in advance for your answers.
>>>>>
>>>>> Best Regards,
>>>>> Moncef
>>>>>
>>>>> --
>>>>> Moncef ABBOUD
>>>>>
>>>>> --
>>>>> Moncef ABBOUD
>>>>
>>>> --
>>>> Moncef ABBOUD
>>
>> --
>> Moncef ABBOUD

--
Moncef ABBOUD
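The thread above turns on two points: NiFi's LdapUserGroupProvider only follows direct `member`/`memberOf` links, and Active Directory's LDAP_MATCHING_RULE_IN_CHAIN can make the directory follow nested links server-side, but only from one named ancestor group. The script below is an added example written for this page; it is not NiFi code and not code from any of the posters. It builds a small directory from a constructed LDIF fragment modelled on Moncef's description (GroupA, GroupB, GroupC contain Group1, Group2, Group3, which contain users), computes which level-1 groups each user reaches through nested groups (the result Moncef wants NiFi to show), and emits the in-chain "User Search Filter" for a chosen ancestor. The DNs, the `OU=level1`/`OU=level2`/`OU=people` containers and `DC=example,DC=com` are assumptions; the matching-rule OID is the documented AD value. Resolving effective membership offline like this is a useful check before trusting what an authorizer displays, since a nested group that is silently dropped means a user has fewer rights than intended, and one that is silently added means more.

```python
"""Resolve transitive LDAP group membership offline (added example, not NiFi code).

Parses a constructed LDIF fragment, walks `member` links upward to find every
group a user belongs to through nesting, keeps the groups under an assumed
level-1 base, and builds the AD LDAP_MATCHING_RULE_IN_CHAIN user filter.
"""
from collections import defaultdict

# Constructed sample directory modelled on the thread; all DNs are assumptions.
SAMPLE_LDIF = """\
dn: CN=GroupA,OU=level1,DC=example,DC=com
member: CN=Group1,OU=level2,DC=example,DC=com
member: CN=Group2,OU=level2,DC=example,DC=com

dn: CN=GroupB,OU=level1,DC=example,DC=com
member: CN=Group2,OU=level2,DC=example,DC=com
member: CN=Group3,OU=level2,DC=example,DC=com

dn: CN=GroupC,OU=level1,DC=example,DC=com
member: CN=Group1,OU=level2,DC=example,DC=com
member: CN=Group3,OU=level2,DC=example,DC=com

dn: CN=Group1,OU=level2,DC=example,DC=com
member: CN=User1,OU=people,DC=example,DC=com
member: CN=User2,OU=people,DC=example,DC=com

dn: CN=Group2,OU=level2,DC=example,DC=com
member: CN=User1,OU=people,DC=example,DC=com
member: CN=User3,OU=people,DC=example,DC=com

dn: CN=Group3,OU=level2,DC=example,DC=com
"""

# Active Directory extensible matching rule that makes a memberOf/member
# comparison follow nested group links (the rule the thread names).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}. Records are blank-line separated;
    base64 ('::') values and continuation lines are not handled."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def parents_of(entries):
    """Invert `member` links: lower-cased child DN -> set of group DNs listing it."""
    parents = defaultdict(set)
    for group_dn, attrs in entries.items():
        for child in attrs.get("member", []):
            parents[child.lower()].add(group_dn)
    return parents


def transitive_groups(entries, member_dn):
    """Every group reachable from member_dn by following `member` links upward.
    The visited set keeps the walk finite even if the directory has a cycle."""
    parents = parents_of(entries)
    seen, stack = set(), [member_dn.lower()]
    while stack:
        for group_dn in parents.get(stack.pop(), ()):
            if group_dn.lower() not in seen:
                seen.add(group_dn.lower())
                stack.append(group_dn.lower())
    return {dn for dn in entries if dn.lower() in seen}


def groups_under_base(group_dns, base):
    """Keep only groups whose DN sits under `base` (here: the level-1 OU)."""
    suffix = "," + base.lower()
    return sorted(dn for dn in group_dns if dn.lower().endswith(suffix))


def in_chain_user_filter(ancestor_group_dn):
    """User Search Filter matching users nested at any depth under one ancestor
    group; AD evaluates the chain, so no wildcard DN is needed (AD only)."""
    return f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={ancestor_group_dn})"


def level1_memberships(ldif_text, level1_base):
    """Map each user DN to the sorted level-1 groups it reaches via nesting."""
    entries = parse_ldif(ldif_text)
    groups = set(entries)
    # Members that are not themselves group entries are treated as users.
    users = {m for a in entries.values() for m in a.get("member", [])} - groups
    return {u: groups_under_base(transitive_groups(entries, u), level1_base)
            for u in sorted(users)}


if __name__ == "__main__":
    base = "OU=level1,DC=example,DC=com"
    for user, groups in level1_memberships(SAMPLE_LDIF, base).items():
        print(user, "->", groups)
    print(in_chain_user_filter("CN=GroupA," + base))
```

Two design notes. The walk follows `member` from group to child rather than `memberOf` from the user, because `memberOf` is a server-maintained back-link in AD and may be absent or stale in other directories, while `member` is the authoritative attribute. And the in-chain filter does what Moncef describes: it resolves nesting, but only beneath the single ancestor you name, so it cannot replace a wildcard over an evolving set of top-level groups.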
