Hello Gaston,

I see that you are using a wildcard in the "User Search Filter" property.
AD doesn't support wildcards on "member" and "memberof" attributes and thus
the ldap request to fetch users is returning an empty set.

Hope this helps. Good luck.

Moncef.

On Fri, 12 Feb 2021 at 18:35, Mr. Spock <[email protected]> wrote:

> Hi all!
> My name is Gaston and I'm a nifi newbie :)
> I'm trying to configure my nifi instance to authenticate users via ldap
> (MS AD) group membership.
> I've already secured my nifi instance. Also the authentication config is
> working, but only synchronizes LDAP groups.
> I've searched a lot, but still don't find where my error is. (I'm
> assuming that ldap groups should synchronize members and/or authorize their
> members according to the policies defined on my nifi instance.)
> My authorizer config is as follows:
> <authorizers>
>     <userGroupProvider>
>         <identifier>file-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>         <property name="Users File">./conf/users.xml</property>
>         <property name="Legacy Authorized Users File"></property>
>     </userGroupProvider>
>     <userGroupProvider>
>         <identifier>ldap-user-group-provider</identifier>
>         <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>         <property name="Authentication Strategy">SIMPLE</property>
>
>         <property name="Manager DN">CN=bindusr,OU=Users,DC=corporation,DC=corp</property>
>         <property name="Manager Password">xxxxxxx</property>
>
>         <property name="TLS - Keystore"></property>
>         <property name="TLS - Keystore Password"></property>
>         <property name="TLS - Keystore Type"></property>
>         <property name="TLS - Truststore"></property>
>         <property name="TLS - Truststore Password"></property>
>         <property name="TLS - Truststore Type"></property>
>         <property name="TLS - Client Auth"></property>
>         <property name="TLS - Protocol"></property>
>         <property name="TLS - Shutdown Gracefully"></property>
>
>         <property name="Referral Strategy">FOLLOW</property>
>         <property name="Connect Timeout">10 secs</property>
>         <property name="Read Timeout">10 secs</property>
>
>         <property name="Url">ldap://ldap1.corporate.corp:389 ldap://ldap2.corporate.corp:389</property>
>         <property name="Page Size"></property>
>         <property name="Sync Interval">30 mins</property>
>         <property name="Group Membership - Enforce Case Sensitivity">false</property>
>
>         <property name="User Search Base">DC=corporate,DC=corp</property>
>         <property name="User Object Class">person</property>
>         <property name="User Search Scope">SUBTREE</property>
>         <!--property name="User Search Filter">(memberOf=CN=GGG100_OFM_Admin_CORP_PRO_REG,OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp)</property-->
>         <property name="User Search Filter">(memberOf=CN=*Integracion*,OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp)</property>
>         <property name="User Identity Attribute">sAMAccountName</property>
>         <property name="User Group Name Attribute">memberOf</property>
>         <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>
>         <property name="Group Search Base">OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp</property>
>         <property name="Group Object Class">group</property>
>         <property name="Group Search Scope">SUBTREE</property>
>         <property name="Group Search Filter">(cn=GGG_Centrify_Integracion*)</property>
>         <property name="Group Name Attribute">name</property>
>         <property name="Group Member Attribute">member</property>
>         <property name="Group Member Attribute - Referenced User Attribute">memberOf</property>
>     </userGroupProvider>
>     <userGroupProvider>
>         <identifier>composite-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
>         <property name="Configurable User Group Provider">file-user-group-provider</property>
>         <property name="User Group Provider 1">ldap-user-group-provider</property>
>     </userGroupProvider>
>     <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">composite-user-group-provider</property>
>         <property name="Authorizations File">./conf/authorizations.xml</property>
>         <!--property name="Initial Admin Identity">CN=xxx,OU=xxxxx,OU=Usuarios,OU=Argentina,DC=corporate,DC=corp</property-->
>         <property name="Initial Admin Identity">CN=Gas, OU=ApacheNiFi</property>
>         <property name="Legacy Authorized Users File"></property>
>
>         <property name="Node Identity 1"></property>
>     </accessPolicyProvider>
>     <authorizer>
>         <identifier>managed-authorizer</identifier>
>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>         <property name="Access Policy Provider">file-access-policy-provider</property>
>     </authorizer>
> </authorizers>
>
> Any help would be appreciated!
>


-- 
Moncef  ABBOUD
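An added example, not code from this thread or from NiFi, illustrating Moncef's point: a small checker that flags a `*` inside an assertion on a DN-syntax attribute such as `memberOf` (which Active Directory answers with an empty result set), plus a helper that builds the equality-only replacement from explicit group DNs with proper RFC 4515 value escaping. The set of DN-syntax attribute names and the sample group DN are assumptions made for the example.

```python
import re

# Active Directory attributes with DN syntax. AD does not evaluate substring
# assertions ('*') against these; the search simply returns no entries.
# Assumption: the list is limited to the well-known DN-valued attributes.
DN_SYNTAX_ATTRIBUTES = {"member", "memberof", "distinguishedname", "managedby", "manager"}

# Innermost RFC 4515 assertion "(attr op value)". Nested (&...) / (|...) filters
# need no special handling because every simple assertion is matched on its own.
_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9;.-]*)(~=|>=|<=|=)([^()]*)\)")

def find_wildcard_dn_assertions(ldap_filter: str) -> list:
    """Return (attribute, value) pairs where a DN-syntax attribute is matched with '*'."""
    findings = []
    for attr, op, value in _ASSERTION.findall(ldap_filter):
        if attr.lower() in DN_SYNTAX_ATTRIBUTES and op == "=" and "*" in value:
            findings.append((attr, value))
    return findings

def escape_filter_value(value: str) -> str:
    """Escape a literal assertion value per RFC 4515 so that '*', '(', ')', '\\'
    and NUL inside a DN are not interpreted as filter syntax."""
    escaped = []
    for ch in value:
        if ch in "*()\\\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)

def exact_memberof_filter(group_dns: list) -> str:
    """Equality-only replacement for the wildcard filter: one memberOf assertion per
    group DN (e.g. the DNs found by the Group Search, where a cn substring filter
    is supported), OR-ed together when there is more than one."""
    assertions = "".join("(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns)
    return assertions if len(group_dns) == 1 else "(|%s)" % assertions

# Constructed sample: the filter from the thread and an exact-match replacement.
if __name__ == "__main__":
    bad = "(memberOf=CN=*Integracion*,OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp)"
    print(find_wildcard_dn_assertions(bad))
    groups = ["CN=GGG_Centrify_Integracion_A,OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp"]
    print(exact_memberof_filter(groups))
```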
