Hi Moncef! Thank you very much, it works!

One more question (hope you don't mind :) ). I thought the process should find the membership and establish it on NiFi as it finds it on LDAP. Example: I have the group GGG_Group1, and that group has the following members: Gas Peter.

I was expecting that NiFi shows GGG_Group1 and also lists the users, indicating their membership. Is that the way it should work?

Thanks in advance!
Gaston.

On Fri, Feb 12, 2021 at 2:50 PM Moncef Abboud <moncef.abbou...@gmail.com> wrote:
> Hello Gaston,
>
> I see that you are using a wildcard in the "User Search Filter" property.
> AD doesn't support wildcards on "member" and "memberOf" attributes and thus
> the LDAP request to fetch users is returning an empty set.
>
> Hope this helps. Good luck.
>
> Moncef.
>
> On Fri, Feb 12, 2021 at 18:35, Mr. Spock <mgaspere...@gmail.com> wrote:
>
>> Hi all!
>> My name is Gaston and I'm a NiFi newbie :)
>> I'm trying to configure my NiFi instance to authenticate users via LDAP
>> (MS AD) group membership.
>> I've already secured my NiFi instance. Also the authentication config is
>> working, but it only synchronizes LDAP groups.
>> I've searched a lot, but still can't find where my error is. (I'm
>> assuming that LDAP groups should synchronize members and/or authorize their
>> members according to the policies defined on my NiFi instance.)
>>
>> My authorizer config is as follows:
>>
>> <authorizers>
>>     <userGroupProvider>
>>         <identifier>file-user-group-provider</identifier>
>>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>>         <property name="Users File">./conf/users.xml</property>
>>         <property name="Legacy Authorized Users File"></property>
>>     </userGroupProvider>
>>     <userGroupProvider>
>>         <identifier>ldap-user-group-provider</identifier>
>>         <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>>         <property name="Authentication Strategy">SIMPLE</property>
>>
>>         <property name="Manager DN">CN=bindusr,OU=Users,DC=corporation,DC=corp</property>
>>         <property name="Manager Password">xxxxxxx</property>
>>
>>         <property name="TLS - Keystore"></property>
>>         <property name="TLS - Keystore Password"></property>
>>         <property name="TLS - Keystore Type"></property>
>>         <property name="TLS - Truststore"></property>
>>         <property name="TLS - Truststore Password"></property>
>>         <property name="TLS - Truststore Type"></property>
>>         <property name="TLS - Client Auth"></property>
>>         <property name="TLS - Protocol"></property>
>>         <property name="TLS - Shutdown Gracefully"></property>
>>
>>         <property name="Referral Strategy">FOLLOW</property>
>>         <property name="Connect Timeout">10 secs</property>
>>         <property name="Read Timeout">10 secs</property>
>>
>>         <property name="Url">ldap://ldap1.corporate.corp:389 ldap://ldap2.corporate.corp:389</property>
>>         <property name="Page Size"></property>
>>         <property name="Sync Interval">30 mins</property>
>>         <property name="Group Membership - Enforce Case Sensitivity">false</property>
>>
>>         <property name="User Search Base">DC=corporate,DC=corp</property>
>>         <property name="User Object Class">person</property>
>>         <property name="User Search Scope">SUBTREE</property>
>>         <!--property name="User Search Filter">(memberOf=CN=GGG100_OFM_Admin_CORP_PRO_REG,OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp)</property-->
>>         <property name="User Search Filter">(memberOf=CN=*Integracion*,OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp)</property>
>>         <property name="User Identity Attribute">sAMAccountName</property>
>>         <property name="User Group Name Attribute">memberOf</property>
>>         <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>>
>>         <property name="Group Search Base">OU=Groups,OU=Central,OU=AR,DC=corporate,DC=corp</property>
>>         <property name="Group Object Class">group</property>
>>         <property name="Group Search Scope">SUBTREE</property>
>>         <property name="Group Search Filter">(cn=GGG_Centrify_Integracion*)</property>
>>         <property name="Group Name Attribute">name</property>
>>         <property name="Group Member Attribute">member</property>
>>         <property name="Group Member Attribute - Referenced User Attribute">memberOf</property>
>>     </userGroupProvider>
>>     <userGroupProvider>
>>         <identifier>composite-user-group-provider</identifier>
>>         <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
>>         <property name="Configurable User Group Provider">file-user-group-provider</property>
>>         <property name="User Group Provider 1">ldap-user-group-provider</property>
>>     </userGroupProvider>
>>     <accessPolicyProvider>
>>         <identifier>file-access-policy-provider</identifier>
>>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>         <property name="User Group Provider">composite-user-group-provider</property>
>>         <property name="Authorizations File">./conf/authorizations.xml</property>
>>         <!--property name="Initial Admin Identity">CN=xxx,OU=xxxxx,OU=Usuarios,OU=Argentina,DC=corporate,DC=corp</property-->
>>         <property name="Initial Admin Identity">CN=Gas, OU=ApacheNiFi</property>
>>         <property name="Legacy Authorized Users File"></property>
>>
>>         <property name="Node Identity 1"></property>
>>     </accessPolicyProvider>
>>     <authorizer>
>>         <identifier>managed-authorizer</identifier>
>>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>>         <property name="Access Policy Provider">file-access-policy-provider</property>
>>     </authorizer>
>> </authorizers>
>>
>> Any help would be appreciated!
>>
>
>
> --
> Moncef ABBOUD
>
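The failure Moncef describes is silent: a wildcard inside a filter on a DN-syntax attribute such as memberOf does not produce an error from Active Directory, the user sync just returns nothing, and NiFi ends up with groups and no members. A pre-deployment check that reads authorizers.xml and flags exactly that pattern catches it before the next sync interval does. The script below is an added example written for this thread; it is not code from the thread or from the Apache NiFi project. It assumes the property names shown in the quoted config ("User Search Filter", "Group Search Filter"), treats only member and memberOf as DN-syntax attributes, and parses only simple (attribute=value) assertions; extensible-match and substring-escape forms are not handled. The embedded authorizers.xml is a constructed, trimmed copy of the provider from the thread.

```python
"""Lint a NiFi authorizers.xml for LDAP search filters that put a '*'
wildcard on DN-syntax attributes (member / memberOf). Active Directory
does not match wildcards on those attributes, so the user or group sync
silently returns an empty result set."""
import re
import xml.etree.ElementTree as ET

# Assumption: these are the DN-syntax attributes we care about; AD will not
# evaluate a substring filter against them.
DN_SYNTAX_ATTRS = {"member", "memberof"}

# Matches one simple equality assertion in an LDAP filter, e.g.
# "(memberOf=CN=x,OU=y)" -> attr "memberOf", value "CN=x,OU=y".
_ASSERTION = re.compile(r"\(\s*([A-Za-z][\w.;-]*)\s*=\s*([^()]*)\)")

LDAP_PROVIDER_CLASS = "org.apache.nifi.ldap.tenants.LdapUserGroupProvider"
FILTER_PROPERTIES = ("User Search Filter", "Group Search Filter")


def wildcard_dn_assertions(ldap_filter):
    """Return (attribute, value) pairs where a DN-syntax attribute is
    compared against a value containing the '*' wildcard."""
    hits = []
    for attr, value in _ASSERTION.findall(ldap_filter or ""):
        if attr.lower() in DN_SYNTAX_ATTRS and "*" in value:
            hits.append((attr, value.strip()))
    return hits


def lint_authorizers(xml_text):
    """Return one finding per offending filter property as
    (provider identifier, property name, attribute, value)."""
    root = ET.fromstring(xml_text)
    findings = []
    for provider in root.iter("userGroupProvider"):
        if provider.findtext("class", default="") != LDAP_PROVIDER_CLASS:
            continue
        ident = provider.findtext("identifier", default="?")
        for prop in provider.findall("property"):
            name = prop.get("name")
            if name not in FILTER_PROPERTIES:
                continue
            for attr, value in wildcard_dn_assertions(prop.text):
                findings.append((ident, name, attr, value))
    return findings


# Constructed sample: a trimmed LDAP provider with the same shape as the
# one in the thread, including the wildcard memberOf filter. The cn
# wildcard in the group filter is fine (cn is a string attribute) and
# must not be flagged.
SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="User Search Base">DC=corporate,DC=corp</property>
    <property name="User Object Class">person</property>
    <property name="User Search Filter">(memberOf=CN=*Integracion*,OU=Groups,DC=corporate,DC=corp)</property>
    <property name="User Identity Attribute">sAMAccountName</property>
    <property name="Group Search Base">OU=Groups,DC=corporate,DC=corp</property>
    <property name="Group Object Class">group</property>
    <property name="Group Search Filter">(cn=GGG_Centrify_Integracion*)</property>
    <property name="Group Member Attribute">member</property>
  </userGroupProvider>
</authorizers>
"""

if __name__ == "__main__":
    for ident, prop, attr, value in lint_authorizers(SAMPLE_AUTHORIZERS):
        print(f"{ident}: '{prop}' uses a wildcard on DN attribute {attr}: {value}")
```

Run against the real file with `lint_authorizers(open("conf/authorizers.xml").read())`. A filter that names the group by its full DN, which is what the thread's fix amounts to, produces no findings, while the `(cn=...*)` group filter is left alone because cn is a string-syntax attribute where substring matching is valid.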