Hello,

The ldap-user-group-provider does not require that you use both the user
sync and group sync to obtain the list of users and group associations from
your AD.
In your case, it may be best to only perform the group sync by configuring
the properties as follows:

    <property name="User Search Base"></property>
    <property name="User Object Class"></property>
    <!-- leave this set as it is a required property to be set even if user sync is not being performed -->
    <property name="User Search Scope">SUBTREE</property>
    <property name="User Search Filter"></property>
    <!-- keep this set so that group member attribute DNs returned during the group sync are not used to identify the user. Instead the user's sAMAccountName string will be used -->
    <property name="User Identity Attribute">sAMAccountName</property>
    <property name="User Group Name Attribute"></property>
    <property name="User Group Name Attribute - Referenced Group Attribute"></property>

    <property name="Group Search Base">DC=xxxxx,DC=com</property>
    <property name="Group Object Class">group</property>
    <property name="Group Search Scope">SUBTREE</property>
    <property name="Group Search Filter">(cn=NIFI*)</property>
    <property name="Group Name Attribute">sAMAccountName</property>
    <property name="Group Member Attribute">member</property>
    <property name="Group Member Attribute - Referenced User Attribute"></property>


Hope this helps you get the list you are looking for.

Thanks,
Matt


On Mon, Sep 13, 2021 at 8:15 AM Samudrala, Vamshi Bhargav
<vsamu...@visa.com.invalid> wrote:

> Trying the Dev team for help.
>
> From: Samudrala, Vamshi Bhargav <vsamu...@visa.com>
> Date: Tuesday, 7 September 2021 at 12:24 AM
> To: us...@nifi.apache.org <us...@nifi.apache.org>
> Subject: Unable to view LDAP group members
> Hello there,
>
> I’ve set up NiFi to use our organization’s LDAP. I’m able to see the
> groups with the current configuration but I’m unable to see the members in
> it. I’m actually able to see the members when I specify the full group name
> but not with a regex. I’ve tried multiple combinations over the last few
> days but haven’t been able to get it working. Hoping to find the answers
> here.
>
> The conf that works:
>     <property name="User Search Base">DC=xxxxxx,DC=com</property>
>     <property name="User Object Class">person</property>
>     <property name="User Search Scope">SUBTREE</property>
>     <property name="User Search Filter">(memberOf=CN=NIFI_GROUP_NAME,OU=Groups,OU=ISO,DC=xxxxx,DC=com)</property>
>     <property name="User Identity Attribute">sAMAccountName</property>
>     <property name="User Group Name Attribute"></property>
>     <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>
>     <property name="Group Search Base">DC=xxxxx,DC=com</property>
>     <property name="Group Object Class">group</property>
>     <property name="Group Search Scope">SUBTREE</property>
>     <property name="Group Search Filter">(cn=NIFI*)</property>
>     <property name="Group Name Attribute">sAMAccountName</property>
>     <property name="Group Member Attribute">member</property>
>     <property name="Group Member Attribute - Referenced User Attribute"></property>
>
>
> I see all the groups whose names start with NIFI. I see the group name in
> the users’ Member Of list and the users in the group’s Members list on the
> NiFi UI for the NIFI_GROUP_NAME group and not others. The below doesn’t
> work though. I want to see all the groups and members of the groups whose
> names start with NIFI. The only change I made is in the User Search Filter
> and included a wildcard.
>
>
>     <property name="User Search Base">DC=xxxxxx,DC=com</property>
>     <property name="User Object Class">person</property>
>     <property name="User Search Scope">SUBTREE</property>
>     <property name="User Search Filter">(memberOf=CN=NIFI_*OU=Groups,OU=ISO,DC=xxxxx,DC=com)</property>
>     <property name="User Identity Attribute">sAMAccountName</property>
>     <property name="User Group Name Attribute"></property>
>     <property name="User Group Name Attribute - Referenced Group Attribute"></property>
>
>     <property name="Group Search Base">DC=xxxxx,DC=com</property>
>     <property name="Group Object Class">group</property>
>     <property name="Group Search Scope">SUBTREE</property>
>     <property name="Group Search Filter">(cn=NIFI*)</property>
>     <property name="Group Name Attribute">sAMAccountName</property>
>     <property name="Group Member Attribute">member</property>
>     <property name="Group Member Attribute - Referenced User Attribute"></property>
>
>
> I see the group names but not the members.
>
>
> Thanks,
> Vamshi
>
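
The group-only sync described in the reply at the top of this thread, simulated in Python against a constructed in-memory directory; this is an added example, not code from the thread or from NiFi. The directory entries and the helper names (`cn_matches`, `group_sync`, `member_of`) are assumptions made for illustration.

```python
import re

# Constructed sample directory (DN -> attributes); every name here is invented.
PEOPLE, GROUPS = "OU=People,DC=example,DC=com", "OU=Groups,DC=example,DC=com"
DIRECTORY = {
    f"CN=Alice A,{PEOPLE}": {"objectClass": "person", "sAMAccountName": "alice"},
    f"CN=Bob B,{PEOPLE}": {"objectClass": "person", "sAMAccountName": "bob"},
    f"CN=Carol C,{PEOPLE}": {"objectClass": "person", "sAMAccountName": "carol"},
    f"CN=NIFI_ADMINS,{GROUPS}": {
        "objectClass": "group", "cn": "NIFI_ADMINS", "sAMAccountName": "NIFI_ADMINS",
        "member": [f"CN=Alice A,{PEOPLE}", f"CN=Bob B,{PEOPLE}"]},
    f"CN=NIFI_READERS,{GROUPS}": {
        "objectClass": "group", "cn": "NIFI_READERS", "sAMAccountName": "NIFI_READERS",
        "member": [f"CN=Bob B,{PEOPLE}"]},
    f"CN=HR_ALL,{GROUPS}": {
        "objectClass": "group", "cn": "HR_ALL", "sAMAccountName": "HR_ALL",
        "member": [f"CN=Carol C,{PEOPLE}"]},
}

def cn_matches(pattern, value):
    """Case-insensitive match where '*' is the only wildcard, as in (cn=NIFI*)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def group_sync(directory, cn_pattern, group_class="group", name_attr="sAMAccountName",
               member_attr="member", identity_attr="sAMAccountName"):
    """Return {group name: sorted user identities} from group entries alone."""
    groups = {}
    for entry in directory.values():
        is_group = entry.get("objectClass") == group_class
        if not (is_group and cn_matches(cn_pattern, entry["cn"])):
            continue
        identities = set()
        for member_dn in entry.get(member_attr, []):
            # With an identity attribute set, each member DN is looked up and that
            # attribute is used; with it blank, the DN itself is the identity.
            target = directory.get(member_dn, {}) if identity_attr else {}
            identities.add(target.get(identity_attr, member_dn))
        groups[entry[name_attr]] = sorted(identities)
    return groups

def member_of(groups):
    """Invert the group map into {user identity: group names}."""
    users = {}
    for name, members in sorted(groups.items()):
        for identity in members:
            users.setdefault(identity, []).append(name)
    return users
```

Only members of groups that match the group filter become identities here, so `carol`, who belongs only to `HR_ALL`, never appears in the result.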
