Re: Nested groups for LdapUserGroupProvider

2020-07-27 Thread Moncef Abboud

Re: Nested groups for LdapUserGroupProvider

2020-07-26 Thread Jens M. Kofoed
Dear Moncef

I don't know if I have understood correctly what you would like to achieve.
But I will try:
What I understood is you have the following groups and users:
Group A:
member: Group 1
member: Group 2
Group B:
member: Group 2
member: Group 3
Group C:
member: Group 1
member: Group 3
Group 1:
member: User1
member: User2
Group 2:
member: User1
member: User3
Group 3:

As I understand you would like NIFI to connect User1 and User3 to Group A
via nested groups.
From my knowledge NIFI is only able to connect users to groups via direct
attributes. If you do not have any attributes which can give you this
direct connection NIFI can not help you.
I have been reading different sites about ldap implementations. There are
many sites talking about nested groups in search filters, but this does not
help since this is not a filter but a question about which attributes can
connect a group to the user or vice versa.

You have 2 options in NIFI to connect users and groups together. Either you
read an attribute at a user (User Group Name Attribute) where the value
should match a value in a group (User Group Name Attribute - Referenced
Group Attribute) or you read an attribute at a group (Group Member
Attribute) where the value should match the corresponding value at a user
(Group Member Attribute - Referenced User Attribute).
In Microsoft AD the attribute memberOf is automatically/dynamically calculated
all the time. I found one site mentioning that there should be another
attribute which includes nested groups. If this is true you might be able
to use that field to accomplish your needs.

In my own use of ldap in NIFI I have created new groups for each cluster,
something like this:
ou=cluster01,ou=nifi,dc=domain,dc=com
cn=admins,ou=cluster01,ou=nifi,dc=domain,dc=com
cn=dfm,ou=cluster01,ou=nifi,dc=domain,dc=com
cn=operators,ou=cluster01,ou=nifi,dc=domain,dc=com
cn=teamA,ou=cluster01,ou=nifi,dc=domain,dc=com
cn=teamB,ou=cluster01,ou=nifi,dc=domain,dc=com

ou=cluster02,ou=nifi,dc=domain,dc=com
cn=admins,ou=cluster02,ou=nifi,dc=domain,dc=com
cn=dfm,ou=cluster02,ou=nifi,dc=domain,dc=com
cn=operators,ou=cluster02,ou=nifi,dc=domain,dc=com
cn=teamA,ou=cluster02,ou=nifi,dc=domain,dc=com
cn=teamB,ou=cluster02,ou=nifi,dc=domain,dc=com


In my "User Search Filter" I have something like this:
(memberOf=cn=*,ou=cluster01,ou=nifi,dc=domain,dc=com) or
(|(memberOf=cn=admins,ou=cluster01,ou=nifi,dc=domain,dc=com)(memberOf=cn=dfm,ou=cluster01,ou=nifi,dc=domain,dc=com))

"User Identity Attribute"= sAMAccountName
"User Group Name Attribute"=memberOf

If you find out how to connect users via nested groups I would very much
like to know.
regards
Jens


Re: Nested groups for LdapUserGroupProvider

2020-07-25 Thread Moncef Abboud
Thank you for your reply Jens.

Thank you for taking the time to look up the code and look through it.

May I ask you for the way you would proceed if you had to solve
that problem?

Best regards,
Moncef


Re: Nested groups for LdapUserGroupProvider

2020-07-25 Thread Jens M. Kofoed
Hi

I have been looking through the source code for LdapUserGroupProvider in
nifi:
https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java

From what I can read, it does not search in nested groups. So nested groups
are not implemented in nifi.

regards
Jens


Re: Nested groups for LdapUserGroupProvider

2020-07-25 Thread Moncef Abboud
Jens, thank you for your reply. That's my understanding as well and I am
looking for a way around it.

Mike, thank you. Do you believe that the commercial app (can you provide
the name if possible?) uses NiFi's LdapUserGroupProvider or has its own
implementation?

NB: I am looking into LDAP_MATCHING_RULE_IN_CHAIN which allows retrieval of
nested hierarchies (e.g. members of all subgroups of a group) but I am not
sure it can help.

Open to any suggestion.

Thank you all.


RE: Nested groups for LdapUserGroupProvider

2020-07-24 Thread Mike Sofen
I don’t know how the nifi LDAP provider works specifically, but a commercial 
data virtualization app we use is able to import LDAP groups that contain 
multiple levels of nested groups.  Our LDAP groups have an owner, 1 or more 
supervisors and 1 or more members.  

 

The app can only see LDAP members, so the key for us was to point the config 
settings to the correct spot within our LDAP forest…initially we didn’t point 
it correctly and only saw first-level members, after a bit of trial and error, 
finally got nested groups working, and we’ve tested down 5 levels of nesting.

 

Mike Sofen

 

From: Jens M. Kofoed  
Sent: Friday, July 24, 2020 9:42 AM
To: users@nifi.apache.org
Subject: Re: Nested groups for LdapUserGroupProvider

 

Hi

 

From my knowledge and playing with ldap and nifi. Nifi “imports” users and 
groups into nifi and nifi does not support groups in groups.

In my setup it looks like it imports groups first. Next it imports users. If a 
user is memberOf an imported group it will be connected to the group in nifi.

 

Regards 

Jens


On 24 Jul 2020 at 17:41, Bryan Bende <bbe...@gmail.com> wrote:

From my limited knowledge of how the LDAP providers work, I'm not aware of 
anything that would handle transitive group membership, but others may know 
more.

 

On Fri, Jul 24, 2020 at 11:18 AM Moncef Abboud <moncef.abbou...@gmail.com> wrote:

Thank you for your reply Bryan. 

 

Yes, I understand that they are related. But I still don't see how to address 
my nested groups problem since the configuration properties only talk about 
direct relationships.

 

 

 

On Fri, Jul 24, 2020 at 17:08, Bryan Bende <bbe...@gmail.com> wrote:

There are two different but related things...

 

LdapIdentityProvider for authentication.

 

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider

 

LdapUserGroupProvider for authorization.

 

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider

 

On Fri, Jul 24, 2020 at 11:03 AM Moncef Abboud <moncef.abbou...@gmail.com> wrote:

Hello Juan, 

 

Thank you for your response. I am not sure that I understand what you mean. I 
believe LdapProvider is used for authentication and doesn't have much to do 
with group memberships and authorization.

 

Moncef

 

On Fri, Jul 24, 2020 at 16:55, Juan Pablo Gardella <gardellajuanpa...@gmail.com> wrote:

Maybe that scenario is not supported, but you can start playing with that 
custom scenario. LDAP provider is configurable by XML


<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
</provider>

Juan

 

On Fri, 24 Jul 2020 at 08:20, Moncef Abboud <moncef.abbou...@gmail.com> wrote:

Hello fellow NiFi Users, 

 

I am trying to configure authorization using the LdapUserGroupProvider. The 
documentation is clear: specify your "User Search Base" and "Group Search 
Base" and define membership either using "User Group Name Attribute" such as 
"memberOf" or the other way around using "Group Member Attribute" such as 
"member". All that is clear and works perfectly, but my problem is as follows: 

 

I have two levels of groups in my directory e.g.

 

GroupA contains Group1 and Group2

GroupB contains Group2 and Group3 

GroupC contains Group1 and Group3 

 

Group1 contains User1 and User2

Group2 contains User1 and User3

 

The LDIF looks something like this: 

dn: CN=GroupA
member: CN=Group1 ..
member: CN=Group2 ..
-
dn: CN=Group1
member: CN=User1 ..
member: CN=User2 ..
...
memberOf: CN=GroupA ...
memberOf: CN=GroupC ...
-
dn: CN=User1
memberOf: CN=Group1 ...
memberOf: CN=Group2 ...
--

 

No direct link between a user and a level 1 group (GroupA, GroupB..) 

 

I would like to note that groups of level 1 (GroupA, GroupB ..) are not in the 
same branch in the DIT as those of level 2 (Group1, Group2 ..).  

 

The requirement is that the groups used to manage authorization, and that should 
show in the NIFI UI, are those of level 1 (GroupA, GroupB..), and that users 
should be assigned to the groups containing their direct groups; for instance, 
User1 (who is a direct member of Group1 and Group2) should be displayed as a 
member of GroupA, GroupB and GroupC. Level 2 groups (Group1, Group2..) must not 
show and must not be used directly in the UI, but only as a link between users 
and level 1 groups.

 

So to sum up, NIFI should take into account only level1 groups and handle 
transitive memberships through level2 groups.

 

Thank you in advance for your answers.

 

Best Regards,

Moncef  



-- 

Moncef  ABBOUD
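The transitive resolution the question above asks for, built on the two direct-link options Jens describes and the LDAP_MATCHING_RULE_IN_CHAIN idea Moncef raises, as an added example that is not part of the thread and not NiFi's code: it parses a constructed LDIF fragment shaped like the one in the question, derives direct links from either `member` or `memberOf`, walks any depth of nesting (cycle-safe) to find the level-1 groups each user reaches, and builds the Active Directory filter that would return the same set server-side. The DNs, the `OU=Level1` search base and every function name are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed LDIF fragment shaped like the thread's example; every DN and OU is invented.
LDIF = """\
dn: CN=GroupA,OU=Level1,DC=example,DC=com
member: CN=Group1,OU=Level2,DC=example,DC=com
member: CN=Group2,OU=Level2,DC=example,DC=com

dn: CN=GroupB,OU=Level1,DC=example,DC=com
member: CN=Group2,OU=Level2,DC=example,DC=com
member: CN=Group3,OU=Level2,DC=example,DC=com

dn: CN=GroupC,OU=Level1,DC=example,DC=com
member: CN=Group1,OU=Level2,DC=example,DC=com
member: CN=Group3,OU=Level2,DC=example,DC=com

dn: CN=Group1,OU=Level2,DC=example,DC=com
member: CN=User1,OU=People,DC=example,DC=com
member: CN=User2,OU=People,DC=example,DC=com
memberOf: CN=GroupA,OU=Level1,DC=example,DC=com
memberOf: CN=GroupC,OU=Level1,DC=example,DC=com

dn: CN=Group2,OU=Level2,DC=example,DC=com
member: CN=User1,OU=People,DC=example,DC=com
member: CN=User3,OU=People,DC=example,DC=com

dn: CN=User1,OU=People,DC=example,DC=com
memberOf: CN=Group1,OU=Level2,DC=example,DC=com
memberOf: CN=Group2,OU=Level2,DC=example,DC=com
"""
# Assumed "Group Search Base" of the level-1 groups; level-2 groups sit in another branch.
LEVEL1_BASE = "OU=Level1,DC=example,DC=com"
# OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible match rule.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attribute (lower-cased): [values]}}, no line folding."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def direct_parents(entries):
    """Direct links only, which is all NiFi evaluates: 'member' on the group (Group Member
    Attribute) or 'memberOf' on the member (User Group Name Attribute); both are merged."""
    parents = defaultdict(set)
    for dn, attrs in entries.items():
        for child in attrs.get("member", []):
            parents[child].add(dn)
        for parent in attrs.get("memberof", []):
            parents[dn].add(parent)
    return parents

def nested_groups(dn, parents, max_depth=10):
    """Every group reachable from dn, breadth-first; the visited set stops a nesting
    cycle (A contains B contains A) and max_depth bounds runaway hierarchies."""
    seen = set()
    frontier = deque((p, 1) for p in parents.get(dn, ()))
    while frontier:
        group, depth = frontier.popleft()
        if group in seen or depth > max_depth:
            continue
        seen.add(group)
        frontier.extend((p, depth + 1) for p in parents.get(group, ()))
    return seen

def effective_level1_groups(user_dn, entries, base=LEVEL1_BASE):
    """The groups the question wants NiFi to show for user_dn: only those under the
    level-1 base, reached through any depth of level-2 groups. Returns CNs, sorted;
    the suffix test and RDN split are naive and assume no escaped commas."""
    groups = nested_groups(user_dn, direct_parents(entries))
    level1 = (g for g in groups if g.lower().endswith("," + base.lower()))
    return sorted(g.split(",", 1)[0].split("=", 1)[1] for g in level1)

def escape_filter_value(value):
    """RFC 4515 escaping, so a DN read back from the directory cannot reshape the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def chain_filter(user_dn, base=LEVEL1_BASE):
    """Search base plus the AD-only filter returning every group under base that contains
    user_dn at any depth; scoping to the level-1 base is what keeps Group1..3 out."""
    flt = "(&(objectClass=group)(member:%s:=%s))" % (
        MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))
    return base, flt

if __name__ == "__main__":
    directory = parse_ldif(LDIF)
    for user in ("User1", "User2", "User3"):
        dn = "CN=%s,OU=People,DC=example,DC=com" % user
        print(user, "->", effective_level1_groups(dn, directory))
    print(chain_filter("CN=User1,OU=People,DC=example,DC=com")[1])
```

Servers other than Active Directory do not implement the matching rule, so the local walk is the portable path; either way the level-2 groups stay out of the result set because only the level-1 base is searched.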



Re: Nested groups for LdapUserGroupProvider

2020-07-24 Thread Jens M. Kofoed
Hi

From my knowledge and playing with ldap and nifi. Nifi “imports” users and 
groups into nifi and nifi does not support groups in groups.
In my setup it looks like it imports groups first. Next it imports users. If a 
user is memberOf an imported group it will be connected to the group in nifi.

Regards 
Jens


Re: Nested groups for LdapUserGroupProvider

2020-07-24 Thread Bryan Bende
From my limited knowledge of how the LDAP providers work, I'm not aware of
anything that would handle transitive group membership, but others may know
more.


Re: Nested groups for LdapUserGroupProvider

2020-07-24 Thread Moncef Abboud
Thank you for your reply Bryan.

Yes, I understand that they are related. But I still don't see how to
address my nested groups problem since the configuration properties only
talk about direct relationships.



On Fri, 24 Jul 2020 at 17:08, Bryan Bende wrote:


-- 
Moncef  ABBOUD


Re: Nested groups for LdapUserGroupProvider

2020-07-24 Thread Bryan Bende
There are two different but related things...

LdapIdentityProvider for authentication.

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider

LdapUserGroupProvider for authorization.

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider

On Fri, Jul 24, 2020 at 11:03 AM Moncef Abboud 
wrote:

>


Re: Nested groups for LdapUserGroupProvider

2020-07-24 Thread Moncef Abboud
Hello Juan,

Thank you for your response. I am not sure that I understand what you mean.
I believe LdapProvider is used for authentication and doesn't have much to
do with group memberships and authorization.

Moncef

On Fri, 24 Jul 2020 at 16:55, Juan Pablo Gardella <
gardellajuanpa...@gmail.com> wrote:


-- 
Moncef  ABBOUD


Re: Nested groups for LdapUserGroupProvider

2020-07-24 Thread Juan Pablo Gardella
Maybe that scenario is not supported, but you can start playing with that
custom scenario. LDAP provider is configurable by XML


*ldap-provider*
org.apache.nifi.ldap.LdapProvider

Juan

On Fri, 24 Jul 2020 at 08:20, Moncef Abboud 
wrote:

> Hello fellow NiFi Users,
>
> I am trying to configure authorization using the LdapUserGroupProvider.
> The documentation is clear: specify your "User Search Base" and "Group
> Search Base" and define membership either using "User Group Name
> Attribute" such as "memberOf" or the other way around using "Group Member
> Attribute" such as "member". All that is clear and works perfectly, but my
> problem is as follows:
>
> I have two levels of groups in my directory e.g.
>
> GroupA contains Group1 and Group2
> GroupB contains Group2 and Group3
> GroupC contains Group1 and Group3
>
> Group1 contains User1 and User2
> Group2 contains User1 and User3
>
> LDIF looks something like this:
>
> dn: CN=GroupA 
> member: CN= Group1 ..
> member: CN= Group2 ..
>
> -
> dn: CN=Group1 
> member: CN=User1 ..
> member: CN=User2..
> .
> memberOf: CN=GroupA ...
> memberOf: CN=GroupC ...
>
> 
>
> dn: CN=User1
> memberOf: CN=Group1 ...
> memberOf: CN=Group2 ...
> --
>
> No direct link between a user and a level 1 group (GroupA, GroupB..)
>
> I would like to note that groups of level 1 (GroupA, GroupB ..) are not in
> the same branch in the DIT as those of level 2 (Group1, Group2 ..).
>
> The requirement is that the groups used to manage authorization, and that
> should show in the NIFI UI, are those of level 1 (GroupA, GroupB..), and that
> users should be assigned to the groups containing their direct groups. For
> instance, User1 (who is a direct member of Group1 and Group2) should be
> displayed as a member of the groups GroupA, GroupB and GroupC. Level 2
> groups (Group1, Group2..) must not show and must not be used directly in
> the UI, but only as a link between users and level 1 groups.
>
> So to sum up, NIFI should take into account only level1 groups and handle
> transitive memberships through level2 groups.
>
> Thank you in advance for your answers.
>
> Best Regards,
> Moncef
>
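As an added example (it is not code from this thread and not part of NiFi), the script below does the flattening the original post asks for: it parses a constructed LDIF export modelled on the GroupA/Group1/User1 entries quoted above and assigns each user to the level-1 groups that contain it through a level-2 group, treating the level-2 groups purely as links. The OU layout (OU=Level1, OU=Level2, OU=Users under DC=example,DC=com), the empty membership of Group3 (not given in the thread) and the assumption that the export contains only group entries are mine; nested-group cycles, which a directory does allow, are handled by a visited set.

```python
"""Flatten nested LDAP group membership (added example, not NiFi code).
NiFi's LdapUserGroupProvider reads direct 'member'/'memberOf' links only, so
this computes the transitive closure from an LDIF export for review."""
from collections import defaultdict

# Constructed LDIF modelled on the thread's description; not a real directory.
# Group-only export: anything referenced as a member but not present is a user.
SAMPLE_LDIF = """\
dn: CN=GroupA,OU=Level1,DC=example,DC=com
member: CN=Group1,OU=Level2,DC=example,DC=com
member: CN=Group2,OU=Level2,DC=example,DC=com

dn: CN=GroupB,OU=Level1,DC=example,DC=com
member: CN=Group2,OU=Level2,DC=example,DC=com
member: CN=Group3,OU=Level2,DC=example,DC=com

dn: CN=GroupC,OU=Level1,DC=example,DC=com
member: CN=Group1,OU=Level2,DC=example,DC=com
member: CN=Group3,OU=Level2,DC=example,DC=com

dn: CN=Group1,OU=Level2,DC=example,DC=com
member: CN=User1,OU=Users,DC=example,DC=com
member: CN=User2,OU=Users,DC=example,DC=com

dn: CN=Group2,OU=Level2,DC=example,DC=com
member: CN=User1,OU=Users,DC=example,DC=com
member: CN=User3,OU=Users,DC=example,DC=com

dn: CN=Group3,OU=Level2,DC=example,DC=com
"""

LEVEL1_BASE = "OU=Level1,DC=example,DC=com"  # assumed search base of level-1 groups


def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr_lower: [values]}} ('attr: value' lines only)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs[key].append(value)
        if dn:
            entries[dn] = dict(attrs)
    return entries


def direct_members(entries):
    """group DN -> set of member DNs from 'member' (the direction NiFi's
    'Group Member Attribute' reads). Assumes a group-only export."""
    return {dn: set(attrs.get("member", [])) for dn, attrs in entries.items()}


def expand_group(group_dn, membership, _seen=None):
    """Transitive closure: every non-group DN reachable through any depth of
    nesting. _seen stops on cycles (GroupX in GroupY in GroupX), which
    directories allow and which would otherwise recurse forever."""
    _seen = set() if _seen is None else _seen
    if group_dn in _seen:
        return set()
    _seen.add(group_dn)
    users = set()
    for member in membership.get(group_dn, ()):
        if member in membership:        # nested group: descend
            users |= expand_group(member, membership, _seen)
        else:                           # leaf entry: a user
            users.add(member)
    return users


def cn_of(dn):
    """First RDN value of a DN, e.g. 'CN=User1,OU=...' -> 'User1'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def level1_memberships(entries, level1_base=LEVEL1_BASE):
    """user CN -> sorted level-1 group CNs that transitively contain the user;
    level-2 groups act only as links, as the thread requires."""
    membership = direct_members(entries)
    result = defaultdict(set)
    for group_dn in membership:
        if group_dn.lower().endswith("," + level1_base.lower()):
            for user_dn in expand_group(group_dn, membership):
                result[cn_of(user_dn)].add(cn_of(group_dn))
    return {user: sorted(groups) for user, groups in sorted(result.items())}


if __name__ == "__main__":
    for user, groups in level1_memberships(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{user}: {', '.join(groups)}")
```

Running it on the sample yields User1 in GroupA, GroupB and GroupC, User2 in GroupA and GroupC, and User3 in GroupA and GroupB, which is exactly the set of memberships a direct-only provider never sees. Comparing this output with the groups NiFi actually lists for a user is a quick way to measure how many effective authorizations the nesting hides, and it is worth re-running whenever level-2 membership changes, since adding a user to Group1 silently grants every policy attached to GroupA and GroupC.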