LDAP User/Group Search Filter

Contributor

@MattWho 

Is there anywhere I can find what types of filters I can use in the "User Search Filter" or the Group one?  I am trying to whittle down the amount of objects that are populated from LDAP into my Users.

In my AD Server, users are in 2 different OUs.  So, for example, I'll have users in ou=Admin Accounts,ou=Domain Admins,dc=my,dc=network,dc=com but I'll also have users in ou=Regular Users,ou=Testers,dc=my,dc=network,dc=com.  And the only way to really pull both is to have my base search set to dc=my,dc=network,dc=com.  Doing this pulls computer accounts and all users, even users that would never need access (like service type accounts).

I can filter out the computer accounts by using this filter:

(objectCategory=cn=Person,cn=Schema,cn=Configuration,dc=my,dc=network,dc=com)

But I'd like to also filter out the accounts, or OUs that aren't needed.  Or, if possible, just use the 2 NiFi groups I have in AD (Nifi Admins/Nifi Users) without having to populate all of my AD users, if that makes sense.

1 ACCEPTED SOLUTION

Master Mentor

@mslnrd 

You are absolutely on the correct track with setting up users and groups in NiFi.  Since all synced users and groups are loaded into NiFi's heap memory, it is best practice to limit what is synced to just those users and groups who need to be authorized to access your NiFi.

The easiest way to do this is by only syncing the specific groups that contain the users requiring authorized access to your NiFi.

For syncing users and groups from AD/LDAP, your authorizers would be configured with the ldap-user-group-provider.

Since you can already successfully connect and sync users and groups from your AD/LDAP, I'll just focus on the properties used to control which users and groups are synced:

Default settings:

        <property name="User Search Base"></property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter"></property>
        <property name="User Identity Attribute"></property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base"></property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute"></property>
        <property name="Group Member Attribute"></property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>


First note that it is NOT necessary to configure both the user and group search properties in order to sync both user and group identities.
(NOTE: do not unset "class" or "scope" as NiFi will not start)

I would recommend the following setup:

        <property name="User Search Base"></property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter"></property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base">OU=Groups,DC=my,DC=network,DC=com</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">SUBTREE</property>
        <property name="Group Search Filter">(|(sAMAccountName=group1)(sAMAccountName=group2)(sAMAccountName=group3))</property>
        <property name="Group Name Attribute">sAMAccountName</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>


With the above configuration the following will happen:

  1. A sync of all users will not happen since the User Search Base is not configured.
  2. A group sync will happen which will sync only <group1>, <group2>, and <group3> based on the configured Group Search Filter.
  3. For each synced group this provider will return all the <member> lines/attributes.
  4. For each of those returned members (typically full user DNs), the user will be looked up to obtain the user's sAMAccountName identity string (this happens because "sAMAccountName" is configured in the "User Identity Attribute" property).  These returned sAMAccountName user identities will be synced in NiFi to the appropriate <group1>, <group2> or <group3> "sAMAccountName" group identity.

Now you can set up authorizations for <group1>, <group2> or <group3> for the various NiFi policies.  Creating groups in AD/LDAP for the various teams/roles in NiFi allows you more granular control of access in NiFi.

Once you have authorized your groups, any users that are later added to any one of these groups will automatically gain authorized access when the next sync happens in NiFi (default every 30 mins).


Please help our community grow and thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
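As an added example (my code, not NiFi's and not from this thread), the following Python models steps 2 to 4 of the group-only sync described in the accepted answer over a constructed, hypothetical in-memory directory: an LDAP filter evaluator, the ONE_LEVEL/SUBTREE scope check, and resolution of member DNs to sAMAccountName identities. The group names are the asker's Nifi Admins/Nifi Users; every user, OU and DN value is made up.

```python
"""Added example, not NiFi's code: simulate the ldap-user-group-provider sync steps
listed above over a constructed in-memory directory (all entries are hypothetical)."""
SFX = "DC=my,DC=network,DC=com"
ALICE, BOB, SVC = (f"CN=alice,OU=Admin Accounts,OU=Domain Admins,{SFX}",
                   f"CN=bob,OU=Regular Users,OU=Testers,{SFX}", f"CN=svc-backup,OU=Service,{SFX}")
DIRECTORY = {  # DN -> attributes; keys lower-cased because LDAP attribute names are case-insensitive
    ALICE: {"objectclass": ["person"], "samaccountname": ["alice"]},
    BOB: {"objectclass": ["person"], "samaccountname": ["bob"]},
    SVC: {"objectclass": ["person"], "samaccountname": ["svc-backup"]},
    f"CN=Nifi Admins,OU=NiFi,OU=Groups,{SFX}": {"objectclass": ["group"], "samaccountname": ["Nifi Admins"], "member": [ALICE]},
    f"CN=Nifi Users,OU=NiFi,OU=Groups,{SFX}": {"objectclass": ["group"], "samaccountname": ["Nifi Users"], "member": [ALICE, BOB]},
    f"CN=Backup Ops,OU=Groups,{SFX}": {"objectclass": ["group"], "samaccountname": ["Backup Ops"], "member": [SVC]},
}
RECOMMENDED = {  # the answer's group-only setup, with the asker's two NiFi groups in the filter
    "Group Search Base": f"OU=Groups,{SFX}", "Group Object Class": "group", "Group Search Scope": "SUBTREE",
    "Group Search Filter": "(|(sAMAccountName=Nifi Admins)(sAMAccountName=Nifi Users))",
    "Group Name Attribute": "sAMAccountName", "Group Member Attribute": "member",
    "User Identity Attribute": "sAMAccountName",
}
def parse_filter(f, i=0):
    """Parse an RFC 4515-style filter (subset: &, |, ! and attr=value) into a matcher function."""
    if f[i + 1] in "&|!":  # compound filter: collect the enclosed sub-filters, then combine them
        op, i, subs = f[i + 1], i + 2, []
        while f[i] != ")":
            sub, i = parse_filter(f, i)
            subs.append(sub)
        return {"&": lambda e: all(s(e) for s in subs), "|": lambda e: any(s(e) for s in subs),
                "!": lambda e: not subs[0](e)}[op], i + 1
    j = f.index(")", i)
    attr, value = f[i + 1:j].split("=", 1)  # simple equality, compared case-insensitively like AD
    return (lambda e: value.lower() in [v.lower() for v in e.get(attr.lower(), [])]), j + 1
def search(base, scope, object_class, flt):
    """DNs under `base` that satisfy scope, object class and filter (what the provider queries)."""
    match = parse_filter(flt)[0] if flt else (lambda e: True)
    def in_scope(dn):  # ONE_LEVEL: direct children of base only; SUBTREE: any depth below it
        parent, b = dn.split(",", 1)[1].lower(), base.lower()
        return parent == b or (scope == "SUBTREE" and parent.endswith("," + b))
    return [dn for dn, e in DIRECTORY.items()
            if in_scope(dn) and object_class in e["objectclass"] and match(e)]
def sync(cfg):
    """Steps 2-4 above: groups come from the filter; each member DN is resolved to its identity."""
    ident, users, groups = cfg["User Identity Attribute"].lower(), set(), {}
    for gdn in search(cfg["Group Search Base"], cfg["Group Search Scope"],
                      cfg["Group Object Class"], cfg["Group Search Filter"]):
        g = DIRECTORY[gdn]
        members = sorted(DIRECTORY[m][ident][0] for m in g.get(cfg["Group Member Attribute"].lower(), []))
        groups[g[cfg["Group Name Attribute"].lower()][0]] = members
        users.update(members)  # only members of synced groups become NiFi user identities
    return sorted(users), groups
```

With the recommended settings only alice and bob are synced; the service account is left out because its group is not in the filter, and switching the scope to ONE_LEVEL finds no groups at all because the two NiFi groups sit one OU below the search base in this sample directory.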

2 REPLIES 2
Contributor

@Matt 

Thank you so much this has been a big help!