Created 09-11-2022 02:21 PM
Our team is using Nifi 1.14 , We want to use ldap file with user group policy to provide access on the basis of LDAP configuration , currently In Nifi that keywork is not invoking properly so Need assistance on the same , please look into our existing configuration ,
Created on 09-12-2022 06:36 AM - edited 09-12-2022 06:46 AM
@AnkurKush
It is impossible to provide a very specific solution without understanding the exact structure of your ldap user and group entries. You should obtain the output from the ldapsearch command for a sample user and sample group you will be authorizing in NiFi. That output will help you correctly configure the empty properties needed.
Some general configuration guidance:
- You should avoid syncing ALL users and groups from you ldap. ldap can contain thousands of users and groups and when you sync all of these to NiFi, these users and groups identities will be loaded into NiFi's heap memory. So limiting what is synced to the specific users and groups that will be accessing your NiFi will help reduce heap usage. This can be controlled using the correct "User Search Filter" and "Group Search Filter" settings.
- I recommend always setting the "Page Size" setting to 500. ldap server often is configured to limit max number fo returns in a single request of 500 or 1000. If the return set is larger then that, returns will be missing if you do not configure this property. it has not impact if there are fewer returns then the set page size of 500.
Specific guidance:
- When it comes to actually syncing user and group identity strings, the following section must be configured:
<property name="User Search Base">ou=people,dc=example,dc=net</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">ONE_LEVEL</property>
<property name="User Search Filter"></property>
<property name="User Identity Attribute"></property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">ou=groups,dc=example,dc=net</property>
<property name="Group Object Class">groups</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter"></property>
<property name="Group Name Attribute"></property>
<property name="Group Member Attribute"></property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
1. Leaving "User Identity Attribute" and "Group Name Attribute" tell NiFi which property/attribute to use from the ldap return as the identity string for the returned user or group. without these set, you'll get no response.
2. "User Group Name Attribute" in the user sync section tells NiFi's ldap-user-group-provider which attribute from the ldap returned user entry contains groups that the returned user belongs to. Sometimes there is no group association in the user entries and this is blank. Without this set, NiFi will not be able to determine groups associated to users via the user sync and that association must be done via the group sync.
3. "Group Member Attribute" in the group sync section tells NiFi's ldap-user-group-provider which attribute from the ldap returned group entry contains the users that belong to this group. Without this set, NiFi will be unable to determine which users are associated to the returned groups.
4. The two "Reference group/user attribute" properties are needed when the user or group strings strings retuned from the configured property in 2 or 3 above are not full Distinguished names for the user or group. In this case, this would be used to define the attribute that contains the actual exact matching string.
If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.
Thank you,
Matt