Created on 07-01-2024 03:26 AM - edited 07-01-2024 03:41 AM
Hi .. I have NiFi running with ldap-user-group-provider integrated with AD. However, there are some usernames with mixed-case sAMAccountName, let's say `sAMAccountName=Michael`.
Logging into NiFi as `Michael` works (permission already given to an AD group which this user is a member of), but when logging into NiFi as `michael` or any username that does not match the exact case, while the login is successful, I'm getting an insufficient permission error.
I have tried to set group membership enforce case sensitivity to false, but it seems like it did not work. Any steps I might have missed?
And an extract from authorizers.xml:
<property name="Page Size">300</property>
<property name="Group Membership - Enforce Case Sensitivity">false</property>
<property name="Sync Interval">10 mins</property>
<property name="User Search Base">DC=company,DC=org</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Identity Attribute">sAMAccountName</property>
<property name="User Object Class">user</property>
<property name="User Group Name Attribute">memberOf</property>
<property name="Group Search Base">DC=company,DC=org</property>
<property name="Group Name Attribute">name</property>
<property name="Group Member Attribute">member</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">SUBTREE</property>
<property name="Group Search Filter"></property>
An extract from login-identity-providers.xml
<property name="User Search Base">DC=company,DC=org</property>
<property name="User Search Filter">(sAMAccountName={0})</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
Created 07-01-2024 09:49 AM
@kagesenshi
Authentication and Authorization are two separate processes in NiFi. Authorization happens only after some method of authentication is successful resulting in an authorized user identity being passed to the NiFi authorizer for authorization verification.
Based on what you have shared, authentication in your setup supports TLS clientAuth based authentication and ldap-provider based authentication (you may have additional methods enabled as well).
Note: NiFi authentication and authorization is case sensitive
Your ldap-provider is configured with "USE_USERNAME", which tells this provider to use whatever user identity string was typed by the user in the login UI. Upon successful authentication of your LDAP user identity, the user identity entered by the user is evaluated against the identity.mapping.pattern.<xyz> Java regular expressions, and if the Java expression matches, the associated identity.mapping.value.<xyz> and identity.mapping.transform.<xyz> properties are applied against that user identity. The resulting manipulated user identity is then passed to the NiFi authorizer.
Within your authorizers.xml configuration file, NiFi has a single authorizer and one or more user-group-providers. The user-group-providers are used so that the authorizer is aware of any groups that the user identity passed after authentication is a member of.
You are using the ldap-user-group-provider. Within that provider you configured the group membership enforce case sensitivity to false. This has nothing to do with authorization. It is used so that when user and group associations are being determined from the ldapsearch results returned by the user sync and group sync, those matches are handled in a case-insensitive fashion. After user-to-group associations are made, the user identity string comes from "sAMAccountName" and group identities come from "name" (this is not a common LDAP/AD group name field; "cn" and "sAMAccountName" are most common). The user identities returned by LDAP are also evaluated against the identity.mapping.<abc>.<xyz> properties, just as was done during authentication. The group identities are evaluated against the group.mapping properties.
While you can't change the case-sensitive nature of NiFi, you can use identity mappings (user and group) to normalize the user identities and group identities (it is common to transform to all lowercase with "LOWER"). This allows a user to enter their username in whatever case they want during login and have NiFi convert it to all lowercase in the background. See: Identity Mapping Properties for more on these properties set in the nifi.properties file.
Custom properties can be added such as the ones below to convert user identities to all lowercase:
nifi.security.identity.mapping.pattern.username=^(.*?)$
nifi.security.identity.mapping.value.username=$1
nifi.security.identity.mapping.transform.username=LOWER
Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
Created on 07-03-2024 06:29 PM - edited 07-03-2024 06:30 PM
@MattWho
Thank you, .. adding the username transformer did the trick. I had a guess that the transformer might be the case, but could not find upstream documentation on which key to update when using USE_USERNAME.
Created on 07-01-2024 11:12 PM - edited 07-01-2024 11:16 PM
This is how it worked with my installation. My approach is very similar to Matt's, but might show a different option to adapt it to your specific environment.
nifi.security.identity.mapping.pattern.dn=^(cn|CN)=([0-9a-zA-Z]+),(.*)$
nifi.security.identity.mapping.value.dn=$2
nifi.security.identity.mapping.transform.dn=LOWER
and then in login-identity-providers.xml subsequently
<property name="Identity Strategy">USE_DN</property>
Thanks,
Heiko
Created 07-02-2024 06:05 AM
@Heiko
Thanks for sharing. The choice between "USE_USERNAME" and "USE_DN" needs to be evaluated against the specific structure of the end user's LDAP/AD.
With AD, the user commonly logs in with their sAMAccountName, and very often the sAMAccountName value is not the same string used within the user's DN. While you would still be able to log in using your sAMAccountName and password, the user identity passed to the authorizer would be the CN value from that full DN (your regex assumes the CN consists of only upper- or lower-case letters and numbers, which may not work for all DNs).
Then, with the switch to using the CN from the DN, you need to consider equivalent changes in the ldap-user-group-provider in authorizers.xml. You'll need to make sure whatever user identity strings come out of authentication through the DN are properly mapped to group identities.
Both solutions will work, and both solutions need careful evaluation to set up. I typically find using USE_USERNAME more consistent in structure (LDAP and AD), and thus less impacted by the corner-case oddities that using USE_DN can introduce.
Thanks again for your contributions to the community. There is often more than one way to solve most queries in Apache NiFi.
Matt
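To make the identity-mapping behaviour discussed in this thread concrete, here is an added Python model of the pattern/value/transform pipeline (not NiFi's own code, which is Java, and not from either poster). It parses the three mapping properties, applies the first matching pattern as a full-string Java-style match, expands $N capture references, and applies the LOWER/UPPER transform; the assumptions are that NiFi requires a full match and that the lowest-sorted mapping key wins, and the nifi.properties snippets, the DN values and the policy set are constructed for the example. It exercises both Matt's USE_USERNAME mapping and Heiko's USE_DN regex, including Matt's caveat that a CN containing anything other than letters and digits will not match Heiko's pattern and so reaches the authorizer unmapped.

```python
import re

# Constructed nifi.properties extracts (example values, not from a real deployment).
USERNAME_PROPERTIES = """
nifi.security.identity.mapping.pattern.username=^(.*?)$
nifi.security.identity.mapping.value.username=$1
nifi.security.identity.mapping.transform.username=LOWER
"""

DN_PROPERTIES = """
nifi.security.identity.mapping.pattern.dn=^(cn|CN)=([0-9a-zA-Z]+),(.*)$
nifi.security.identity.mapping.value.dn=$2
nifi.security.identity.mapping.transform.dn=LOWER
"""

PREFIX = "nifi.security.identity.mapping."


def parse_properties(text):
    """Minimal key=value parser for a nifi.properties style snippet."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_mappings(props):
    """Group pattern/value/transform properties by their <xyz> suffix.

    Mappings missing a pattern or value are ignored; transform defaults to NONE.
    Ordering by suffix is an assumption of this model, not a documented NiFi rule.
    """
    mappings = {}
    for key, value in props.items():
        if not key.startswith(PREFIX):
            continue
        kind, _, name = key[len(PREFIX):].partition(".")
        if kind in ("pattern", "value", "transform") and name:
            mappings.setdefault(name, {"transform": "NONE"})[kind] = value
    return [m for _, m in sorted(mappings.items()) if "pattern" in m and "value" in m]


def map_identity(identity, mappings):
    """Apply the first mapping whose pattern fully matches; otherwise pass through."""
    for m in mappings:
        match = re.fullmatch(m["pattern"], identity)
        if match is None:
            continue
        # Expand $1, $2, ... with the captured groups, as in the value property.
        mapped = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))) or "", m["value"])
        transform = m["transform"].upper()
        if transform == "LOWER":
            return mapped.lower()
        if transform == "UPPER":
            return mapped.upper()
        return mapped
    return identity  # no pattern matched: identity reaches the authorizer unchanged


def is_authorized(identity, policy_users):
    """NiFi policy lookup is an exact, case-sensitive string comparison."""
    return identity in policy_users


def demo():
    """Return (typed or DN identity -> authorized?) for the scenarios in the thread."""
    username_maps = load_mappings(parse_properties(USERNAME_PROPERTIES))
    dn_maps = load_mappings(parse_properties(DN_PROPERTIES))
    policy_users = {"michael"}  # constructed: the identity granted in a policy/group
    results = {}
    for typed in ("Michael", "michael", "MICHAEL"):
        results[("raw", typed)] = is_authorized(typed, policy_users)
        results[("mapped", typed)] = is_authorized(map_identity(typed, username_maps), policy_users)
    for dn in ("CN=Michael,OU=Users,DC=company,DC=org",
               "CN=Michael Smith,OU=Users,DC=company,DC=org"):
        results[("dn", dn)] = is_authorized(map_identity(dn, dn_maps), policy_users)
    return results


if __name__ == "__main__":
    for key, ok in demo().items():
        print(key, "->", "authorized" if ok else "insufficient permissions")
```

Without the mapping, only the exact string "michael" is authorized; with the LOWER transform every case variant of the typed username collapses to it. For the DN variant, the simple CN passes, but "CN=Michael Smith,..." falls through Heiko's character class and the full DN is what the authorizer sees, which is the corner case Matt describes.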