Member since 10-02-2025 | 6 Posts | 0 Kudos Received | 1 Solution
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| | 1151 | 10-05-2025 03:44 PM |
03-05-2026 07:29 AM
@Frank168 I'd expect what you are seeing with the long sync times. Sync interval has no impact on the speed of the user and group syncs. This simply controls how often NiFi is expected to re-sync with LDAP. So in your case, NiFi would finish one sync and immediately start the next. NiFi does a sync during startup as it loads the authorizers.xml. NiFi does not continue to load until that initial sync completes; otherwise it can't do authorizations. After that initial successful sync with LDAP, NiFi will finish loading and only then will the UI become available. While running, the sync interval will run in the background to re-sync from LDAP in case any users or groups are added/removed/updated since the last sync. Some users adjust this to sync every 24 hours instead of every 30 minutes. This depends on how quickly you want NiFi to be aware of changes. As I commented before, you are loading 50,000+ users into NiFi heap memory (this impacts the free heap available to the NiFi process for executing your dataflows on the canvas) and then redoing that every sync interval. This was not how the NiFi ldap-user-group-provider was intended to be used. The only users and groups that should be loaded into NiFi are those you plan to establish authorization policies for and that will be accessing your secured NiFi. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to log in and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
02-03-2026 05:24 AM
@Frank168 Unfortunately, Apache NiFi does not support nested groups. There is an existing Apache NiFi Jira (NIFI-8035) for such an improvement, but it has never been implemented. The existing implementation of the ldap-user-group-provider would treat all members of a group as users and does not validate the type of member. Any change here would require NiFi to retrieve the object class of all members of a group and then conduct another search of any that were identified as a group to retrieve their members, and so on until all users are identified throughout the entire nested group tree. Something to keep in mind here is that all the user and group identities along with associations are held in the NiFi heap memory on every node. So doing such could result in a lot of users and groups consuming NiFi heap memory. You should configure your ldap-user-group-provider to sync only the groups from which users exist that will be accessing your NiFi, limiting the length of time it takes to sync every 30 minutes and the heap memory impact. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to log in and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
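An added illustration of the scoping described in the post above, not taken from the thread or from anyone's actual configuration: an authorizers.xml `ldap-user-group-provider` fragment limited to a single access group. Every DN, host, path, the group name `nifi-users`, the `memberOf` filter (which assumes a directory that exposes `memberOf` on user entries) and the 24-hour interval are assumptions.

```xml
<!-- Added example. All DNs, hosts, paths, names and filters are constructed placeholders. -->
<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
    <property name="Manager DN">cn=nifi-bind,ou=service,dc=example,dc=com</property>
    <property name="Manager Password">REPLACE_ME</property>
    <property name="TLS - Truststore">/path/to/truststore.p12</property>
    <property name="TLS - Truststore Password">REPLACE_ME</property>
    <property name="TLS - Truststore Type">PKCS12</property>
    <property name="TLS - Protocol">TLS</property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldaps://ldap.example.com:636</property>
    <property name="Page Size">500</property>
    <!-- How often the background re-sync runs; it does not make a single sync faster. -->
    <property name="Sync Interval">24 hours</property>

    <!-- Users: with no filter, every entry of this object class under the
         search base is loaded into heap on every node. The filter below keeps
         only direct members of the one group that needs NiFi access. -->
    <property name="User Search Base">ou=people,dc=example,dc=com</property>
    <property name="User Object Class">person</property>
    <property name="User Search Scope">SUBTREE</property>
    <property name="User Search Filter">(memberOf=cn=nifi-users,ou=groups,dc=example,dc=com)</property>
    <property name="User Identity Attribute">uid</property>
    <property name="User Group Name Attribute"></property>

    <!-- Groups: sync only the group that authorization policies will reference.
         Groups nested inside it are not expanded; their entries are treated
         as users, so membership must be direct. -->
    <property name="Group Search Base">ou=groups,dc=example,dc=com</property>
    <property name="Group Object Class">groupOfNames</property>
    <property name="Group Search Scope">SUBTREE</property>
    <property name="Group Search Filter">(cn=nifi-users)</property>
    <property name="Group Name Attribute">cn</property>
    <property name="Group Member Attribute">member</property>
</userGroupProvider>
```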
10-08-2025 10:52 AM
@Frank168 Glad I was able to identify your issue for you. Can you accept the post that solved your issue? I see you accepted your response. Thank you, Matt