Posted to users@nifi.apache.org by Martijn Dekkers <ma...@dekkers.org.uk> on 2018/06/06 02:01:17 UTC

LDAP/AD User groups

Hello all,

I have set up a secure NiFi that works using an AD LDAP server. I can log
in with different users, and authenticate, assign policies - all great.

The one thing I am not managing to get to work at all is groups and group
membership. Users that are part of the NiFiUsers group show up, and no
others - as I want it to be. Unfortunately, the groups defined in AD (in
the correct OU) just don't show, and in the userlist in NiFi "Member of:"
is empty for the listed users.

Any suggestions appreciated. I followed Pierre Villard's excellent guide.

Many thanks.

Martijn

My authorizers.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1"></property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">START_TLS</property>
        <property name="Manager DN">CN=LDAP MGR,OU=people,OU=Dev,DC=xxx,DC=xxxx,DC=net</property>
        <property name="Manager Password">xxxxx</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap://xxx.xxx.xxxx.net:389</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">5 mins</property>

        <property name="User Search Base">OU=people,OU=Dev,DC=xxx,DC=xxxx,DC=net</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter">(memberOf=CN=NiFiUsers,OU=groups,OU=Dev,DC=xxx,DC=xxxx,DC=net)</property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base"></property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute"></property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">mdekkers</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

</authorizers>

Re: LDAP/AD User groups

Posted by Kevin Doran <kd...@apache.org>.
Cool, glad it’s working for you! Thanks for sharing your final config, I’m sure that might help future users who are searching for AD integration help.

 

Regards,

Kevin

 


 

From: Kevin Doran <kd...@apache.org>
Reply-To: <us...@nifi.apache.org>
Date: Tuesday, June 5, 2018 at 23:52
To: <us...@nifi.apache.org>
Subject: Re: LDAP/AD User groups

 

Hi Martijn,

 

You’re really close to having this configured correctly. Basically, you just need to set a few more Group properties in your ldap-user-group-provider config.

 

The way user and group loading works in NiFi:

   1. The users are synced from LDAP using the “User Search *” (and related) properties
   2. The groups are synced from LDAP using the “Group Search *” (and related) properties
   3. The user <-> group relationships are created using the “User Group Name Attribute” or “Group Member Attribute” properties


The full description of these properties is available in the NiFi Admin Guide [1].

 

It looks like you’ve fully specified the User related properties and it sounds like that is working the way you expect.

 

Next you’ll want to specify the Group properties that NiFi needs to sync the group records (search base, search filter, etc.). This will be very similar to your user search, just change the base and filter. This will create the groups in NiFi, but not the information about which users are in each group.

 

For that, you’ll need to specify the User Group Name or Group Member Attribute properties. Which ones to set and how to configure them depends on the structure of your LDAP/AD. From the NiFi Admin Guide documentation [1]:

 

User Group Name Attribute - Attribute to use to define group membership (i.e. memberof). Optional. If not set group membership will not be calculated through the users. Will rely on group membership being defined through 'Group Member Attribute' if set. The value of this property is the name of the attribute in the user ldap entry that associates them with a group. The value of that user attribute could be a dn or group name for instance. What value is expected is configured in the 'User Group Name Attribute - Referenced Group Attribute'.

 

Group Member Attribute - Attribute to use to define group membership (i.e. member). Optional. If not set group membership will not be calculated through the groups. Will rely on group membership being defined through 'User Group Name Attribute' if set. The value of this property is the name of the attribute in the group ldap entry that associates them with a user. The value of that group attribute could be a dn or memberUid for instance. What value is expected is configured in the 'Group Member Attribute - Referenced User Attribute'. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)

 

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup 

 

---

 

Here is just one example of how this might work.

 

For this directory structure (in LDIF format):


# define dc=example,dc=com, etc ...

dn: uid=user1,dc=example,dc=com
sn: User1
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: user1
cn: User 1

dn: uid=user2,dc=example,dc=com
sn: User2
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: user2
cn: User 2

dn: ou=group1,dc=example,dc=com
uniqueMember: uid=user1,dc=example,dc=com
uniqueMember: uid=user2,dc=example,dc=com
ou: group1
cn: Group 1
objectClass: groupOfUniqueNames
objectClass: top
 
The ldap-user-group-provider in authorizers.xml would look like this:

 
<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
    <!-- ... --> 
    <property name="User Search Base">dc=example,dc=com</property>
    <property name="User Object Class">person</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter">(uid=*)</property>
    <property name="User Identity Attribute">uid</property>
    <!--<property name="User Group Name Attribute"></property>-->

    <property name="Group Search Base">dc=example,dc=com</property>
    <property name="Group Object Class">groupOfUniqueNames</property>
    <property name="Group Search Scope">ONE_LEVEL</property>
    <property name="Group Search Filter">(ou=*)</property>
    <property name="Group Name Attribute">ou</property>
    <property name="Group Member Attribute">uniqueMember</property>
</userGroupProvider>
 

 

This is just an example of course. Using these properties depends on your directory. There will be some unused properties (this is because the configuration has to be flexible enough to support almost any directory structure), but make sure something is defining group membership.

 

Hope this helps solve your issue!

 

Regards,
Kevin

 



Re: LDAP/AD User groups

Posted by Martijn Dekkers <ma...@dekkers.org.uk>.
Bingo! Thank you so much Kevin,

In the end not using a Group Search Filter is what made this work for AD.

Here is the relevant snippet:

        <property name="Group Search Base">OU=groups,OU=Dev,DC=xxx,DC=xxxx,DC=net</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>

Thanks again!

Martijn


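The three steps Kevin describes (sync users, sync groups, then link them from either the user side or the group side) and the difference between Martijn's first configuration and his working AD snippet, as an added Python illustration that is not NiFi's code and not from either poster: it parses a small constructed LDIF, runs the user and group searches with the properties from the thread, and resolves membership through "Group Member Attribute" or "User Group Name Attribute". The directory entries, the DC=example,DC=net domain standing in for the redacted one, and the simplified DN and filter matching are all assumptions made for the example.

```python
# Added model (not NiFi's code) of the three steps Kevin lists, run over a constructed directory:
# his groupOfUniqueNames example plus an AD-style pair (member DNs on the group, memberOf back-link
# on the user); DC=example,DC=net is a placeholder domain. DN and filter matching are simplified.
from dataclasses import dataclass, replace
SAMPLE_LDIF = """
dn: uid=user1,dc=example,dc=com
objectClass: person
uid: user1
dn: uid=user2,dc=example,dc=com
objectClass: person
uid: user2
dn: ou=group1,dc=example,dc=com
objectClass: groupOfUniqueNames
ou: group1
uniqueMember: uid=user1,dc=example,dc=com
uniqueMember: uid=user2,dc=example,dc=com
dn: CN=mdekkers,OU=people,OU=Dev,DC=example,DC=net
objectClass: person
sAMAccountName: mdekkers
memberOf: CN=NiFiUsers,OU=groups,OU=Dev,DC=example,DC=net
dn: CN=NiFiUsers,OU=groups,OU=Dev,DC=example,DC=net
objectClass: group
cn: NiFiUsers
member: CN=mdekkers,OU=people,OU=Dev,DC=example,DC=net
"""
def parse_ldif(text):  # -> {dn: {attribute (lower-cased): [values]}}; each "dn:" line starts an entry
    entries, attrs = {}, None
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "dn":
            attrs = entries.setdefault(value.strip(), {})
        elif name.strip() and attrs is not None:
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def norm_eq(a, b):  # case-insensitive, ignoring spaces after DN commas (simplified DN matching)
    return a.replace(", ", ",").lower() == b.replace(", ", ",").lower()

def search(entries, base, object_class, flt=""):  # ONE_LEVEL; flt is "" or one (attr=value)/(attr=*) term
    hits = {}
    for dn, attrs in entries.items():
        if not base or not norm_eq(dn.partition(",")[2], base):
            continue  # an empty search base means that side is never loaded at all
        if not any(norm_eq(c, object_class) for c in attrs.get("objectclass", [])):
            continue
        if flt:
            attr, _, value = flt.strip("()").partition("=")
            have = attrs.get(attr.lower(), [])
            if not (have if value == "*" else any(norm_eq(v, value) for v in have)):
                continue
        hits[dn] = attrs
    return hits

def link(src, src_attr, dst, ref_attr):
    # Yield (src_dn, dst_dn) per src_attr value naming a dst entry: by DN if ref_attr is "", else by that attribute
    for sdn, sattrs in src.items():
        for value in sattrs.get(src_attr.lower(), []):
            for ddn, dattrs in dst.items():
                if any(norm_eq(c, value) for c in ([ddn] if not ref_attr else dattrs.get(ref_attr.lower(), []))):
                    yield sdn, ddn

@dataclass
class Config:  # the ldap-user-group-provider properties used here; "" means the property is left empty
    user_search_base: str
    user_object_class: str
    user_identity_attribute: str
    group_search_base: str
    group_object_class: str
    group_name_attribute: str
    user_search_filter: str = ""
    group_search_filter: str = ""
    user_group_name_attribute: str = ""
    user_group_name_referenced_group_attribute: str = ""
    group_member_attribute: str = ""
    group_member_referenced_user_attribute: str = ""

def resolve(entries, cfg):  # steps 1-3; returns {group name: sorted user identities}
    users = search(entries, cfg.user_search_base, cfg.user_object_class, cfg.user_search_filter)
    groups = search(entries, cfg.group_search_base, cfg.group_object_class, cfg.group_search_filter)
    ident = {dn: a[cfg.user_identity_attribute.lower()][0] for dn, a in users.items()}
    gname = {dn: a[cfg.group_name_attribute.lower()][0] for dn, a in groups.items()}
    members = {n: set() for n in gname.values()}
    if cfg.group_member_attribute:  # group side (member / uniqueMember)
        for gdn, udn in link(groups, cfg.group_member_attribute, users, cfg.group_member_referenced_user_attribute):
            members[gname[gdn]].add(ident[udn])
    if cfg.user_group_name_attribute:  # user side (memberOf)
        for udn, gdn in link(users, cfg.user_group_name_attribute, groups, cfg.user_group_name_referenced_group_attribute):
            members[gname[gdn]].add(ident[udn])
    return {n: sorted(m) for n, m in members.items()}

ENTRIES = parse_ldif(SAMPLE_LDIF)
# Kevin's example: membership held on the group as uniqueMember DNs.
KEVIN = Config("dc=example,dc=com", "person", "uid", "dc=example,dc=com", "groupOfUniqueNames", "ou",
               user_search_filter="(uid=*)", group_search_filter="(ou=*)", group_member_attribute="uniqueMember")
# Martijn's first config: Group Search Base and Group Member Attribute both empty, so no group loads.
AD_BEFORE = Config("OU=people,OU=Dev,DC=example,DC=net", "person", "sAMAccountName", "", "group", "cn",
                   user_search_filter="(memberOf=CN=NiFiUsers,OU=groups,OU=Dev,DC=example,DC=net)")
AD_AFTER = replace(AD_BEFORE, group_search_base="OU=groups,OU=Dev,DC=example,DC=net",  # his working snippet:
                   group_member_attribute="member")  # base set, filter left empty, member values matched as DNs
AD_VIA_USER = replace(AD_AFTER, group_member_attribute="", user_group_name_attribute="memberOf")  # user side instead
```

Comparing `resolve(ENTRIES, AD_BEFORE)` with `resolve(ENTRIES, AD_AFTER)` shows the fix from the thread: the first returns no groups at all, because nothing is loaded under an empty Group Search Base, while the second returns NiFiUsers with mdekkers as its member. `AD_VIA_USER` is the other route Kevin quotes from the Admin Guide, User Group Name Attribute set to memberOf with the referenced group attribute left empty so the values are matched as group DNs; since AD maintains memberOf as the back-link of member, either side resolves on this sample. When adapting it, check against your own directory which of the two attributes the Manager DN account is actually allowed to read.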
Re: LDAP/AD User groups

Posted by Kevin Doran <kd...@apache.org>.
Whoops, in my example, disregard the class for the ldap-user-group-provider (org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider). I took that snippet from one of my NiFi Registry configuration files, which is the same as NiFi except for the class name ☺. Just mentioning that so it doesn’t confuse anyone or you don’t copy/paste from my example.

 

From: Kevin Doran <kd...@apache.org>
Reply-To: <us...@nifi.apache.org>
Date: Tuesday, June 5, 2018 at 23:52
To: <us...@nifi.apache.org>
Subject: Re: LDAP/AD User groups

 

Hi Martijn,

 

You’re really close to having this configured correctly. Basically, you just need to set a few more Group properties in your ldap-user-group-provider config.

 

The way user and group loading works in NiFI:

 
The users are synced from LDAP using the “User Search *” (and related) properties 
The groups are synced from LDAP using the “Group Search * (and related) properties
The user <-> group relationships are created using the “User Group Name Attribute” or “Group Member Attribute” properties
 

The full description of these properties is available in the NiFi Admin Guide [1].

 

It looks like you’ve fully specified the User related properties and it sound like that is working the way you expect.

 

Next you’ll want to specify the Group properties that NiFi needs to sync the group records (search base, search filter, etc.) This will be very similar to your user search, just change the base and filter. This will create the groups in NiFi, but not the information about which users are in each group.

 

For that, you’ll need to specify the User Group Name or Group Member Attribute properties. Which ones to set and how to configure them depends on the structure of your LDAP/AD. From the NiFi Admin Guide documentation [1]:

 

User Group Name Attribute - Attribute to use to define group membership (i.e. memberof). Optional. If not set group membership will not be calculated through the users. Will rely on group membership being defined through 'Group Member Attribute' if set. The value of this property is the name of the attribute in the user ldap entry that associates them with a group. The value of that user attribute could be a dn or group name for instance. What value is expected is configured in the 'User Group Name Attribute - Referenced Group Attribute'.

 

Group Member Attribute - Attribute to use to define group membership (i.e. member). Optional. If not set group membership will not be calculated through the groups. Will rely on group membership being defined through 'User Group Name Attribute' if set. The value of this property is the name of the attribute in the group ldap entry that associates them with a user. The value of that group attribute could be a dn or memberUid for instance. What value is expected is configured in the 'Group Member Attribute - Referenced User Attribute'. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)

 

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup 

 

---

 

Here is just one example of how this might work.

 

For this directory structure (in LDIF format):


# define dc=example,dc=com, etc ...

 

dn: uid=user1,dc=example,dc=com
sn: User1
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: user1
cn: User 1

 

dn: uid=user2,dc=example,dc=com
sn: User2
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: user1
cn: User 2

dn: ou=group1,dc=example,dc=com
uniqueMember: uid=user1,dc=example,dc=com
uniqueMember: uid=user2,dc=example,dc=com
ou: group1
cn: Group 1
objectClass: groupOfUniqueNames
objectClass: top
 
The ldap-user-group-provider in authorizers.xml would look like this:

 
<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
    <!-- ... --> 
    <property name="User Search Base">dc=example,dc=com</property>
    <property name="User Object Class">person</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter">(uid=*)</property>
    <property name="User Identity Attribute">uid</property>
    <!--<property name="User Group Name Attribute"></property>-->

    <property name="Group Search Base">dc=example,dc=com</property>
    <property name="Group Object Class">groupOfUniqueNames</property>
    <property name="Group Search Scope">ONE_LEVEL</property>
    <property name="Group Search Filter">(ou=*)</property>
    <property name="Group Name Attribute">ou</property>
    <property name="Group Member Attribute">uniqueMember</property>
</userGroupProvider>
 

 

This is just an example of course. Using this properties depends on your directory. There will be some unused properties (this is because the configuration has to be flexible enough to support almost any directory structure), but make sure something is defining group membership.

 

Hope this helps solve your issue!

 

Regards,
Kevin

 

From: Martijn Dekkers <ma...@dekkers.org.uk>
Reply-To: <us...@nifi.apache.org>
Date: Tuesday, June 5, 2018 at 22:01
To: <us...@nifi.apache.org>
Subject: LDAP/AD User groups

 

Hello all,

 

I have set up a secure NiFi that works using an AD LDAP server. I can log in with different users, and authenticate, assign policies - all great. 

 

The one thing I am not managing to get to work at all is groups and group membership. Users that are part of the NiFiUsers group show up, and no others - as I want it to be. Unfortunately, the groups defined in AD (in the correct OU) just don't show, and in the userlist in NiFi "Member of:" is empty for the listed users.

 

Any suggestions appreciated. I followed Pierre Villard's excellent guide.

 

Many thanks. 

 

Martijn

 

My authorizers.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1"></property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">START_TLS</property>
        <property name="Manager DN">CN=LDAP MGR,OU=people,OU=Dev,DC=xxx,DC=xxxx,DC=net</property>
        <property name="Manager Password">xxxxx</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap://xxx.xxx.xxxx.net:389</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">5 mins</property>

        <property name="User Search Base">OU=people,OU=Dev,DC=xxx,DC=xxxx,DC=net</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter">(memberOf=CN=NiFiUsers,OU=groups,OU=Dev,DC=xxx,DC=xxxx,DC=net)</property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base"></property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute"></property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">mdekkers</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
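To make the "make sure something is defining group membership" point concrete, here is an added example (my own code, not Kevin's and not NiFi's source) that models how the provider combines the User/Group search properties with the two membership link properties. It assumes a constructed LDIF directory modelled on the one in the reply, an in-memory toy search in place of the LDAP server, and the property semantics as described in the admin guide; the three property sets at the bottom reproduce the "groups appear but Member of is empty" symptom from the question and the two ways of fixing it.

```python
"""Model of how NiFi's LdapUserGroupProvider turns authorizers.xml properties into
users, groups and memberships. Added illustration, not NiFi source: the directory
is a constructed LDIF snippet and the search is a toy, but the membership rules
follow the property descriptions quoted in this thread."""
import re

# Constructed directory, modelled on the LDIF in the reply above; user1 also
# carries a memberOf attribute so the user-side link can be shown.
SAMPLE_LDIF = """
dn: uid=user1,dc=example,dc=com
objectClass: person
uid: user1
memberOf: ou=group1,dc=example,dc=com

dn: uid=user2,dc=example,dc=com
objectClass: person
uid: user2

dn: ou=group1,dc=example,dc=com
objectClass: groupOfUniqueNames
ou: group1
uniqueMember: uid=user1,dc=example,dc=com
uniqueMember: uid=user2,dc=example,dc=com
"""

def norm_dn(dn):
    """Case-fold a DN and drop spaces after commas so DNs compare equal."""
    return re.sub(r",\s*", ",", dn.strip().lower())

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] with lower-cased attribute names.
    Continuation lines and base64 values are not handled (not needed here)."""
    entries, attrs = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            attrs = {}
            entries.append((value, attrs))
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def search(entries, base, scope, object_class, ldap_filter):
    """Toy 'Search Base / Scope / Object Class / Filter'. Only (attr=*) and
    (attr=value) filters are understood; an empty base issues no search."""
    if not base:
        return []
    base_n, results = norm_dn(base), []
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter.strip())
    for dn, attrs in entries:
        dn_n = norm_dn(dn)
        parent = dn_n.split(",", 1)[1] if "," in dn_n else ""
        if scope == "ONE_LEVEL":
            in_scope = parent == base_n
        else:  # SUBTREE
            in_scope = dn_n == base_n or dn_n.endswith("," + base_n)
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if not in_scope or object_class.lower() not in classes:
            continue
        if m:
            attr, want = m.group(1).lower(), m.group(2)
            values = attrs.get(attr, [])
            hit = bool(values) if want == "*" else any(norm_dn(v) == norm_dn(want) for v in values)
            if not hit:
                continue
        results.append((dn, attrs))
    return results

def resolve_groups(entries, p):
    """Return {group name: sorted user identities}, what NiFi lists under 'Member of'.
    Links come from 'Group Member Attribute' (group entry -> user) and/or 'User Group
    Name Attribute' (user entry -> group); an empty 'Referenced ... Attribute' means
    the link value is the other entry's DN. With neither set, groups stay empty."""
    users = search(entries, p["User Search Base"], p["User Search Scope"],
                   p["User Object Class"], p["User Search Filter"])
    groups = search(entries, p["Group Search Base"], p["Group Search Scope"],
                    p["Group Object Class"], p["Group Search Filter"])
    gm, gm_ref = p["Group Member Attribute"], p["Group Member Attribute - Referenced User Attribute"]
    ugn, ugn_ref = p["User Group Name Attribute"], p["User Group Name Attribute - Referenced Group Attribute"]
    name_attr, id_attr = p["Group Name Attribute"].lower(), p["User Identity Attribute"].lower()

    def keys(dn, attrs, ref_attr):  # what a link value must match on the target entry
        return {norm_dn(dn)} if not ref_attr else {v.lower() for v in attrs.get(ref_attr.lower(), [])}

    def links(attrs, link_attr):    # link values carried by the source entry
        return {norm_dn(v) for v in attrs.get(link_attr.lower(), [])} if link_attr else set()

    result = {g[name_attr][0]: set() for _, g in groups}
    for gdn, g in groups:
        for udn, u in users:
            if links(g, gm) & keys(udn, u, gm_ref) or links(u, ugn) & keys(gdn, g, ugn_ref):
                result[g[name_attr][0]].add(u[id_attr][0])
    return {name: sorted(members) for name, members in result.items()}

BASE_PROPS = {
    "User Search Base": "dc=example,dc=com", "User Object Class": "person",
    "User Search Scope": "ONE_LEVEL", "User Search Filter": "(uid=*)", "User Identity Attribute": "uid",
    "User Group Name Attribute": "", "User Group Name Attribute - Referenced Group Attribute": "",
    "Group Search Base": "dc=example,dc=com", "Group Object Class": "groupOfUniqueNames",
    "Group Search Scope": "ONE_LEVEL", "Group Search Filter": "(ou=*)", "Group Name Attribute": "ou",
    "Group Member Attribute": "", "Group Member Attribute - Referenced User Attribute": "",
}
NO_LINK = BASE_PROPS                                                    # groups sync, members empty
GROUP_SIDE = {**BASE_PROPS, "Group Member Attribute": "uniqueMember"}   # the fix in the reply
USER_SIDE = {**BASE_PROPS, "User Group Name Attribute": "memberOf"}     # link from the user entry
ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for label, props in (("no link", NO_LINK), ("group side", GROUP_SIDE), ("user side", USER_SIDE)):
        print(f"{label:10s} {resolve_groups(ENTRIES, props)}")
```

The first property set is the shape of the question's config once a group search base is filled in: group1 is created but has no members, because nothing names the link between the two entry types. The second follows the reply (group-side `uniqueMember` DNs), the third follows the user-side `memberOf` DNs and shows that only users carrying that attribute get linked. For an Active Directory tree the corresponding attributes are `member` on the group and `memberOf` on the user, both holding DNs, so the "Referenced ... Attribute" properties stay empty; whichever direction is chosen, the group search base and filter must also be set or no group entries are synced at all.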

