Posted to issues@nifi.apache.org by "Karl Koeck (Jira)" <ji...@apache.org> on 2021/02/05 12:40:00 UTC

[jira] [Created] (NIFI-8201) LdapUserGroupProvider Group Search Scope setting SUBTREE does not search directory tree

Karl Koeck created NIFI-8201:
--------------------------------

             Summary: LdapUserGroupProvider Group Search Scope setting SUBTREE does not search directory tree
                 Key: NIFI-8201
                 URL: https://issues.apache.org/jira/browse/NIFI-8201
             Project: Apache NiFi
          Issue Type: Bug
          Components: Configuration
    Affects Versions: 1.12.1, 1.11.4
         Environment: OS: Windows Server 2012 R2, LDAP Server: Microsoft Active Directory
            Reporter: Karl Koeck


Our *Group Search Scope* parameter is set to {{*SUBTREE*}}. However, user authorization only works for user profiles directly located within the *Group Search Base* OU level. NiFi behaves as if I had set *Group Search Scope* to {{*ONE_LEVEL*}}.

This results in the following exception in case the to-be-authorized user profile is located within a sub-OU of the *Group Search Base* parameter:
{code:java}
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[myuser], groups[] does not have permission to access the requested resource. Unknown user with identity 'myuser'. Returning Forbidden response.{code}
The above-mentioned behavior was observed with NiFi versions 1.11.4 and 1.12.1 and was also verified by another Apache NiFi Slack user (see threads below):
[https://apachenifi.slack.com/archives/C0L9VCD47/p1608638026275800]
[https://apachenifi.slack.com/archives/C0L9VCD47/p1604920271147200]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
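
The scope semantics at issue in this report, as an added example that is not part of the original message or of NiFi's code: a small Python model of the LDAP OBJECT, ONE_LEVEL and SUBTREE scopes that lists which entries a SUBTREE search should return but a ONE_LEVEL search misses. The base DN and entry DNs are constructed sample values, and DN comparison is simplified to case-insensitive string matching.

```python
def parse_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return rdns

def depth_below(base, dn):
    """Levels that dn sits below base (0 = the base itself), None if outside it."""
    b, d = parse_dn(base), parse_dn(dn)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return None
    return len(d) - len(b)

def in_scope(base, dn, scope):
    """LDAP scope rules: OBJECT = base only, ONE_LEVEL = direct children, SUBTREE = base and all descendants."""
    depth = depth_below(base, dn)
    if depth is None:
        return False
    if scope not in ("OBJECT", "ONE_LEVEL", "SUBTREE"):
        raise ValueError("unknown scope: " + scope)
    return {"OBJECT": depth == 0, "ONE_LEVEL": depth == 1, "SUBTREE": True}[scope]

def missed_by_one_level(base, entries):
    """Entries a SUBTREE search returns that a ONE_LEVEL search does not."""
    return [dn for dn in entries
            if in_scope(base, dn, "SUBTREE") and not in_scope(base, dn, "ONE_LEVEL")]

# Constructed sample directory (not taken from the report).
BASE = "OU=NiFi,DC=example,DC=com"
ENTRIES = [
    "CN=alice,OU=NiFi,DC=example,DC=com",              # directly under the base
    "CN=myuser,OU=Team A,OU=NiFi,DC=example,DC=com",   # in a sub-OU
    "CN=Doe\\, Jane,OU=Team A,OU=NiFi,dc=example,dc=com",  # escaped comma in the CN
    "CN=bob,OU=Other,DC=example,DC=com",               # outside the base
]

if __name__ == "__main__":
    for dn in missed_by_one_level(BASE, ENTRIES):
        print("only visible with SUBTREE:", dn)
```

Entries reported by `missed_by_one_level` are the ones that would end up as an unknown identity if the provider effectively searched with ONE_LEVEL.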