LDAP User Sync Configuration
You can allow LDAP User Sync for NiFi by using Cloudera Manager safety valves for
authorizers.xml to extend the configuration.
The user group provider, once defined, can be used to replace the default user group property for file access providers.
| Property Name | Description | Allowable Values |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.class | The fully qualified Java NiFi class name used by the LDAP User Group Provider. Only one allowable value is supported. |
org.apache.nifi.ldap.tenants.LdapUserGroupProvider |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Authentication Strategy | How the connection to the LDAP server is authenticated. | ANONYMOUS, SIMPLE, LDAPS,
or START_TLS. |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Manager DN | The DN of the manager that is used to bind to the LDAP server to search for users. | |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Manager Password | The password of the manager that is used to bind to the LDAP server to search for users. | |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Referral Strategy | Strategy for handling referrals. | FOLLOW, IGNORE, or THROW |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Connect Timeout | Duration of connect timeout. | 10 secs |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Read Timeout | Duration of read timeout. | 10 secs |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Url | Space-separated list of URLs of the LDAP servers. Format:
Example: ldap://localhost:389 |
|
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Page Size | Sets the page size when retrieving users and groups. If not specified, no paging is performed. | |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Sync Interval | Duration of time between syncing users and groups. | 30 mins Minimum allowable value is |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Membership - Enforce Case Sensitivity | Sets whether group membership decisions are case sensitive. When a user or group is
inferred (by not specifying a user or group search base or user identity attribute or group
name attribute) case sensitivity is enforced since the value to use for the user identity or
group name would be ambiguous. Defaults to false. |
true or false |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Search Base | Base DN for searching for users. ou=users,o=nifi
Required to search users. |
|
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Object Class | Object class for identifying users. Required if searching for users. |
Example: Person, PosixAccount |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Search Scope | Search scope for searching users. Required if searching for users. |
ONE_LEVEL, OBJECT, or
SUBTREE |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Search Filter | Filter for searching for users against the User Search
Base.Example:
Optional. |
|
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Identity Attribute | Attribute to extract user identity. Example: Optional. If not set, the entire DN is used. |
|
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Group Name Attribute | Attribute to define group membership. Example: Optional. If this property is not set, the group membership
will
not be calculated through the users. If this property is set, the value
will rely on group membership being defined through |
|
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Group Name Attribute - Referenced Group Attribute | If this attribute is not specified, the value of the attribute defined in User
Group Name Attribute is expected to be the full DN of the group.
If
this attribute is not specified, this property defines the group LDAP entry attribute that
the value of the attribute defined in User Group Name Attribute is
referencing (that is, name).
To
use
this property
ensure
that the
|
|
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Search Base | Base DN for searching for groups (i.e. ou=groups,o=nifi). Required to search groups. |
|
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Object Class | Object class for identifying groups (i.e. groupOfNames). Required if searching groups. |
|
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Search Scope | Search scope for searching groups. Required if searching groups. |
ONE_LEVEL, OBJECT, or
SUBTREE |
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Search Filter | Filter for searching for groups against the Group Search Base.
Optional. |
|
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Name Attribute | Attribute
to extract
group name (i.e. cn). Optional. If not set, the entire DN is used. |
|
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Member Attribute | Attribute used to define group membership (i.e. member). Optional. If this property is not set, group membership will not be calculated through the
groups.If
the property is set, the group membership is defined through |
|
| xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Member Attribute - Referenced User Attribute | The value of the attribute defined in Group Member Attribute is
expected to be the full DN of the user. If not specified, this property will define the
attribute of the user LDAP entry that the value of the attribute defined in Group
Member Attribute is referencing (i.e. uid). Use of this
property requires that |
