LDAP User Group Provider Properties
After you enable authorization through Ranger or file-based policies, set the LDAP User Group Provider properties to enable NiFi/NiFi Registry to sync users and user groups and determine the association between them.
Set the following LDAP User Group Provider properties
(
ldap-user-group-provider) in the Cloudera Manager
Configuration tab.| LDAP User Group Provider Properties | Description |
|---|---|
| Authorizers: LDAP Authentication Strategy | How the connection to the LDAP server is authenticated. Possible
values are ANONYMOUS, SIMPLE, LDAPS, or
START_TLS. |
| Authorizers: LDAP Manager DN | The DN of the manager that is used to bind to the LDAP server to search for users. |
| Authorizers: LDAP Manager Password | The password of the manager that is used to bind to the LDAP server to search for users. |
| Authorizers: LDAP TLS - Keystore | Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. |
| Authorizers: LDAP TLS - Keystore Password | Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. |
| Authorizers: LDAP TLS - Keystore Type | Type of the Keystore that is used when connecting to LDAP using
LDAPS or START_TLS (i.e. JKS or PKCS12). |
| Authorizers: LDAP TLS - Truststore | Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. |
| Authorizers: LDAP TLS - Truststore Password | Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. |
| Authorizers: LDAP TLS - Truststore Type | Type of the Truststore that is used when connecting to LDAP
using LDAPS or START_TLS (i.e. JKS or PKCS12). |
| Authorizers: LDAP TLS - Client Auth | Client authentication policy when connecting to LDAP using LDAPS
or START_TLS. Possible values are REQUIRED, WANT,
NONE. |
| Authorizers: LDAP TLS - Protocol | Protocol to use when connecting to LDAP using LDAPS or
START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2,
etc). |
| Authorizers: LDAP TLS - Shutdown Gracefully | Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false. |
| Authorizers: LDAP Referral Strategy | Strategy for handling referrals. Possible values are
FOLLOW, IGNORE, THROW. |
| Authorizers: LDAP Connect Timeout | Duration of connect timeout. (i.e. 10
secs). |
| Authorizers: LDAP Read Timeout | Duration of read timeout. (i.e. 10
secs). |
| Authorizers: LDAP Url | Space-separated list of URLs of the LDAP servers (i.e.
ldap://<hostname>:<port>). |
| Authorizers: LDAP Page Size | Sets the page size when retrieving users and groups. If not specified, no paging is performed. |
| Authorizers: LDAP Group Membership - Enforce Case Sensitivity | Sets whether group membership decisions are case sensitive. When a user or group is inferred (by not specifying or user or group search base or user identity attribute or group name attribute) case sensitivity is enforced since the value to use for the user identity or group name would be ambiguous. Defaults to false. |
| Authorizers: LDAP Sync Interval | Duration of time between syncing users and groups. (i.e.
30 mins). Minimum allowable value is 10 secs. |
| Authorizers: LDAP User Search Base | Base DN for searching for users (i.e.
ou=users,o=nifi). Required to search users. |
| Authorizers: LDAP User Object Class | Object class for identifying users (i.e.
person). Required if searching users. |
| Authorizers: LDAP User Search Scope | Search scope for searching users (ONE_LEVEL,
OBJECT, or SUBTREE). Required if searching users. |
| Authorizers: LDAP User Search Filter | Filter for searching for users against the User Search
Base (i.e. (memberof=cn=team1,ou=groups,o=nifi)).
Optional. |
| Authorizers: LDAP User Identity Attribute | Attribute to use to extract user identity (i.e.
cn). Optional. If not set, the entire DN is used. |
| Authorizers: LDAP User Group Name Attribute | Attribute to use to define group membership (i.e.
memberof). Optional. If not set group membership will not be calculated
through the users. Will rely on group membership being defined through Group Member
Attribute if set. The value of this property is the name of the attribute in the
user ldap entry that associates them with a group. The value of that user attribute could be
a dn or group name for instance. What value is expected is configured in the User
Group Name Attribute - Referenced Group Attribute. |
| Authorizers: LDAP User Group Name Attribute - Referenced Group Attribute | If blank, the value of the attribute defined in User
Group Name Attribute is expected to be the full dn of the group. If not blank,
this property will define the attribute of the group ldap entry that the value of the
attribute defined in User Group Name Attribute is referencing (i.e.
name). Use of this property requires that Group Search
Base is also configured. |
| Authorizers: LDAP Group Search Base | Base DN for searching for groups (i.e.
ou=groups,o=nifi). Required to search groups. |
| Authorizers: LDAP Group Object Class | Object class for identifying groups (i.e.
groupOfNames). Required if searching groups. |
| Authorizers: LDAP Group Search Scope | Search scope for searching groups (ONE_LEVEL,
OBJECT, or SUBTREE). Required if searching
groups. |
| Authorizers: LDAP Group Search Filter | Filter for searching for groups against the Group Search
Base. Optional. |
| Authorizers: LDAP Group Name Attribute | Attribute to use to extract group name (i.e.
cn). Optional. If not set, the entire DN is used. |
| Authorizers: LDAP Group Member Attribute | Attribute to use to define group membership (i.e.
member). Optional. If not set group membership will not be calculated
through the groups. Will rely on group membership being defined through User Group
Name Attribute if set. The value of this property is the name of the attribute in
the group ldap entry that associates them with a user. The value of that group attribute
could be a dn or memberUid for instance. What value is expected is configured in the
Group Member Attribute - Referenced User Attribute. (i.e. member:
cn=User 1,ou=users,o=nifi vs. memberUid: user1) |
| Authorizers: LDAP Group Member Attribute - Referenced User Attribute | If blank, the value of the attribute defined in Group
Member Attribute is expected to be the full dn of the user. If not blank, this
property will define the attribute of the user ldap entry that the value of the attribute
defined in Group Member Attribute is referencing (i.e.
uid). Use of this property requires that User Search Base
is also configured. (i.e. member: cn=User 1,ou=users,o=nifi vs.
memberUid: user1) |
