LDAP User Group Provider Properties

After you enable authorization through Ranger or file-based policies, set the LDAP User Group Provider properties to enable NiFi/NiFi Registry to sync users and user groups and determine the association between them.

Set the following LDAP User Group Provider properties (ldap-user-group-provider) in the Cloudera Manager Configuration tab.
LDAP User Group Provider Properties Description
Authorizers: LDAP Authentication Strategy How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
Authorizers: LDAP Manager DN The DN of the manager that is used to bind to the LDAP server to search for users.
Authorizers: LDAP Manager Password The password of the manager that is used to bind to the LDAP server to search for users.
Authorizers: LDAP TLS - Keystore Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
Authorizers: LDAP TLS - Keystore Password Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
Authorizers: LDAP TLS - Keystore Type Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).
Authorizers: LDAP TLS - Truststore Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
Authorizers: LDAP TLS - Truststore Password Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
Authorizers: LDAP TLS - Truststore Type Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).
Authorizers: LDAP TLS - Client Auth Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE.
Authorizers: LDAP TLS - Protocol Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2, etc).
Authorizers: LDAP TLS - Shutdown Gracefully Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.
Authorizers: LDAP Referral Strategy Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
Authorizers: LDAP Connect Timeout Duration of connect timeout. (i.e. 10 secs).
Authorizers: LDAP Read Timeout Duration of read timeout. (i.e. 10 secs).
Authorizers: LDAP Url Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
Authorizers: LDAP Page Size Sets the page size when retrieving users and groups. If not specified, no paging is performed.
Authorizers: LDAP Group Membership - Enforce Case Sensitivity Sets whether group membership decisions are case sensitive. When a user or group is inferred (by not specifying or user or group search base or user identity attribute or group name attribute) case sensitivity is enforced since the value to use for the user identity or group name would be ambiguous. Defaults to false.
Authorizers: LDAP Sync Interval Duration of time between syncing users and groups. (i.e. 30 mins). Minimum allowable value is 10 secs.
Authorizers: LDAP User Search Base Base DN for searching for users (i.e. ou=users,o=nifi). Required to search users.
Authorizers: LDAP User Object Class Object class for identifying users (i.e. person). Required if searching users.
Authorizers: LDAP User Search Scope Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
Authorizers: LDAP User Search Filter Filter for searching for users against the User Search Base (i.e. (memberof=cn=team1,ou=groups,o=nifi)). Optional.
Authorizers: LDAP User Identity Attribute Attribute to use to extract user identity (i.e. cn). Optional. If not set, the entire DN is used.
Authorizers: LDAP User Group Name Attribute Attribute to use to define group membership (i.e. memberof). Optional. If not set group membership will not be calculated through the users. Will rely on group membership being defined through Group Member Attribute if set. The value of this property is the name of the attribute in the user ldap entry that associates them with a group. The value of that user attribute could be a dn or group name for instance. What value is expected is configured in the User Group Name Attribute - Referenced Group Attribute.
Authorizers: LDAP User Group Name Attribute - Referenced Group Attribute If blank, the value of the attribute defined in User Group Name Attribute is expected to be the full dn of the group. If not blank, this property will define the attribute of the group ldap entry that the value of the attribute defined in User Group Name Attribute is referencing (i.e. name). Use of this property requires that Group Search Base is also configured.
Authorizers: LDAP Group Search Base Base DN for searching for groups (i.e. ou=groups,o=nifi). Required to search groups.
Authorizers: LDAP Group Object Class Object class for identifying groups (i.e. groupOfNames). Required if searching groups.
Authorizers: LDAP Group Search Scope Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
Authorizers: LDAP Group Search Filter Filter for searching for groups against the Group Search Base. Optional.
Authorizers: LDAP Group Name Attribute Attribute to use to extract group name (i.e. cn). Optional. If not set, the entire DN is used.
Authorizers: LDAP Group Member Attribute Attribute to use to define group membership (i.e. member). Optional. If not set group membership will not be calculated through the groups. Will rely on group membership being defined through User Group Name Attribute if set. The value of this property is the name of the attribute in the group ldap entry that associates them with a user. The value of that group attribute could be a dn or memberUid for instance. What value is expected is configured in the Group Member Attribute - Referenced User Attribute. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
Authorizers: LDAP Group Member Attribute - Referenced User Attribute If blank, the value of the attribute defined in Group Member Attribute is expected to be the full dn of the user. If not blank, this property will define the attribute of the user ldap entry that the value of the attribute defined in Group Member Attribute is referencing (i.e. uid). Use of this property requires that User Search Base is also configured. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)