LDAP User Group Provider properties
After you enable authorization through Ranger or file-based policies, set the LDAP User Group Provider properties so that NiFi or NiFi Registry can sync users and user groups from LDAP and determine the association between them.

Set the following LDAP User Group Provider properties (`ldap-user-group-provider`) in the Cloudera Manager Configuration tab.

| LDAP User Group Provider property | Description |
|---|---|
| Authorizers: LDAP Authentication Strategy | How the connection to the LDAP server is authenticated. Possible values are `ANONYMOUS`, `SIMPLE`, `LDAPS`, or `START_TLS`. |
| Authorizers: LDAP Manager DN | The DN of the manager account that is used to bind to the LDAP server to search for users. |
| Authorizers: LDAP Manager Password | The password of the manager account that is used to bind to the LDAP server to search for users. |
| Authorizers: LDAP TLS - Keystore | Path to the keystore that is used when connecting to LDAP using LDAPS or START_TLS. |
| Authorizers: LDAP TLS - Keystore Password | Password for the keystore that is used when connecting to LDAP using LDAPS or START_TLS. |
| Authorizers: LDAP TLS - Keystore Type | Type of the keystore that is used when connecting to LDAP using LDAPS or START_TLS (for example, `JKS` or `PKCS12`). |
| Authorizers: LDAP TLS - Truststore | Path to the truststore that is used when connecting to LDAP using LDAPS or START_TLS. |
| Authorizers: LDAP TLS - Truststore Password | Password for the truststore that is used when connecting to LDAP using LDAPS or START_TLS. |
| Authorizers: LDAP TLS - Truststore Type | Type of the truststore that is used when connecting to LDAP using LDAPS or START_TLS (for example, `JKS` or `PKCS12`). |
| Authorizers: LDAP TLS - Client Auth | Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are `REQUIRED`, `WANT`, or `NONE`. |
| Authorizers: LDAP TLS - Protocol | Protocol to use when connecting to LDAP using LDAPS or START_TLS (for example, `TLS`, `TLSv1.1`, `TLSv1.2`). |
| Authorizers: LDAP TLS - Shutdown Gracefully | Specifies whether TLS should be shut down gracefully before the target context is closed. Defaults to `false`. |
| Authorizers: LDAP Referral Strategy | Strategy for handling referrals. Possible values are `FOLLOW`, `IGNORE`, or `THROW`. |
| Authorizers: LDAP Connect Timeout | Duration of the connect timeout (for example, `10 secs`). |
| Authorizers: LDAP Read Timeout | Duration of the read timeout (for example, `10 secs`). |
| Authorizers: LDAP Url | Space-separated list of URLs of the LDAP servers (for example, `ldap://<hostname>:<port>`). |
| Authorizers: LDAP Page Size | Page size used when retrieving users and groups. If not specified, no paging is performed. |
| Authorizers: LDAP Group Membership - Enforce Case Sensitivity | Sets whether group membership decisions are case sensitive. When a user or group is inferred (because no user or group search base, user identity attribute, or group name attribute is specified), case sensitivity is enforced, since the value to use for the user identity or group name would otherwise be ambiguous. Defaults to `false`. |
| Authorizers: LDAP Sync Interval | Duration of time between syncs of users and groups (for example, `30 mins`). The minimum allowable value is `10 secs`. |
| Authorizers: LDAP User Search Base | Base DN for searching for users (for example, `ou=users,o=nifi`). Required to search users. |
| Authorizers: LDAP User Object Class | Object class for identifying users (for example, `person`). Required if searching users. |
| Authorizers: LDAP User Search Scope | Search scope for searching users (`ONE_LEVEL`, `OBJECT`, or `SUBTREE`). Required if searching users. |
| Authorizers: LDAP User Search Filter | Filter for searching for users against the User Search Base (for example, `(memberof=cn=team1,ou=groups,o=nifi)`). Optional. |
| Authorizers: LDAP User Identity Attribute | Attribute to use to extract the user identity (for example, `cn`). Optional. If not set, the entire DN is used. |
| Authorizers: LDAP User Group Name Attribute | Attribute to use to define group membership (for example, `memberof`). Optional. If not set, group membership is not calculated through the users; it relies instead on group membership being defined through Group Member Attribute, if set. The value of this property is the name of the attribute in the user LDAP entry that associates the user with a group. The value of that user attribute could be a DN or a group name, for instance. Which value is expected is configured in User Group Name Attribute - Referenced Group Attribute. |
| Authorizers: LDAP User Group Name Attribute - Referenced Group Attribute | If blank, the value of the attribute defined in User Group Name Attribute is expected to be the full DN of the group. If not blank, this property defines the attribute of the group LDAP entry that the value of the attribute defined in User Group Name Attribute references (for example, `name`). Use of this property requires that Group Search Base is also configured. |
| Authorizers: LDAP Group Search Base | Base DN for searching for groups (for example, `ou=groups,o=nifi`). Required to search groups. |
| Authorizers: LDAP Group Object Class | Object class for identifying groups (for example, `groupOfNames`). Required if searching groups. |
| Authorizers: LDAP Group Search Scope | Search scope for searching groups (`ONE_LEVEL`, `OBJECT`, or `SUBTREE`). Required if searching groups. |
| Authorizers: LDAP Group Search Filter | Filter for searching for groups against the Group Search Base. Optional. |
| Authorizers: LDAP Group Name Attribute | Attribute to use to extract the group name (for example, `cn`). Optional. If not set, the entire DN is used. |
| Authorizers: LDAP Group Member Attribute | Attribute to use to define group membership (for example, `member`). Optional. If not set, group membership is not calculated through the groups; it relies instead on group membership being defined through User Group Name Attribute, if set. The value of this property is the name of the attribute in the group LDAP entry that associates the group with a user. The value of that group attribute could be a DN or a memberUid, for instance. Which value is expected is configured in Group Member Attribute - Referenced User Attribute (for example, `member: cn=User 1,ou=users,o=nifi` vs. `memberUid: user1`). |
| Authorizers: LDAP Group Member Attribute - Referenced User Attribute | If blank, the value of the attribute defined in Group Member Attribute is expected to be the full DN of the user. If not blank, this property defines the attribute of the user LDAP entry that the value of the attribute defined in Group Member Attribute references (for example, `uid`). Use of this property requires that User Search Base is also configured (for example, `member: cn=User 1,ou=users,o=nifi` vs. `memberUid: user1`). |
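The two membership paths in the table (User Group Name Attribute on the user entry, Group Member Attribute on the group entry), their Referenced attributes, the search scope, and the Enforce Case Sensitivity setting interact in ways that are easier to see executed than described. The following Python model is an added example and is not NiFi's or Cloudera's implementation: the `DIRECTORY` entries are constructed for the illustration, the helper names `search`, `identity` and `resolve_membership` are assumptions, and DN matching is simplified (no LDAP escaping, no attribute-name case folding). The property names used as dictionary keys are the ones from the table with the "Authorizers: LDAP" prefix dropped.

```python
"""Added model (not NiFi's own code) of how the LDAP User Group Provider's
search and membership properties combine. The directory below is constructed
for the example; DN matching ignores LDAP escaping and attribute-name case."""

# Constructed directory: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY = {
    "cn=User 1,ou=users,o=nifi": {
        "objectClass": ["person"], "cn": ["User 1"], "uid": ["user1"],
        "memberOf": ["cn=team1,ou=groups,o=nifi"],
    },
    "cn=User 2,ou=users,o=nifi": {
        "objectClass": ["person"], "cn": ["User 2"], "uid": ["user2"],
        "memberOf": [],
    },
    # One level deeper than ou=users: visible with SUBTREE, not with ONE_LEVEL.
    "cn=svc-nifi,ou=services,ou=users,o=nifi": {
        "objectClass": ["person"], "cn": ["svc-nifi"], "uid": ["svc-nifi"],
        "memberOf": [],
    },
    "cn=team1,ou=groups,o=nifi": {
        "objectClass": ["groupOfNames"], "cn": ["team1"],
        "member": ["cn=User 1,ou=users,o=nifi"],
    },
    "cn=team2,ou=groups,o=nifi": {
        "objectClass": ["posixGroup"], "cn": ["team2"],
        "memberUid": ["USER2"],  # case differs from the user's uid attribute
    },
}


def search(base, scope, object_class):
    """Apply Search Base, Search Scope and Object Class. No base means nothing is searched."""
    if not base:
        return {}
    base_l = base.lower()
    found = {}
    for dn, attrs in DIRECTORY.items():
        dn_l = dn.lower()
        if scope == "OBJECT":
            in_scope = dn_l == base_l
        elif scope == "ONE_LEVEL":
            # Entry sits directly under the base: its RDN contains no further comma.
            in_scope = dn_l.endswith("," + base_l) and "," not in dn_l[: -len(base_l) - 1]
        elif scope == "SUBTREE":
            in_scope = dn_l == base_l or dn_l.endswith("," + base_l)
        else:
            raise ValueError(f"unknown search scope {scope!r}")
        if in_scope and object_class in attrs.get("objectClass", []):
            found[dn] = attrs
    return found


def identity(dn, attrs, attribute):
    """User Identity Attribute / Group Name Attribute: unset means the entire DN is used."""
    return attrs[attribute][0] if attribute else dn


def resolve_membership(cfg):
    """Return {group name: set of user identities} under the given properties."""
    users = search(cfg.get("User Search Base"), cfg.get("User Search Scope"),
                   cfg.get("User Object Class"))
    groups = search(cfg.get("Group Search Base"), cfg.get("Group Search Scope"),
                    cfg.get("Group Object Class"))
    # Enforce Case Sensitivity defaults to false, so values compare case-insensitively.
    norm = (lambda s: s) if cfg.get("Group Membership - Enforce Case Sensitivity") else str.lower
    uid_attr, gname_attr = cfg.get("User Identity Attribute"), cfg.get("Group Name Attribute")
    membership = {identity(gdn, g, gname_attr): set() for gdn, g in groups.items()}

    # Path 1: membership stated on the user entry (User Group Name Attribute).
    ugna = cfg.get("User Group Name Attribute")
    ref_group = cfg.get("User Group Name Attribute - Referenced Group Attribute")
    if ugna:
        for udn, u in users.items():
            for value in u.get(ugna, []):
                for gdn, g in groups.items():
                    key = g[ref_group][0] if ref_group else gdn  # blank -> full group DN
                    if norm(key) == norm(value):
                        membership[identity(gdn, g, gname_attr)].add(identity(udn, u, uid_attr))

    # Path 2: membership stated on the group entry (Group Member Attribute).
    gma = cfg.get("Group Member Attribute")
    ref_user = cfg.get("Group Member Attribute - Referenced User Attribute")
    if gma:
        for gdn, g in groups.items():
            gname = identity(gdn, g, gname_attr)
            for value in g.get(gma, []):
                if not users:
                    # Users not searched: the identity is inferred from the value as-is,
                    # which is why case sensitivity is enforced in that situation.
                    membership[gname].add(value)
                    continue
                for udn, u in users.items():
                    key = u[ref_user][0] if ref_user else udn  # blank -> full user DN
                    if norm(key) == norm(value):
                        membership[gname].add(identity(udn, u, uid_attr))
    return membership


COMMON = {
    "User Search Base": "ou=users,o=nifi", "User Search Scope": "ONE_LEVEL",
    "User Object Class": "person", "User Identity Attribute": "uid",
    "Group Search Base": "ou=groups,o=nifi", "Group Search Scope": "ONE_LEVEL",
    "Group Name Attribute": "cn",
}
# groupOfNames: member holds the user's full DN (Referenced User Attribute left blank).
CFG_MEMBER_DN = {**COMMON, "Group Object Class": "groupOfNames", "Group Member Attribute": "member"}
# posixGroup: memberUid holds a uid, so the Referenced User Attribute must name it.
CFG_MEMBER_UID = {**COMMON, "Group Object Class": "posixGroup", "Group Member Attribute": "memberUid",
                  "Group Member Attribute - Referenced User Attribute": "uid"}
# Membership read from the user side via memberOf, whose value is the group's full DN.
CFG_MEMBER_OF = {**COMMON, "Group Object Class": "groupOfNames", "User Group Name Attribute": "memberOf"}

if __name__ == "__main__":
    for name, cfg in [("member DN", CFG_MEMBER_DN), ("memberUid", CFG_MEMBER_UID), ("memberOf", CFG_MEMBER_OF)]:
        print(name, resolve_membership(cfg))
    strict = {**CFG_MEMBER_UID, "Group Membership - Enforce Case Sensitivity": True}
    print("memberUid, case sensitive", resolve_membership(strict))
```

Running the model shows the points the table makes in prose: `ONE_LEVEL` under `ou=users,o=nifi` never sees the `svc-nifi` entry that `SUBTREE` would; the `posixGroup` configuration only resolves `team2` membership because the Referenced User Attribute tells the provider to compare `memberUid` against `uid` rather than against the user DN; and flipping Enforce Case Sensitivity to `true` empties `team2`, since `USER2` no longer matches `user2`. Dropping User Search Base makes the provider fall back to inferring identities from the raw `member` values, which is the situation in which the table says case sensitivity is always enforced.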