nifi-issues mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [nifi] dtmo commented on issue #3602: NIFI-5839 Applied identity mapping to user lookups and group members
Date Sat, 17 Aug 2019 22:24:47 GMT
dtmo commented on issue #3602: NIFI-5839 Applied identity mapping to user lookups and group members
URL: https://github.com/apache/nifi/pull/3602#issuecomment-522275057
 
 
   @mcgilman You're quite right. While my change to the application of transformations does provide a fix for that specific problem, in reality there shouldn't be any need for transformations in the first place. In my case I made use of transformations as a workaround for the situation where user certificate DNs, LDAP user DNs and LDAP group unique member DNs were all considered equal based on LDAP's matching rules, but not based on the Java String equality checks that NiFi performs.

   Delegating the checks for user existence and group membership to the LDAP server would be a reliable approach, but would break NiFi's current behaviour of only hitting the LDAP server once for each refresh of its cache.

   As I understand it, an LDAP server should support being queried to establish which matching rules are applied for each attribute. Specific OIDs are defined for each matching rule (e.g. OID 2.5.13.2 for case-ignore-match, OID 2.5.13.5 for case-exact-match), so is it possible that no extra configuration would be required at all and the provider could simply establish the correct behaviour for itself?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
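
The mismatch described in the comment above, as an added example that is not part of the original message and is not NiFi's code: a group-membership cache keyed by raw DN strings misses a certificate DN that differs only in case and spacing, while the same cache keyed by the JDK's `javax.naming.ldap.LdapName` finds it. The class name and the two DN values are constructed for illustration.

```java
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class DnMatchDemo {

    // Membership check against a cache keyed by the raw DN string.
    static boolean isMemberByString(Set<String> members, String userDn) {
        // String.equals/hashCode are character-for-character, so a DN that
        // differs only in letter case or spacing is a different key.
        return members.contains(userDn);
    }

    // Membership check against a cache keyed by the parsed DN.
    static boolean isMemberByName(Set<LdapName> members, String userDn)
            throws InvalidNameException {
        // LdapName parses the DN into RDNs; equals() and hashCode() ignore
        // letter case and whitespace around the RDN separators.
        return members.contains(new LdapName(userDn));
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample values: one directory entry as it might appear
        // in a client certificate subject and in a group's member attribute.
        String certDn = "CN=Jane Doe, OU=Engineering, DC=example, DC=org";
        String memberDn = "cn=jane doe,ou=engineering,dc=example,dc=org";

        Set<String> stringCache = new HashSet<>();
        stringCache.add(memberDn);

        Set<LdapName> nameCache = new HashSet<>();
        nameCache.add(new LdapName(memberDn));

        System.out.println("String-keyed cache finds certificate DN:   "
                + isMemberByString(stringCache, certDn));
        System.out.println("LdapName-keyed cache finds certificate DN: "
                + isMemberByName(nameCache, certDn));
    }
}
```

`LdapName` always compares attribute values case-insensitively and never consults the directory's schema, so it matches case-ignore-match semantics only. An attribute the server compares with case-exact-match would be matched more loosely by this comparison than by the server.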
