I am trying to use a search filter for the NiFi authorizer via LDAP. The problem is that the usual search filter syntax does not seem to work.
I currently have NiFi working with one of my groups, so getting LDAP to work is not the issue. I was also able to make it work by using the complete paths to both groups, but I would like to use wildcards.
So I have my AD groups as follows:
prod.xxxx.be
|--PROD
   |--Groups TIM application entitlements
      |--(A) Nifi - Admin
      |--(A) Nifi - Operator
      |--(A) Nifi - User
When using the following it works, and users from both groups are populated in the users list in the NiFi UI:
<property name="User Search Base">OU=PROD, DC=prod, DC=xxxx, DC=be</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter">(&amp;(memberof=CN=(A) Nifi - Admin, OU=Groups TIM Application Entitlements, OU=PROD, DC=prod, DC=xxxx, DC=be)(memberof=CN=(A) Nifi - User, OU=Groups TIM Application Entitlements, OU=PROD, DC=prod, DC=xxxx, DC=be))</property>
<property name="User Identity Attribute">CN</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
But since more groups might be added, it does not seem to be very legible. Therefore it would be great to use wildcards.
I tried many combinations I found at https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx but none seem to work for Nifi.
Examples:
(&(objectCategory=group)(cn=(A) Nifi*))
I even tried to escape the special characters:
(&(objectCategory=group)(cn=\28A\29 Nifi*))
or
(&(objectCategory=group)(cn=\28A\29 Nifi*))
Since the config file for authorizers is an XML file, but no luck.
Any advice would be greatly appreciated.
Best regards, Kristof
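Added example (not part of the original post and not NiFi code): a Python helper that builds the memberOf filter from a list of group DNs and applies the two escaping layers the post touches on, RFC 4515 escaping inside the LDAP filter (`(` becomes `\28`) and XML escaping for the authorizers file (`&` becomes `&amp;`). Function names are hypothetical; the DNs and property name are the ones from the post.

```python
from xml.sax.saxutils import escape as xml_escape

# RFC 4515: these characters must be written as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Group DNs copied from the post.
GROUPS = [
    "CN=(A) Nifi - Admin, OU=Groups TIM Application Entitlements, OU=PROD, DC=prod, DC=xxxx, DC=be",
    "CN=(A) Nifi - User, OU=Groups TIM Application Entitlements, OU=PROD, DC=prod, DC=xxxx, DC=be",
]


def escape_filter_value(value):
    """Escape one assertion value so literal '(', ')', '*' and '\\' are not parsed as syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dns, op="|"):
    """Combine one (memberOf=<dn>) clause per group.

    op="|" matches members of any listed group; op="&" (the form used in the
    post) matches only users who are members of every listed group.
    """
    if op not in ("&", "|"):
        raise ValueError("op must be '&' or '|'")
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
    return clauses if len(group_dns) == 1 else f"({op}{clauses})"


def as_property(name, filter_text):
    """Render an XML <property> element; a raw '&' in the filter becomes '&amp;'."""
    safe_name = xml_escape(name, {'"': "&quot;"})
    return f'<property name="{safe_name}">{xml_escape(filter_text)}</property>'


if __name__ == "__main__":
    print(as_property("User Search Filter", member_of_filter(GROUPS, op="&")))
    print(as_property("User Search Filter", member_of_filter(GROUPS, op="|")))
```

Adding a group then means adding one DN to the list rather than hand-editing the filter string.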