Feature: Make LDAP User/Group Search Scope Configurable (#272)

Signed-off-by: Matthew Baird <matthew@zenaptix.com>

Chart.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: v2
 name: nifi
-version: 1.1.1
+version: 1.1.2
 appVersion: 1.16.3
 description: Apache NiFi is a software project from the Apache Software Foundation designed to automate the flow of data between software systems.
 keywords:

README.md

@@ -145,6 +145,8 @@ The following table lists the configurable parameters of the nifi chart and the
 | `auth.ldap.host`                                                            | ldap hostname                                                                                                      | `ldap://<hostname>:<port>`      |
 | `auth.ldap.searchBase`                                                      | ldap searchBase                                                                                                    | `CN=Users,DC=example,DC=com`    |
 | `auth.ldap.searchFilter`                                                    | ldap searchFilter                                                                                                  | `CN=john`                       |
+| `auth.ldap.userSearchScope`                                                 | ldap userSearchScope                                                                                               | `ONE_LEVEL`                     |
+| `auth.ldap.groupSearchScope`                                                | ldap groupSearchScope                                                                                              | `ONE_LEVEL`                     |
 | **Oidc authentication**
 | `auth.oidc.enabled`                                                         | Enable User auth via oidc                                                                                          | `false`                         |
 | `auth.oidc.discoveryUrl`                                                    | oidc discover url                                                                                                  | `https://<provider>/.well-known/openid-configuration`      |

configs/authorizers.xml

@@ -141,14 +141,14 @@
         <property name="Sync Interval">30 mins</property>
         <property name="User Search Base">{{.Values.auth.ldap.searchBase}}</property>
         <property name="User Object Class">person</property>
-        <property name="User Search Scope">ONE_LEVEL</property>
+        <property name="User Search Scope">{{.Values.auth.ldap.userSearchScope}}</property>
         <property name="User Search Filter">{{.Values.auth.ldap.searchFilter}}</property>
         <property name="User Identity Attribute">{{.Values.auth.ldap.UserIdentityAttribute}}</property>
         <property name="User Group Name Attribute"></property>
         <property name="User Group Name Attribute - Referenced Group Attribute"></property>
         <property name="Group Search Base"></property>
         <property name="Group Object Class">group</property>
-        <property name="Group Search Scope">ONE_LEVEL</property>
+        <property name="Group Search Scope">{{.Values.auth.ldap.groupSearchScope}}</property>
         <property name="Group Search Filter"></property>
         <property name="Group Name Attribute"></property>
         <property name="Group Member Attribute"></property>

values.yaml

@@ -137,6 +137,8 @@ auth:
     authStrategy: SIMPLE # How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
     identityStrategy: USE_DN
     authExpiration: 12 hours
+    userSearchScope: ONE_LEVEL # Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
+    groupSearchScope: ONE_LEVEL # Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
 
   oidc:
     enabled: false