From d1db3e3f788259e8a2b2bf14722b03172c598a7d Mon Sep 17 00:00:00 2001 From: Matthew Baird Date: Fri, 23 Sep 2022 12:51:08 +0200 Subject: [PATCH] Feature: Make LDAP User/Group Search Scope Configurable Signed-off-by: Matthew Baird --- Chart.yaml | 2 +- README.md | 2 ++ configs/authorizers.xml | 4 ++-- values.yaml | 2 ++ 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index c4341966..4576848e 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ --- apiVersion: v2 name: nifi -version: 1.1.1 +version: 1.1.2 appVersion: 1.16.3 description: Apache NiFi is a software project from the Apache Software Foundation designed to automate the flow of data between software systems. keywords: diff --git a/README.md b/README.md index f0ef06a8..ff09b794 100644 --- a/README.md +++ b/README.md @@ -145,6 +145,8 @@ The following table lists the configurable parameters of the nifi chart and the | `auth.ldap.host` | ldap hostname | `ldap://:` | | `auth.ldap.searchBase` | ldap searchBase | `CN=Users,DC=example,DC=com` | | `auth.ldap.searchFilter` | ldap searchFilter | `CN=john` | +| `auth.ldap.userSearchScope` | ldap userSearchScope | `ONE_LEVEL` | +| `auth.ldap.groupSearchScope` | ldap groupSearchScope | `ONE_LEVEL` | | **Oidc authentication** | `auth.oidc.enabled` | Enable User auth via oidc | `false` | | `auth.oidc.discoveryUrl` | oidc discover url | `https:///.well-known/openid-configuration` | diff --git a/configs/authorizers.xml b/configs/authorizers.xml index 2833750d..c31fa8b9 100644 --- a/configs/authorizers.xml +++ b/configs/authorizers.xml @@ -141,14 +141,14 @@ 30 mins {{.Values.auth.ldap.searchBase}} person - ONE_LEVEL + {{.Values.auth.ldap.userSearchScope}} {{.Values.auth.ldap.searchFilter}} {{.Values.auth.ldap.UserIdentityAttribute}} group - ONE_LEVEL + {{.Values.auth.ldap.groupSearchScope}} diff --git a/values.yaml b/values.yaml index 6ed516d2..cf45a8e3 100644 --- a/values.yaml +++ b/values.yaml 
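Review bot: The two new scope lines in configs/authorizers.xml render `.Values.auth.ldap.userSearchScope` and `.Values.auth.ldap.groupSearchScope` with no fallback. A release whose effective values lack these keys (for example an upgrade run with `--reuse-values`, which does not pick up new chart defaults) would likely get an empty search scope where `ONE_LEVEL` used to be hard-coded. Keeping the old behaviour as the fallback is a small change per line: `{{ .Values.auth.ldap.userSearchScope | default "ONE_LEVEL" }}` and `{{ .Values.auth.ldap.groupSearchScope | default "ONE_LEVEL" }}`. The value is also written into the authorizer config unchecked, so a render-time check against the three documented values (ONE_LEVEL, OBJECT, SUBTREE) would catch a typo before NiFi starts with a broken user group provider. The surrounding element markup is not visible on this page, so the exact property lines are inferred from the hunk text.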
@@ -137,6 +137,8 @@ auth: authStrategy: SIMPLE # How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS. identityStrategy: USE_DN authExpiration: 12 hours + userSearchScope: ONE_LEVEL # Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users. + groupSearchScope: ONE_LEVEL # Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups. oidc: enabled: false
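Review bot: The comments on `userSearchScope` and `groupSearchScope` list the accepted values but not what widening the scope means for authorization. With `SUBTREE`, every entry below `searchBase` that matches the object class and filter is loaded as a NiFi user or group identity, which can include service or disabled accounts kept in nested OUs. I would extend the comment along the lines of `# SUBTREE also loads entries from nested OUs under searchBase; keep ONE_LEVEL unless needed and narrow searchFilter when widening`. The same caveat belongs in the two new README rows, whose description column only repeats the key name. Only the `auth:` context is visible in the hunk header, so placement under the ldap block is inferred from the template paths.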