question Re: LDAP Authentication Issue in Support Questions

LDAP Authentication Issue

saikrishna_tara — Tue, 29 Aug 2017 04:08:33 GMT

Hi,I am trying to configure LDAP authentication to our NiFi instance, I am using SIMPLE authentication strategy , with the below settings.

<provider> <identifier>ldap-provider</identifier>

<class>org.apache.nifi.ldap.LdapProvider</class>

<property name="Authentication Strategy">SIMPLE</property>

<property name="Manager DN">CN=admintarapare,OU=Admins,OU=Users and Groups,OU=GC AMS,OU=AMS,OU=Organizations,DC=mycompany,DC=com></property>

<property name="Manager Password">mypwd></property>

</property> <property name="Referral Strategy">FOLLOW</property>

<property name="Url">ldap://ourserver:389</property>

<property name="User Search Base">OU=Admins,OU=Users and Groups,OU=GC AMS,OU=AMS,OU=Organizations,DC=mycompany,DC=com></property>

<property name="User Search Filter">sAMAccountName={0}</property>

<property name="Identity Strategy">USE_DN</property> <property name="Authentication Expiration">12 hours</property> </provider>

i am not getting any exception in the nifi-app.log, but getting this in nifi-user.log

o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.

I am using this user admintarapare(which i used in my Manager CN) to login and i know the pwd is correct and i used LDP on my server to verify its connecting to the LDAP server.

Any idea on what i am doing wrong here.?

Regards,

Sai

Re: LDAP Authentication Issue

Wynner — Wed, 30 Aug 2017 00:38:02 GMT

@Saikrishna Tarapareddy

Try changing the User Search Filter from sAMAccountName={0} to (sAMAccountName={0})

Re: LDAP Authentication Issue

saikrishna_tara — Wed, 30 Aug 2017 00:52:56 GMT

@wynner ,

I am getting the same error after changing sAMAccountName={0} to (sAMAccountName={0})

Re: LDAP Authentication Issue

Wynner — Wed, 30 Aug 2017 00:56:13 GMT

@Saikrishna Tarapareddy

Just to be sure. Did you restart NiFi after making the change?

Re: LDAP Authentication Issue

saikrishna_tara — Wed, 30 Aug 2017 01:01:37 GMT

@Wynner ,

Yes , i did.

Re: LDAP Authentication Issue

Wynner — Wed, 30 Aug 2017 01:09:11 GMT

@Saikrishna Tarapareddy

Another just to be sure, you have an extra character at the end of a couple of the properties.

This property appears to have an extra character

Manager DN

CN=admintarapare,OU=Admins,OU=Users and Groups,OU=GC AMS,OU=AMS,OU=Organizations,DC=mycompany,DC=com>

and this property also

User Search Base

OU=Admins,OU=Users and Groups,OU=GC AMS,OU=AMS,OU=Organizations,DC=mycompany,DC=com>

Re: LDAP Authentication Issue

saikrishna_tara — Wed, 30 Aug 2017 01:20:33 GMT

@Wynner,

i do not have any extra chars , i just double checked..

<property name="Manager DN">CN=admintarapa,OU=Admins,OU=Users and Groups,OU=GC AMS,OU=AMS,OU=Organizations,DC=mycomp,DC=com></property>

<property name="User Search Base">OU=Admins,OU=Users and Groups,OU=GC AMS,OU=AMS,OU=Organizations,DC=mycomp,DC=com></property>

One interesting thing is , i tried with wrong password for my manager DN in the login-identity-providers.xml file , even then i get the same error.

o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.

Regards,

Sai

Re: LDAP Authentication Issue

Wynner — Wed, 30 Aug 2017 01:27:19 GMT

@Saikrishna Tarapareddy

There is an extra character at the end of both of those properties.

">" this is the extra character, on the end of your value.

Re: LDAP Authentication Issue

jpetro416 — Wed, 30 Aug 2017 01:28:00 GMT

If your password has any unique characters such as "&" it will break the XML

The fix for this example would be changing the & to: "& amp;" without the space (this website will not show the correct value).

Re: LDAP Authentication Issue

saikrishna_tara — Wed, 30 Aug 2017 01:37:22 GMT

@Wynner ,

Sorry , i missed it..Thanks a lot..

now i am getting

insufficient permissions error ..let me check in my user..

Re: LDAP Authentication Issue

saikrishna_tara — Wed, 30 Aug 2017 02:15:14 GMT

@Wynner,

its working now .

Thank you,

Sai

Re: LDAP Authentication Issue

saikrishna_tara — Thu, 31 Aug 2017 01:44:38 GMT

@Wynner ,

i have another issue..while i was able to LDAP authenticate successfully using same OU values.

It is failing to authenticate when my Manager DN's OU is different than Users.

As per our company rule they create service accounts differently to regular user accounts. and we want to use service account as Initial Admin and Manager as shown below..

Only way i could solve this is by

1. In login-identity-providers.xml have Manager DN and User Search Base's OU same.

in my case (ou=Generic-Users,ou=Users and Groups,ou=NPPC AMS,ou=AMS,ou=Organizations,dc=mycomp,dc=com)

2. Start NiFi and log in as Initial Admin .

3. from NiFi UI , create an user with my users DN like (OU=US-StLouis-HQ,OU=Users and Groups,OU=NPPC AMS,OU=AMS,OU=Organizations,DC=mycomp,DC=com) , this is how general users DN looks.

4. in login-identity-providers.xml change the user search base to match with step 3

5. restart NiFi

6. Login as user

Managers DN:

<property name="Manager DN">cn=nifiadmin,ou=Generic-Users,ou=Users and Groups,ou=NPPC AMS,ou=AMS,ou=Organizations,dc=mycomp,dc=com</property>

User Search base:

<property name="User Search Base">OU=US-StLouis-HQ,OU=Users and Groups,OU=NPPC AMS,OU=AMS,OU=Organizations,DC=mycomp,DC=com</property>

Is there a better way.? this way i will have to go back and forth when i have to add a new user or grant an user with create user policy and use that user to create new users instead of initial admin.

Regards,

Sai

Re: LDAP Authentication Issue

Wynner — Thu, 31 Aug 2017 02:03:46 GMT

@Saikrishna Tarapareddy

This should be a different question, not a continuation of your first question.

Because, now you are asking about authorization, not authentication.

Re: LDAP Authentication Issue

Wynner — Thu, 31 Aug 2017 04:12:05 GMT

@Saikrishna Tarapareddy

Look at this article, it should help you: User management in NiFi through identity mapping patterns