Nifi LDAP Timeout Error

ajignacio — Thu, 01 Sep 2022 11:40:30 GMT

Hi Everyone

We trying to integrate LDAP to our existing nifi server single node. After configuring ldap details, Nifi fails with timeout connection error. There is no firewall block and we are able to telnet the ldap server. Please see our setup ldap below.

LDAP server :
CN=Service Account\, nifi_ldap,OU=Service Accounts,OU=Enterprise Dev,DC=dev,DC=abcde
ldap://ldap.dev.abcde:389
password: 5$qwerty!

nifi.properties *Previously our application was running as http but we change it to https*


nifi.authorizer.configuration.file=./conf/authorizers.xml
nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml
# web properties #
#############################################

# For security, NiFi will present the UI on 127.0.0.1 and only be accessible through this loopback interface.
# Be aware that changing these properties may affect how your instance can be accessed without any restriction.
# We recommend configuring HTTPS instead. The administrators guide provides instructions on how to do this.

nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=

#############################################
nifi.web.https.host=localhost
nifi.web.https.port=8080
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=
nifi.web.proxy.host=
nifi.web.max.content.size=
nifi.web.max.requests.per.second=30000
nifi.web.max.access.token.requests.per.second=25
nifi.web.request.timeout=60 secs
nifi.web.request.ip.whitelist=
nifi.web.should.send.server.version=true
nifi.web.request.log.format=%{client}a - %u %t "%r" %s %O "%{Referer}i" "%{User-Agent}i"

# security properties #
nifi.sensitive.props.key=1234pwd
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=
nifi.security.keystoreType=
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.user.jws.key.rotation.period=PT1H
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

login-identity-providers.xml:


<loginIdentityProviders>
 <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
       <property name="Manager DN">CN=Service Account\, nifi_ldap,OU=Service Accounts,OU=Enterprise Dev,DC=dev,DC=abcde</property>
        <property name="Manager Password">5$qwerty!</property>
       <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>
       <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">300 secs</property>
        <property name="Read Timeout">300 secs</property>
       <property name="Url">ldap://ldap.dev.abcde:389</property>
        <property name="User Search Base">DC=dev,DC=abcde</property>
        <property name="User Search Filter"></property>
       <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>

authorizers.xml:

<authorizers>

<userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
       <property name="Manager DN">CN=Service Account\, nifi_ldap,OU=Service Accounts,OU=Enterprise Dev,DC=dev,DC=abcde</property>
        <property name="Manager Password">5$qwerty!</property>
       <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>
       <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">300 secs</property>
        <property name="Read Timeout">300 secs</property>
       <property name="Url">ldap://ldap.dev.abcde:389</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>
       <property name="User Search Base">DC=dev,DC=abcde</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter"></property>
        <property name="User Identity Attribute"></property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>
       <property name="Group Search Base">DC=dev,DC=abcde</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute"></property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">ldap-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=Service Account\, nifi_ldap,OU=Service Accounts,OU=Enterprise Dev,DC=dev,DC=abcde</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
   <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

error in nifi-app.log:

2022-09-01 06:16:24,995 INFO [main] o.e.j.a.AnnotationConfiguration Scanning elapsed time=412ms
2022-09-01 06:16:24,997 INFO [main] o.e.j.s.handler.ContextHandler._nifi_api No Spring WebApplicationInitializer types detected on classpath
2022-09-01 06:16:25,060 INFO [main] o.e.j.s.handler.ContextHandler._nifi_api Initializing Spring root WebApplicationContext
2022-09-01 06:16:26,607 INFO [main] o.a.nifi.properties.NiFiPropertiesLoader Loading Application Properties [/nifi/nifi-1.16.2-ldap/./conf/nifi.properties]
2022-09-01 06:18:34,427 ERROR [main] o.s.web.context.ContextLoader Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'niFiWebApiConfiguration': BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'metaDataSourceAdvisor': Cannot resolve reference to bean 'methodSecurityMetadataSource' while setting constructor argument; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration': Unsatisfied dependency expressed through method 'setObjectPostProcessor' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.CommunicationException: ldap.dev.abcde:389; nested exception is javax.naming.CommunicationException: ldap.dev.abcde:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:537)
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:953)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:918)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:583)
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:401)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:292)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:103)
at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:1073)
at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:572)
at org.eclipse.jetty.server.handler.ContextHandler.contextInitialized(ContextHandler.java:1002)
at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:746)

Note: Post nifi initialization fail , autorziation.xml and user.xml are not generated in below conf directory :

drwxr-xr-x 2 root root    8192 Sep  1 05:41 archive
-rw-r--r-- 1 root root   27294 Sep  1 06:14 authorizers.xml
-rw-r--r-- 1 root root    1320 Sep  1 05:23 bootstrap-aws.conf
-rw-r--r-- 1 root root    1076 Sep  1 05:23 bootstrap-azure.conf
-rw-r--r-- 1 root root    5942 Sep  1 05:23 bootstrap.conf
-rw-r--r-- 1 root root     952 Sep  1 05:23 bootstrap-gcp.conf
-rw-r--r-- 1 root root    2189 Sep  1 05:23 bootstrap-hashicorp-vault.conf
-rw-r--r-- 1 root root    2326 Sep  1 05:23 bootstrap-notification-services.xml
-rw-r--r-- 1 root root 5140762 Sep  1 05:41 flow.json.gz
-rw-r--r-- 1 root root 8114138 Sep  1 05:41 flow.xml.gz
-rw-r--r-- 1 root root   10549 Sep  1 05:34 logback.xml
-rw-r--r-- 1 root root    7265 Sep  1 06:13 login-identity-providers.xml
-rw-r--r-- 1 root root   16524 Sep  1 05:23 nifi-backup.properties
-rw-r--r-- 1 root root   17096 Sep  1 06:01 nifi.properties
-rw-r--r-- 1 root root   11402 Sep  1 05:23 nifi-toolkit.properties
-rw-r--r-- 1 root root    3696 Sep  1 05:23 stateless-logback.xml
-rw-r--r-- 1 root root    1946 Sep  1 05:23 stateless.properties
-rw-r--r-- 1 root root    9120 Sep  1 05:23 state-management.xml
-rw-r--r-- 1 root root    2573 Sep  1 05:23 zookeeper.properties

I checked Integration of NiFi with LDAP – Pierre Villard

NiFi System Administrator’s Guide (apache.org)but it didn't worked. Please guide me to integrate LDAP with Nifi.

Thanks,

Alvin

Re: Nifi LDAP Timeout Error

araujo — Fri, 02 Sep 2022 05:15:46 GMT

@ajignacio ,

What's the output of the command below if you run it from the same machine where NiFi is running?

openssl s_client -connect ldap.dev.abcde:389

I know you are not using TLS, but the command above can still give us some useful information.

Cheers,

André

Re: Nifi LDAP Timeout Error

ajignacio — Fri, 02 Sep 2022 10:27:30 GMT

Thanks André. Our Application is running as http not https. See the result below.

[nifi1 ~]$ openssl s_client -connect ldap.dev.abcde:389
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1662113057
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Please advise if there something we need to install/configure in our application

Thanks,

Alvin

Re: Nifi LDAP Timeout Error

ajignacio — Fri, 02 Sep 2022 16:27:43 GMT

Thanks André. Our Application is running as http not https. See the result below.

[nifi1 ~]$ openssl s_client -connect ldap.dev.abcde:389
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1662113057
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Please advise if there something we need to install/configure in our application

Thanks,

Alvin

question Nifi LDAP Timeout Error in Support Questions

Nifi LDAP Timeout Error

Re: Nifi LDAP Timeout Error

Re: Nifi LDAP Timeout Error

Re: Nifi LDAP Timeout Error