question Apache Nifi LDAP Authentication issue. in Support Questions

Apache Nifi LDAP Authentication issue.

mks27 — Wed, 17 May 2023 06:00:00 GMT

Hi Team,

I trying to configure Apache Nifi LDAP authentication,

Here is my nifi.properties.

-----

nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=/var/tmp/mks/certs/keystore.jks
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=************
nifi.security.keyPasswd=
nifi.security.truststore=/var/tmp/mks/certs/keystore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=**************
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.user.jws.key.rotation.period=PT1H
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

------

Here is my "login-identity-providers.xml"

-----

-->
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">LDAPS</property>

<property name="Manager DN">CN=**********,OU=Groups,OU=*********,OU=********,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
<property name="Manager Password">************</property>

<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>

<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>

<property name="Url">ldap://***********:389</property>
<property name="User Search Base">OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
<property name="User Search Filter">sAMAccountName={0}</property>

<property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>

-----

but i am getting below error.

Unable to load the login identity provider configuration file at: /var/nifi/conf/login-identity-providers.xml

File is there

# ls -ld /var/nifi/conf/login-identity-providers.xml
-rw-rw-r--. 1 root root 7205 May 17 01:46 /var/nifi/conf/login-identity-providers.xml

Please help me to fix it.

Re: Apache Nifi LDAP Authentication issue.

VidyaSargur — Wed, 17 May 2023 07:58:22 GMT

@mks27, Welcome to our community! To help you get the best possible answer, I have tagged our NiFi experts @cotopaul @SAMSAL @MattWho @steven-matison who may be able to assist you further.

Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.

Re: Apache Nifi LDAP Authentication issue.

mks27 — Thu, 18 May 2023 06:39:05 GMT

Hello @cotopaul @SAMSAL @MattWho @steven-matison

I have fixed the login provider issue and now when i try to login , i am getting below errors.

Caused by: org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563^@]
at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:190)
at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:79)
at org.apache.nifi.ldap.LdapProvider.authenticate(LdapProvider.java:276)
... 109 common frames omitted
Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563^@]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:191)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:363)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:147)
at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:166)
at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:806)
at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:260)
at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:100)
at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:86)
at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:174)
... 111 common frames omitted
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563^@]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3261)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2993)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2907)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:351)

Re: Apache Nifi LDAP Authentication issue.

MattWho — Fri, 26 May 2023 19:20:33 GMT

@mks27

Your configuration has a ldap://... address; however, you have configured the "authentication strategy as LDAPS. This needs to be "SIMPLE" instead of "LDAPS".

I would also recommend that you change the "Identity Strategy" form " USE_DN" to "USE_USERNAME".

ldap exception with data 52e typically means bad password.
Also consider that the login-identity-providers.xml configuration file is XML. XML has special characters that if used in your manager password must be escaped or change your manager password to not use these special characters:

& replace with & < replace with < > replace with > " replace with " ‘ replace with '

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt