question Re: Nifi LDAP user login issue. in Support Questions

question Re: Nifi LDAP user login issue. in Support Questions https://community.cloudera.com/t5/Support-Questions/Nifi-LDAP-user-login-issue/m-p/376350#M242870 <a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/105103">@mks27</a>  I am reading through this post and see multiple conflicting output shared from you which imply config changes were applied between updates added to this post. First you need to understand that NiFi authentication and NiFi authorization are two totally separate processes.  After successful authentication is successful the user identity string is evaluated against any configured Identity mapping patterns configured in the nifi.properties file.  IF a java regex mapping pattern matches against the user identity string returned during authentication, the configured associated identity mapping value is applied.   At this point the user identity string is passed off to the configured authorizer configured in NiFi to verify that the user is authorized for the request endpoint being accessed.  The authorizer must be aware of all user identity strings and those user must be authorized to the resource before a user will be authorized.  It is IMPORTANT to understand that NiFi is case sensitive (Identity bob and BOB would be treated as two different users). Your initial query you stated that the NiFi UI shows successful authentication, but indicates that authorization was then not successful.  We know this because it returned a user identity (determined during authentication) and then reported that user was not known to your NiFi during authorization verification.<LI-CODE lang="markup">Unknown user with identity 'cn=Mohit Kumar,ou=FM-Users,ou=Managed services,dc=CORP,dc=SA,dc=ZAIN,dc=COM'. Contact the system administrator.</LI-CODE>In your same post you shared the DN from your ldapsearch response as:<LI-CODE lang="markup">CN=Mohit Kumar,OU=FM-Users,OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM</LI-CODE>As we can see these do not match.  Regardless of above, what NiFi received in response to your authentication request from your ldap is what is displayed in the NiFiUI. Now, in a later post you shared the nifi-user.log output below:<LI-CODE lang="markup">023-05-23 02:53:37,220 INFO [NiFi Web Server-21] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[mohit.kumar], groups[] does not have permission to access the requested resource. Unknown user with identity 'mohit.kumar'. Returning Forbidden response.</LI-CODE>This log line implies that a user was successfully authenticated with a user identity of "mohit.kumar".  This is not same user as shared in the initial post.  My guess here us that changed your ldap-provider from using:<LI-CODE lang="markup"><property name="Identity Strategy">USE_DN</property></LI-CODE>to:<LI-CODE lang="markup"><property name="Identity Strategy">USE_USERNAME</property></LI-CODE>The "USE_USERNAME" is more commonly used.  Upon successful authentication, the username entered at the NiFi login prompt is used as the user identity rather than the DN returned by ldap.   Or you setup some Identity.mapping.pattern that matched in your full DN, extracted just the CN and set it to all lowercase?   NiFi authorization is handled by the authorizers.xml NiFi configuration file. In your authorizers.xml you have the "Managed authorizer" which has a configured dependency on the "File-Access-Policy-Provider" which itself has a configured dependency on "File-User-Group-Provider". The File-User-Group-Provider is responsible for building the users.xml file and populating it with a few initial entries.  This provider will ONLY generate a users.xml file if it does NOT already exist.  So any edits to this configuration after the users.xml file already exists will not be reflected in this file.  I see you have configured this provider to create the following user identity:<LI-CODE lang="markup"><property name="Initial User Identity 1">CN=Mohit Kumar,OU=FM-Users,OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property></LI-CODE>This Identity matches neither Identity mentioned earlier that resulted from successful authentication (remember that NiFi is case sensitive).I would recommend changing this to the following and deleting the users.xml so it gets recreated:<LI-CODE lang="markup"><property name="Initial User Identity 1">mohit.kumar</property></LI-CODE>Make sure you are also use "USE_USERNAME" in your ldap-provider. The File-Access-Policy-Provider is responsible for building the authorizations.xml file only if it does not already exist.   Within this provider you defined who your initial admin user identity should be.  When building the authorizations.xml file for the first time, this initial admin user identity will be granted the authorization needed to act as an administrator.<LI-CODE lang="markup"><property name="Initial Admin Identity">CN=Mohit Kumar,OU=FM-Users,OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property></LI-CODE>This should be changed to below and current authorizations.xml (not authorizers.xml) must be deleted so it can be rebuild based on new initial admin:<LI-CODE lang="markup"><property name="Initial Admin Identity">mohit.kumar</property></LI-CODE> Now restart your NiFi and login using "mohit.kumar" in the NiFi login window.  I should note that I am assuming here that "mohit.kumar" is your users sAMAccountName value in your LDAP entry.If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.Thank you, Matt Thu, 14 Sep 2023 16:51:41 GMT MattWho 2023-09-14T16:51:41Z