question Re: Questions on configuring LDAP Authentication in NiFi in Support Questions

Questions on configuring LDAP Authentication in NiFi

LKB — Fri, 15 Sep 2023 12:53:44 GMT

Hello All,

I am new to NiFi. I have set up NiFi with LDAP authentication and NiFi starts with no issues but I don't know how to log into NiFi as "Initial Admin Identity" user "user_admin" as shown in my setup below. What should I use as the login credentials as NiFi presently rejects user_admin/<password>?

nifi.properties

nifi.security.user.authorizer=file-provider
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=ldap-provider

login-identity-providers.xml

<identifier>ldap-provider</identifier>

<class>org.apache.nifi.ldap.LdapProvider</class>

<property name="Authentication Strategy">START_TLS</property>

<property name="Manager DN">uid=test_admin,OU=users,DC=abc,DC=com</property>

<property name="TLS - Keystore">./conf/keystore.p12</property>

<property name="TLS - Truststore">./conf/truststore.p12</property>

<property name="TLS - Client Auth">REQUIRED</property>

<property name="Referral Strategy">FOLLOW</property>

<property name="Url">ldaps://test.com</property>

<property name="User Search Filter">sAMAccountName={0}</property>

<property name="Identity Strategy">USE_USERNAME</property>

<property name="Authentication Expiration">12 hours</property>

-----------------------

authorizer.xml

<identifier>file-provider</identifier>

<class>org.apache.nifi.authorization.FileAuthorizer</class>

<property name="Authorizations File">./conf/authorizations.xml</property>

<property name="Users File">./conf/users.xml</property>

<property name="Initial Admin Identity">uid=user_admin,OU=USERS,DC=abc,DC=com</property>

</authorizer>

Re: Questions on configuring LDAP Authentication in NiFi

MattWho — Fri, 15 Sep 2023 14:59:59 GMT

@LKB

Does the user "uid=user_admin,OU=USERS,DC=abc,DC=com" exist in your LDAP server?

Also I have never seen a LDAP user entry that used a full DistinquishedName (DN) in the sAMAccountName attribute. sAMAccountName is typically a short name for the user.

NiFi does not install a LDAP/AD server or create/add users and groups to an existing LDAP/AD . NiFi can be configured to authenticate user that already exists in some external existing LDAP/AD server.

So if the login username and password would be whatever was setup in your externally installed and managed LDAP server.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Re: Questions on configuring LDAP Authentication in NiFi

LKB — Fri, 15 Sep 2023 16:40:56 GMT

Yes, user_admin exists in LDAP server but when I try to use it's password from the server to log on, NiFi rejects even though I know it's correct.

Should I change this: sAMAccountName to just {0}?

Also, how do I use the contents of the user.xml and authorizations.xml that were generated by NiFi? What do those mean? Sorry for my very basic questions. I really appreciate your help

Re: Questions on configuring LDAP Authentication in NiFi

MattWho — Fri, 15 Sep 2023 18:12:24 GMT

@LKB
I am not clear what you mean by "NiFi rejects" it. What is the exact exception you are seeing. NiFi does not reject anything, the ldap endpoint would be what would be responding to the query.

The "{0}" is replaced with the username string you enter in the "user" field presented by NiFi. So let's assume you login with "user_admin". Your configured LDAP endpoint would be queried for user with "sAMAccountName=user_admin" as an attribute.

I would get the ldap listing for your user_admin user from ldap server and verify that "sAMAccountName=user_admin" exists. sAMAccountName is an attribute more commonly associated with Active Directory (AD), but can be added to LDAP as a useable attribute with some custom ldifs.

Two authentication happen here:
First is the Manager DN along with Manager password is used to facilitate a connection to your ldap. Then the supplied username via login UI is used to lookup the specific user record for password verification.

Additionally, since you are using LDAPS instead of LDAP, you are enabling a TLS encrypted connection to your LDAPS. So something else you'll want to verify is that the keystore and truststore you configured in your ldap-provider contains the necessary entries to facilitate that successful TLS connection.

Something other configs that strikes me as incorrect:
1. Your user DN is "uid=user_admin,OU=USERS,DC=abc,DC=com"; however, your configured user search base is "DC=abc,DC=net". That means your user you are trying to authenticate would not be found under that search base.
2. Your LDAPS url is missing the port number "ldaps://test.com:<port>" (commonly 636 and 3269 are defaults for ldaps). If your LDAP support unencrypted connections you could change your "Authentication Strategy" from "START_TLS" to "SIMPLE" and then set your LDAP URL to ldap://test.com:389 (389 is default unencrypted port).

Make sure you are checking your nifi-app.log and nifi-user.log for any exceptions that may be thrown as you try to login to help you troubleshoot further.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Re: Questions on configuring LDAP Authentication in NiFi

LKB — Fri, 15 Sep 2023 21:19:22 GMT

Thanks @MattWho

The ldap listing without the port number was a typo in my text message here but not in the server

I just checked the nifi-user log (after failed log on attempts) as advised and this is the error I got. So apparently, even though Nifi starts, the user set up is not right. Can you suggest what my ldap parameters should be based on sample I provided above? Your help will be appreciated

2023-09-15 15:57:58,201 ERROR [NiFi Web Server-25] o.a.n.w.a.c.AdministrationExceptionMapper org.apache.nifi.admin.service.AdministrationException: Unable to validate the supplied credentials. Please contact the system administrator.. Returning Internal Server Error response.
org.apache.nifi.admin.service.AdministrationException: Unable to validate the supplied credentials. Please contact the system administrator..

Re: Questions on configuring LDAP Authentication in NiFi

MattWho — Mon, 18 Sep 2023 19:16:52 GMT

@LKB
I'd expect a full stack trace in the nifi-app.log following that ERROR.

The ldap-provider is configured inside the login-identity-providers.xml file. Does your LDAP Manager password happen to contain any XML special characters? If so, you should escape them.
https://xml.silmaril.ie/specials.html

Have you tried using ldapsearch to manually make a connection to your LDAPS from the server where you have NiFi installed using same manager DN, Manager password, and keystore and trustsore? Was it successful?

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt