Apache Nifi Registry - Unbale to set LDAP - Unable to load the login identity provider configuration file at: /opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml

sha257 — Fri, 27 Sep 2024 09:53:52 GMT

Hello ,

I am trying to setup LDAP on my Nifi Registry and I am getting the below errror :

nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut Caused by: java.lang.Exception: Unable to load the login identity provider configuration file at: /opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory.loadLoginIdentityProvidersConfiguration(IdentityProviderFactory.java:160) nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory.getIdentityProvider(IdentityProviderFactory.java:110) nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory$$EnhancerBySpringCGLIB$$adc959c5.CGLIB$getIdentityProvider$0(<generated>) nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory$$EnhancerBySpringCGLIB$$adc959c5$$FastClassBySpringCGLIB$$53c655ec.invoke(<generated>) nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244) nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331) nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory$$EnhancerBySpringCGLIB$$adc959c5.getIdentityProvider(<generated>) nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at java.lang.reflect.Method.invoke(Method.java:498) nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... 58 common frames omitted nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2024-09-27 09:25:06,919 INFO [Thread-1] org.apache.nifi.registry.NiFiRegistry Initiating shutdown of Jetty web server... nifi-registry 2024-09-27 09:25:06,922 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2024-09-27 09:25:06,922 INFO [Thread-1] o.eclipse.jetty.server.AbstractConnector Stopped ServerConnector@7a1ebcd8{HTTP/1.1,[http/1.1]}{0.0.0.0:18080} nifi-registry 2024-09-27 09:25:06,922 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2024-09-27 09:25:06,922 INFO [Thread-1] org.eclipse.jetty.server.session node0 Stopped scavenging nifi-registry 2024-09-27 09:25:07,787 INFO [main] o.a.n.registry.bootstrap.RunNiFiRegistry NiFi Registry never started. Will not restart NiFi Registry

I am using helm chart to deploy this and the above pasted logs are my pod logs ..

While debugging I do see that the file is present inside the pod :

nifi@nifi-registry-custom-0:/opt/nifi-registry/nifi-registry-current/conf$ ls -lrth total 112K -rw-r--r-- 1 nifi nifi 1020 Dec 19 2019 registry-aliases.xml -rw-r--r-- 1 nifi nifi 6.0K Dec 19 2019 identity-providers.xml -rw-r--r-- 1 nifi nifi 2.1K Dec 19 2019 bootstrap.conf -rw-r--r-- 1 nifi nifi 5.0K Aug 19 2020 providers.xml -rw-r--r-- 1 root root 5.3K Sep 27 09:14 nifi-registry.temp -rw-r--r-- 1 root root 6.7K Sep 27 09:14 login-identity-providers-ldap.xml -rw-r--r-- 1 root root 21K Sep 27 09:14 authorizers.temp -rw-r--r-- 1 nifi nifi 4.9K Sep 27 09:14 nifi-registry.properties -rw-r--r-- 1 nifi nifi 6.7K Sep 27 09:14 login-identity-providers.xml

and my login-indentity-providers.xml file contents are as below :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>   <identityProviders>  <provider> <identifier>ldap-identity-provider</identifier> <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class> <property name="Authentication Strategy">SIMPLE</property> <property name="Manager DN"></property> <property name="Manager Password"></property> <property name="TLS - Keystore">/opt/nifi-registry/nifi-registry-current/conf/nifi-registry-custom-nifi-registry-0.nifi-registry-custom-nifi-registry-headless.local.svc.cluster.local/keystore.jks</property> <property name="TLS - Keystore Password">xxx</property> <property name="TLS - Keystore Type">jks</property> <property name="TLS - Truststore">/opt/nifi-registry/nifi-registry-current/conf/nifi-registry-custom-nifi-registry-0.nifi-registry-custom-nifi-registry-headless.local.svc.cluster.local/truststore.jks</property> <property name="TLS - Truststore Password">xxx</property> <property name="TLS - Truststore Type">JKS</property> <property name="TLS - Client Auth">NONE</property> <property name="TLS - Protocol">TLS</property> <property name="TLS - Shutdown Gracefully">false</property> <property name="Referral Strategy">FOLLOW</property> <property name="Connect Timeout">10 secs</property> <property name="Read Timeout">10 secs</property> <property name="Url"></property> <property name="User Search Base"></property> <property name="User Search Filter">(cn={0})</property> <property name="Identity Strategy">USE_DN</property> <property name="Authentication Expiration">12 hours</property> </provider>   </identityProviders>

My properties file contents are :

# security properties # nifi.registry.security.keystore=/opt/nifi-registry/nifi-registry-current/conf/nifi-registry-custom-nifi-registry-0.nifi-registry-custom-nifi-registry-headless.default.svc.cluster.local/keystore.jks nifi.registry.security.keystoreType=jks nifi.registry.security.keystorePasswd=xxx nifi.registry.security.keyPasswd=xxx nifi.registry.security.truststore=/opt/nifi-registry/nifi-registry-current/conf/nifi-registry-custom-nifi-registry-0.nifi-registry-custom-nifi-registry-headless.default.svc.cluster.local/truststore.jks nifi.registry.security.truststoreType=jks nifi.registry.security.truststorePasswd=changeMe nifi.registry.security.needClientAuth= nifi.registry.security.authorizers.configuration.file=/opt/nifi-registry/nifi-registry-current/conf/authorizers.xml nifi.registry.security.authorizer=file-provider nifi.registry.security.identity.providers.configuration.file=/opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml nifi.registry.security.identity.provider=ldap-identity-provider

However , I am not sure what the issue is .

Could someone please help ?

Re: Apache Nifi Registry - Unbale to set LDAP - Unable to load the login identity provider configuration file at: /opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml

MattWho — Fri, 27 Sep 2024 13:29:52 GMT

@sha257

The provider as shared is missing required configurations Manager DN, Manager password, URL, and User Search Base. Perhaps you just blanked these out for this post. Since this is an xml format file, make sure that you are properly escaping any XML special characters if used in any of the property values.

XML Special Character:	Replacement escape value:
"	"
'	'
<	<
>	>
&	&

if any of these are used without being escaped, the xml will be invalid a not able to be loaded.

I also see that you have configured the Authentication Strategy as SIMPLE which means your using ldap and not ldaps; however, I see that you have configured the TLS keystore and truststore properties. That is not an issue, unless your ldap URL is really secured requiring either the LDAPS or START_TLS "Authentication Strategy" to be set.

For your User Search Filter, try changing that from "(cn={0})" to just "cn={0}"

Most common issue is use of special characters within XML field property values like passwords that have not been escaped properly.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Re: Apache Nifi Registry - Unbale to set LDAP - Unable to load the login identity provider configuration file at: /opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml

sha257 — Fri, 27 Sep 2024 14:15:29 GMT

Hey @MattWho

Thank you very much for your response.

I am new to setting up the Nifi registry and have been trying out most of the implementation from the official documentation .

Yes , I would like to use ldap and have been looking into these steps - https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#ldap_identity_provider

However , as per your answer , I understood that the TLS keystore and truststore properties are not required for this - Did I understand it correct ?

Re: Apache Nifi Registry - Unbale to set LDAP - Unable to load the login identity provider configuration file at: /opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml

MattWho — Fri, 27 Sep 2024 15:45:07 GMT

@sha257

The TLS properties need to be configured if your LDAP endpoint is secured meaning it requires LDAPS or START_TLS authentication strategies. Even when secured, you will alwasy need the TLS truststore, but may or may not need a TLS keystore (depends on your LDAP setup).

For unsecured LDAP url access, the TLS properties are not necessary. Even unsecured (meaning connection is not encrypted), the manager DN and manager Password are still going to be required to connect to the ldap server.

Based on information shared, I cannot say what your ldap setup does or does not require. You'll need to work with your ldap administrators to understand the requirements for connecting to your ldap.

Thank you,
Matt

question Re: Apache Nifi Registry - Unbale to set LDAP - Unable to load the login identity provider configuration file at: /opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml in Support Questions

Apache Nifi Registry - Unbale to set LDAP - Unable to load the login identity provider configuration file at: /opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml

Re: Apache Nifi Registry - Unbale to set LDAP - Unable to load the login identity provider configuration file at: /opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml

Re: Apache Nifi Registry - Unbale to set LDAP - Unable to load the login identity provider configuration file at: /opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml

Re: Apache Nifi Registry - Unbale to set LDAP - Unable to load the login identity provider configuration file at: /opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml