question Re: Nifi error when integrating authen with ldap in Support Questions

Nifi error when integrating authen with ldap

yoonli — Tue, 26 Aug 2025 09:55:36 GMT

As the title says, I'm getting an unexpected error when logging into nifi with the same ldap account even though I configured that account as admin in the authorizers.xml file. Bellow this my setting:

nifi.properties

nifi.security.user.authorizer=managed-authorizer nifi.security.user.login.identity.provider=ldap-provider

<provider> <identifier>ldap-provider</identifier> <class>org.apache.nifi.ldap.LdapProvider</class> <property name="Authentication Strategy">SIMPLE</property> <property name="Manager DN">cn=admin,dc=nifi,dc=com</property> <property name="Manager Password">adminpassword</property> <property name="TLS - Keystore"></property> <property name="TLS - Keystore Password"></property> <property name="TLS - Keystore Type"></property> <property name="TLS - Truststore"></property> <property name="TLS - Truststore Password"></property> <property name="TLS - Truststore Type"></property> <property name="TLS - Client Auth"></property> <property name="TLS - Protocol"></property> <property name="TLS - Shutdown Gracefully"></property> <property name="Referral Strategy">FOLLOW</property> <property name="Connect Timeout">10 secs</property> <property name="Read Timeout">10 secs</property> <property name="Url">ldap://10.29.144.58:389</property> <property name="User Search Base">ou=users,dc=nifi,dc=local</property> <property name="User Search Filter">(uid={0})</property> <property name="Identity Strategy">USE_USERNAME</property> <property name="Authentication Expiration">12 hours</property> </provider>

authorizers.xml

<userGroupProvider> <identifier>ldap-user-group-provider</identifier> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class> <property name="Authentication Strategy">SIMPLE</property> <property name="Manager DN">cn=admin,dc=nifi,dc=local</property> <property name="Manager Password">adminpassword</property> <property name="TLS - Keystore"></property> <property name="TLS - Keystore Password"></property> <property name="TLS - Keystore Type"></property> <property name="TLS - Truststore"></property> <property name="TLS - Truststore Password"></property> <property name="TLS - Truststore Type"></property> <property name="TLS - Client Auth"></property> <property name="TLS - Protocol"></property> <property name="TLS - Shutdown Gracefully"></property> <property name="Referral Strategy">FOLLOW</property> <property name="Connect Timeout">10 secs</property> <property name="Read Timeout">10 secs</property> <property name="Url">ldap://10.29.144.58:389</property> <property name="Page Size"></property> <property name="Sync Interval">30 mins</property> <property name="Group Membership - Enforce Case Sensitivity">false</property> <property name="User Search Base">ou=users,dc=nifi,dc=local</property> <property name="User Object Class">inetOrgPerson</property> <property name="User Search Scope">ONE_LEVEL</property> <property name="User Search Filter">(uid={0})</property> <property name="User Identity Attribute">uid</property> <property name="User Group Name Attribute"></property> <property name="User Group Name Attribute - Referenced Group Attribute"></property> <property name="Group Search Base"></property> <property name="Group Object Class">group</property> <property name="Group Search Scope">ONE_LEVEL</property> <property name="Group Search Filter"></property> <property name="Group Name Attribute"></property> <property name="Group Member Attribute"></property> <property name="Group Member Attribute - Referenced User Attribute"></property> </userGroupProvider> <accessPolicyProvider> <identifier>file-access-policy-provider</identifier> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> <property name="User Group Provider">ldap-user-group-provider</property> <property name="Authorizations File">./conf/authorizations.xml</property> <property name="Initial Admin Identity">nifi</property> <property name="Initial Admin Group"></property> <property name="Node Identity 1"></property> <property name="Node Group"></property> </accessPolicyProvider> <authorizer> <identifier>managed-authorizer</identifier> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> <property name="Access Policy Provider">file-access-policy-provider</property> </authorizer>

Error in nifi-app.log

2025-08-26 10:50:30,548 INFO [main] o.a.nifi.controller.StandardFlowService Setting Flow Controller's Node ID: 10.29.144.58:8443
2025-08-26 10:50:30,551 INFO [main] org.apache.nifi.nar.StandardNarManager Synchronizing NARs with cluster coordinator
2025-08-26 10:50:30,793 ERROR [main] org.apache.nifi.nar.StandardNarManager Failed to synchronize NARs from cluster coordinator [10.29.144.56] no local NARs found
java.lang.IllegalStateException: Error calling https://10.29.144.56:8443/nifi-api/controller/nar-manager/nars - 403 - Unable to view the controller. Contact the system administrator.
at org.apache.nifi.client.NiFiRestApiClient.getResponseBody(NiFiRestApiClient.java:111)
at org.apache.nifi.client.NiFiRestApiClient.executeEntityRequest(NiFiRestApiClient.java:81)
at org.apache.nifi.nar.NarRestApiClient.listNarSummaries(NarRestApiClient.java:70)
at org.apache.nifi.nar.StandardNarManager.listNarSummaries(StandardNarManager.java:329)
at org.apache.nifi.nar.StandardNarManager.getNarSummariesFromCoordinator(StandardNarManager.java:317)
at org.apache.nifi.nar.StandardNarManager.syncWithClusterCoordinator(StandardNarManager.java:267)
at org.apache.nifi.controller.StandardFlowService.loadFromConnectionResponse(StandardFlowService.java:909)
at org.apache.nifi.controller.StandardFlowService.load(StandardFlowService.java:465)
at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:855)
at org.apache.nifi.runtime.Application.startServer(Application.java:131)
at org.apache.nifi.runtime.Application.run(Application.java:78)
at org.apache.nifi.runtime.Application.run(Application.java:60)
at org.apache.nifi.NiFi.main(NiFi.java:42)

nifi-user.log

2025-08-26 16:53:20,896 ERROR [NiFi Web Server-32] o.a.nifi.web.api.config.ThrowableMapper An unexpected error has occurred: java.io.UncheckedIOException: Read Current User Entity failed. Returning Internal Server Error response.
java.io.UncheckedIOException: Read Current User Entity failed
at org.apache.nifi.web.api.FlowResource.readReplicatedCurrentUserEntity(FlowResource.java:446)
at org.apache.nifi.web.api.FlowResource.getCurrentUser(FlowResource.java:421)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
at java.base/java.lang.reflect.Method.invoke(Method.java:580)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:93)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:274)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:266)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:253)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:696)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:397)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:349)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:312)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
at org.eclipse.jetty.ee10.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1379)
at org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:736)
at org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1622)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108)
at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365)
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:101)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:125)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.apache.nifi.web.security.log.AuthenticationUserFilter.doFilterInternal(AuthenticationUserFilter.java:57)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:60)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:158)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:96)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:58)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.apache.nifi.web.security.csrf.CsrfCookieFilter.doFilterInternal(CsrfCookieFilter.java:43)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.apache.nifi.web.security.csrf.SkipReplicatedCsrfFilter.doFilterInternal(SkipReplicatedCsrfFilter.java:59)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
at org.springframework.web.filter.ServletRequestPathFilter.doFilter(ServletRequestPathFilter.java:52)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebSecurityConfiguration.java:319)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278)
at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594)
at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:44)
at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:208)
at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594)
at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilterChain(DoSFilter.java:462)
at org.apache.nifi.web.server.filter.DataTransferExcludedDoSFilter.doFilterChain(DataTransferExcludedDoSFilter.java:51)
at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:317)
at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:282)
at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594)
at org.apache.nifi.web.server.log.RequestAuthenticationFilter.doFilterInternal(RequestAuthenticationFilter.java:59)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594)
at org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1555)
at org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:823)
at org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:440)
at org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:470)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:575)
at org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:717)
at org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1071)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:181)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:151)
at org.eclipse.jetty.server.Handler$Sequence.handle(Handler.java:805)
at org.eclipse.jetty.server.Server.handle(Server.java:182)
at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:678)
at org.eclipse.jetty.util.thread.Invocable$ReadyTask.run(Invocable.java:177)
at org.eclipse.jetty.http2.server.internal.HttpStreamOverHTTP2$1.run(HttpStreamOverHTTP2.java:136)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:480)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:443)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.produce(AdaptiveExecutionStrategy.java:195)
at org.eclipse.jetty.http2.HTTP2Connection.produce(HTTP2Connection.java:210)
at org.eclipse.jetty.http2.HTTP2Connection.onFillable(HTTP2Connection.java:157)
at org.eclipse.jetty.http2.HTTP2Connection$FillableCallback.succeeded(HTTP2Connection.java:462)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
at org.eclipse.jetty.io.ssl.SslConnection$SslEndPoint.onFillable(SslConnection.java:612)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:413)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:155)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:480)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:443)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:201)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:311)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:981)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1211)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1166)
at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'Authentication': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 16]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:2596)
at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2622)
at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2630)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:830)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidToken(UTF8StreamJsonParser.java:3662)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._handleUnexpectedValue(UTF8StreamJsonParser.java:2749)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject(UTF8StreamJsonParser.java:867)
at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:753)
at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:5058)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4961)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3948)
at org.apache.nifi.web.api.FlowResource.readReplicatedCurrentUserEntity(FlowResource.java:444)
... 121 common frames omitted

Re: Nifi error Insufficient Permissions when integrating authen with ldap

VidyaSargur — Tue, 26 Aug 2025 07:11:03 GMT

@yoonli, Welcome to our community! To help you get the best possible answer, I have tagged our NiFi experts, @MattWho and @vafs, who may be able to assist you further.

Please feel free to provide any additional information or details about your query. We hope that you will find a satisfactory solution to your question.

Re: Nifi error when integrating authen with ldap

vafs — Tue, 26 Aug 2025 18:06:31 GMT

Hello @yoonli,

I was checking the configuration and comparing it with other threads and it looks fine to me.

Now, I was checking that users.xml and authorizations.xml cannot already exist to be created.

You will need to stop the NiFi and then rename those files:

cp conf/authorizations.xml conf/authorizations.xml.backup
cp conf/users.xml conf/users.xml.backup

Then you can retry.
Also, it will worth to check this thread as well, that contains a lot of information on this same issue:
https://community.cloudera.com/t5/Support-Questions/Untrusted-proxy-error-Authentication-Failed-o-a-n-w-s/m-p/399540

Re: Nifi error when integrating authen with ldap

yoonli — Wed, 27 Aug 2025 01:04:46 GMT

Hi @vafs,
Before, I delete 2 files users.xml and authorization.xml. When starting nifi, it recreate. I read content file and saw that It got the nifi user and permission. But I loged in again and got the error.

Re: Nifi error when integrating authen with ldap

MattWho — Wed, 27 Aug 2025 13:00:09 GMT

@vafs

You shared two different authorizers.xml configurations (one that uses file-user-group-provider and another that uses the ldap-user-group-provider).

Which one are you using when you experience your error?
What version of Apache NiFi are you using?
Is this a multi-node NiFi cluster or Single NiFi instance?
Do you have an external load balance in front of your NiFi or are you accessing your NiFi instance(s) directly using the NiFi hosts assigned IP?

While the configuration of the "ldap-provider" in the login-identity-providers.xml looks valid, the configuration in your "ldap-user-group-provider" in the authorizers.xml is not valid and is not going to return any user identities.

The ldap-user-group-provider executes every 30 mins to resync users and maybe groups (depending on configuration). It executes independent of any outside input. So the following configuration line is not valid:

<property name="User Search Filter">(uid={0})</property>

The above is only valid in the "ldap-provider". The ldap-provider is triggered when a user supplies their username and password in the NiFi login prompt. "{0}" is then replaced with the username supplied at login. No such external input is passed to the ldap-user-group-provider, thus treating this search string as a literal value.

In the ldap-user-group-provider you can leave the "User Search Filter" blank if your goal is to sync all users at ONE_LEVEL from your user search base:

ou=users,dc=nifi,dc=local

While the app.log does reveal some unauthorized request to the endpoint: https://10.29.144.56:8443/nifi-api/controller/nar-manager/nars, it it does not show the user identity that made the request. The nifi-user.log should include that information. The snippet you shared from both the nifi-app.log and nifi-user.log are not from the same time window. Additionally the snippet shared from the nifi-user.log is incomplete (often the very last "Caused by:" section in the full stack trace tells you what they initial failure was.

keep in mind that the file-access-policy-provider is responsible for creating the authorizations.xml file ONLY when it does not already exist. When it needs to be created, it uses the file-access-policy-provider configuration to seed authorizations for an Initial Admin user identity and for your node identities (commonly retrieved from the file-user-group-provider, if a NiFi cluster setup is being used). Post existence of the authorizations.xml file, modifications are made to this file via admin user actions from directly in the NiFi UI.

In a NiFi cluster setup the authorizer would common include the following providers:

file-user-group-provider (contains only node identities derived from node certificates)
ldap-user-group-provider (sync users and possibly groups)
composite-configurable-user-group-provider (used to call both above providers)
file-access-policy-provider (configured to use composite-configurable-user-group-provider)
managed-authorizer

There is not much other insights I can provide from the information provided. Hopefully this guidance will lead you to the useful log output and help you correct you configuration issue.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Re: Nifi error when integrating authen with ldap

vafs — Wed, 27 Aug 2025 20:26:04 GMT

Hi @MattWho,

I think you tagged the wrong person.
@yoonli, take a look on @MattWho update.

Re: Nifi error when integrating authen with ldap

yoonli — Thu, 28 Aug 2025 09:48:22 GMT

@MattWho I fixed the error and connect successful to nifi UI. However I have got the problem with nifi ui when login by admin user. I similar this post https://community.cloudera.com/t5/Supp

ort-Questions/Nifi-Process-Groups-and-Processors-not-authorized-after/m-p/327745.
I can't select processor. Please help me.

Re: Nifi error when integrating authen with ldap

MattWho — Thu, 28 Aug 2025 13:17:07 GMT

@yoonli

That issue is unrelated to the issue here with getting your NiFi authorizer setup correctly. Glad you were able to get that resolved. If the feedback helped you resolve that issue, please accept that solution to help others in the community.

What you are describing now is a missing authorization policy for your admin user. When NiFi's authorizer seeds the initial policies for the "admin" user, that does not mean the admin user has been given all access. It seeds the policies the admin user would need to access the UI and manage/modify authorizations for all users.

The dataflow construction icon along the top of the UI are only visible to users who have been authorized on the Process Group (PG) being displayed. When NiFi is started for the first time it has no flow.json.gz file to load, so it generates one. That flow.json.gz will contain the root PG (NiFi default names the root PG "NiFi Flow"). Since your admin user is not authorized yet on this root PG, all the icons are greyed out. You'll also notice in the lower left corner or the UI and in the "Operation" panel on left side of canvas that the PG displays a UUID instead of the name "NiFi Flow".

Now your admin user would have the authorization set to global manage authorization policies, so in that "Operations" panel you should see a key icon that is not greyed out.

Clicking on that key will allow you admin to authorize users (including the admin user) to the authorizations polices specific to that PG:

Select the Policy from the drop down you want to modify and you'll see a list of users and/or groups already authorized (I expect your's will be blank). After selecting the policy, you'll see an "Add users/groups to this policy" icon to the far right.

Click on that and locate your admin user identity from the displayed list and click apply.

View the component - will allow and authorized user to view details and configuration of a component. If that component is a process group, this authorization will be inherited by all components (processors, controller services, child process groups, etc) added to the canvas of that process group. But you have the ability to set authorizations explicitly on any component directly. So after setting this one you should start seeing "NiFi flow" PG name.
Modify the component - will allow you to make changes. For a PG this means making all the construct icon to become available to you along the top of the UI.

Thank you,
Matt

Re: Nifi error when integrating authen with ldap

yoonli — Fri, 29 Aug 2025 01:09:46 GMT

thank you so much @MattWho

Re: Nifi error when integrating authen with ldap

yoonli — Fri, 29 Aug 2025 03:57:34 GMT

@MattWho I want to ask one more question. I applied above config for my cluster 3 node. and can't log in due to untrust proxy error.

2025-08-29 10:38:45,421 INFO [NiFi Web Server-33] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.29.144.58 [<cn=nifi,ou=users,dc=baoviet,dc=local><CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN>] GET https://10.29.144.56:8443/nifi-api/flow/current-user 2025-08-29 10:38:45,422 WARN [NiFi Web Server-33] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.29.144.58 GET https://10.29.144.56:8443/nifi-api/flow/current-user [Untrusted proxy CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN]

I added <property name="Node Identity 1">CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN</property> to authorizes.xml and delete file user.xml and authorization.xml. When restart nifi, I got the error:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:206) at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:133) at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1896) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getObjectForBeanInstance(AbstractAutowireCapableBeanFactory.java:1316) at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:349) at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:254) at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1745) at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1628) at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.resolveMethodArguments(AutowiredAnnotationBeanPostProcessor.java:888) ... 75 common frames omitted Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate node CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN to seed policies. at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:254) at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) at java.base/java.lang.reflect.Method.invoke(Method.java:580) at org.apache.nifi.authorization.AccessPolicyProviderInvocationHandler.invoke(AccessPolicyProviderInvocationHandler.java:54) at jdk.proxy3/jdk.proxy3.$Proxy62.onConfigured(Unknown Source) at org.apache.nifi.authorization.AuthorizerFactoryBean.loadProviderProperties(AuthorizerFactoryBean.java:189) at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:159) at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:63) at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:200) ... 84 common frames omitted

Re: Nifi error when integrating authen with ldap

MattWho — Fri, 29 Aug 2025 13:34:43 GMT

@yoonli

Did you setup your authorizers.xml with cluster recommended structure i outlined earlier:

From the log shared you can see following cause for your issue:

What this exception tells me is that you added your node's certificate DN to the file-access-policy-provider only. So on startup the file-access-policy-provider is attempting to seed NiFi nodes policies for that user identity, but it could not find that user identity because none of the configured user-group providers in the authorizers.xml created it.

Since this user identity derived from your node's certificate DN is not being returned by your ldap-user-group-provider, it would need to be returned by the file-user-group-provider.

For clarity, you are logging in just fine with your user. What is happening is your are logging into just one of yoru NiFi cluster nodes. So upon successful authentication the request to see the UI is sent to the elected cluster coordinator and replicated to all nodes in the cluster on your behalf. This is where the node is the proxy doing this for your successfully authenticated user. So you node is not authorized to proxy user requests. Replicating the user requests is required so changes are made all nodes in the cluster and so one node's UI can show data from all connected nodes.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue(s) or answering your question(s), please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Re: Nifi error when integrating authen with ldap

yoonli — Mon, 01 Sep 2025 01:53:27 GMT

I understand that CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN do not need to exist in ldap right. And now I need to follow the steps in your image below using composite configurable

ke it work without needing it in ldap.

Re: Nifi error when integrating authen with ldap

MattWho — Tue, 02 Sep 2025 12:44:31 GMT

@yoonli

Yes, your node certificate DNs do not need to be returned by your ldap. The common cluster setup I shared has both the file-user-group-provider (which you would use to define user identities manually) and ldap-user-group-provider (which syncs users and/or groups from your ldap so you don't need to add them manually).

So the file-user-group-provider might look something like this in your authorizers.xml:

<userGroupProvider> <identifier>file-user-group-provider</identifier> <class>org.apache.nifi.authorization.FileUserGroupProvider</class> <property name="Users File">./conf/users.xml</property> <property name="Legacy Authorized Users File"></property> <property name="Initial User Identity 1">CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN</property> <property name="Initial User Identity 2"></property> </userGroupProvider>

Above will create the user identity "CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN" for your node's certificate manually. it then becomes available for your file-access-policy provider to use to seed the node policies needed. If each of your NiFi nodes has a unique DN, you would add as many "Initial User Identity <num>" lines as needed to add them all on initial startup.

***REMINDER: users.xml and authorizations.xml files are ONLY created if they do not already exist. Edits to file-user-group-provider or file-access-policy provider will not edit preexisting files.

The complete recommended authorizers.xml setup would look something like this:

<authorizers> <userGroupProvider> <identifier>file-user-group-provider</identifier> <class>org.apache.nifi.authorization.FileUserGroupProvider</class> <property name="Users File">./conf/users.xml</property> <property name="Legacy Authorized Users File"></property> <property name="Initial User Identity 1">CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN</property> <property name="Initial User Identity 2"></property> </userGroupProvider> <userGroupProvider> <identifier>ldap-user-group-provider</identifier> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class> <property name="Authentication Strategy">ANONYMOUS</property> <property name="Manager DN"></property> <property name="Manager Password"></property> <property name="TLS - Keystore"></property> <property name="TLS - Keystore Password"></property> <property name="TLS - Keystore Type"></property> <property name="TLS - Truststore"></property> <property name="TLS - Truststore Password"></property> <property name="TLS - Truststore Type"></property> <property name="TLS - Client Auth"></property> <property name="TLS - Protocol"></property> <property name="TLS - Shutdown Gracefully"></property> <property name="Referral Strategy">FOLLOW</property> <property name="Connect Timeout">10 secs</property> <property name="Read Timeout">10 secs</property> <property name="Url">ldap://localhost:10389</property> <property name="Page Size"></property> <property name="Sync Interval">30 mins</property> <property name="Group Membership - Enforce Case Sensitivity">false</property> <property name="User Search Base">ou=users,o=nifi</property> <property name="User Object Class">person</property> <property name="User Search Scope">ONE_LEVEL</property> <property name="User Search Filter"></property> <property name="User Identity Attribute">cn</property> <property name="User Group Name Attribute"></property> <property name="User Group Name Attribute - Referenced Group Attribute"></property> <property name="Group Search Base">ou=groups,o=nifi</property> <property name="Group Object Class">groupOfNames</property> <property name="Group Search Scope">ONE_LEVEL</property> <property name="Group Search Filter"></property> <property name="Group Name Attribute">cn</property> <property name="Group Member Attribute">member</property> <property name="Group Member Attribute - Referenced User Attribute"></property> </userGroupProvider> <userGroupProvider> <identifier>composite-user-group-provider</identifier> <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class> <property name="Configurable User Group Provider">file-user-group-provider</property> <property name="User Group Provider 1">ldap-user-group-provider</property> </userGroupProvider> <accessPolicyProvider> <identifier>file-access-policy-provider</identifier> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> <property name="User Group Provider">composite-user-group-provider</property> <property name="Authorizations File">./conf/authorizations.xml</property> <property name="Initial Admin Identity">nifi</property> <property name="Legacy Authorized Users File"></property> <property name="Node Identity 1">CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN/property> <property name="Node Identity 2"></property> </accessPolicyProvider> <authorizer> <identifier>managed-authorizer</identifier> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> <property name="Access Policy Provider">file-access-policy-provider</property> </authorizer> </authorizers>

*** Reminder: More then one user group provider added to the authorizers.xml can NOT return the same user or group identity. So do not add any user identities you are syncing from ldap-user-group-provider to the file-user-group-provider or NiFi will throw an exception complaining that two providers returned the same identity.

Hope this helps clarify.

Thank you,
Matt

Re: Nifi error when integrating authen with ldap

yoonli — Thu, 04 Sep 2025 10:01:45 GMT

@MattWho Here is my configuration according to your instruction

<userGroupProvider> <identifier>file-user-group-provider</identifier> <class>org.apache.nifi.authorization.FileUserGroupProvider</class> <property name="Users File">./conf/users.xml</property> <property name="Initial User Identity 1">CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN</property> <property name="Initial Group Identity 1"></property> </userGroupProvider> <userGroupProvider> <identifier>ldap-user-group-provider</identifier> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class> <property name="Authentication Strategy">SIMPLE</property> <property name="Manager DN">cn=admin,dc=nifi,dc=local</property> <property name="Manager Password">adminpassword</property> <property name="TLS - Keystore"></property> <property name="TLS - Keystore Password"></property> <property name="TLS - Keystore Type"></property> <property name="TLS - Truststore"></property> <property name="TLS - Truststore Password"></property> <property name="TLS - Truststore Type"></property> <property name="TLS - Client Auth"></property> <property name="TLS - Protocol"></property> <property name="TLS - Shutdown Gracefully"></property> <property name="Referral Strategy">FOLLOW</property> <property name="Connect Timeout">10 secs</property> <property name="Read Timeout">10 secs</property> <property name="Url">ldap://10.29.144.58:389</property> <property name="Page Size"></property> <property name="Sync Interval">30 mins</property> <property name="Group Membership - Enforce Case Sensitivity">false</property> <property name="User Search Base">ou=users,dc=nifi,dc=local</property> <property name="User Object Class">person</property> <property name="User Search Scope">ONE_LEVEL</property> <property name="User Search Filter">(cn={0})</property> <property name="User Identity Attribute">cn</property> <property name="User Group Name Attribute"></property> <property name="User Group Name Attribute - Referenced Group Attribute"></property> <property name="Identity Strategy">USE_USERNAME</property> <property name="Group Search Base"></property> <property name="Group Object Class">group</property> <property name="Group Search Scope">ONE_LEVEL</property> <property name="Group Search Filter"></property> <property name="Group Name Attribute"></property> <property name="Group Member Attribute"></property> <property name="Group Member Attribute - Referenced User Attribute"></property> </userGroupProvider> <userGroupProvider> <identifier>composite-user-group-provider</identifier> <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class> <property name="Configurable User Group Provider">file-user-group-provider</property> <property name="User Group Provider 1">ldap-user-group-provider</property> </userGroupProvider> <accessPolicyProvider> <identifier>file-access-policy-provider</identifier> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> <property name="User Group Provider">composite-user-group-provider</property> <property name="Authorizations File">./conf/authorizations.xml</property> <property name="Initial Admin Identity">cn=nifi,ou=users,dc=nifi,dc=local</property> <property name="Initial Admin Group"></property> <property name="Node Identity 1">CN=nifi-cluster, OU=NiFi, O=NiFi Cluster, L=Hanoi, ST=HaNoi, C=VN</property> <property name="Node Group"></property> </accessPolicyProvider> <authorizer> <identifier>managed-authorizer</identifier> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> <property name="Access Policy Provider">file-access-policy-provider</property> </authorizer>

When I start nifi. The log emit

Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin cn=nifi,ou=users,dc=baoviet,dc=local to seed policies at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:254) at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) at java.base/java.lang.reflect.Method.invoke(Method.java:580) at org.apache.nifi.authorization.AccessPolicyProviderInvocationHandler.invoke(AccessPolicyProviderInvocationHandler.java:54) at jdk.proxy3/jdk.proxy3.$Proxy64.onConfigured(Unknown Source) at org.apache.nifi.authorization.AuthorizerFactoryBean.loadProviderProperties(AuthorizerFactoryBean.java:189) at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:159) at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:63) at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:200) ... 84 common frames omitted

Re: Nifi error when integrating authen with ldap

MattWho — Thu, 04 Sep 2025 12:48:03 GMT

@yoonli

I see three issues:

Issue 1:
You are using the wrong composite provider. In my common setup list I properly state you need to be using the "composite-configurable-user-group-provider", but I see you are using the "composite-user-group-provider" class. However, some of the confusion comes from the example I copied from the Apache NiFi Documentation here:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#composite-file-and-ldap-based-usersgroups

While the NiFi doc example uses the "composite-configurable-user-group-provider" (class name and properties correct), the provider "identifier" says "composite-user-group-provider" still, making this confusing. So it looks like you missed the difference in class name.

Since the "file-user-group-provider" is a configurable provider (meaning users/groups can dynamically be added and removed via the NiFI UI), it must be called by a provider that supports a configurable provider.

So you'll need to switch from using:

<userGroupProvider> <identifier>composite-user-group-provider</identifier> <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class> <property name="Configurable User Group Provider">file-user-group-provider</property> <property name="User Group Provider 1">ldap-user-group-provider</property> </userGroupProvider>

to using:

<userGroupProvider> <identifier>composite-user-group-provider</identifier> <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class> <property name="Configurable User Group Provider">file-user-group-provider</property> <property name="User Group Provider 1">ldap-user-group-provider</property> </userGroupProvider>

The "identifier" can be any string you want, but the "class" must align with the properties.

Issue 2:

Another issue I see is a mismatch in your user identity configured in the file-user-group-provider and the user name shown in the logs coming from your user authentication.

file-access-policy-provider:

cn=nifi,ou=users,dc=nifi,dc=local

nifi-user.log (source of truth)

cn=nifi,ou=users,dc=baoviet,dc=local

These "user identities" do not match.
Also keep in mind that the file-access-policy-provider can only seed policies for "user identities" that are being returned by one of your configured user-group-providers.

Where are you expecting this user's DN to be returned from?

Issue 3:

Your ldap-user-group-provider is still misconfigured. the following is not a valid configuration in this provider:

<property name="User Search Filter">(cn={0})</property>

You can only use "{0}" in the ldap-provider login provider within the login-identity-providers.xml file. This login provider will substitute the {0} with the username entered in the NiFi login UI. The intent of the ldap-user-group-provider is return many user identities from your ldap. the above filter cn={0} would be treated as a literal and result in no results returned.

Also keep in mind that you have configured your ldap-user-group-provider to return the ldap value from the "cn" ldap attribute as the "user identity" which is typically not a full user DN, like we see in the nifi-user.log you shared.

<property name="User Identity Attribute">cn</property>

Also I see you added this property to your ldap-user-group-provider which is NOT a valid property:

property name="Identity Strategy">USE_USERNAME</property>

The above property only exist in the ldap-provider found in the login-dentity-providers.xml file. This is where your probably still have this set to "USE_DN" resulting in the full DN "user identity" you are seeing in the nifi-user.log instead off just "nifi" which i assume you are typing as the username in teh Nifi login window.

Thank you,
Matt

Re: Nifi error when integrating authen with ldap

yoonli — Fri, 05 Sep 2025 03:08:06 GMT

following your instructions, I have successfully configured and accessed nifi web with ip successfull. But I want to add haproxy as loadbalance for nifi web. When logging in, it shows an unauthorization error. Below is my configuration. I searched google and found many topics for this but when I added it, it was still not successful. I want to ask you for help.
haproxy.cfg

frontend nifi bind *:80 mode http default_backend nifi backend nifi mode http server nifi01 10.29.144.56:8443 ssl verify none server nifi02 10.29.144.57:8443 ssl verify none server nifi03 10.29.144.58:8443 ssl verify none

nifi.properties

nifi.web.proxy.host=10.29.144.56

Re: Nifi error when integrating authen with ldap

MattWho — Fri, 05 Sep 2025 12:16:29 GMT

@yoonli

This thread is growing in to multiple queries that are not directly related. Please start a new community question so the information is easier for our community members to follow when they have similar issues.

Thank you,
Matt