Need a simple "How To" for Nifi-AD / LDAP integration

zzzz77 — Tue, 03 Feb 2026 05:01:35 GMT

Hi all,

I recently spent a full 2 days over a rainy weekend trying to get a stand alone instance of Nifi v2.5.0 on ubuntu 22.04 trying to integrate with AD, to use AD for Nifi authentication, but with no joy. It almost worked but couldn't get past a certain point. The problem I discovered is there doesn't seem to exist on the internet a simple step by step process on how to set up Nifi with AD/LDAP.

My set up is a linux PC called nifi1 and had an old windows 2012 R2 domain controller with LDAP running on it I decided to use.

I created a domain called testdomain.local and created a domain user called testuser in the AD User OU that I wanted to use as a nifi user. I also created a service account called svc-nifi also in the User OU that is used to log onto AD as a service.

I ran a series of tests using LDAP command line queries from the linux PC whereby the service account could run LDAP queries from linux that proved it could access AD, read the AD info it needed and could connect OK to AD etc. The testuser logon also works fine in logging onto the domain on other PCs.

Is there a documented basic step by step process of how to do this on a linux ( or windows ) PC please?

I just need the minimum basic working example of nifi.properties, authorizers.xml, uses.xml and authorize.xml etc files please. There are so many variables in each file that make it difficult to work through sequentially, as I dont have expert Nifi knowledge.

I wondered if I had maybe skipped a step or something, like :

* Do I need to add the linux PC to AD itself first , and if so, how is this set up in the

config files?

* What do i need to add to the nifi.properties, authorizers.xml file etc to get it to work please?

* etc.

Any help appreciated - this should really be simple, but its not......

I'm happy to write up a step by process and post it back here once I have it running, to help others.

Thanks in advance. 🙂

Re: Need a simple "How To" for Nifi-AD / LDAP integration

MattWho — Wed, 04 Feb 2026 17:46:01 GMT

@zzzz77

I can certainly help you with the structured setup commonly used when integrating NIFi with LDAP. NiFi authentication and authorization are different processes and configurations. You can even authenticate using LDAP and not use LDAP at all during authorization. Also need to be aware that only a secured NiFi setup over HTTPS can support authentication and authorization.

Since Authentication needs to happen first, we'll start there.

LDAP authentication is configured as a login provider inside the login-identity-providers.xml configuration file:

<provider> <identifier>ldap-provider</identifier> <class>org.apache.nifi.ldap.LdapProvider</class> <property name="Authentication Strategy">START_TLS</property> <property name="Manager DN"></property> <property name="Manager Password"></property> <property name="TLS - Keystore"></property> <property name="TLS - Keystore Password"></property> <property name="TLS - Keystore Type"></property> <property name="TLS - Truststore"></property> <property name="TLS - Truststore Password"></property> <property name="TLS - Truststore Type"></property> <property name="TLS - Client Auth"></property> <property name="TLS - Protocol"></property> <property name="TLS - Shutdown Gracefully"></property> <property name="Referral Strategy">FOLLOW</property> <property name="Connect Timeout">10 secs</property> <property name="Read Timeout">10 secs</property> <property name="Url"></property> <property name="User Search Base"></property> <property name="User Search Filter"></property> <property name="Identity Strategy">USE_DN</property> <property name="Authentication Expiration">12 hours</property> </provider>

The actual configuration is dependent on your LDAP setup. You can refer to the linked documentation for each field. Depending on "Authentication Strategy" setting, TLS properties may not need to be configured. The "identifier" for this provider is "ldap-provider". The "Identity Strategy" is used to decide what string is used as the authenticated users identity. Options are "USE_DN" (use the full DN from the LDAP entry) or "USE_USERNAME" (use the username as typed in the login window). USE_USERNAME is commonly used.

This identifier needs to be configured in the nifi.properties file, so NiFi knows which login-provider NiFi should be using.

nifi.security.user.login.identity.provider=ldap-provider

Now we need to setup the authorizers.xml file so we can setup authorizations for the ldap users. Here you have two options, you can manually add the ldap user identities via the "user-group-provider" or you can sync the user identities directly from ldap using the "ldap-user-group-provider". Sometimes you want both if not all your users/clients are part of LDAP (this applies to user identities derived from clientAuth certificates during a mutualTLS exchange). Both would commonly be necessary for a NiFi cluster setup.
Since you are setting up a single instance (non cluster) NiFi, I'll show how to structure your authorizers.xml file using just the ldap-user-group-provider:

<userGroupProvider> <identifier>ldap-user-group-provider</identifier> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class> <property name="Authentication Strategy">SIMPLE</property> <property name="Manager DN">cn=Manager,dc=nifi,dc=hwx</property> <property name="Manager Password">password</property> <property name="TLS - Keystore"></property> <property name="TLS - Keystore Password"></property> <property name="TLS - Keystore Type"></property> <property name="TLS - Truststore"></property> <property name="TLS - Truststore Password"></property> <property name="TLS - Truststore Type"></property> <property name="TLS - Client Auth"></property> <property name="TLS - Protocol"></property> <property name="TLS - Shutdown Gracefully"></property> <property name="Referral Strategy">FOLLOW</property> <property name="Connect Timeout">10 secs</property> <property name="Read Timeout">10 secs</property> <property name="Url">ldap://<ip or hostname>:389</property> <property name="Page Size">500</property> <property name="Sync Interval">30 mins</property> <property name="Group Membership - Enforce Case Sensitivity">false</property> <property name="User Search Base">ou=People,dc=nifi,dc=hwx</property> <property name="User Object Class">inetOrgPerson</property> <property name="User Search Scope">SUBTREE</property> <property name="User Search Filter"></property> <property name="User Identity Attribute">cn</property> <property name="User Group Name Attribute">memberOf</property> <property name="User Group Name Attribute - Referenced Group Attribute"></property> <property name="Group Search Base">ou=Group,dc=nifi,dc=hwx</property> <property name="Group Object Class">groupOfNames</property> <property name="Group Search Scope">SUBTREE</property> <property name="Group Search Filter"></property> <property name="Group Name Attribute">cn</property> <property name="Group Member Attribute">member</property> <property name="Group Member Attribute - Referenced User Attribute"></property> </userGroupProvider> <accessPolicyProvider> <identifier>file-access-policy-provider</identifier> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> <property name="User Group Provider">ldap-user-group-provider</property> <property name="Authorizations File">./conf/authorizations.xml</property> <property name="Initial Admin Identity">nifiadmin</property> <property name="Node Identity 1"></property> <property name="Node Group"></property> </accessPolicyProvider> <authorizer> <identifier>managed-authorizer</identifier> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> <property name="Access Policy Provider">file-access-policy-provider</property> </authorizer>

Above authorizer is the most basic setup example assuming an unsecure ldap setup as the example. You can see it has three sections. The bets way to read an authorizers.xml configuration is from the bottom up starting with the "authorizer".

In this example you can see I am using the "StandardManagedAuthorizer" which has an identifier of "managed-authorizer" and it is configured to reference the "file-access-policy-provider". So the next provider we should find going up through the authorizers.xml will be the provider with the identifier "file-access-policy-provider".

The "FileAccessPolicyProvider" is responsible for persisting the granted authorizations in a file name "authorizations.xml". This provider will also set some initial authorizations for the user identity set in the "Initial Admin Identity" field and the for any "Node Identity <num>" field entries. We can see that this provider is learning about users and groups from the "ldap-user-group-provider".
IMPORTANT NOTES: This provider will only create the authorizations.xml file if it does NOT already exist. So if you make any changes to this provider, those changes would not be reflected in an already existing authorizations.xml file. Also any identity strings set this provider must be returned by a user-group-provider(s).

So the next provider needed has the identifier "ldap-user-group-provider" and needs to be located further up in this authorizations.xml file. So we locate the "LdapUserGroupProvider" which has this identifier. This provider has no reference to any additional providers. While i shared a very basic sample configuration, your configuration will be specific to your ldap server source. My example is configured to sync users and groups from ldap. You can choose to sync users or users and groups. You can not sync just groups.

Inside the nifi.properties file you will set the authorizer you want to use:

nifi.security.user.authorizer=managed-authorizer

Now that we have the authentication and authorization setup complete, let's walk through what happens when you access NiFi's "https://<hostname>:<port>/nifi" url.
A mutualTLS exchange with the client (browser) will occur where NiFi will "WANT" a clientAuth certificate. Of one is not presented in that exchange, NiFi will redirect to the login UI:

Here the user will supply their ldap username and password. Assuming the ldap-login-identity-provider is using "USE_USERNAME" and authentication was successful, the username (case sensitive) as typed in the username field will be passed to the managed authorizer to check what authorizations are in place for that user. Before that user identity reaches the managed authorizer, it is compared against the any Identity Mapping Properties configured in the nifi.properties file to see if any string manipulation should happen. Next the string (manipulated if mapping was applied) goes to the authorizer. First the authorizer will check to see if that user identity belongs to any groups. Then it will check if the user or any groups that user is known to be member of (based on returns from ldap-user-group-provider sync) has proper authorizations to access the NiFi UI. If proper authorization exist, you will see the NiFi UI and the user identity will show in the upper right corner.

If there are authorization issues, you'll find that logged in the nifi-user.log.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

question Need a simple "How To" for Nifi-AD / LDAP integration in Support Questions

Need a simple "How To" for Nifi-AD / LDAP integration

Re: Need a simple "How To" for Nifi-AD / LDAP integration