Community Articles

Find and share helpful community-sourced technical articles.
Celebrating as our community reaches 100,000 members! Thank you!
Super Collaborator

In this article, we will have a walk through of integrating LDAP with NiFi Registry.

The precondition for LDAP to work with NiFi-Registry is that SSL need to be enabled. This article also covers the "How To" enable SSL for NiFI Registry.

For the sake of simplicity, I am using self signed certificates (JKS, using keytool). Steps for creating self signed certificates are as below :-

Generate KeyStore

keytool -genkey -keyalg RSA -validity 3650 -alias <alias_name> -keypass <pwd> -storepass <pwd> -dname "cn=hostname, ou=home, o=ak, c=us" -keystore nifi_reg_keystore.jks 

Export a certificate with the public key

keytool -export -alias <alias_name> -file nifi_reg.cer -storepass <pwd> -keystore nifi_reg_keystore.jks

Generate TrustStore

keytool -import -noprompt -alias nr-c0 -file nifi_reg.cer -storepass changeitchangeit -keystore nifi_reg_truststore.jks


Below, is a representation of the NiFi Registry UI with default http and anonymous user login.


Now we will login to Ambari and use the above generated certificate details to complete setting up SSL. On the configuration tab, search for the SSL settings. The section to be edited is as below:-


Populate the form with the details of the truststore and keystore that we generated above.


At this stage, SSL setup for NiFi Registry is complete, however we have't assigned any users to login to the UI. Either we generate a certificate for an Initial Admin, or create an initial admin from the LDAP user base.

We will use an LDAP user as the Initial Admin for the NiFi Registry. The configuration information for the same is as below,

There are 4 sections that need to be edited,

Configure Initial Admin


Configure Security Identity Provider (


Configure login-identity-providers.xml

  • Remove the 2 lines that say
    • To enable the ldap-identity-provider remove 2 lines. This is 1 of 2.
    • To enable the ldap-identity-provider remove 2 lines. This is 2 of 2.
  • Fill details specific to your LDAP server. I am using a SIMPLE auth strategy with a non ssl LDAP server. Below are relevant sections from my configuration window


Configure authorizers.xml

  • Remove the 2 lines that say
    • To enable the ldap-user-group-provider remove 2 lines. This is 1 of 2.
    • To enable the ldap-user-group-provider remove 2 lines. This is 2 of 2.
  • Configure ldap-user-group-provider
  • Configure accessPolicyProvider

The below screenshot shows the relevant section for configuring the ldap-user-group-provider


Screenshot below shows the configuration changes needed to the access policy provider. Set User Group Provider to ldap-user-group-provider.


At this stage, we are in a position to save all the configuration changes and restart the NiFI Registry services. Follow the Ambari prompts and you should see as below



Now we should be good to access the NiFi Registry UI and login as the Initial Admin that is configured. guest1 in my example.

Access NiFi Registry UI from Quick Links


Login Using the Initial Admin Credentials


Verify login is successful


Verify users are available/sync-ed


You should be able to proceed using the NiFi registry from here on.

Version history
Last update:
‎08-17-2019 08:52 AM
Updated by: