Community Articles
Find and share helpful community-sourced technical articles
Labels (1)

NiFi User Authentication with LDAP in HW Sandbox


1) Assuming you already have NiFi-0.4.0/HDF-1.1 downloaded on your HW Sandbox, else execute below after ssh connectivity to sandbox is established.

cd /opt/

2) Make sure Knox is installed on your sandbox and demo LDAP is started via Ambari



1. I already created Certification Authorities and client certificates at


How to create certificates as well configurations can be found in below article:

If you are too lazy to create them, try with mine [Attached as]

- Use cert-browser.pfx to load into browser to be a NiFi administrator 'DEMO'

- Upload other two certificates to Sandbox under '/root/scripts/' and execute below commands, while executing last command enter 'hadoop' as password and 'yes' when asked if it can be trusted.

# cd /root/scripts/
# mv cert.pfx cert.p12
# openssl x509 -outform der -in cacert.pem -out cacert.der
# keytool -import -keystore cacert.jks -file cacert.der

2. My keystore is saved as ‘/root/scripts/cert.p12’ and a truststore is saved as ‘/root/scripts/cacert.jks’. and password is set as hadoop.

3. Below are the configuration updates you have to do in file in sandbox:

# vi /opt/nifi-

4. Once opened in editor update below properties to given values [updating https port and certificate details]:


5. Now configure the authorized users in ‘authorized-users.xml’ file, configuration of user is based on certificate. Configure it exactly as you have in your certificate. Following is my configuration:

vi /opt/nifi-
<user dn="CN=Demo, OU=Demo, O=Hortonworks, L=San Jose, ST=California, C=US"> 
<role name="ROLE_ADMIN"/>


6. Above configuration is to login as NiFi Administrator, every other users can be pulled from LDAP after this administrator assigns roles on request.

7. Configure ./conf/login-identity-providers.xml as below with reference to Knox Demo LDAP Server.


<property name="Authentication Strategy">SIMPLE</property>  
<property name="Manager DN">uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</property>  
<property name="Manager Password">admin-password</property>  
<property name="TLS - Keystore">/root/scripts/cert.p12</property>  
<property name="TLS - Keystore Password">hadoop</property>  
<property name="TLS - Keystore Type">PKCS12</property>  
<property name="TLS - Truststore">/root/scripts/cacert.jks</property>  
<property name="TLS - Truststore Password">hadoop</property>  
<property name="TLS - Truststore Type">JKS</property>  
<property name="TLS - Client Auth"></property>  
<property name="TLS - Protocol">TLS</property>  
<property name="TLS - Shutdown Gracefully"></property>  
<property name="Referral Strategy">FOLLOW</property>  
<property name="Connect Timeout">10 secs</property>  
<property name="Read Timeout">10 secs</property>  
<property name="Url">ldap://localhost:33389</property>  
<property name="User Search Base">ou=people,dc=hadoop,dc=apache,dc=org</property>  
<property name="User Search Filter">uid={0}</property>  
<property name="Authentication Expiration">12 hours</property>  

8. Once configured, restart NiFi server.

# /opt/nifi- restart

9. Now say open ‘Chrome’ browser and load client certificate associated with ADMIN user and login to secure https url of NiFi running on sandbox:


10. When asked, confirm for security exception and proceed. Now you are securely logged in as Demo user with admin privileges. You can now grant access to any user requesting access who are part of LDAP Directory.

11. Open another browser say ‘Safari’ to establish another session


It will popup below screen for login, enter credentials for accounts part of LDAP. Below are credentials part of knox demo ldap we have configured.



12. Enter the password and hit login, enter justification and it will show up below screen that request is pending with Admin who already have access using certificates.


13. Now go back to chrome browser where ‘Demo’ user is NiFi Administrator and assign role to Tom



14. Go back to the old session as tom in safari, refresh the browser and you will be logged in as tom with privileges assigned by NiFi administrator. You can test if for other users as well.


Thanks for sharing!

New Contributor

Thanks for the article. I've tried to implement this but messed up something. How can I remove the admin user from Nifi's repository? After I've imported the client certificate into the browser, it requested that I submit a request for authorizing access and now it's stuck because the admin user status is "request pending".

Appreciate any hints. Thanks,

New Contributor

Issues such as the one in my question above can be resolved by stopping Nifi and then removing the `database_repository/nifi-users.h2.db` file and starting fresh again.

@Jobin George I configured for ldap as above but only thing is I connected it with AD. SSL works great but I don't see any trace of ldap authentication happening in logs. Certificate based authentication is working but not ldap. I have used ldap-provider and configured the same. Is there any property or anything that needs to be enabled for ldap authentication to be triggered other than using ldap-provider ?

Hi @Deep Doradla,

Can you verify if you have ssl certificate details provided in the step 7? as well as all the tags are in step7 above are in place?



Hi @Jobin George it is working now. I am able to authenticate via AD. I had made a small mistake and corrected it.

Thanks for your quick response and also for the great tutorial.




I have LDAP setup and working for me. However whenever I go to /nifi/login page, it throws an exception in User logs. Though it works just fine i.e I can login and logout etc. Just wondering if you have seen this exception (is this by-design?) [Already reported this issue]

2016-08-15 15:43:00,046 ERROR [NiFi Web Server-94] o.a.n.w.s.NiFiAuthenticationFilter Unable to authorize: An Authentication object was not found in the SecurityContext

@Jobin George Thank you for the tutorial.

So, I am trying to get Nifi user authentication by binding it to my company's LDAP server. So, I gave in the details in xml file and got the certs from tinycert. I added the browser cert to the login Keychain(Mac). But, when I try to run Nifi and then access through browser, it doesn't load and it says "the site can't be reached". It worked well when I ran Nifi with http. Is it because I am running Nifi from an Ubuntu VM and accessing the browser through my Mac (I don't really think that would be the issue)? Or is it because of proxy server (Again, that wasn't a problem when i ran Nifi as a non-secure instance on an http port)? Any tips would be greatly appreciated. :)