Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Apache Nifi LDAP Authentication issue.

Labels:
avatar
author-rank mks27
Explorer

Created ‎05-16-2023 11:00 PM

Hi Team,

 

I trying to configure Apache Nifi LDAP authentication,

 

Here is my nifi.properties.

 

-----

nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=/var/tmp/mks/certs/keystore.jks
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=************
nifi.security.keyPasswd=
nifi.security.truststore=/var/tmp/mks/certs/keystore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=**************
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.user.jws.key.rotation.period=PT1H
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

------

 

Here is my "login-identity-providers.xml"

 

-----

-->
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">LDAPS</property>

<property name="Manager DN">CN=**********,OU=Groups,OU=*********,OU=********,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
<property name="Manager Password">************</property>

<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>

<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>

<property name="Url">ldap://***********:389</property>
<property name="User Search Base">OU=Managed services,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
<property name="User Search Filter">sAMAccountName={0}</property>

<property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>

-----

 

but i am getting below error.

 

Unable to load the login identity provider configuration file at: /var/nifi/conf/login-identity-providers.xml

 

File is there

 

# ls -ld /var/nifi/conf/login-identity-providers.xml
-rw-rw-r--. 1 root root 7205 May 17 01:46 /var/nifi/conf/login-identity-providers.xml

 

Please help me to fix it.

1,987 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created on ‎05-26-2023 12:18 PM - edited ‎05-26-2023 12:20 PM

@mks27 

Your configuration has a ldap://... address; however, you have configured the "authentication strategy as LDAPS.  This needs to be "SIMPLE" instead of "LDAPS".  

I would also recommend that you change the "Identity Strategy" form " USE_DN" to "USE_USERNAME".

ldap exception with data 52e typically means bad password.
Also consider that the login-identity-providers.xml configuration file is XML. XML has special characters that if used in your manager password must be escaped or change your manager password to not use these special characters:

 

& replace with &amp;
< replace with &lt;
> replace with &gt;
" replace with &quot;
‘ replace with &apos;

 

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

View solution in original post

1,809 Views
0 Kudos
3 REPLIES 3

avatar
author-rank VidyaSargur author-rank
Community Manager

Created ‎05-17-2023 12:58 AM

@mks27, Welcome to our community! To help you get the best possible answer, I have tagged our NiFi experts @cotopaul @SAMSAL @MattWho @steven-matison  who may be able to assist you further.

Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.


Regards,

Vidya Sargur,
Community Manager

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
1,961 Views
0 Kudos

avatar
author-rank mks27
Explorer

Created ‎05-17-2023 11:39 PM

Hello @cotopaul @SAMSAL @MattWho @steven-matison

 

I have fixed the login provider issue and now when i try to login , i am getting below errors.

 

Caused by: org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563^@]
at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:190)
at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:79)
at org.apache.nifi.ldap.LdapProvider.authenticate(LdapProvider.java:276)
... 109 common frames omitted
Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563^@]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:191)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:363)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:147)
at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:166)
at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:806)
at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:260)
at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:100)
at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:86)
at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:174)
... 111 common frames omitted
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563^@]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3261)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2993)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2907)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:351)

1,887 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created on ‎05-26-2023 12:18 PM - edited ‎05-26-2023 12:20 PM

@mks27 

Your configuration has a ldap://... address; however, you have configured the "authentication strategy as LDAPS.  This needs to be "SIMPLE" instead of "LDAPS".  

I would also recommend that you change the "Identity Strategy" form " USE_DN" to "USE_USERNAME".

ldap exception with data 52e typically means bad password.
Also consider that the login-identity-providers.xml configuration file is XML. XML has special characters that if used in your manager password must be escaped or change your manager password to not use these special characters:

 

& replace with &amp;
< replace with &lt;
> replace with &gt;
" replace with &quot;
‘ replace with &apos;

 

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

1,810 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements