Created on 09-27-2024 02:44 AM - edited 09-27-2024 02:53 AM
Hello,
I am trying to set up LDAP on my NiFi Registry and I am getting the below error:
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut Caused by: java.lang.Exception: Unable to load the login identity provider configuration file at: /opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory.loadLoginIdentityProvidersConfiguration(IdentityProviderFactory.java:160)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory.getIdentityProvider(IdentityProviderFactory.java:110)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory$$EnhancerBySpringCGLIB$$adc959c5.CGLIB$getIdentityProvider$0(<generated>)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory$$EnhancerBySpringCGLIB$$adc959c5$$FastClassBySpringCGLIB$$53c655ec.invoke(<generated>)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory$$EnhancerBySpringCGLIB$$adc959c5.getIdentityProvider(<generated>)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at java.lang.reflect.Method.invoke(Method.java:498)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... 58 common frames omitted
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2024-09-27 09:25:06,919 INFO [Thread-1] org.apache.nifi.registry.NiFiRegistry Initiating shutdown of Jetty web server...
nifi-registry 2024-09-27 09:25:06,922 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2024-09-27 09:25:06,922 INFO [Thread-1] o.eclipse.jetty.server.AbstractConnector Stopped ServerConnector@7a1ebcd8{HTTP/1.1,[http/1.1]}{0.0.0.0:18080}
nifi-registry 2024-09-27 09:25:06,922 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2024-09-27 09:25:06,922 INFO [Thread-1] org.eclipse.jetty.server.session node0 Stopped scavenging
nifi-registry 2024-09-27 09:25:07,787 INFO [main] o.a.n.registry.bootstrap.RunNiFiRegistry NiFi Registry never started. Will not restart NiFi Registry
I am using a Helm chart to deploy this, and the logs pasted above are my pod logs.
While debugging I do see that the file is present inside the pod:
nifi@nifi-registry-custom-0:/opt/nifi-registry/nifi-registry-current/conf$ ls -lrth
total 112K
-rw-r--r-- 1 nifi nifi 1020 Dec 19 2019 registry-aliases.xml
-rw-r--r-- 1 nifi nifi 6.0K Dec 19 2019 identity-providers.xml
-rw-r--r-- 1 nifi nifi 2.1K Dec 19 2019 bootstrap.conf
-rw-r--r-- 1 nifi nifi 5.0K Aug 19 2020 providers.xml
-rw-r--r-- 1 root root 5.3K Sep 27 09:14 nifi-registry.temp
-rw-r--r-- 1 root root 6.7K Sep 27 09:14 login-identity-providers-ldap.xml
-rw-r--r-- 1 root root 21K Sep 27 09:14 authorizers.temp
-rw-r--r-- 1 nifi nifi 4.9K Sep 27 09:14 nifi-registry.properties
-rw-r--r-- 1 nifi nifi 6.7K Sep 27 09:14 login-identity-providers.xml
and my login-identity-providers.xml file contents are as below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
~ Licensed to the Apache Software Foundation (ASF) under one or more
~ contributor license agreements. See the NOTICE file distributed with
~ this work for additional information regarding copyright ownership.
~ The ASF licenses this file to You under the Apache License, Version 2.0
~ (the "License"); you may not use this file except in compliance with
~ the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<!--
This file lists the identity providers to use when running securely. In order
to use a specific provider it must be configured here and its identifier
must be specified in the nifi-registry.properties file.
-->
<identityProviders>
<!--
Identity Provider for users logging in with username/password against an LDAP server.
'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
'Manager Password' - The password of the manager that is used to bind to the LDAP server to
search for users.
'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
using LDAPS or START_TLS.
'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
LDAPS or START_TLS (i.e. JKS or PKCS12).
'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
LDAP using LDAPS or START_TLS.
'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
LDAPS or START_TLS (i.e. JKS or PKCS12).
'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
Possible values are REQUIRED, WANT, NONE.
'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
TLSv1.1, TLSv1.2, etc).
'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
before the target context is closed. Defaults to false.
'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
'User Search Base' - Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).
'User Search Filter' - Filter for searching for users against the 'User Search Base'.
(i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.
'Identity Strategy' - Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
The default functionality if this property is missing is USE_DN in order to retain
backward compatibility. USE_DN will use the full DN of the user entry if possible.
USE_USERNAME will use the username the user logged in with.
'Authentication Expiration' - The duration of how long the user authentication is valid
for. If the user never logs out, they will be required to log back in following
this duration.
-->
<provider>
<identifier>ldap-identity-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN"></property>
<property name="Manager Password"></property>
<property name="TLS - Keystore">/opt/nifi-registry/nifi-registry-current/conf/nifi-registry-custom-nifi-registry-0.nifi-registry-custom-nifi-registry-headless.local.svc.cluster.local/keystore.jks</property>
<property name="TLS - Keystore Password">xxx</property>
<property name="TLS - Keystore Type">jks</property>
<property name="TLS - Truststore">/opt/nifi-registry/nifi-registry-current/conf/nifi-registry-custom-nifi-registry-0.nifi-registry-custom-nifi-registry-headless.local.svc.cluster.local/truststore.jks</property>
<property name="TLS - Truststore Password">xxx</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">NONE</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully">false</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url"></property>
<property name="User Search Base"></property>
<property name="User Search Filter">(cn={0})</property>
<property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
<!--
Identity Provider for users logging in with username/password against a Kerberos KDC server.
'Default Realm' - Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG).
'Authentication Expiration' - The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.
-->
<!-- To enable the kerberos-identity-provider remove 2 lines. This is 1 of 2.
<provider>
<identifier>kerberos-identity-provider</identifier>
<class>org.apache.nifi.registry.web.security.authentication.kerberos.KerberosIdentityProvider</class>
<property name="Default Realm">NIFI.APACHE.ORG</property>
<property name="Authentication Expiration">12 hours</property>
<property name="Enable Debug">false</property>
</provider>
To enable the kerberos-provider remove 2 lines. This is 2 of 2. -->
</identityProviders>
My properties file contents are:
# security properties #
nifi.registry.security.keystore=/opt/nifi-registry/nifi-registry-current/conf/nifi-registry-custom-nifi-registry-0.nifi-registry-custom-nifi-registry-headless.default.svc.cluster.local/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=xxx
nifi.registry.security.keyPasswd=xxx
nifi.registry.security.truststore=/opt/nifi-registry/nifi-registry-current/conf/nifi-registry-custom-nifi-registry-0.nifi-registry-custom-nifi-registry-headless.default.svc.cluster.local/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=changeMe
nifi.registry.security.needClientAuth=
nifi.registry.security.authorizers.configuration.file=/opt/nifi-registry/nifi-registry-current/conf/authorizers.xml
nifi.registry.security.authorizer=file-provider
nifi.registry.security.identity.providers.configuration.file=/opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml
nifi.registry.security.identity.provider=ldap-identity-provider
However, I am not sure what the issue is.
Could someone please help?
Created on 09-27-2024 05:47 AM - edited 09-27-2024 06:29 AM
@sha257
The provider as shared is missing required configurations Manager DN, Manager password, URL, and User Search Base. Perhaps you just blanked these out for this post. Since this is an xml format file, make sure that you are properly escaping any XML special characters if used in any of the property values.
XML Special Character | Replacement escape value
" | &quot;
' | &apos;
< | &lt;
> | &gt;
& | &amp;
If any of these are used without being escaped, the XML will be invalid and not able to be loaded.
I also see that you have configured the Authentication Strategy as SIMPLE, which means you're using ldap and not ldaps; however, I see that you have configured the TLS keystore and truststore properties. That is not an issue, unless your ldap URL is really secured, requiring either the LDAPS or START_TLS "Authentication Strategy" to be set.
For your User Search Filter, try changing that from "(cn={0})" to just "cn={0}"
Most common issue is use of special characters within XML field property values like passwords that have not been escaped properly.
Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
Created 09-27-2024 07:15 AM
Hey @MattWho
Thank you very much for your response.
I am new to setting up the NiFi Registry and have been trying out most of the implementation from the official documentation.
Yes, I would like to use LDAP and have been looking into these steps - https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#ldap_identity_provide...
However, as per your answer, I understood that the TLS keystore and truststore properties are not required for this. Did I understand it correctly?
Created 09-27-2024 08:45 AM
@sha257
The TLS properties need to be configured if your LDAP endpoint is secured, meaning it requires the LDAPS or START_TLS authentication strategies. Even when secured, you will always need the TLS truststore, but may or may not need a TLS keystore (depends on your LDAP setup).
For unsecured LDAP URL access, the TLS properties are not necessary. Even unsecured (meaning the connection is not encrypted), the manager DN and manager Password are still going to be required to connect to the ldap server.
Based on information shared, I cannot say what your ldap setup does or does not require. You'll need to work with your ldap administrators to understand the requirements for connecting to your ldap.
Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
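A pre-flight check that applies the advice from both of Matt's answers before the registry is restarted, as an added example that is not part of the thread and not NiFi Registry's own code. It parses a login-identity-providers.xml in the layout quoted in the original post, reports the malformed-XML case that an unescaped "&" or "<" in a password produces (the same failure the registry surfaces as "Unable to load the login identity provider configuration file"), flags the blank Manager DN, Manager Password, Url and User Search Base properties, and requires the truststore properties when the strategy is LDAPS or START_TLS. The identifier is read from nifi-registry.properties so a mismatch with nifi.registry.security.identity.provider is caught too. The DNs, host names and passwords in build_sample are constructed for this example, and the rule set (REQUIRED_ALWAYS, TLS_REQUIRED) is an assumption drawn from the answers above, not a list published by the project.

```python
"""Pre-flight checks for a NiFi Registry login-identity-providers.xml.

Added example; not code from the thread or from NiFi Registry itself.
Rules mirror Matt's answers: the XML must be well-formed (special
characters in values escaped), Manager DN / Manager Password / Url /
User Search Base must be filled in, and LDAPS or START_TLS needs the
truststore properties. Sample DNs, hosts and passwords are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple
from xml.sax.saxutils import escape

# Assumed rule set, derived from the answers in the thread (not from NiFi docs).
REQUIRED_ALWAYS = ("Manager DN", "Manager Password", "Url", "User Search Base")
TLS_STRATEGIES = {"LDAPS", "START_TLS"}
TLS_REQUIRED = ("TLS - Truststore", "TLS - Truststore Password", "TLS - Truststore Type")


def escape_property_value(value: str) -> str:
    """Escape a raw value (e.g. a bind password) for use as XML element text.
    saxutils.escape covers & < >; the two quote characters are added here."""
    return escape(value, {'"': "&quot;", "'": "&apos;"})


def identity_provider_from_properties(properties_text: str) -> Optional[str]:
    """Read nifi.registry.security.identity.provider from nifi-registry.properties text."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("nifi.registry.security.identity.provider="):
            return line.split("=", 1)[1].strip()
    return None


def load_providers(xml_text: str) -> Tuple[Optional[Dict[str, Dict[str, str]]], Optional[str]]:
    """Parse the XML; returns (providers, error). An unescaped '&' or '<' in a
    value makes the document malformed, which is what the registry reports as
    'Unable to load the login identity provider configuration file'."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, f"XML parse error: {exc}"
    providers: Dict[str, Dict[str, str]] = {}
    for prov in root.findall("provider"):
        ident = (prov.findtext("identifier") or "").strip()
        providers[ident] = {p.get("name", ""): (p.text or "").strip() for p in prov.findall("property")}
    return providers, None


def check_provider(xml_text: str, identifier: str) -> List[str]:
    """Return the list of problems found; an empty list means the checks pass."""
    providers, err = load_providers(xml_text)
    if err:
        return [err]
    if identifier not in providers:
        return [f"no <provider> with identifier '{identifier}'"]
    props = providers[identifier]
    problems = [f"required property '{n}' is empty" for n in REQUIRED_ALWAYS if not props.get(n)]
    strategy = props.get("Authentication Strategy", "")
    if strategy in TLS_STRATEGIES:
        problems += [f"'{n}' must be set for {strategy}" for n in TLS_REQUIRED if not props.get(n)]
    elif strategy == "SIMPLE" and props.get("Url", "").lower().startswith("ldaps://"):
        problems.append("Url is ldaps:// but Authentication Strategy is SIMPLE; use LDAPS or START_TLS")
    return problems


def build_sample(password: str, strategy: str = "SIMPLE",
                 url: str = "ldap://ldap.example.internal:389",
                 truststore: str = "", truststore_password: str = "") -> str:
    """Constructed sample in the layout of the file posted in the thread;
    `password` is inserted verbatim so escaped and raw input can be compared."""
    return f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<identityProviders>
  <provider>
    <identifier>ldap-identity-provider</identifier>
    <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
    <property name="Authentication Strategy">{strategy}</property>
    <property name="Manager DN">cn=nifi-bind,ou=service,dc=example,dc=com</property>
    <property name="Manager Password">{password}</property>
    <property name="TLS - Truststore">{truststore}</property>
    <property name="TLS - Truststore Password">{truststore_password}</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="Url">{url}</property>
    <property name="User Search Base">ou=people,dc=example,dc=com</property>
    <property name="User Search Filter">cn={{0}}</property>
    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
  </provider>
</identityProviders>
"""


if __name__ == "__main__":
    ident = identity_provider_from_properties(
        "nifi.registry.security.identity.provider=ldap-identity-provider\n")
    cases = (
        ("raw '&' in password", build_sample("s3cr&t")),
        ("escaped password", build_sample(escape_property_value("s3cr&t"))),
        ("LDAPS without truststore",
         build_sample("pw", strategy="LDAPS", url="ldaps://ldap.example.internal:636")),
    )
    for label, doc in cases:
        print(label, "->", check_provider(doc, ident) or "OK")
```

Run it against the real files by reading them into check_provider and identity_provider_from_properties; a non-empty result tells you which of the points from the answers applies before the pod goes through another restart loop.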