Created 12-09-2020 08:10 AM
Hi, I'm having trouble configuring LDAP to work with NiFi. First I was able to secure my NiFi instance following the instructions under "https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-tls". When I access NiFi and select the certificate I can see the account CN=my_username, OU=Nifi at the top right. The next step was to set up LDAP, and for that I followed this link: "https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap/comment-page-1/". In my login-identity-providers.xml file the ldap-provider was configured as follows (I used #### for sensitive info):
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN"></property>
<property name="Manager Password"></property>
<property name="TLS - Keystore">./conf/keystore.jks</property>
<property name="TLS - Keystore Password">####</property>
<property name="TLS - Keystore Type">jks</property>
<property name="TLS - Truststore">./conf/truststore.jks</property>
<property name="TLS - Truststore Password">###</property>
<property name="TLS - Truststore Type">jks</property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol">TLSv1.2</property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">LDAP://ldap.####.com</property>
<property name="User Search Base">OU=Standard Users,OU=Users,OU=US-Houston,OU=####,OU=Engineering,OU=Divisions,DC=####,DC=com</property>
<property name="User Search Filter">sAMAccountName={0}</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
However, when I go back to NiFi and select Users I don't see anything added there from the LDAP server except for the main user added while securing NiFi. The log file doesn't show any error. What am I doing wrong? Can you help please?
Created 12-12-2020 07:42 AM
Can someone help please? I'm trying to run a test pilot to see if NiFi can be adopted as the tool of choice. The tool is impressive in terms of capabilities and out-of-the-box components, but it can't be used if it's not easily integrated with our environment. I tried calling support on the phone and left a message, and contacted sales via email, but no response. One of the factors in whether we adopt a tool is the ease of getting support when needed, and so far the Cloudera community is not showing that, unless I'm doing something wrong.
Created 01-25-2021 10:26 AM
OK, it's unfortunate that I did not get any help from the support community about this, but the good news is that after several trials and many hours I was able to resolve it, and I'm sharing my experience to help those who might get stuck on the same issue in the future:
1- No need to set up any of the TLS properties if you are connecting to an LDAP:// URL and not LDAPS://. You can comment out or remove this part.
2- Authentication Strategy: SIMPLE
3- Manager DN: if you are using Windows, open Active Directory Administrative Center (can be installed). Do a global search for one of the accounts you are familiar with and are going to use; once located, right-click to select Properties, scroll down to the Extensions section and click the Attribute Editor tab, locate the distinguishedName attribute, and that will be the value to use in the Manager DN. It will be something like:
CN=lastName.FirstName,OU=Standard Users,OU=Users,OU=LocationOU,OU=OrgName,OU=SomeOU,OU=AnotherOU,DC=DomainName,DC=com
4- Manager Password: the password of the account selected above.
5- Url: the LDAP URL, example: LDAP://ldap.DomainName.com/
6- User Search Base: use the same string from Step 3 without the account CN. Example:
OU=Standard Users,OU=Users,OU=Location,OU=OrgName,OU=SomeOU,OU=AnotherOU,DC=DomainName,DC=com
7- User Search Filter: this is what you will use to add users and log in to NiFi. What worked for me is "sAMAccountName={0}", which you can find set under the Attribute Editor (Step 3); it refers to searching by the user name (example: lastname.firstname).
8- Identity Strategy: USE_USERNAME
9- Make sure to add the provider name (example: ldap-provider) to nifi.properties.
10- Restart NiFi.
11- Use the default admin account created when setting up secure TLS on the installation server (example: my_username) to add the AD user to Users and set the policies using the user name from above.
12- From another machine, launch NiFi from the browser and you should be prompted to log in. Log in using the same account credentials you added to NiFi and you should be in.
Other helpful information can be found at: https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap/comment-page-1/
Good luck.
Created 01-25-2021 10:35 AM
With this tutorial from Pierre Villard it doesn't work (Pierre is a genius); I was trying to make it work and there is no way to connect to LDAP. That's why I'm posting today, as I can't find the problem.
Created 01-26-2021 06:16 AM
The NiFi login-identity-providers.xml is not used to sync users from LDAP. Configuring this will not result in any user being added to the list of users within NiFi's UI.
This "ldap-provider" is a login provider which, when configured, provides an additional user authentication method for accessing NiFi's UI. Configuring the ldap-provider does not disable TLS-based authentication. It simply changes the TLS handshake from a "require" client certificate to a "want" client certificate request from NiFi. If the client does not present a client certificate during the TLS handshake, NiFi redirects to the login UI, where users can enter their LDAP/AD username and password to authenticate themselves to NiFi.
Users and groups can be synced from LDAP, but that is done within the NiFi authorizers.xml file using the ldap-user-group-provider.
I also noticed from your ldap-provider login configuration that you are using the "SIMPLE" Authentication Strategy, which means that none of the TLS properties are used, so there is no need to set them.
Hope this helps,
Matt
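As an added example (not code from the thread or from the NiFi project), the small audit below parses an ldap-provider block like the one posted above and reports the points raised in this thread: a SIMPLE bind over an ldap:// URL carries the manager and user passwords unencrypted, the TLS properties are ignored under SIMPLE, and an empty Manager DN means an anonymous bind. The sample XML is constructed to mirror the poster's configuration with placeholder values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample mirroring the thread's ldap-provider block (placeholder values).
SAMPLE_XML = """<loginIdentityProviders>
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN"></property>
<property name="Manager Password"></property>
<property name="TLS - Keystore">./conf/keystore.jks</property>
<property name="TLS - Truststore">./conf/truststore.jks</property>
<property name="Url">LDAP://ldap.example.com</property>
<property name="User Search Base">OU=Users,DC=example,DC=com</property>
<property name="User Search Filter">sAMAccountName={0}</property>
<property name="Identity Strategy">USE_USERNAME</property>
</provider>
</loginIdentityProviders>"""


def load_provider(xml_text, identifier="ldap-provider"):
    """Return {property name: value} for the provider with the given identifier."""
    root = ET.fromstring(xml_text)
    for prov in root.iter("provider"):
        if prov.findtext("identifier") == identifier:
            return {p.get("name"): (p.text or "").strip() for p in prov.findall("property")}
    raise KeyError(identifier)


def audit(props):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    strategy = props.get("Authentication Strategy", "").upper()
    scheme = urlsplit(props.get("Url", "")).scheme.lower()  # urlsplit accepts LDAP:// too
    if strategy == "SIMPLE":
        if scheme == "ldap":
            findings.append("cleartext: SIMPLE bind over ldap:// sends the manager and user "
                            "passwords unencrypted; use ldaps:// (LDAPS) or START_TLS")
        tls_set = [k for k, v in props.items() if k.startswith("TLS - ") and v]
        if tls_set:
            findings.append("unused: TLS properties are ignored with SIMPLE (%s)" % ", ".join(tls_set))
    if not props.get("Manager DN"):
        findings.append("anonymous: empty Manager DN means an anonymous bind; "
                        "Active Directory normally refuses user searches for it")
    if "{0}" not in props.get("User Search Filter", ""):
        findings.append("filter: User Search Filter must contain {0} for the login name")
    return findings


if __name__ == "__main__":
    for line in audit(load_provider(SAMPLE_XML)):
        print(line)
```

The audit only covers login-identity-providers.xml; as Matt notes, populating the Users list requires the ldap-user-group-provider in authorizers.xml, which this script does not inspect.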