
Connecting Nifi to LDAP with Docker


I have been struggling with this for a week now.

Here are my files:

Authorizers.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
  authorizers.xml: user/group providers feeding the file-based access policy
  provider that managed-authorizer (selected in nifi.properties) uses.
  This file carries a plaintext LDAP manager password; keep it out of shared
  posts and version control, and rotate that password once it has been posted.
-->
<authorizers>
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<!--
  NOTE(review): login-identity-providers.xml uses Identity Strategy USE_DN, so
  a user who logs in through LDAP is identified by the full DN the directory
  returns. These seed identities must equal that DN string exactly (case and
  spacing included). "cn=localhost,ou=ngc" is not under the lldap base DN
  dc=localhost configured in the compose file, so it presumably never matches;
  confirm the real user DN in lldap. Identity 2 looks like a certificate
  subject DN (client-certificate login), which is a separate identity.
-->
<property name="Initial User Identity 1">cn=localhost,ou=ngc</property>
<property name="Initial User Identity 2">CN=localhost,O=ngc,L=San Diego,ST=California,C=US</property>
</userGroupProvider>
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<!-- SIMPLE: plain bind with the Manager DN / Manager Password below, no TLS. -->
<property name="Authentication Strategy">SIMPLE</property>
<!--
  NOTE(review): this bind DN is not under dc=localhost. lldap's admin bind DN
  is normally uid=ADMIN_USER,ou=people,BASE_DN (here BASE_DN is dc=localhost);
  verify against your lldap instance. The password below is plaintext.
-->
<property name="Manager DN">cn=localhost,ou=ngc</property>
<property name="Manager Password">password</property>
<!--
  FOLLOW makes the client chase referrals returned by the directory, re-sending
  the manager bind to whatever server the referral names. IGNORE is the safer
  choice unless referrals are actually needed.
-->
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<!--
  Plaintext LDAP on lldap's default port. The compose file enables LDAPS on
  6360 with /app/certs/localhost.crt, so with SIMPLE over ldap:// the manager
  password crosses the container network unencrypted. Prefer ldaps://ldap:6360
  with Authentication Strategy LDAPS and the TLS truststore properties (this
  provider declares none yet). If that certificate is issued only for
  "localhost", Java hostname verification against "ldap" will fail; reissue it
  with a SAN for the service name. The name "ldap" must also resolve from the
  NiFi container, which requires both services to share a compose network.
-->
<property name="Url">ldap://ldap:3890</property>
<property name="Page Size"></property>
<!-- Users and groups are re-read from LDAP on this cadence. -->
<property name="Sync Interval">30 mins</property>
<property name="Group Membership - Enforce Case Sensitivity">false</property>
<!--
  NOTE(review): "CN=users" is not a DN under dc=localhost. lldap keeps user
  entries under ou=people,BASE_DN by default, so a full DN such as
  ou=people,dc=localhost is presumably what is wanted here; confirm in lldap.
-->
<property name="User Search Base">CN=users</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">ONE_LEVEL</property>
<property name="User Search Filter">(uid=*)</property>
<!--
  NOTE(review): users synced here are identified by their "cn", while the
  login provider identifies the same people by full DN (USE_DN). NiFi matches
  identities as strings, so policies granted to one form presumably do not
  apply to the other; use one identity form consistently in both files.
-->
<property name="User Identity Attribute">cn</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<!--
  Empty group settings: no group search is configured, so presumably only user
  entries are synced. lldap's groups live under ou=groups,BASE_DN if group
  sync is wanted later; confirm.
-->
<property name="Group Search Base"></property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter"></property>
<property name="Group Name Attribute"></property>
<property name="Group Member Attribute"></property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
<userGroupProvider>
<identifier>composite-configurable-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
<!--
  Merges the editable file provider (where UI-created users live) with the
  read-only LDAP provider; the access policy provider below consumes this one.
-->
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider>

<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">composite-configurable-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<!--
  NOTE(review): the initial admin is granted policies by identity string; with
  USE_DN in the login provider this has to be the full DN lldap returns for
  the admin user, which "cn=localhost,ou=ngc" (not under dc=localhost)
  presumably is not. Confirm the DN before the first start.
-->
<property name="Initial Admin Identity">cn=localhost,ou=ngc</property>
<property name="Legacy Authorized Users File"></property>
<!-- Node Group is only needed for a cluster; empty is fine for a single node. -->
<property name="Node Group"></property>
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<!-- Referenced from nifi.properties as nifi.security.user.authorizer. -->
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>


login-identity-providers.xml

<!--
  login-identity-providers.xml: the ldap-provider selected in nifi.properties
  via nifi.security.user.login.identity.provider. Unlike authorizers.xml this
  file has no XML declaration; adding one as the very first line is harmless.
  The manager, keystore and truststore passwords are plaintext and all set to
  "password"; rotate them before sharing this file.
-->
<loginIdentityProviders>

<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<!--
  SIMPLE: plain bind with the Manager DN / Manager Password, no TLS. The TLS
  properties below therefore appear unused; they are what LDAPS or START_TLS
  would consume together with an ldaps:// Url.
-->
<property name="Authentication Strategy">SIMPLE</property>

<!-- NOTE(review): not under the lldap base DN dc=localhost; see the remark on User Search Base. -->
<property name="Manager DN">cn=localhost,ou=ngc</property>
<property name="Manager Password">password</property>

<!--
  A keystore is only needed when the LDAP server demands a client certificate
  (mutual TLS); one-way LDAPS needs just a truststore that holds the lldap
  certificate. Client Auth NONE matches the one-way case.
-->
<property name="TLS - Keystore">./conf/keystore.p12</property>
<property name="TLS - Keystore Password">password</property>
<property name="TLS - Keystore Type">PKCS12</property>
<property name="TLS - Truststore">./conf/truststore.p12</property>
<property name="TLS - Truststore Password">password</property>
<property name="TLS - Truststore Type">PKCS12</property>
<property name="TLS - Client Auth">NONE</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully"></property>

<!-- FOLLOW re-sends the manager bind to servers named in referrals; prefer IGNORE unless referrals are needed. -->
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>

<!--
  Plaintext ldap://; user passwords submitted at login are forwarded to lldap
  over this connection. The compose file also exposes LDAPS on 6360 (see the
  note on Authentication Strategy).
-->
<property name="Url">ldap://ldap:3890</property>
<!--
  NOTE(review): the search base must be the DN of the container holding the
  user entries. lldap puts users under ou=people,BASE_DN, i.e.
  ou=people,dc=localhost with the base DN from the compose file; confirm.
-->
<property name="User Search Base">cn=localhost,ou=ngc</property>

<!--
  sAMAccountName is an Active Directory attribute. lldap exposes the login
  name as uid, so uid={0} is presumably the filter wanted here; {0} is
  replaced by the username submitted at login.
-->
<property name="User Search Filter">sAMAccountName={0}</property>
<!--<property name="User Search Filter">cn={0}</property>-->

<!--
  USE_DN: the NiFi identity becomes the full DN of the matched entry, so the
  Initial Admin Identity in authorizers.xml must be written as that DN.
  Authentication Expiration bounds how long the issued login token is valid.
-->
<property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>

</loginIdentityProviders>


nifi.properties

# Security section of nifi.properties: server TLS identity plus the wiring to
# the authorizer and login provider defined in the two XML files.
# Keystore, key and truststore passwords are plaintext and all "password";
# rotate them and keep this file out of shared posts.
nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
# Server keystore (PKCS12); certificate/privateKey entries are left empty.
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystore.certificate=
nifi.security.keystore.privateKey=
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=password
nifi.security.keyPasswd=password
# Truststore governing which peer certificates NiFi accepts. NOTE(review): for
# an ldaps:// LDAP Url this presumably has to contain the lldap certificate
# mounted from ./nifi/certs in the compose file; confirm.
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststore.certificate=
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=password

# Must match the <identifier> of the <authorizer> in authorizers.xml (it does).
nifi.security.user.authorizer=managed-authorizer
# No anonymous access to the UI/API.
nifi.security.allow.anonymous.authentication=false
# Must match the <identifier> of the <provider> in login-identity-providers.xml (it does).
nifi.security.user.login.identity.provider=ldap-provider
# ISO 8601 duration: the token signing key is rotated hourly.
nifi.security.user.jws.key.rotation.period=PT1H
# Empty: no OCSP revocation checking configured.
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

 

Docker setup

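services:
  # NiFi itself; reaches lldap by the service name "ldap" over ftcs_net.
  nifi2:
    image: testnifi:latest
    attach: false
    ports:
      - 8443:8443
    networks:
      - ftcs_net

  nifi-registry:
    image: ssb-docker.nexus.usdin.gc1.myngc.com/apache/nifi-registry:ftcs-0.0.1
    user: nifi
    attach: false
    restart: always
    ports:
      - 18080:18080
    volumes:
      - nifi_registry_database:/opt/nifi-registry/nifi-registry-current/database
      - nifi_registry_flow_storage:/opt/nifi-registry/nifi-registry-current/flow_storage
    networks:
      - ftcs_net

  ldap:
    image: lldap/lldap:stable
    # 3890 = LDAP, 6360 = LDAPS, 17170 = lldap web UI. NiFi talks to lldap over
    # the compose network, so these host publishes are only for administration
    # from the host; bind them to 127.0.0.1 (e.g. "127.0.0.1:17170:17170") if
    # they are not meant to be reachable from other machines.
    ports:
      - "3890:3890"
      - "6360:6360"
      - "17170:17170"
    volumes:
      - "ldap_data:/data"
      - "./nifi/certs:/app/certs"
    environment:
      # Leave these unset rather than using weak fixed values like 12345;
      # NOTE(review): lldap presumably generates and persists its own secrets
      # under /data when they are absent, confirm against the lldap docs.
      #- LLDAP_JWT_SECRET=12345
      #- LLDAP_KEY_SEED=12345
      #- LLDAP_LDAP_PORT=6360
      - LLDAP_HTTP_HOST=0.0.0.0
      # NOTE(review): bind address of the LDAP listener given as the service
      # name instead of 0.0.0.0 as for HTTP above; confirm lldap resolves it
      # to the container address, otherwise use 0.0.0.0 here too.
      - LLDAP_LDAP_HOST=ldap
      # Base DN; NiFi's Manager DN, User Search Base and identities must sit
      # under this (cn=localhost,ou=ngc in the NiFi files does not).
      - LLDAP_LDAP_BASE_DN=dc=localhost
      # Plaintext admin password for the lldap admin user; rotate once shared.
      - LLDAP_LDAP_USER_PASS=password
      # LDAPS on 6360. For NiFi to use ldaps://ldap:6360 this certificate
      # needs a SAN for "ldap" (not only localhost) and must be in NiFi's
      # truststore.
      - LLDAP_LDAPS_OPTIONS__ENABLED=true
      - LLDAP_LDAPS_OPTIONS__CERT_FILE=/app/certs/localhost.crt
      - LLDAP_LDAPS_OPTIONS__KEY_FILE=/app/certs/localhost.key
    # Fix: nifi2 is attached only to ftcs_net, while this service had no
    # "networks" key and therefore landed on the project default network.
    # Compose DNS resolves service names only across a shared network, which is
    # why NiFi logged "java.net.UnknownHostException: ldap".
    networks:
      - ftcs_net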




Error: 2025-02-04 08:45:33 Caused by: javax.naming.CommunicationException: ldap:3890
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:251)
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:141)
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1620)
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2848)
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:349)
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
2025-02-04 08:45:33 at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:520)
2025-02-04 08:45:33 at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
2025-02-04 08:45:33 at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
2025-02-04 08:45:33 at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
2025-02-04 08:45:33 at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:44)
2025-02-04 08:45:33 at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:350)
2025-02-04 08:45:33 ... 138 common frames omitted
2025-02-04 08:45:33 Caused by: java.net.UnknownHostException: ldap
2025-02-04 08:45:33 at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:567)
2025-02-04 08:45:33 at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:327)
2025-02-04 08:45:33 at java.base/java.net.Socket.connect(Socket.java:751)
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.Connection.createConnectionSocket(Connection.java:340)
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:283)
2025-02-04 08:45:33 at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:230)


2025-02-04 08:45:33 Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation
2025-02-04 08:45:33 at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:192)
2025-02-04 08:45:33 at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:125)
2025-02-04 08:45:33 at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1863)
2025-02-04 08:45:33 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getObjectForBeanInstance(AbstractAutowireCapableBeanFactory.java:1298)
2025-02-04 08:45:33 at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:346)
2025-02-04 08:45:33 at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
2025-02-04 08:45:33 at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:254)
2025-02-04 08:45:33 at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1631)
2025-02-04 08:45:33 at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1519)
2025-02-04 08:45:33 at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:913)
2025-02-04 08:45:33 at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791)
2025-02-04 08:45:33 ... 116 common frames omitted
2025-02-04 08:45:33 Caused by: org.springframework.ldap.CommunicationException: ldap:3890
2025-02-04 08:45:33 at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:107)



1 ACCEPTED SOLUTION


hello @Darryl 

The LDAP exception you shared indicates that your LDAP server does not allow anonymous access and expects authentication:

 

Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 - No user currently bound]
2025-02-05 09:20:33 at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3268)

 

Using the "SIMPLE" strategy, NiFi binds to the LDAP server with the Manager DN and Manager Password. The "LDAPS" strategy still requires the Manager DN and Manager Password, but additionally requires the TLS properties to be configured (a truststore only, if your LDAP server requires one-way TLS; both a keystore and a truststore, if your LDAP server requires mutual TLS). The LDAPS strategy also requires the Url to use ldaps://<host>:<ldaps port>. "START_TLS" is rarely used and has the same requirements as the LDAPS strategy; the difference is that the connection is initially established unencrypted and then switched to a secure connection.

https://nifi.apache.org/nifi-docs/administration-guide.html#ldapusergroupprovider

Also: your User Search Base configuration is still not valid, but that is not related to your LDAP connection exception.

Please help our community grow and thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt




hello @Darryl 

The LDAP exception you shared indicates that your LDAP server does not allow anonymous access and expects authentication:

 

Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 - No user currently bound]
2025-02-05 09:20:33 at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3268)

 

Using the "SIMPLE" strategy, NiFi binds to the LDAP server with the Manager DN and Manager Password. The "LDAPS" strategy still requires the Manager DN and Manager Password, but additionally requires the TLS properties to be configured (a truststore only, if your LDAP server requires one-way TLS; both a keystore and a truststore, if your LDAP server requires mutual TLS). The LDAPS strategy also requires the Url to use ldaps://<host>:<ldaps port>. "START_TLS" is rarely used and has the same requirements as the LDAPS strategy; the difference is that the connection is initially established unencrypted and then switched to a secure connection.

https://nifi.apache.org/nifi-docs/administration-guide.html#ldapusergroupprovider

Also: your User Search Base configuration is still not valid, but that is not related to your LDAP connection exception.

Please help our community grow and thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt


Thank you for all of your feedback so far. I have put LDAP on the back burner for now and will try that again soon.

I'm trying to see if I can get it to work with Keycloak, but I am getting this error:

Caused by: org.apache.nifi.web.client.api.WebClientServiceException: Request execution failed HTTP Method [GET] URI [http://localhost:8080/realms/master/protocol/saml/descriptor]

using these settings:

nifi.security.user.saml.idp.metadata.url=http://localhost:8080/realms/master/protocol/saml/descriptor
nifi.security.user.saml.sp.entity.id=org:apache:nifi:saml:sp
nifi.security.user.saml.identity.attribute.name=
nifi.security.user.saml.group.attribute.name=
nifi.security.user.saml.request.signing.enabled=false
nifi.security.user.saml.want.assertions.signed=true
nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
nifi.security.user.saml.authentication.expiration=12 hours
nifi.security.user.saml.single.logout.enabled=false
nifi.security.user.saml.http.client.truststore.strategy=JDK
nifi.security.user.saml.http.client.connect.timeout=30 secs
nifi.security.user.saml.http.client.read.timeout=30 secs

I am following the instructions from here, except that I am using the latest version of Keycloak:
Apache NiFi SAML Authentication with Keycloak


@Darryl 

Please start a new community question around your new keycloak integration issues with NiFi.

Thank you,
Matt