
Failing to login Nifi UI with LDAP user

Hello,

In my NiFi cluster setup, I'm failing to log in with an LDAP user.

The NiFi UI loads automatically with the anonymous user; I do not get a login page. I have tried to authenticate with LDAP using the configuration below.

<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Identity Strategy">USE_DN</property>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">CN=hadoop,OU=Servers,DC=ex,DC=com</property>
    <property name="Manager Password">zxc</property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldap://ldap.ex.com:389</property>
    <property name="User Search Base">DC=ex,DC=com</property>
    <property name="User Search Filter">sAMAccountName={0}</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>

NiFi is enabled with SSL. To enable SSL I converted the .jks file to .p12 format and loaded it in the browser. After this I get the NiFi UI with the error below.

[screenshot: nifi-insuffiecient-perm.png]

Then I created a policy in Ranger. Then I'm able to get the NiFi UI with the anonymous user automatically logged in. Please check the screenshot below.

[screenshot: nifi-log-in.png]

Below is the output from the NiFi server.

[root@ip-x ~]#ldapsearch -h ldap.ex.com -p 389 -D "CN=hadoop,OU=Servers,DC=ex,DC=com" -b "DC=ex,DC=com"
# extended LDIF
#
# LDAPv3
# base <DC=ex,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#


# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v2580


# numResponses: 1

[root@ip-x ~]#

Please suggest why I'm unable to get the login page in NiFi.

What do I need to do to get user authentication with LDAP in NiFi?
I have followed the steps from the links below:

https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap/comment-page-1/

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider

Re: Failing to login Nifi UI with LDAP user

Hi Suraj,

Can you please confirm that your nifi.properties is configured to use the LDAP Identity Provider for authentication? Client certificate authentication is always enabled, so converting the NiFi JKS keystore to PKCS12 and loading it in your browser (while not recommended as a best practice) would allow you to authenticate as an identity trusted by the same certificate which signed the NiFi server certificate, which I believe is what you are describing.

In addition to configuring the login-identity-providers.xml file as you have above, you need to instruct NiFi to allow LDAP login by populating the following value in nifi.properties:

nifi.security.user.login.identity.provider=ldap-provider

If you have done this as well, please share the content of $NIFI_HOME/logs/nifi-user.log and $NIFI_HOME/logs/nifi-app.log to help us diagnose the issue. Thanks.
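A configuration cross-check for the wiring described in the reply above, added here as an example (not code from the thread, from NiFi or from Ambari): it parses a login-identity-providers.xml block and nifi.properties as strings and reports when the selected provider is missing, blank or not defined, plus two hardening points; the sample XML is constructed from the provider block posted in the question.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the provider block posted in the question
# (the real file wraps providers in a <loginIdentityProviders> root element).
PROVIDERS_XML = """<loginIdentityProviders>
  <provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">CN=hadoop,OU=Servers,DC=ex,DC=com</property>
    <property name="Url">ldap://ldap.ex.com:389</property>
    <property name="User Search Base">DC=ex,DC=com</property>
    <property name="User Search Filter">sAMAccountName={0}</property>
  </provider>
</loginIdentityProviders>"""

PROVIDER_KEY = "nifi.security.user.login.identity.provider"


def check_login_provider(providers_xml: str, nifi_properties: str) -> list:
    """Return findings as strings; an empty list means the two files agree."""
    findings = []
    # The property must name a provider; if it is absent or blank NiFi never
    # shows a login page and falls back to client certificates (and anonymous).
    m = re.search(rf"^[ \t]*{re.escape(PROVIDER_KEY)}[ \t]*=[ \t]*(\S*)[ \t]*$",
                  nifi_properties, re.MULTILINE)
    selected = m.group(1) if m else ""
    if not selected:
        findings.append(f"{PROVIDER_KEY} is missing or empty in nifi.properties")
    root = ET.fromstring(providers_xml)
    providers = {p.findtext("identifier", "").strip(): p for p in root.iter("provider")}
    if selected and selected not in providers:
        findings.append(f"provider '{selected}' is not defined in login-identity-providers.xml")
    for ident, p in providers.items():
        props = {e.get("name"): (e.text or "").strip() for e in p.findall("property")}
        if props.get("Authentication Strategy") == "SIMPLE" and props.get("Url", "").startswith("ldap://"):
            findings.append(f"{ident}: SIMPLE bind over plain ldap:// sends the manager "
                            "and user passwords in clear text; use ldaps:// or START_TLS")
        if "{0}" not in props.get("User Search Filter", ""):
            findings.append(f"{ident}: User Search Filter needs the {{0}} username placeholder")
    return findings
```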

Re: Failing to login Nifi UI with LDAP user

Thank you @Andy LoPresto

Can you please confirm that your nifi.properties is configured to use the LDAP Identity Provider for authentication?

>> Yes. Please check the screenshot below.

[screenshot: amabari-nifi-1.png]

In nifi.properties, 'nifi.security.user.login.identity.provider=ldap-provider' is set. Please check the logs below as requested.

==> /data/log/nifi/nifi-user.log <==
2017-10-25 07:15:56,293 INFO [NiFi Web Server-2721] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<><nifi03.ex.local@ex.COM><CN=nifi02.ex.local, OU=ex.COM>) GET https://nifi03.ex.local:8443/nifi-api/flow/controller/bulletins (source ip: 10.248.12.81)
2017-10-25 07:15:56,293 INFO [NiFi Web Server-2721] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for anonymous
2017-10-25 07:15:56,295 INFO [NiFi Web Server-2438] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<><nifi03.ex.local@ex.COM><CN=nifi02.ex.local, OU=ex.COM>) GET https://nifi03.ex.local:8443/nifi-api/flow/current-user (source ip: 10.248.12.81)
2017-10-25 07:15:56,295 INFO [NiFi Web Server-2438] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for anonymous
2017-10-25 07:16:32,570 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty
2017-10-25 07:16:33,769 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty
2017-10-25 07:16:33,821 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty
2017-10-25 08:23:27,288 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty
2017-10-25 08:23:28,397 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty
2017-10-25 08:23:28,454 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty


==> /data/log/nifi/nifi-app.log <==
2017-10-26 05:37:52,278 INFO [Clustering Tasks Thread-1] o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-10-26 05:37:52,138 and sent to nifi01.ex.local:9088 at 2017-10-26 05:37:52,278; send took 139 millis
2017-10-26 05:37:57,419 INFO [Clustering Tasks Thread-2] o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-10-26 05:37:57,278 and sent to nifi01.ex.local:9088 at 2017-10-26 05:37:57,419; send took 140 millis
2017-10-26 05:38:02,559 INFO [Clustering Tasks Thread-2] o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-10-26 05:38:02,419 and sent to nifi01.ex.local:9088 at 2017-10-26 05:38:02,559; send took 139 millis
2017-10-26 05:38:07,700 INFO [Clustering Tasks Thread-1] o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-10-26 05:38:07,559 and sent to nifi01.ex.local:9088 at 2017-10-26 05:38:07,700; send took 140 millis
2017-10-26 05:38:09,093 INFO [pool-12-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Initiating checkpoint of FlowFile Repository
2017-10-26 05:38:09,159 INFO [pool-12-thread-1] org.wali.MinimalLockingWriteAheadLog org.wali.MinimalLockingWriteAheadLog@53eb4dae checkpointed with 0 Records and 0 Swap Files in 65 milliseconds (Stop-the-world time = 30 milliseconds, Clear Edit Logs time = 31 millis), max Transaction ID -1
2017-10-26 05:38:09,159 INFO [pool-12-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Successfully checkpointed FlowFile Repository with 0 records in 65 milliseconds
2017-10-26 05:38:12,841 INFO [Clustering Tasks Thread-1] o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-10-26 05:38:12,700 and sent to nifi01.ex.local:9088 at 2017-10-26 05:38:12,841; send took 140 millis
2017-10-26 05:38:17,981 INFO [Clustering Tasks Thread-1] o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-10-26 05:38:17,841 and sent to nifi01.ex.local:9088 at 2017-10-26 05:38:17,981; send took 139 millis
2017-10-26 05:38:23,121 INFO [Clustering Tasks Thread-1] o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-10-26 05:38:22,981 and sent to nifi01.ex.local:9088 at 2017-10-26 05:38:23,121; send took 139 millis
2017-10-26 05:38:28,262 INFO [Clustering Tasks Thread-1] o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-10-26 05:38:28,121 and sent to nifi01.ex.local:9088 at 2017-10-26 05:38:28,262; send took 140 millis

Please suggest where the configuration is missing.

Note: I have configured the cluster setup through Ambari.

Thanks
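A small audit over nifi-user.log lines, added here as an example (not code from the thread or from NiFi): it parses the proxied-entity chain in each "Attempting request for (...)" line and pairs it with the following "Authentication success for ..." line, so that API requests which ran as the anonymous user (the symptom in the logs above) are listed with their chain and URL; the first two sample lines are the posted ones, the third is constructed.

```python
import re
from collections import Counter

# Sample nifi-user.log lines: the first two are taken from the post above,
# the third is constructed to show a certificate-authenticated request.
NIFI_USER_LOG = """\
2017-10-25 07:15:56,293 INFO [NiFi Web Server-2721] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<><nifi03.ex.local@ex.COM><CN=nifi02.ex.local, OU=ex.COM>) GET https://nifi03.ex.local:8443/nifi-api/flow/controller/bulletins (source ip: 10.248.12.81)
2017-10-25 07:15:56,293 INFO [NiFi Web Server-2721] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for anonymous
2017-10-25 07:16:10,001 INFO [NiFi Web Server-2722] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifi02.ex.local, OU=ex.COM
"""

ATTEMPT = re.compile(r"Attempting request for \((?P<chain>.*?)\) (?P<method>[A-Z]+) (?P<url>\S+)")
SUCCESS = re.compile(r"Authentication success for (?P<identity>.+)$")


def parse_chain(chain: str) -> list:
    """'<><a><b>' -> ['', 'a', 'b']: end-user identity first, then each proxy.
    An empty first element is the anonymous user being proxied by cluster nodes."""
    return re.findall(r"<([^>]*)>", chain)


def audit_nifi_user_log(text: str) -> dict:
    """Count authenticated identities and list every request that ran as anonymous."""
    counts = Counter()
    anonymous_requests = []
    pending = None  # (chain, method, url) of the request awaiting its auth result
    for line in text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            pending = (parse_chain(m.group("chain")), m.group("method"), m.group("url"))
            continue
        m = SUCCESS.search(line)
        if m:
            identity = m.group("identity").strip()
            counts[identity] += 1
            if identity == "anonymous" and pending:
                anonymous_requests.append(pending)
            pending = None
    return {"counts": dict(counts), "anonymous_requests": anonymous_requests}
```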

Re: Failing to login Nifi UI with LDAP user

The problem has been resolved by passing the correct JKS files to the Ranger policy.

Thank you.

Re: Failing to login Nifi UI with LDAP user

So when you say "by passing correct jks files to ranger policy", are you referring to the JKS file we get while generating client certificates when enabling SSL for NiFi? I can see this in the NiFi page like you said. This is when I add {USER} in the Ranger policy.

[screenshot: 108771-1558037226542.png]