Support Questions

Dear All,

I am encountering issue with LDAP integration.

1. I have completed LDAP (ldap-provider) and Certificate configurations according to documentation.
2. I added IU certificate in NiFi (keystore, truststore etc.) and configured other pieces of the MS AD LDAP integration (authorizers.xml, login-identity-providers.xml and nifi.properties).
3. I logged on NiFi from HTTPS UI with initial admin (admin1) and assigned the policies one of the LDAP users (nifiadmin) which is located on MS AD LDAP.
4. I checked LDAP user (nifiadmin) from NiFi UI it is exist in the NiFi. It seems Ok. I added all screenshots (nifi_policies.jpg) about that.
5. When I try to login initial admin (admin1) there is no error:

nifi-user.log:

2020-08-13 10:46:43,544 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Thu Aug 13 10:46:43 MSK 2020

2020-08-13 10:46:43,684 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Thu Aug 13 10:46:43 MSK 2020

2020-08-13 11:21:28,051 INFO [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifiportal.abc.example.com/nifi-api/flow/current-user (source ip: 10.0.2.15)

2020-08-13 11:21:28,062 INFO [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for admin1

2020-08-13 11:21:28,167 INFO [NiFi Web Server-118] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifiportal.abc.example.com/nifi-api/flow/client-id (source ip: 10.0.2.15)

2020-08-13 11:21:28,170 INFO [NiFi Web Server-118] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for admin1

2020-08-13 11:21:28,170 INFO [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifiportal.abc.example.com/nifi-api/flow/config (source ip: 10.0.2.15)

2020-08-13 11:21:28,179 INFO [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for admin1

2020-08-13 11:21:28,206 INFO [NiFi Web Server-118] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifiportal.abc.example.com/nifi-api/flow/banners (source ip: 10.0.2.15)

      6. But, when I try to login with LDAP User (nifiadmin) who was already assigned NiFi UI access by me I am getting permission error. I added all screenshots (nifi_policies.jpg) about that:

nifi-user.log:

2020-08-13 11:51:52,255 INFO [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifiportal.abc.example.com/nifi-api/flow/current-user (source ip: 10.0.2.15)

2020-08-13 11:51:52,258 INFO [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin

2020-08-13 11:51:52,260 INFO [NiFi Web Server-16] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[nifiadmin], groups[] does not have permission to access the requested resource. Unknown user with identity 'nifiadmin'. Returning Forbidden response.

      7. When I check the nifi-app.log there is no error:

nifi-app.log:

2020-08-13 10:46:52,310 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@1b8354aa(fa3f2599-3d3b-43c9-9e7a-ea26375d4470,h=[nifiportal.abc.example.com],w=[]) for SslContextFactory@378a5302[provider=null,keyStore=file:///C:/nifi/certificates/private-keystore1,trus

tStore=file:///C:/nifi/certificates/public-keystore1]

2020-08-13 10:46:52,325 INFO [main] o.eclipse.jetty.server.AbstractConnector Started ServerConnector@2794eab6{SSL,[ssl, http/1.1]}{nifiportal.abc.example.com:443}

2020-08-13 10:46:52,325 INFO [main] org.eclipse.jetty.server.Server Started @31030ms

2020-08-13 10:46:52,419 INFO [main] org.apache.nifi.nar.NarAutoLoader Starting NAR Auto-Loader for directory .\extensions ...

2020-08-13 10:46:52,419 INFO [main] org.apache.nifi.nar.NarAutoLoader NAR Auto-Loader started

2020-08-13 10:46:52,419 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:

2020-08-13 10:46:52,419 INFO [main] org.apache.nifi.web.server.JettyServer https://nifiportal.abc.example.com:443/nifi

      8. What I did for solving the problem

• I deleted user.xml and authorizations.xml several times. Nifi creates automatically them but problem is still continue.
• I tried different kind of the configurations in the related files (authorizers.xml, login-identity-providers.xml and nifi.properties). But no change
• I also tried another LDAP user than nifiadmin (admin2) but there is no any solution for ldap user login issue

I added all configuration files (authorizations, authorizers, login-identity-providers, nifi.properties and users) with jpeg format. I also added screenshots (nifi_policies.jpg) about access and user policies.

My environment details are below:
Apache NiFi 1.11.3 (single, not cluster)
Windows Server 2016
Java JRE 1.8.0_251 (64 Bit)

MS Active Directory 2016 for LDAP

Do you have any comment or idea?

nifi_policiesauthorizations.xmlauthorizers-1.xmlauthorizers-2.xmlauthorizers-3.xmllogin-identity-providers.xmlnifi.propertiesusers.xml