LDAP Integration (ldap-provider) Issue


New Contributor

Dear All,

I am encountering an issue with LDAP integration.

  1. I have completed the LDAP (ldap-provider) and certificate configurations according to the documentation.
  2. I added the IU certificate in NiFi (keystore, truststore etc.) and configured the other pieces of the MS AD LDAP integration (authorizers.xml, login-identity-providers.xml and nifi.properties).
  3. I logged on to NiFi from the HTTPS UI with the initial admin (admin1) and assigned the policies to one of the LDAP users (nifiadmin), which is located in MS AD LDAP.
  4. I checked the LDAP user (nifiadmin) from the NiFi UI; it exists in NiFi. It seems OK. I added all screenshots (nifi_policies.jpg) about that.
  5. When I try to log in as the initial admin (admin1) there is no error:

nifi-user.log:

2020-08-13 10:46:43,544 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Thu Aug 13 10:46:43 MSK 2020
2020-08-13 10:46:43,684 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Thu Aug 13 10:46:43 MSK 2020
2020-08-13 11:21:28,051 INFO [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifiportal.abc.example.com/nifi-api/flow/current-user (source ip: 10.0.2.15)
2020-08-13 11:21:28,062 INFO [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for admin1
2020-08-13 11:21:28,167 INFO [NiFi Web Server-118] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifiportal.abc.example.com/nifi-api/flow/client-id (source ip: 10.0.2.15)
2020-08-13 11:21:28,170 INFO [NiFi Web Server-118] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for admin1
2020-08-13 11:21:28,170 INFO [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifiportal.abc.example.com/nifi-api/flow/config (source ip: 10.0.2.15)
2020-08-13 11:21:28,179 INFO [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for admin1
2020-08-13 11:21:28,206 INFO [NiFi Web Server-118] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifiportal.abc.example.com/nifi-api/flow/banners (source ip: 10.0.2.15)

  6. But when I try to log in with the LDAP user (nifiadmin), who was already assigned NiFi UI access by me, I get a permission error. I added all screenshots (nifi_policies.jpg) about that:

nifi-user.log:

2020-08-13 11:51:52,255 INFO [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifiportal.abc.example.com/nifi-api/flow/current-user (source ip: 10.0.2.15)
2020-08-13 11:51:52,258 INFO [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin
2020-08-13 11:51:52,260 INFO [NiFi Web Server-16] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[nifiadmin], groups[] does not have permission to access the requested resource. Unknown user with identity 'nifiadmin'. Returning Forbidden response.

  7. When I check nifi-app.log there is no error:

nifi-app.log:

2020-08-13 10:46:52,310 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@1b8354aa(fa3f2599-3d3b-43c9-9e7a-ea26375d4470,h=[nifiportal.abc.example.com],w=[]) for SslContextFactory@378a5302[provider=null,keyStore=file:///C:/nifi/certificates/private-keystore1,trustStore=file:///C:/nifi/certificates/public-keystore1]
2020-08-13 10:46:52,325 INFO [main] o.eclipse.jetty.server.AbstractConnector Started ServerConnector@2794eab6{SSL,[ssl, http/1.1]}{nifiportal.abc.example.com:443}
2020-08-13 10:46:52,325 INFO [main] org.eclipse.jetty.server.Server Started @31030ms
2020-08-13 10:46:52,419 INFO [main] org.apache.nifi.nar.NarAutoLoader Starting NAR Auto-Loader for directory .\extensions ...
2020-08-13 10:46:52,419 INFO [main] org.apache.nifi.nar.NarAutoLoader NAR Auto-Loader started
2020-08-13 10:46:52,419 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:
2020-08-13 10:46:52,419 INFO [main] org.apache.nifi.web.server.JettyServer https://nifiportal.abc.example.com:443/nifi

  8. What I did to try to solve the problem:

  • I deleted users.xml and authorizations.xml several times. NiFi creates them automatically, but the problem still continues.
  • I tried different kinds of configurations in the related files (authorizers.xml, login-identity-providers.xml and nifi.properties). But no change.
  • I also tried another LDAP user than nifiadmin (admin2), but there was no solution for the LDAP user login issue.

I added all configuration files (authorizations, authorizers, login-identity-providers, nifi.properties and users) in JPEG format. I also added screenshots (nifi_policies.jpg) about access and user policies.

My environment details are below:
Apache NiFi 1.11.3 (single, not cluster)
Windows Server 2016
Java JRE 1.8.0_251 (64 Bit)

MS Active Directory 2016 for LDAP

Do you have any comment or idea?

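An added diagnostic, not code from the post or from NiFi: the quoted nifi-user.log shows "Authentication success for nifiadmin" immediately followed by "Unknown user with identity 'nifiadmin'" from AccessDeniedExceptionMapper, which means the ldap-provider accepted the credentials and the file-based authorizer then failed to find a user with exactly that identity string. The script below separates those two stages in sample log lines and compares each rejected identity against users.xml literally (exact, case-only near-miss, or missing). The log lines and users.xml here are constructed, and the NifiAdmin entry is a hypothetical near-miss to show the third outcome.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two nifi-user.log lines quoted in the post.
SAMPLE_LOG = """\
2020-08-13 11:51:52,258 INFO [NiFi Web Server-16] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin
2020-08-13 11:51:52,260 INFO [NiFi Web Server-16] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[nifiadmin], groups[] does not have permission to access the requested resource. Unknown user with identity 'nifiadmin'. Returning Forbidden response.
"""

# Constructed users.xml (FileUserGroupProvider tenants layout); 'NifiAdmin' is a hypothetical case-only near-miss.
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="11111111-1111-1111-1111-111111111111" identity="admin1"/>
    <user identifier="22222222-2222-2222-2222-222222222222" identity="NifiAdmin"/>
  </users>
</tenants>
"""

AUTH_OK = re.compile(r"NiFiAuthenticationFilter Authentication success for (\S+)")
UNKNOWN = re.compile(r"AccessDeniedExceptionMapper identity\[[^\]]*\].*"
                     r"Unknown user with identity '([^']*)'")

def known_identities(users_xml):
    """Identity strings exactly as NiFi will compare them (no normalisation)."""
    return [u.get("identity") for u in ET.fromstring(users_xml).iter("user")]

def classify(identity, known):
    """FileUserGroupProvider matches identities literally, so a case or
    whitespace difference fails just like a missing entry; flag it separately."""
    if identity in known:
        return "exact"
    near = {k.strip().lower(): k for k in known}.get(identity.strip().lower())
    return f"near-miss:{near}" if near else "missing"

def diagnose(log_text, users_xml):
    """Map each identity that authenticated but was then rejected as unknown
    to how it relates to users.xml. 'Authentication success' followed by
    'Unknown user' means the login provider worked and authorization did not."""
    known = known_identities(users_xml)
    authenticated, report = set(), {}
    for line in log_text.splitlines():
        ok = AUTH_OK.search(line)
        if ok:
            authenticated.add(ok.group(1))
        denied = UNKNOWN.search(line)
        if denied and denied.group(1) in authenticated:
            report[denied.group(1)] = classify(denied.group(1), known)
    return report
```

Whether the string reaching the authorizer is the bare sAMAccountName or the full DN depends on the ldap-provider's Identity Strategy (USE_USERNAME or USE_DN) in login-identity-providers.xml, so compare against what the log actually prints rather than what you expect to see.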

1 ACCEPTED SOLUTION

Re: LDAP Integration (ldap-provider) Issue

New Contributor

Dear All,

I solved the problem.

Re: LDAP Integration (ldap-provider) Issue

Community Manager

Hi @Muhyid, I'm happy to see you resolved your issue. Can you please provide the details of the solution? It will make it easier for others to find the answer in the future.


Vidya Sargur, Community Manager