Created 02-13-2025 01:06 AM
Hi Team,
We want to integrate NiFi with 2 LDAP servers, and both have different manager DNs. We are using the below config in the "login-identity-providers.xml" file:
<provider>
    <identifier>ldap-provider-1</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">CN=yaqootnifi,OU=Groups,OU=UATOCP,OU=OpenShift,DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
    <property name="Manager Password">*********</property>
    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password"></property>
    <property name="TLS - Keystore Type"></property>
    <property name="TLS - Truststore"></property>
    <property name="TLS - Truststore Password"></property>
    <property name="TLS - Truststore Type"></property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol"></property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldap://sarycrpdc01.corp.sa.zain.com:389</property>
    <property name="User Search Base">DC=CORP,DC=SA,DC=ZAIN,DC=COM</property>
    <property name="User Search Filter">sAMAccountName={0}</property>
    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>
<provider>
    <identifier>ldap-provider-2</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">CN=yaqootoscp,OU=Service Accounts,DC=OS,DC=LOCAL</property>
    <property name="Manager Password">********</property>
    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password"></property>
    <property name="TLS - Keystore Type"></property>
    <property name="TLS - Truststore"></property>
    <property name="TLS - Truststore Password"></property>
    <property name="TLS - Truststore Type"></property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol"></property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldap://10.123.105.18:389</property>
    <property name="User Search Base">DC=OS,DC=LOCAL</property>
    <property name="User Search Filter">sAMAccountName={0}</property>
    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>
and the below config in the "nifi.properties" file:
nifi.security.user.login.identity.provider=ldap-provider-1, ldap-provider-2
But it is not working, and we are getting the below error:
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [java.lang.Object]: Factory method 'loginIdentityProvider' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'loginIdentityProviderFactoryBean': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: The specified login identity provider 'ldap-provider-1, ldap-provider-2' could not be found.
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
... 53 common frames omitted
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'loginIdentityProviderFactoryBean': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: The specified login identity provider 'ldap-provider-1, ldap-provider-2' could not be found.
Created 02-13-2025 06:26 AM
@mks27
What you are trying to do above is not possible in Apache NiFi. Apache NiFi only supports defining one login identity provider in
nifi.security.user.login.identity.provider
It does not support a comma-separated list of multiple login providers, so what is happening is that NiFi is expecting to find a login provider in the "login-identity-providers.xml" file with:
<identifier>ldap-provider-1, ldap-provider-2</identifier>
which does not exist, hence the error you are seeing.
Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
Created 02-13-2025 08:11 AM
Hi @MattWho ,
Thank you for your reply. Is there any way we can use 2 LDAP URLs and Manager DNs for NiFi?
Mohit Kumar
Created 02-13-2025 09:56 AM
@mks27
What you are trying to accomplish is not possible in NiFi.
In my 15 years of working with NiFi, I believe this is first time I have seen such a request.
So what you are expecting to happen is that NiFi presents the login window and a user supplies a username and password. You then expect NiFi to attempt authentication via one LDAP provider and, if that results in an unknown username or bad password response, move on to the next LDAP provider and attempt again?
The users that will need access to your NiFi don't all exist in just one of your LDAPs?
I suppose if you have a multi-node NiFi cluster set up, you could configure the ldap-provider on one node to use one of the LDAP servers and the ldap-provider on another node to use the other LDAP server. Since the NiFi cluster can be accessed from any node, you would just need to make sure your users access the NiFi cluster from the appropriate node that is configured with their LDAP server.
NOTE: Authorization (which happens after successful authentication) needs to be identical on all nodes in a cluster, but that is not an issue here. You'll just configure the authorizers.xml so that all user and group identities from both LDAPs are authorized appropriately.
This bootleg way of facilitating authentication via multiple LDAPs is not something I have ever tested/tried, but I believe it would work.
You could also raise an improvement Jira in the Apache NiFi Jira project to see if the community might be interested in implementing this change, but I don't anticipate there is much demand for it.
https://issues.apache.org/jira/browse/NIFI
Thank you,
Matt
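The two points above (the provider setting is one exact identifier, so a comma-separated value fails lookup; and in the per-node workaround every node may point at its own LDAP server but authorizers.xml must stay identical) can be checked before restarting NiFi. The linter below is an added example written for this thread, not code from the thread or from Apache NiFi. It resolves the nifi.properties value against the `<identifier>` elements of login-identity-providers.xml the way the error message implies NiFi does, reproduces the post's error for a comma-separated value, and compares authorizers.xml across nodes by digest. The function names, the placeholder hostnames (dc01.corp.example, dc01.os.example), the node names and all sample configs are constructed for the example. The cleartext warning is an added caveat: a SIMPLE bind over plain `ldap://` sends the Manager Password and each user's password unencrypted.

```python
"""Added config linter for the NiFi login-identity-provider setup discussed in the thread.
Not NiFi code; sample configs below are constructed and hostnames are placeholders."""
import hashlib
import xml.etree.ElementTree as ET

PROP_KEY = "nifi.security.user.login.identity.provider"


def parse_providers(xml_text):
    """Map each <provider> identifier to its <property name=...> values."""
    root = ET.fromstring(xml_text)
    providers = {}
    for prov in root.iter("provider"):
        ident = (prov.findtext("identifier") or "").strip()
        providers[ident] = {p.get("name"): (p.text or "").strip()
                            for p in prov.findall("property")}
    return providers


def login_provider_setting(properties_text):
    """Return the raw value of the login provider key from nifi.properties ('' if unset)."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == PROP_KEY:
            return value.strip()
    return ""


def check_node(properties_text, providers_xml):
    """Findings for one node; an empty list means the provider resolves cleanly."""
    findings = []
    wanted = login_provider_setting(properties_text)
    providers = parse_providers(providers_xml)
    if "," in wanted:
        # NiFi treats the whole string as one identifier, which is the post's error.
        findings.append(f"ERROR: '{wanted}' is a comma-separated list; NiFi accepts one "
                        f"identifier and would look for <identifier>{wanted}</identifier>")
        return findings
    if wanted not in providers:
        findings.append(f"ERROR: The specified login identity provider '{wanted}' could not be found")
        return findings
    props = providers[wanted]
    if props.get("Authentication Strategy") == "SIMPLE" and props.get("Url", "").startswith("ldap://"):
        # Added caveat: SIMPLE bind over plain ldap:// sends the Manager Password and every
        # user's password in cleartext; use the LDAPS or START_TLS strategy with a truststore.
        findings.append(f"WARN: '{wanted}' does a SIMPLE bind over {props['Url']} (cleartext credentials)")
    return findings


def check_cluster(nodes):
    """nodes: {node: (nifi.properties text, login-identity-providers.xml, authorizers.xml)}.
    Each node may point at a different LDAP, but authorizers.xml must match on all nodes."""
    per_node = {name: check_node(props, lip) for name, (props, lip, _) in nodes.items()}
    digests = {hashlib.sha256(authz.encode()).hexdigest() for _, _, authz in nodes.values()}
    cluster = [] if len(digests) <= 1 else ["ERROR: authorizers.xml is not identical on every node"]
    return per_node, cluster


# Constructed sample configs (placeholder hostnames, passwords omitted).
PROVIDERS_XML = """<loginIdentityProviders>
  <provider>
    <identifier>ldap-provider-1</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Url">ldap://dc01.corp.example:389</property>
    <property name="User Search Filter">sAMAccountName={0}</property>
  </provider>
  <provider>
    <identifier>ldap-provider-2</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
    <property name="Url">ldaps://dc01.os.example:636</property>
    <property name="User Search Filter">sAMAccountName={0}</property>
  </provider>
</loginIdentityProviders>
"""
BROKEN_PROPERTIES = f"{PROP_KEY}=ldap-provider-1, ldap-provider-2\n"  # the post's setting
NODE1_PROPERTIES = f"{PROP_KEY}=ldap-provider-1\n"
NODE2_PROPERTIES = f"{PROP_KEY}=ldap-provider-2\n"
AUTHORIZERS_XML = ("<authorizers><authorizer><identifier>managed-authorizer</identifier>"
                   "</authorizer></authorizers>")

# Per-node workaround: each node names its own provider, authorizers.xml is shared.
CLUSTER = {
    "nifi-node-1": (NODE1_PROPERTIES, PROVIDERS_XML, AUTHORIZERS_XML),
    "nifi-node-2": (NODE2_PROPERTIES, PROVIDERS_XML, AUTHORIZERS_XML),
}

if __name__ == "__main__":
    for finding in check_node(BROKEN_PROPERTIES, PROVIDERS_XML):
        print("single node:", finding)
    per_node, cluster = check_cluster(CLUSTER)
    for node, findings in per_node.items():
        print(node, findings or ["OK"])
    print("cluster:", cluster or ["OK"])
```

Run against the post's own setting the linter reports the comma-separated list before NiFi would, and in the two-node layout it passes node 2 (LDAPS), warns on node 1 (cleartext SIMPLE bind) and confirms the shared authorizers.xml. Feed it the real files from each node to catch a drifted authorizers.xml before it breaks cluster startup.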