NIFI LDAP Groups not showing the users

Contributor

Hi,
I have an issue integrating NiFi with LDAP groups. I created two groups in LDAP and added users to those groups, but NiFi shows those groups as empty, without users. I enabled DEBUG logging, and I can see the following message in the debug output:

devops-nifi-general-users-viewer contains member CN=Edi,OU=XX,OU=XX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXXX,DC=XXXX,DC=local but that user was not found while searching users. This may be due to a misconfiguration or it's possible the user is not a NiFi user. Ignoring group membership.

Any suggestion on what the issue could be? Why can't I see the users in the groups?

(attaching the configuration files )


Full log messages:

2023-08-14 14:52:11,537 DEBUG [main] o.a.n.ldap.tenants.LdapUserGroupProvider devops-nifi-general-users-viewer contains member CN=Edi,OU=XX,OU=XX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XXXX,DC=XXXX,DC=local but that user was not found while searching users. This may be due to a misconfiguration or it's possible the user is not a NiFi user. Ignoring group membership.
2023-08-14 14:52:11,556 DEBUG [main] o.a.n.ldap.tenants.LdapUserGroupProvider nifi-admins contains member CN=Edi,OU=XX,OU=XXX,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=XX,DC=local but that user was not found while searching users. This may be due to a misconfiguration or it's possible the user is not a NiFi user. Ignoring group membership.
2023-08-14 14:52:11,559 DEBUG [main] o.a.n.ldap.tenants.LdapUserGroupProvider -------------------------------------
2023-08-14 14:52:11,559 DEBUG [main] o.a.n.ldap.tenants.LdapUserGroupProvider Loaded the following users from LDAP:
2023-08-14 14:52:11,559 DEBUG [main] o.a.n.ldap.tenants.LdapUserGroupProvider --------------------------------------
2023-08-14 14:52:11,559 DEBUG [main] o.a.n.ldap.tenants.LdapUserGroupProvider Loaded the following groups from LDAP:
2023-08-14 14:52:11,560 DEBUG [main] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[606a319b-d23f-327b-bd0e-069f1019a42b], name[devops-nifi-general-users-viewer], users[]
2023-08-14 14:52:11,560 DEBUG [main] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[fd4aa4e9-598f-39a5-b218-83801e57978f], name[nifi-admins], users[]
2023-08-14 14:52:11,561 DEBUG [main] o.a.n.ldap.tenants.LdapUserGroupProvider --------------------------------------

authorizers.xml

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=XXX</property>
        <property name="Initial User Identity 2">CN=XXX</property>
    </userGroupProvider>



    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>

        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">XXX</property>
        <property name="Manager Password">XXX</property>
        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap:XXX</property>
        <property name="User Search Base">XXX</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter">(sAMAccountName={0})</property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute"></property>
        <property name="Authentication Expiration">12 hours</property>

        <property name="User Group Name Attribute - Referenced Group Attribute"></property>
        <property name="Group Search Base">XXX</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>

    </userGroupProvider>


      <userGroupProvider>
        <identifier>composite-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">XXX</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1">XXX</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

nifi.properties

nifi.security.keystore=/opt/nifi/cert-all/xxx
nifi.security.keystorePasswd=xxx
nifi.security.keyPasswd=xxx
nifi.security.truststore=/opt/nifi/cert-all/xxx
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=xxx
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.user.jws.key.rotation.period=PT1H
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

Screenshot nifi.png

5 REPLIES

Community Manager

Welcome to the community @edim2525. While I'm not an expert, I did find a post from @MattWho which hopefully gets you closer while you await a community response.


Cy Jervis, Manager, Community Program
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Master Mentor

@edim2525 

You have a configuration issue in your ldap-user-group-provider within the authorizers.xml.
The following filter will not work in this provider.

 <property name="User Search Filter">(sAMAccountName={0})</property>


"{0}" can only be used in the ldap-provider within the login-identity-providers.xml configuration file.  That string gets replaced with the username entered at the NiFi login window.  The ldap-user-group-provider executes independent of any input every 30 mins to sync current users and groups.  So here it is literally looking for a user with that sAMAccountName, which does not exist, so no users are being synced.  All you are getting back is groups.  A more common User Search Filter would be an "or" of select groups that you will be using to authorize various levels of access to your NiFi.  Leaving it blank would sync all users at ONE_LEVEL of your configured User Search Base.

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

Contributor

Thank you @MattWho, I left the "User Search Filter" empty and fixed the "User Search Base", and now it's working, but I'm getting all the users under the Search Base.


I tried to set up a search base only for the users with the relevant group (e.g. nifi-admins), without success.

What is wrong with my user search filter?


authorizers.xml

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=XXX</property>
        <property name="Initial User Identity 2">CN=XXX</property>
    </userGroupProvider>



    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>

        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">XXX</property>
        <property name="Manager Password">XXX</property>
        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap:XXX</property>
        <property name="User Search Base">OU=XXX,OU=XXX,OU=XXX,OU=XXX Users,OU=XXX,DC=XXX,DC=XXX</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter">(|(memberof=cn=nifi-admins,OU=XXX,OU=XXX,OU=XXX,OU=XXX Users,OU=XXX,DC=XXX,DC=XXX))</property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute">memberOf</property>
        <property name="Authentication Expiration">12 hours</property>

        <property name="User Group Name Attribute - Referenced Group Attribute"></property>
        <property name="Group Search Base">XXX</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>

    </userGroupProvider>


      <userGroupProvider>
        <identifier>composite-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">XXX</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1">XXX</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

Master Mentor

@edim2525 
It would be very difficult to tell you exactly what is wrong without seeing your AD entries.
The User Search Base should be set to whatever base level is needed to be able to search on all user DNs that are members of your nifi-admins group.  This may require you to change the "User Search Scope" to "SUBTREE", but again I can't say for sure for your AD.  I see you set up an "or" in your "User Search Filter" even though you only have one filter, but that should not be an issue.

Are you also trying to return only that one group "nifi-admins"?
If so, you could also add the following "Group Search Filter" to limit your returned groups to just one.

(cn=nifi-admins)


The ldap-user-group-provider also does not require that you set up both "user" sync and "group" sync, as it is often possible to make user to group associations by setting up only one or the other.

For example:

        <property name="User Search Base"></property>
        <property name="User Object Class"></property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter"></property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base">XXX</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter">(|(cn=nifi-admins)(cn=nifi-team1))</property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>

What the above config will do is initiate a group-sync-only execution, returning the member user DNs from the "member" attributes found on the groups "nifi-admins" and "nifi-team1".  For each of those returned member DNs, the provider will search for that user in AD to retrieve the user identity string from the sAMAccountName attribute of each user's AD entry.   Those sAMAccountName user strings then get associated with the appropriate group.

There are many ways to set this up, but they all depend on an individual's LDAP/AD entries, so all I can make are suggestions and examples based on commonly seen structures.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt
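The two mechanics Matt describes above, the literal "{0}" in the User Search Filter producing an empty user set (so every group member is "not found while searching users" and dropped), and the group-sync-only mode that resolves each member DN directly to its sAMAccountName, can be reproduced with a small in-memory model. The block below is an added example written for this thread, not NiFi or Cloudera code: the directory entries, DNs, users and group names are constructed, a dict stands in for the LDAP server, the filter parser covers only equality plus &, | and !, and DNs are assumed to contain no escaped commas or parentheses. It also covers the ONE_LEVEL vs SUBTREE scope difference and a memberOf-based user filter like the one in the second authorizers.xml.

```python
"""Toy model of how NiFi's LdapUserGroupProvider ties group members to synced
users.  Added example, not NiFi code: entries below are constructed and a dict
stands in for the LDAP server.  Assumes DNs hold no escaped ',' or ')'."""

USER_BASE = "ou=users,dc=example,dc=local"      # constructed
GROUP_BASE = "ou=groups,dc=example,dc=local"    # constructed

# Constructed AD-style directory: lowercase DN -> attributes (lowercase names).
# Group "member" values are mixed case on purpose, as AD returns them.
DIRECTORY = {
    "cn=edi,ou=team1,ou=users,dc=example,dc=local": {
        "objectclass": ["person"], "samaccountname": ["edi"],
        "memberof": ["cn=nifi-admins,ou=groups,dc=example,dc=local",
                     "cn=nifi-team1,ou=groups,dc=example,dc=local"]},
    "cn=ana,ou=users,dc=example,dc=local": {
        "objectclass": ["person"], "samaccountname": ["ana"],
        "memberof": ["cn=nifi-admins,ou=groups,dc=example,dc=local"]},
    "cn=svc-nifi,ou=services,dc=example,dc=local": {
        "objectclass": ["person"], "samaccountname": ["svc-nifi"],
        "memberof": ["cn=nifi-team1,ou=groups,dc=example,dc=local"]},
    "cn=nifi-admins,ou=groups,dc=example,dc=local": {
        "objectclass": ["group"], "cn": ["nifi-admins"],
        "member": ["CN=Edi,OU=team1,OU=users,DC=example,DC=local",
                   "CN=Ana,OU=users,DC=example,DC=local"]},
    "cn=nifi-team1,ou=groups,dc=example,dc=local": {
        "objectclass": ["group"], "cn": ["nifi-team1"],
        "member": ["CN=Edi,OU=team1,OU=users,DC=example,DC=local",
                   "CN=svc-nifi,OU=services,DC=example,DC=local"]},
}


def in_scope(dn, base, scope):
    """ONE_LEVEL matches direct children of base only; SUBTREE any descendant."""
    if not dn.endswith("," + base):
        return False
    return scope == "SUBTREE" or "," not in dn[: -len(base) - 1]


def parse_filter(text):
    """Parse a subset of RFC 4515: (attr=value), (&...), (|...), (!...)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if text[pos] in "&|!":
            op, pos, kids = text[pos], pos + 1, []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), value.lower())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, attrs):
    op = tree[0]
    if op == "=":
        return tree[2] in [v.lower() for v in attrs.get(tree[1], [])]
    kids = tree[1]
    if op == "&":
        return all(matches(k, attrs) for k in kids)
    if op == "|":
        return any(matches(k, attrs) for k in kids)
    return not matches(kids[0], attrs)  # "!"


def search(base, scope, object_class, filt):
    """{dn: attrs} for entries under base/scope with the object class that
    also satisfy the filter; an empty filter matches every such entry."""
    base, object_class = base.lower(), object_class.lower()
    tree = parse_filter(filt) if filt else None
    hits = {}
    for dn, attrs in DIRECTORY.items():
        if not in_scope(dn, base, scope):
            continue
        if object_class not in [v.lower() for v in attrs["objectclass"]]:
            continue
        if tree is not None and not matches(tree, attrs):
            continue
        hits[dn] = attrs
    return hits


def sync(user_cfg, group_cfg, identity_attr="samaccountname"):
    """user_cfg / group_cfg = (search base, scope, object class, filter).
    Users are searched first when a user search base is set; each group's
    member DNs are then matched against that set and unmatched members are
    logged and dropped (the DEBUG lines in the thread).  With an empty user
    search base (group-sync-only) each member DN is read directly.  DNs are
    lowercased, i.e. group membership case sensitivity is not enforced."""
    log, groups = [], {}
    users = search(*user_cfg) if user_cfg[0] else None
    for gattrs in search(*group_cfg).values():
        name, members = gattrs["cn"][0], []
        for member_dn in gattrs.get("member", []):
            key = member_dn.lower()
            entry = users.get(key) if users is not None else DIRECTORY.get(key)
            if entry is None:
                log.append(f"{name} contains member {member_dn} but that user "
                           "was not found while searching users. "
                           "Ignoring group membership.")
                continue
            members.append(entry[identity_attr][0])
        groups[name] = sorted(members)
    return groups, log


if __name__ == "__main__":
    # The broken filter from the question: "{0}" is matched literally.
    print(sync((USER_BASE, "ONE_LEVEL", "person", "(sAMAccountName={0})"),
               (GROUP_BASE, "ONE_LEVEL", "group", "")))
    # Group-sync-only, as in Matt's example config.
    print(sync(("", "ONE_LEVEL", "", ""), (GROUP_BASE, "ONE_LEVEL", "group",
               "(|(cn=nifi-admins)(cn=nifi-team1))")))
```

Running it shows the question's symptom first (both groups with users[] and four "not found" lines), then that a blank filter at ONE_LEVEL still misses a user sitting one OU deeper, which SUBTREE fixes, and finally that group-sync-only resolves every member regardless of where the user entry lives.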


Contributor

I set up the authorizers.xml file as you suggested and it's working perfectly. Thank you very much @MattWho!!