Support Questions

Find answers, ask questions, and share your expertise

NiFi LDAP Authentication Error

avatar
Super Collaborator

Hi ,

I am in the process of setting up my windows NiFi instance to use LDAP Authentication . I am getting the error below when i type in my userid and pwd.

i am also copying my ldap-identity-providers.xml login-identity-providers.xml,

app.log ,user log and authorizers.xml authorizers.xml

i followed this url https://community.hortonworks.com/articles/17293/how-to-create-user-generated-keys-for-securing-nif.... to create keystore,truststore. i didn't create any client certificates as i am planning to use LDAP.

---Error from App log

017-08-15 12:02:50,322 INFO [NiFi Web Server-39] c.s.j.s.i.application.WebApplicationImpl Initiating Jersey application, version 'Jersey: 1.19 02/11/2015 03:25 AM' 2017-08-15 12:03:08,040 ERROR [NiFi Web Server-33] org.apache.nifi.ldap.LdapProvider Failed to negotiate TLS session; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 2017-08-15 12:03:21,908 ERROR [NiFi Web Server-53] org.apache.nifi.ldap.LdapProvider Failed to negotiate TLS session; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetested target 2017-08-15 12:03:21,908 ERROR [NiFi Web Server-53] org.apache.nifi.ldap.LdapProvider Failed to negotiate TLS session; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 2017-08-15 12:03:26,884 INFO [Write-Ahead Local State Provider Maintenance] org.wali.MinimalLockingWriteAheadLog org.wali.MinimalLockingWriteAheadLog@63b85d97 checkpointed with 1 Records and 0 Swap Files in 72 milliseconds (Stop-the-world time = 15 milliseconds, Clear Edit Logs time = 47 millis), max Transaction ID 2 2017-08-15 12:03:29,257 INFO [pool-10-thread-1] o.a.n.c.r.WriteAheadFlowFileRepository Initiating checkpoint of FlowFile Repository 2017-08-15 12:03:30,244 INFO [pool-10-thread-1] org.wali.MinimalLockingWriteAheadLog org.wali.MinimalLockingWriteAheadLog@61868687 checkpointed with 0 Records and 0 Swap Files in 978 milliseconds (Stop-the-world time = 224 milliseconds, Clear Edit Logs time = 738 millis), max Transaction ID -1

User log is attached.nifi-user.txt

Regards,

Sai

27470-ldaplogin.jpg

3 REPLIES 3

avatar

The error you pasted indicates that the truststore you configured for NiFi does not know any valid signers of the LDAP server's certificate. You can show this certificate by connecting to the LDAP server using OpenSSL s_client with the "-debug -state -showcerts" flags. Once you have that public certificate, you can examine the certificate chain and find an intermediate or root CA which signed it. You need to import that CA public certificate into the truststore you configure NiFi to use. "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" is the error which indicates this.

avatar
Super Collaborator

@Andy LoPresto

I am not an expert with SSL and certificates. where can i get more help on this.?

Regards,

Sai

avatar

Pierre Villard has written multiple tutorials about securing your NiFi instances with various authorizers. I would recommend following this Guide to Integrating NiFi and LDAP and refer to Secure Cluster Setup if necessary. The guide you were following originally was not designed to handle the LDAP certificates in your NiFi truststore, which is why you cannot make a secure connection to the LDAP server.