
NiFi User Authentication with LDAP issue


Hi @Matt Clarke, I have configured NiFi user authentication with LDAP and I am seeing the following in my logs:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'loginIdentityProvider': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: The specified login identity provider 'ldap-provider' could not be found.

Please, can you help me?

6 replies


Hi @Julio Cedeno,

In nifi.properties, you have two properties for login authentication:

nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml
nifi.security.user.login.identity.provider=ldap-provider

The first one points to the file where you are defining your login identity providers. The second one must be the name of the login identity provider you want to use from the definition file.

In your file, you must have something like:

<loginIdentityProviders>
    <provider>
        <identifier>myProvider1</identifier>
        <class>...</class>
        <property name="...">...</property>
    </provider>
    <provider>
        <identifier>myProvider2</identifier>
        <class>...</class>
        <property name="...">...</property>
    </provider>
</loginIdentityProviders>

The error you have is probably due to the fact there is no provider named "ldap-provider" in your configuration file. Are you sure you un-commented the content of the file?

Hope this helps.


Thanks so much, Pierre Villard, you are great!

I had commented out a line. Now I already have NiFi on HTTPS, but I can't connect. It presents the following error in nifi-user.log:

Caused by: org.springframework.ldap.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090FB4, comment: Error initializing SSL/TLS, data 0, v2580]; nested exception is javax.naming.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090FB4, comment: Error initializing SSL/TLS, data 0, v2580]; remaining name ''
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:223)
    at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:148)
    at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:159)
    at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)
    at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:316)
    at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:126)
    at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:94)
    at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:189)
    ... 66 common frames omitted
Caused by: javax.naming.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090FB4, comment: Error initializing SSL/TLS, data 0, v2580]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3201)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3261)
    at javax.naming.ldap.InitialLdapContext.extendedOperation(InitialLdapContext.java:184)
    at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation(AbstractTlsDirContextAuthenticationStrategy.java:132)
    at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:143)
    ... 72 common frames omitted

The connection to LDAP from the OS was correct.

Do you know what the problem might be?

Please help me.


Looks like your LDAP configuration is incorrect. Is it LDAPS or LDAP? It seems to be an error related to SSL/TLS parameters.


It is LDAP.

One question: must the configuration of the property in login-identity-providers.xml be:

<property name="Authentication Strategy">START_TLS</property>

or

<property name="Authentication Strategy">SIMPLE</property>

Additionally, my configuration:

<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
    <property name="Manager DN">cn=OTECEL\user,dc=otecel,dc=com,dc=ec</property>
    <property name="Manager Password">clave</property>
    <property name="TLS - Keystore">/root/scripts/cert.p12</property>
    <property name="TLS - Keystore Password">hadoop</property>
    <property name="TLS - Keystore Type">PKCS12</property>
    <property name="TLS - Truststore">/root/scripts/cacert.jks</property>
    <property name="TLS - Truststore Password">hadoop</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol">TLS</property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldap://direccion:389</property>
    <property name="User Search Base">dc=otecel,dc=com,dc=ec</property>
    <property name="User Search Filter">cn=*</property>
    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>

Thanks.


If it's LDAP, then you should use SIMPLE and you can ignore the TLS properties.
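As an added illustration of the wiring Pierre describes above (nifi.properties names a provider identifier that must exist, un-commented, in login-identity-providers.xml) and of his note that the TLS properties only matter for START_TLS or LDAPS, here is a small offline checker. It is example code written for this thread, not NiFi's own code; the two file contents, the hostname, DNs and password are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed nifi.properties fragment (placeholder values, not a real deployment).
NIFI_PROPERTIES = """\
nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml
nifi.security.user.login.identity.provider=ldap-provider
"""

# Constructed login-identity-providers.xml as it ships: the ldap-provider block is
# still inside an XML comment, so the parser never sees it and NiFi reports
# "The specified login identity provider 'ldap-provider' could not be found".
PROVIDERS_XML_COMMENTED = """\
<loginIdentityProviders>
    <!--
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">START_TLS</property>
        <property name="Url">ldap://ldap.example.invalid:389</property>
    </provider>
    -->
</loginIdentityProviders>
"""

# Same file after un-commenting, switched to plain LDAP with SIMPLE binds (constructed).
PROVIDERS_XML_SIMPLE = """\
<loginIdentityProviders>
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">cn=svc-nifi,dc=example,dc=invalid</property>
        <property name="Manager Password">placeholder</property>
        <property name="Url">ldap://ldap.example.invalid:389</property>
        <property name="User Search Base">dc=example,dc=invalid</property>
        <property name="User Search Filter">cn={0}</property>
        <property name="Identity Strategy">USE_USERNAME</property>
    </provider>
</loginIdentityProviders>
"""


def parse_properties(text):
    """Minimal key=value parser for nifi.properties; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_providers(xml_text):
    """Map each active (non-commented) provider identifier to its class and properties."""
    root = ET.fromstring(xml_text)
    providers = {}
    for node in root.findall("provider"):
        identifier = (node.findtext("identifier") or "").strip()
        props = {p.get("name"): (p.text or "").strip() for p in node.findall("property")}
        providers[identifier] = {"class": (node.findtext("class") or "").strip(), "properties": props}
    return providers


def commented_identifiers(xml_text):
    """Identifiers that occur only inside <!-- --> blocks, which the XML parser discards."""
    found = set()
    for block in re.findall(r"<!--(.*?)-->", xml_text, flags=re.DOTALL):
        found.update(m.strip() for m in re.findall(r"<identifier>(.*?)</identifier>", block))
    return found


def check_login_config(properties_text, xml_text):
    """Return a list of findings; an empty list means the two files are consistent."""
    props = parse_properties(properties_text)
    selected = props.get("nifi.security.user.login.identity.provider", "")
    if not selected:
        return ["nifi.security.user.login.identity.provider is not set"]
    providers = parse_providers(xml_text)
    if selected not in providers:
        msg = f"provider '{selected}' is not defined in login-identity-providers.xml"
        if selected in commented_identifiers(xml_text):
            msg += " (it only appears inside an XML comment: un-comment the block)"
        return [msg]
    findings = []
    p = providers[selected]["properties"]
    strategy = p.get("Authentication Strategy", "")
    scheme = urlsplit(p.get("Url", "")).scheme.lower()
    if strategy not in ("ANONYMOUS", "SIMPLE", "LDAPS", "START_TLS"):
        findings.append(f"unknown Authentication Strategy '{strategy}'")
    if strategy == "LDAPS" and scheme != "ldaps":
        findings.append("Authentication Strategy LDAPS requires an ldaps:// Url")
    if strategy in ("LDAPS", "START_TLS") and not p.get("TLS - Truststore"):
        findings.append(f"{strategy} needs 'TLS - Truststore' so the LDAP server certificate can be verified")
    if strategy == "SIMPLE":
        # TLS properties are only applied for START_TLS/LDAPS; flag them so nobody relies on them.
        findings.extend(f"'{name}' is set but ignored under SIMPLE"
                        for name, value in p.items() if name.startswith("TLS - ") and value)
    return findings


if __name__ == "__main__":
    for label, xml_text in (("as shipped", PROVIDERS_XML_COMMENTED), ("un-commented, SIMPLE", PROVIDERS_XML_SIMPLE)):
        print(f"{label}: {check_login_config(NIFI_PROPERTIES, xml_text) or ['OK']}")
```

Point the two constants at the real files (read them from disk) to run the same check against a live installation; the commented-out case reproduces the first error in this thread, and the truststore check catches the most common cause of an SSL/TLS handshake failure under START_TLS or LDAPS.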


It is LDAP. One question:

the configuration of the property in login-identity-providers.xml must be:

<property name="Authentication Strategy">START_TLS</property>

or

<property name="Authentication Strategy">SIMPLE</property>

because with SIMPLE it presents another error.

Additionally, my configuration:

<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
    <property name="Manager DN">cn=OTECEL\user,dc=otecel,dc=com,dc=ec</property>
    <property name="Manager Password">clave</property>
    <property name="TLS - Keystore">/root/scripts/cert.p12</property>
    <property name="TLS - Keystore Password">hadoop</property>
    <property name="TLS - Keystore Type">PKCS12</property>
    <property name="TLS - Truststore">/root/scripts/cacert.jks</property>
    <property name="TLS - Truststore Password">hadoop</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol">TLS</property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldap://direccion:389</property>
    <property name="User Search Base">dc=otecel,dc=com,dc=ec</property>
    <property name="User Search Filter">cn=*</property>
    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>

Other question:

Should the security certificate be signed? Because running the following command:

curl -v https://10.112.152.181:8443/nifi/login

presents the following:

* About to connect() to 10.112.152.181 port 8443 (#0)
*   Trying 10.112.152.181...
* Connected to 10.112.152.181 (10.112.152.181) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: L=Quito,C=EC,CN=otecelbdatayhdp
*       start date: Jun 20 23:07:15 2017 GMT
*       expire date: Jun 20 23:07:15 2018 GMT
*       common name: otecelbdatayhdp
*       issuer: L=Quito,C=EC,CN=otecelbdatayhdp
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.