
Nifi LDAPS Configuration

Explorer

Hi,

I'm trying to connect to LDAP from NiFi.

I've done most of the instructions in the official documentation and read most posts on the Cloudera Community. However, I couldn't connect to my company's LDAP system. 

I configured login-entity-providers and authorizers for LDAP.

When I start Nifi, it starts successfully and gives no error. 

When I try to log in with my initial admin it gives me

"Unable to validate the supplied credentials. Please contact the system administrator." error.

 

My questions are:

1- When we are setting up the initial admin, we are not setting a password for that user. How do we log in without a password?

2- I'm using USE_DN as the identity strategy for the ldap-provider. My initial admin name and LDAP user are the same. So I'm trying to log in with my user like:

Username: CN=K015576,CN=Users,DC=tcmb,DC=gov,DC=tr
Password: "my_ldap_password"
 

What path should I follow? Is there a mistake in my configuration files?

I have added my conf files below: nifi.properties, login-identity-providers and authorizers. Sensitive data removed.

 

Attachments: nifi-properties, login-identity-providers, authorizers-1, authorizers-2

Accepted Solution

Master Guru

@Yemre 

The following response you see in the NiFi UI after supplying a username and password tells you that the issue happened during the user authentication process:

"Unable to validate the supplied credentials. Please contact the system administrator."


NiFi has not even tried to do any authorization yet, so your authorizers.xml setup has not come into the equation yet.

Unfortunately, the error produced by the openldap client is rather generic and could mean that any of the following is the issue:
1. Incorrect ldap/AD manager DN
2. Incorrect ldap/AD manager password
3. Incorrect username
4. Incorrect user password
5. Incorrect user search filter in the login-identity-providers.xml file

In your case it looks like number 5 may be your issue:

[attached screenshot: MattWho_0-1635858497041.png]

The ldap-provider expects that the username typed in the login window is passed via the "User Search Filter" so that the entered user's credentials can be verified.

I noticed you are using full DNs to log in with, which is extremely rare.  The more common approach here is to configure your ldap-provider with an "Identity strategy" of "USE_USERNAME" instead of "USE_DN".  This means that upon successful user authentication, it is the user string entered in the login window that is used to authorize your user instead of the user's full DN.  This means your initial admin string should match your username as you would type it in at the login prompt.

In order to pass the entered string at the login prompt to the ldap-provider, your "User Search Filter" would need to look something like this:

<property name="User Search Filter">(cn={0})</property>

or

<property name="User Search Filter">(sAMAccountName={0})</property>

You should inspect your user ldap/AD entry to see which attribute in your ldap entry contains the username that you type in at the login prompt.

The user-entered username at login is substituted in place of "{0}" in the User Search Filter.

When you change the initial admin user string from the full DN to just the username, you would need to remove the old authorizations.xml (NOT the authorizers.xml) file that was built originally with the full DN by the file-access-policy-provider in your authorizers.xml.  The authorizations.xml file is only seeded via the file-access-policy-provider if the file does not already exist.  Once it exists, all future edits to the content of this file are handled via changes made from within the NiFi UI.

If you found this response assisted with your query, please take a moment to log in and click on "Accept as Solution" below this post.

Thank you,

Matt

View solution in original post
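To make the flow in the accepted answer concrete, here is an added example (not NiFi's own code, and not part of the original thread) that models the ldap-provider login sequence: bind as the manager, run the User Search Filter with the typed name substituted for "{0}", bind as the single matched entry, then derive the identity string from the Identity Strategy. The in-memory directory, the DNs under DC=example,DC=test, the service account nifi-svc and all passwords are constructed sample data. It shows why the five causes Matt lists all collapse into the same UI message, why a full DN typed at the prompt never matches (cn={0}), and what identity USE_DN and USE_USERNAME each hand to the authorizer.

```python
"""Model of the ldap-provider login flow from the answer above.

Added example, not NiFi's own code: manager bind -> user search with the
typed name substituted for "{0}" -> bind as the matched entry -> identity
string chosen by the Identity Strategy. The directory, DNs and passwords
are constructed sample data.
"""

# Constructed sample directory: DN -> attributes. Passwords are kept here only
# so the bind step can be modelled; a real server verifies them itself.
DIRECTORY = {
    "CN=K015576,CN=Users,DC=example,DC=test": {
        "cn": "K015576",
        "sAMAccountName": "k015576",
        "userPassword": "user-secret",
    },
    "CN=nifi-svc,CN=Users,DC=example,DC=test": {
        "cn": "nifi-svc",
        "sAMAccountName": "nifi-svc",
        "userPassword": "manager-secret",
    },
}

GENERIC_ERROR = ("Unable to validate the supplied credentials. "
                 "Please contact the system administrator.")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the typed username must not change the filter's logic."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_filter(template: str, username: str) -> str:
    """Substitute the login-prompt string for "{0}" in the User Search Filter."""
    return template.replace("{0}", escape_filter_value(username))


def bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def search(search_filter: str) -> list:
    """Evaluate one equality filter "(attr=value)" against the directory.
    Names and values compare case-insensitively, as cn and sAMAccountName do
    in Active Directory. Anything else returns no entries."""
    if not (search_filter.startswith("(") and search_filter.endswith(")")):
        return []
    attr, sep, value = search_filter[1:-1].partition("=")
    if not sep:
        return []
    for ch in "*()\0\\":                     # undo the escaping, backslash last
        value = value.replace("\\%02x" % ord(ch), ch)
    return [dn for dn, attrs in DIRECTORY.items()
            if any(name.lower() == attr.lower() and stored.lower() == value.lower()
                   for name, stored in attrs.items())]


def login(manager_dn, manager_password, filter_template, identity_strategy,
          username, password):
    """Return (success, identity, detail). Only GENERIC_ERROR reaches the UI;
    'detail' is the kind of information a server-side log would show."""
    if not bind(manager_dn, manager_password):
        return False, None, "manager bind failed (causes 1-2)"
    search_filter = build_filter(filter_template, username)
    hits = search(search_filter)
    if len(hits) != 1:
        return False, None, f"{len(hits)} entries matched {search_filter} (cause 3 or 5)"
    if not bind(hits[0], password):
        return False, None, "user bind failed (cause 4)"
    identity = hits[0] if identity_strategy == "USE_DN" else username
    return True, identity, "authenticated"


def ui_message(result) -> str:
    """What the login page would display for a login() result."""
    success, identity, _ = result
    return f"Logged in as {identity}" if success else GENERIC_ERROR


if __name__ == "__main__":
    manager = ("CN=nifi-svc,CN=Users,DC=example,DC=test", "manager-secret")
    # The question's setup: USE_DN with a full DN typed at the prompt. (cn={0})
    # compares the DN against the cn attribute, so nothing matches.
    print(login(*manager, "(cn={0})", "USE_DN",
                "CN=K015576,CN=Users,DC=example,DC=test", "user-secret"))
    # The suggested setup: plain username at the prompt, either strategy.
    for strategy in ("USE_USERNAME", "USE_DN"):
        print(strategy, login(*manager, "(cn={0})", strategy, "K015576", "user-secret"))
    print(ui_message(login(*manager, "(cn={0})", "USE_USERNAME", "K015576", "wrong")))
```

The `detail` string is the part a real deployment only sees in the server log, which is why the UI message alone cannot tell causes 1 to 5 apart. The second item in the directory plays the manager account: if its bind fails, no user search ever happens. The escaping step matters because "{0}" is replaced by whatever the user typed; without it a value like `*` would turn `(cn={0})` into a wildcard match instead of a literal lookup.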



Explorer

Thanks a lot Matt. It worked finally after trying for 2 weeks. I was tired of trying to get this to work. I really appreciate it.