Support Questions

Find answers, ask questions, and share your expertise

Nifi login error ( when ldap login is applied )

avatar
Explorer

Hi Guys ,i have a problem with Nifi login   please can´t help me ?

this problem start when open the web interface of Nifi later config ldap login  .Present the next message 
has been attached imagen .

 

noekmc_0-1663253765063.png

for fix the problem -> select log out  

is there any other solution ?

Regards!

 

4 REPLIES 4

avatar
Master Mentor

@noekmc 
The UI you are seeing is telling you that your ldap user credentials have successfully been authenticated; however, your user identity is not authorized within NiFi to "view the UI".
NiFi Access Policies 

The ldap-provider configured in the login-identity-providers.xml handles the authentication process.
The configuration within the authorizers.xml handles the authorizing of those authenticated user identities.
You can tail the nifi-user.log  while you login to see that your user identity that is resulting from your successful authentication.  You will also then see the not authorized log output with the missing access policy.

The following section of the Apache Documentation can help setting up authorization for the first time:
multi-tenant-authorization 

If you were to share the log lines from your nifi-user.log specific to your login attempt along with the contents of your authorizers.xml file, it may be easier to provide guidance on your setup.  The multi-tenant-authorization setup in the authorizers.xml has many configuration options and providers to choose from.  The very basic setup would use a managed-provider that uses the file-access-policy-provider and file-user-group-provider.  

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt



avatar
Explorer

Matt , the next steps mitigate the problem , but not its solution

Step 1

noekmc_0-1663273060870.png

Step 2 show the problem

noekmc_1-1663273113790.png

Step 3 Select" log out " option

noekmc_2-1663273156635.png

noekmc_3-1663273182957.png

Step 4 : in the Url delete "logout-complete" and add "login"

noekmc_4-1663273282243.png

noekmc_5-1663273340591.png


Do you know why this behavior occurs?


Regards!

 

 

 

avatar
New Contributor

You need to create an initial admin account , 

Go to your authorizers.xml file and add your ldap username "cn=xxx,ou=xx,dc=xxx,dc=xxx" in the Initial Admin Identity property, it will create admin user and you will log on to NiFi as admin and create policies for other users

avatar
Master Mentor

@noekmc 
I was not clear that when you accessed the NiFi Web address you were skipping the login window completely.  This means that your browser provided and alternative method of client/user authentication.

When you access the NiFi web address, NiFi will always negotiate a mutual TLS handshake. This is necessary because this is how NiFi nodes authenticate with one another.  If no other methods of client authentication have been configured, the mutual TLS handshake "Requires" a client certificate.  When other methods of authentication are configured  in NiFi, the mutual TLS handshake will "WANT" a client certificate.  If no client certificate is presented, then NiFi will move on to the next configured authentication method which would spnego.

Spnego based authentication is enabled when the following properties have been configured in the nifi.properties file:

MattWho_0-1663353868838.png

Make sure these two properties are clear to disable spnego auth challenge to your browser.

If Spnego auth challenge is not successful, NiFi moves on to next auth method such as a configured login provider like the ldap-provider you have setup.

The first step is figuring out which method (TLS client certificate or Spnego) is authenticating your user.
Typically a browser will prompt you when either if these methods are invoked the first time.  If you ack instead of cancel, the browser will remember that choice going forward.  For TLS client auth to work, your browser must have a client certificate loaded in to it that your NiFi's truststore file is capable of trusting.

For Spengo to work, Spnego must be configured in your browser.

Step one:
- Open an incognito browser tab (it will not have any retained cookies that would auto use a certificate or spnego) and provide the NiFi UI address.   Does it redirect you immediately to the login UI.  If so, you now know one of these other methods are being used.

- Clear the two Spnego properties if configured in the nifi.properties file. (if already blank, then we know a TLS certificate is what is being used.  

- Clear browser cache and cookies.  Access NiFi UI address, when prompted via browser for certifcate, cancel and you should get redirected to login window.  There is not configuration change that can be made in NiFi to stop a browser from doing this.   However, your decision to cancel and continue to URL without providing your certifcate should be cached by your browser so it does not ask you each time afterwards.

- Try a different browser.  While your certificate maybe loaded in one browser, it may not be loaded in another.  Same goes for Spnego, it may not be enabled in all browsers on your client.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt