Support Questions

JorgeO · ‎01-25-2021

Good afternoon everyone

I am trying to configure 2 containers (Openldap and NIFI) but it is impossible to find what the error is because the nifi screen does not show any change.
I have read several incidences about this issue and I have taken those examples as a reference without getting the expected success, so I will need your help to see if I can make it work.
It's like all the configuration in the 3 files is not read and executed so that an unknown user can log in.

Thanks in advance for any ideas to help me solve this problem.

I leave you the data:

Apache nifi version 1.12.1
OpenLDAP version OpenLDAP 2.4.50

Open Ldap configuration

ou=nifi,dc=example,dc=local
* User usernifi
* Pass nifi

root@44266e786b13:/# ldapsearch -x -W ldap://localhost -D "uid=usernifi,ou=nifi,dc=example,dc=local"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ldap://localhost
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Nifi configuration files

Nifi properties

nifi.security.user.login.identity.provider=ldap-provider

authorizers.xml

<userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1"></property>
    </userGroupProvider>
    
   <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">cn=admin,dc=example,dc=local</property>
        <!-- <property name="Initial Admin Identity"></property> -->
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

login-identity-providers.xml

<provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">cn=admin,dc=example,dc=local</property>
        <property name="Manager Password">admin</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>
        
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://localhost:389</property>
        <property name="User Search Base">dc=example,dc=local</property>
        <property name="User Search Filter">(cn={0})</property>

        <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>

MattWho · ‎01-26-2021

@JorgeO

I am not clear on what "nifi screen does not show any change" means.

Some things to keep in mind:
1. NiFi must first be secured before NiFi will even support any form of user authentication or authorization.
http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security_properties
2. Authentication and authorization processes are handled independently. A user must first successfully authenticate and only then will the user identity be passed to the authorization process to verify authorized policies granted for that user.
3. The ldap-provider does not sync users from ldap, it is only used to validate user credentials supplied at a login prompt with ldap to authenticate that user. Are you seeing a login window with your NiFi? (will not see this if NiFi is not yet secured).
4. Once your user successfully authenticates then authorization comes in to play. Looking at your authorizers.xml, one issue stands out to me:
- You configured:

<property name="Initial Admin Identity">cn=admin,dc=example,dc=local</property>

This is set in the "file-access-policy-provider". This provider is used to seed the initial minimum required policy that an admin user would need in order to access the UI, add additional users to the authorizer through UI and associate those additional users to various NiFi authorization policies.
- If you are a multi-node NiFi cluster, the node certificate DNs for each of yoru secured nodes also need to be configured in the "file-access-policy-provider":

<property name="Node Identity 1">CN=node1, OU=nifi</property>
<property name="Node Identity 2">CN=node2, OU=nifi</property>
etc...

- Problem here is that I don't see where you create that initial admin user. NiFi can not seed policies for a user that does not exist yet as a known identity to NiFi. Multiple methods are available for adding users and groups to NiFi for policy assignment. Your setup shared is using the "file-user-group-provider" which uses locally defined user/client identities. However, you did not add your admin user DN to the file-user-group-provider so that NiFi adds it to the users.xml. It needs to exist before the "file-access-policy-provider" can associate policies to that user identity.

<property name="Initial User Identity 1">cn=admin,dc=example,dc=local</property>

- Additionally, if you have setup a NiFi multi-node cluster, the DNs from the certificate used to secure each of the nodes must also be added as "Initial User Identity 2,3,4..." properties in the file-user-group-provider also.

All authentication and authorization actions would be logged in the nifi-user.log. So check that to see what is happening if you are having access or authorization exceptions. If this log does not exist or is empty, odds are that your NiFi was not secured.
In addition to the security properties I provided the link to above, you also need to make sure you set the following additional properties in the nifi.properties:

nifi.web.https.host	The HTTPS host. It is blank by default.
nifi.web.https.port	The HTTPS port. It is blank by default. When configuring NiFi to run securely, this port should be configured.

The "nifi.web.https.port" is essentially the switch that enables secured NiFi when set.
The default is "nifi.web.http.port" which is a non-secured port.

Hope this helps,

Matt

View solution in original post

MattWho · ‎02-01-2021

@JorgeO

Looking at your nifi-user.log output we see the caused by line as:

Caused by: org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2

This means that your LDAP/AD returned two results instead of only one. NiFi then has not idea which of those returns is the correct one it should be using.

So this either an issue within your LDAP/AD or an issue within your current login-identity-providers.xml filters. But your last shared file looks fine to me.

I would suggest using the ldapsearch command to run a ldap query outside of NiFi to see what returns you get for your admin user (cn=<admin user>)

Hope this helps,

Matt

View solution in original post

MattWho · ‎01-26-2021

@JorgeO

I am not clear on what "nifi screen does not show any change" means.

Some things to keep in mind:
1. NiFi must first be secured before NiFi will even support any form of user authentication or authorization.
http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security_properties
2. Authentication and authorization processes are handled independently. A user must first successfully authenticate and only then will the user identity be passed to the authorization process to verify authorized policies granted for that user.
3. The ldap-provider does not sync users from ldap, it is only used to validate user credentials supplied at a login prompt with ldap to authenticate that user. Are you seeing a login window with your NiFi? (will not see this if NiFi is not yet secured).
4. Once your user successfully authenticates then authorization comes in to play. Looking at your authorizers.xml, one issue stands out to me:
- You configured:

<property name="Initial Admin Identity">cn=admin,dc=example,dc=local</property>

This is set in the "file-access-policy-provider". This provider is used to seed the initial minimum required policy that an admin user would need in order to access the UI, add additional users to the authorizer through UI and associate those additional users to various NiFi authorization policies.
- If you are a multi-node NiFi cluster, the node certificate DNs for each of yoru secured nodes also need to be configured in the "file-access-policy-provider":

<property name="Node Identity 1">CN=node1, OU=nifi</property>
<property name="Node Identity 2">CN=node2, OU=nifi</property>
etc...

- Problem here is that I don't see where you create that initial admin user. NiFi can not seed policies for a user that does not exist yet as a known identity to NiFi. Multiple methods are available for adding users and groups to NiFi for policy assignment. Your setup shared is using the "file-user-group-provider" which uses locally defined user/client identities. However, you did not add your admin user DN to the file-user-group-provider so that NiFi adds it to the users.xml. It needs to exist before the "file-access-policy-provider" can associate policies to that user identity.

<property name="Initial User Identity 1">cn=admin,dc=example,dc=local</property>

- Additionally, if you have setup a NiFi multi-node cluster, the DNs from the certificate used to secure each of the nodes must also be added as "Initial User Identity 2,3,4..." properties in the file-user-group-provider also.

All authentication and authorization actions would be logged in the nifi-user.log. So check that to see what is happening if you are having access or authorization exceptions. If this log does not exist or is empty, odds are that your NiFi was not secured.
In addition to the security properties I provided the link to above, you also need to make sure you set the following additional properties in the nifi.properties:

nifi.web.https.host	The HTTPS host. It is blank by default.
nifi.web.https.port	The HTTPS port. It is blank by default. When configuring NiFi to run securely, this port should be configured.

The "nifi.web.https.port" is essentially the switch that enables secured NiFi when set.
The default is "nifi.web.http.port" which is a non-secured port.

Hope this helps,

Matt

JorgeO · ‎01-28-2021

First of all thank you very much @MattWho for your reply, sorry I have not responded before but I was analyzing everything and doing the appropriate tests and it has worked. Clearly until there is no security in nifi will not connect to anything.
I followed the tutorial that marks the web and using the example that is in dockerhub nifi I created the container correctly.
Now there is a new challenge and I think it is between nifi and ldap with respect to user authentication because I do not pass the login screen.

admin user
password admin

and the answer of nifi " Unable to validate the supplied credentials. Please contact the system administrator." 😞

Could you tell me what the problem is, as I have made many configurations that I have read on different websites but none solves the problem.

Thanks in advance 🙂

I leave you the data as a guideline.

Docker-compose.yml

version: '3.3'
services:
    run:
        container_name: nifi
        volumes:
            - 'D:\Proyectos\prueba\code\DevOps-NIFI\certs\localhost:/opt/certs'
            - 'D:\Proyectos\prueba\code\DevOps-NIFI\conf:/opt/nifi/nifi-current/conf'
        ports:
            - '8443:8443'
        environment:
            - AUTH=ldap
            - KEYSTORE_PATH=/opt/certs/keystore.jks
            - KEYSTORE_TYPE=JKS
            - KEYSTORE_PASSWORD=PHOLoN27sv5Y+vGJMb8foz9fsMm6tYG+vUfQUX2Pejo
            - TRUSTSTORE_PATH=/opt/certs/truststore.jks
            - TRUSTSTORE_PASSWORD=XRIkyNPL3JrPmY9O6ZMbpgQCT2zbOEbvTpm6InXgInU
            - TRUSTSTORE_TYPE=JKS
            - 'INITIAL_ADMIN_IDENTITY=cn=admin,dc=example,dc=local'
            - LDAP_AUTHENTICATION_STRATEGY=SIMPLE
            - 'LDAP_MANAGER_DN=cn=admin,dc=example,dc=local'
            - LDAP_MANAGER_PASSWORD=admin
            - 'LDAP_USER_SEARCH_BASE=dc=example,dc=local'
            - 'LDAP_USER_SEARCH_FILTER=(cn={0})'
            - LDAP_IDENTITY_STRATEGY=USE_DN
            - 'LDAP_URL=ldap://192.168.0.23:389'
        image: apache/nifi:latest

authorizations.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad"/>
        </policy>
        <policy identifier="35abdefa-c3db-3275-add7-dd027b2af2df" resource="/data/process-groups/49766c26-0177-1000-96ee-e7e3cd1d2779" action="R">
            <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad"/>
        </policy>
        <policy identifier="3818fc5b-9df0-3d11-a291-bc8a018455f1" resource="/data/process-groups/49766c26-0177-1000-96ee-e7e3cd1d2779" action="W">
            <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad"/>
        </policy>
        <policy identifier="5cdc6d64-b287-3939-a413-1edea5b1c359" resource="/process-groups/49766c26-0177-1000-96ee-e7e3cd1d2779" action="R">
            <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad"/>
        </policy>
        <policy identifier="896bb72a-fd18-3272-89bd-52dd071a6cc6" resource="/process-groups/49766c26-0177-1000-96ee-e7e3cd1d2779" action="W">
            <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
            <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
            <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
            <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
            <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
            <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
            <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
            <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad"/>
        </policy>
    </policies>
</authorizations>

users.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="8e4a8efe-1a6a-3fde-b46e-3f8fa50065ad" identity="cn=admin,dc=example,dc=local"/>
    </users>
</tenants>

authorizers.xml

<userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity 1">cn=admin,dc=example,dc=local</property>
    </userGroupProvider>
    
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">cn=admin,dc=example,dc=local</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
    
        <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">cn=admin,dc=example,dc=local</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1"></property>
    </authorizer>

Logs

nifi-user.log

2021-01-28 16:25:53,940 ERROR [NiFi Web Server-22] o.a.n.w.a.c.AdministrationExceptionMapper org.apache.nifi.admin.service.AdministrationException: Unable to validate the supplied credentials. Please contact the system administrator.. Returning Internal Server Error response.
org.apache.nifi.admin.service.AdministrationException: Unable to validate the supplied credentials. Please contact the system administrator.
        at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:743)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)
        at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)
        at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
        at org.eclipse.jetty.servlet.ServletHolder$NotAsyncServlet.service(ServletHolder.java:1395)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:755)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617)
        at org.apache.nifi.web.filter.RequestLogger.doFilter(RequestLogger.java:66)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
        at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
        at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1596)
        at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472)
        at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325)
        at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
        at org.apache.nifi.web.security.headers.StrictTransportSecurityFilter.doFilter(StrictTransportSecurityFilter.java:48)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
        at org.apache.nifi.web.security.headers.XContentTypeOptionsFilter.doFilter(XContentTypeOptionsFilter.java:48)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
        at org.apache.nifi.web.security.headers.XSSProtectionFilter.doFilter(XSSProtectionFilter.java:48)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
        at org.apache.nifi.web.security.headers.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:47)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
        at org.apache.nifi.web.security.headers.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:48)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:590)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1607)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1297)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1577)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1212)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
        at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:767)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221)
        at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
        at org.eclipse.jetty.server.Server.handle(Server.java:500)
        at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
        at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543)
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398)
        at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
        at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.nifi.authentication.exception.IdentityAccessException: Unable to validate the supplied credentials. Please contact the system administrator.
        at org.apache.nifi.ldap.LdapProvider.authenticate(LdapProvider.java:309)
        at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean$1.authenticate(LoginIdentityProviderFactoryBean.java:315)
        at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:733)
        ... 93 common frames omitted
Caused by: org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2
        at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:365)
        at org.springframework.security.ldap.SpringSecurityLdapTemplate$3.executeWithContext(SpringSecurityLdapTemplate.java:318)
        at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:817)
        at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:803)
        at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:316)
        at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:127)
        at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:95)
        at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:187)
        at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
        at org.apache.nifi.ldap.LdapProvider.authenticate(LdapProvider.java:279)
        ... 95 common frames omitted

MattWho · ‎02-01-2021

@JorgeO

Looking at your nifi-user.log output we see the caused by line as:

Caused by: org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2

This means that your LDAP/AD returned two results instead of only one. NiFi then has not idea which of those returns is the correct one it should be using.

So this either an issue within your LDAP/AD or an issue within your current login-identity-providers.xml filters. But your last shared file looks fine to me.

I would suggest using the ldapsearch command to run a ldap query outside of NiFi to see what returns you get for your admin user (cn=<admin user>)

Hope this helps,

Matt

Cloudera Community

Support Questions

Nifi simple authentication NOT SSL with Openldap

Open Ldap configuration

Nifi configuration files

Nifi properties

authorizers.xml

login-identity-providers.xml