Support Questions

Yes, user_admin exists in LDAP server but when I try to use it's password from the server to log on, NiFi rejects even though I know it's correct. 

Should I change this: sAMAccountName to just {0}?

Also, how do I use the contents of the user.xml and authorizations.xml that were generated by NiFi? What do those mean? Sorry for my very basic questions. I really appreciate your help

@LKB 
I am not clear what you mean by "NiFi rejects" it.  What is the exact exception you are seeing. NiFi does not reject anything, the ldap endpoint would be what would be responding to the query.

The "{0}" is replaced with the username string you enter in the "user" field presented by NiFi.   So let's assume you login with "user_admin".  Your configured LDAP endpoint would be queried for user with "sAMAccountName=user_admin" as an attribute.

I would get the ldap listing for your user_admin user from ldap server and verify that "sAMAccountName=user_admin" exists.   sAMAccountName is an attribute more commonly associated with Active Directory (AD), but can be added to LDAP as a useable attribute with some custom ldifs.

Two authentication happen here:
First is the Manager DN along with Manager password is used to facilitate a connection to your ldap.  Then the supplied username via login UI is used to lookup the specific user record for password verification.  

Additionally, since you are using LDAPS instead of LDAP, you are enabling a TLS encrypted connection to your LDAPS. So something else you'll want to verify is that the keystore and truststore you configured in your ldap-provider contains the necessary entries to facilitate that successful TLS connection.

Something other configs that strikes me as incorrect:
1. Your user DN is "uid=user_admin,OU=USERS,DC=abc,DC=com"; however, your configured user search base is "DC=abc,DC=net".  That means your user you are trying to authenticate would not be found under that search base.
2. Your LDAPS url is missing the port number "ldaps://test.com:<port>" (commonly 636 and 3269 are defaults for ldaps).   If your LDAP support unencrypted connections you could change your "Authentication Strategy" from "START_TLS" to "SIMPLE" and then set your LDAP URL to ldap://test.com:389 (389 is default unencrypted port).

Make sure you are checking your nifi-app.log and nifi-user.log for any exceptions that may be thrown as you try to login to help you troubleshoot further.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Thanks @MattWho 

The ldap listing without the port number was a typo in my text message here but not in the server

I just checked the nifi-user log (after failed log on attempts) as advised and this is the error I got. So apparently, even though Nifi starts, the user set up is not right. Can you suggest what my ldap parameters should be based on sample I provided above? Your help  will be appreciated

2023-09-15 15:57:58,201 ERROR [NiFi Web Server-25] o.a.n.w.a.c.AdministrationExceptionMapper org.apache.nifi.admin.service.AdministrationException: Unable to validate the supplied credentials. Please contact the system administrator.. Returning Internal Server Error response.
org.apache.nifi.admin.service.AdministrationException: Unable to validate the supplied credentials. Please contact the system administrator..