Questions on configuring LDAP Authentication in NiFi

Explorer


Hello All,

I am new to NiFi. I have set up NiFi with LDAP authentication and NiFi starts with no issues but I don't know how to log into NiFi as "Initial Admin Identity" user "user_admin" as shown in my setup below. What should I use as the login credentials as NiFi presently rejects user_admin/<password>?

nifi.properties

nifi.security.user.authorizer=file-provider
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=ldap-provider


login-identity-providers.xml

    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">START_TLS</property>

        <property name="Manager DN">uid=test_admin,OU=users,DC=abc,DC=com</property>
        <property name="Manager Password">*******</property>

        <property name="TLS - Keystore">./conf/keystore.p12</property>
        <property name="TLS - Keystore Password">*****</property>
        <property name="TLS - Keystore Type">PKCS12</property>
        <property name="TLS - Truststore">./conf/truststore.p12</property>
        <property name="TLS - Truststore Password">******</property>
        <property name="TLS - Truststore Type">PKCS12</property>
        <property name="TLS - Client Auth">REQUIRED</property>
        <property name="TLS - Protocol">TLS</property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldaps://test.com</property>
        <property name="User Search Base">DC=abc,DC=net</property>
        <property name="User Search Filter">sAMAccountName={0}</property>
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>

-----------------------
authorizers.xml

    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">uid=user_admin,OU=USERS,DC=abc,DC=com</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1"></property>
    </authorizer>

5 REPLIES

Super Mentor

@LKB 

Does the user "uid=user_admin,OU=USERS,DC=abc,DC=com" exist in your LDAP server?

Also, I have never seen an LDAP user entry that used a full Distinguished Name (DN) in the sAMAccountName attribute. sAMAccountName is typically a short name for the user.

NiFi does not install an LDAP/AD server or create/add users and groups in an existing LDAP/AD. NiFi can be configured to authenticate users that already exist in some external, existing LDAP/AD server.

So the login username and password would be whatever was set up in your externally installed and managed LDAP server.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Explorer

Yes, user_admin exists in the LDAP server, but when I try to use its password from the server to log on, NiFi rejects it even though I know it is correct.

Should I change this: sAMAccountName to just {0}?

Also, how do I use the contents of the user.xml and authorizations.xml that were generated by NiFi? What do those mean? Sorry for my very basic questions. I really appreciate your help

Super Mentor

@LKB 
I am not clear what you mean by "NiFi rejects" it. What is the exact exception you are seeing? NiFi does not reject anything; the LDAP endpoint would be what responds to the query.

The "{0}" is replaced with the username string you enter in the "user" field presented by NiFi. So let's assume you log in with "user_admin". Your configured LDAP endpoint would be queried for a user with "sAMAccountName=user_admin" as an attribute.

I would get the LDAP listing for your user_admin user from the LDAP server and verify that "sAMAccountName=user_admin" exists. sAMAccountName is an attribute more commonly associated with Active Directory (AD), but it can be added to LDAP as a usable attribute with some custom LDIFs.

Two authentications happen here:
First, the Manager DN along with the Manager Password is used to establish a connection to your LDAP. Then the username supplied via the login UI is used to look up the specific user record for password verification.

Additionally, since you are using LDAPS instead of LDAP, you are enabling a TLS-encrypted connection to your LDAP server. So something else you'll want to verify is that the keystore and truststore you configured in your ldap-provider contain the necessary entries to facilitate that successful TLS connection.

Some other configs that strike me as incorrect:
1. Your user DN is "uid=user_admin,OU=USERS,DC=abc,DC=com"; however, your configured user search base is "DC=abc,DC=net". That means the user you are trying to authenticate would not be found under that search base.
2. Your LDAPS URL is missing the port number "ldaps://test.com:<port>" (commonly 636 and 3269 are the defaults for LDAPS). If your LDAP supports unencrypted connections, you could change your "Authentication Strategy" from "START_TLS" to "SIMPLE" and then set your LDAP URL to ldap://test.com:389 (389 is the default unencrypted port).

Make sure you are checking your nifi-app.log and nifi-user.log for any exceptions that may be thrown as you try to login to help you troubleshoot further.

Thank you,
Matt
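
The two-step login Matt describes (manager bind, user search with {0} substituted, then a bind as the found user), modelled as an added example that is not NiFi's code and not from anyone in this thread. It runs against a small constructed in-memory directory laid out like the DNs in the question, so it works offline; every DN, password and directory entry here is an assumption. It goes one step beyond the reply by also applying RFC 4515 escaping to the value spliced into {0}, which any real filter builder needs so that a typed login name containing filter metacharacters cannot change the query. NiFi itself delegates all of this to its LdapProvider and a live server.

```python
# Added example, not NiFi code: a model of the two-step LDAP login
# (manager bind, then user search with {0} substituted, then user bind)
# against a constructed in-memory directory. All DNs and passwords here
# are assumptions chosen to match the thread.

# Constructed directory: DN -> attributes. Both entries sit under
# DC=abc,DC=com, like the DNs in the question.
DIRECTORY = {
    "uid=test_admin,OU=users,DC=abc,DC=com": {
        "sAMAccountName": "test_admin", "userPassword": "manager-secret"},
    "uid=user_admin,OU=USERS,DC=abc,DC=com": {
        "sAMAccountName": "user_admin", "userPassword": "admin-secret"},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter, so a
    login name such as 'x)(uid=*' cannot change the filter's meaning."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """NiFi's 'User Search Filter' with {0} replaced by the typed username."""
    return template.replace("{0}", escape_filter_value(username))


def normalize_dn(dn: str) -> list:
    """Lower-cased, whitespace-stripped RDNs so OU=users and OU=USERS compare equal."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_under_base(dn: str, base: str) -> bool:
    """True when dn is at or below base (the base's RDNs are a suffix of dn's)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def bind(dn: str, password: str) -> bool:
    """Simple bind against the toy directory."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def search(base: str, search_filter: str) -> list:
    """Toy search: supports only the single 'attr=value' filter from the thread."""
    attr, _, wanted = search_filter.strip("()").partition("=")
    return [dn for dn, attrs in DIRECTORY.items()
            if dn_under_base(dn, base) and attrs.get(attr) == wanted]


def ldap_login(cfg: dict, username: str, password: str) -> str:
    """Return the DN that authenticated, or raise with the specific reason
    (the NiFi UI only shows 'Unable to validate the supplied credentials')."""
    if not bind(cfg["Manager DN"], cfg["Manager Password"]):
        raise PermissionError("manager bind failed: check Manager DN/Password")
    flt = build_user_filter(cfg["User Search Filter"], username)
    hits = search(cfg["User Search Base"], flt)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries match {flt} under "
                          f"{cfg['User Search Base']}")
    if not bind(hits[0], password):
        raise PermissionError(f"user bind failed for {hits[0]}")
    return hits[0]


# Provider settings from the question; only the search base differs below.
CONFIG = {
    "Manager DN": "uid=test_admin,OU=users,DC=abc,DC=com",
    "Manager Password": "manager-secret",   # assumed value
    "User Search Filter": "sAMAccountName={0}",
    "User Search Base": "DC=abc,DC=net",    # as posted: wrong suffix
}
FIXED_CONFIG = dict(CONFIG, **{"User Search Base": "DC=abc,DC=com"})

if __name__ == "__main__":
    for cfg in (CONFIG, FIXED_CONFIG):
        try:
            print("OK:", ldap_login(cfg, "user_admin", "admin-secret"))
        except (PermissionError, LookupError) as exc:
            print("FAILED:", exc)
```

Run as a script it fails with "0 entries match ... under DC=abc,DC=net" for the posted search base and succeeds once the base is DC=abc,DC=com, which is the mismatch Matt points out in item 1. The same function also separates a bad Manager Password from a bad user password, which is what nifi-app.log, not the generic UI message, will tell you on a real server.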

Explorer

Thanks @MattWho 

The LDAP listing without the port number was a typo in my text message here but not on the server.

I just checked the nifi-user log (after failed log-on attempts) as advised, and this is the error I got. So apparently, even though NiFi starts, the user setup is not right. Can you suggest what my LDAP parameters should be based on the sample I provided above? Your help will be appreciated.

2023-09-15 15:57:58,201 ERROR [NiFi Web Server-25] o.a.n.w.a.c.AdministrationExceptionMapper org.apache.nifi.admin.service.AdministrationException: Unable to validate the supplied credentials. Please contact the system administrator.. Returning Internal Server Error response.
org.apache.nifi.admin.service.AdministrationException: Unable to validate the supplied credentials. Please contact the system administrator..


Super Mentor

@LKB 
I'd expect a full stack trace in the nifi-app.log following that ERROR.

The ldap-provider is configured inside the login-identity-providers.xml file.  Does your LDAP Manager password happen to contain any XML special characters?  If so, you should escape them.
https://xml.silmaril.ie/specials.html

Have you tried using ldapsearch to manually make a connection to your LDAPS from the server where you have NiFi installed, using the same Manager DN, Manager Password, keystore and truststore? Was it successful?

Thank you,
Matt
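
Matt's point about XML special characters in the Manager Password, shown as an added example that is not NiFi's code and not from anyone in this thread. It writes a minimal login-identity-providers.xml fragment with and without escaping and reads the password back the way any XML parser (and therefore NiFi) would, so the effect of a raw "&" or "<" in the password is visible. The file skeleton, the DN and the sample passwords are assumptions.

```python
# Added example, not NiFi code: why an unescaped Manager Password with
# XML special characters breaks login-identity-providers.xml, and the
# escaped form that parses back to the real password. The skeleton, DN
# and passwords below are assumptions.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

DN = "uid=test_admin,OU=users,DC=abc,DC=com"

# Minimal skeleton of the provider element from the question.
TEMPLATE = """<loginIdentityProviders>
  <provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Manager DN">{dn}</property>
    <property name="Manager Password">{pw}</property>
  </provider>
</loginIdentityProviders>
"""


def render(dn: str, pw: str, escape_values: bool = True) -> str:
    """Write the fragment; escape() turns & < > into &amp; &lt; &gt;."""
    fix = escape if escape_values else (lambda s: s)
    return TEMPLATE.format(dn=fix(dn), pw=fix(pw))


def read_manager_password(xml_text: str):
    """Parse like any XML consumer and return the password that would be
    sent in the manager bind, or None if the file is not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    for prop in root.iter("property"):
        if prop.get("name") == "Manager Password":
            return prop.text or ""
    return None


def check_roundtrip(pw: str):
    """(unescaped file round-trips?, escaped file round-trips?)"""
    raw = read_manager_password(render(DN, pw, escape_values=False))
    esc = read_manager_password(render(DN, pw))
    return raw == pw, esc == pw


if __name__ == "__main__":
    for pw in ("plain-secret", "p&ss<w>ord"):
        print(repr(pw), "->", check_roundtrip(pw))
```

For "plain-secret" both forms round-trip; for "p&ss<w>ord" the unescaped file is not well-formed at all, while the escaped file parses back to the exact password. The manual check Matt suggests can be done with OpenLDAP's ldapsearch (host, port and file names here are assumptions): LDAPTLS_CACERT=ca.pem ldapsearch -H ldaps://test.com:636 -D "uid=test_admin,OU=users,DC=abc,DC=com" -W -b "DC=abc,DC=com" "(sAMAccountName=user_admin)", with the CA exported from truststore.p12 to PEM, and LDAPTLS_CERT/LDAPTLS_KEY pointed at the client certificate and key from keystore.p12 if the server requires client authentication. If that bind and search succeed with the same values, the remaining difference is what NiFi read from the XML.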