09-13-2022
12:50 PM
@emaxwell A few suggested additions to this excellent article:

1. The keystore password is not required to list the keystore via the keytool command. When prompted for a password, you can just hit "enter" without entering a password. The password would be needed if you want to export the actual privateCertEntry from the keystore, which is not necessary in this procedure.

2. The ldap-provider configured in the login-identity-providers.xml file has two options for how to identify the authenticated LDAP user:

<property name="Identity Strategy">USE_DN</property>

The above will use the full Distinguished Name (DN), as you mention in the article.

<property name="Identity Strategy">USE_USERNAME</property>

The above will use the string entered by the user at the login window as the user identity.

3. Identity mapping in the nifi.properties file has three properties:

nifi.security.identity.mapping.pattern.<unique string>=<Java regex>
nifi.security.identity.mapping.value.<unique string>=<Resulting string when java regex matches, Java Regex capture groups can be used here>
nifi.security.identity.mapping.transform.<unique string>=<NONE, LOWER, UPPER>

The <unique string> can be anything but must be the same exact string for all three properties. Also, patterns are checked in alphanumeric order against the identity strings. The first matching pattern has its value and transform applied. So you want to make sure the more complex patterns come first to avoid having the wrong pattern's value and transform applied. So a pattern like "^(.*)$" should definitely come last. The "transform" property allows you to apply an all-uppercase, all-lowercase, or no transform to the resulting value string.

Thanks,
Matt
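As an added illustration of point 3 above (this is example code written for this page, not NiFi's own implementation and not part of the original comment), the following Python reproduces the mapping lookup the reply describes: mapping keys are sorted alphanumerically, the first pattern that fully matches the identity wins, its value is expanded with the captured groups, and the transform is applied. The nifi.properties lines are constructed for the example; Python's re module stands in for Java regex, and Java-style $1 back-references are assumed to be the only substitution syntax used in the value. The SAMPLE_PROPERTIES set deliberately names the catch-all mapping so it sorts before the DN mapping, which is exactly the ordering mistake the comment warns about; FIXED_PROPERTIES renames the key so the catch-all sorts last.

```python
import re
from typing import List, Tuple

PREFIX = "nifi.security.identity.mapping."

# Constructed sample nifi.properties lines (not from the original thread).
# The key "catchall" sorts before "dn", so the catch-all pattern is tried
# first and the DN mapping never gets a chance to apply.
SAMPLE_PROPERTIES = """
nifi.security.identity.mapping.pattern.catchall=^(.*)$
nifi.security.identity.mapping.value.catchall=$1
nifi.security.identity.mapping.transform.catchall=NONE
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?)$
nifi.security.identity.mapping.value.dn=$1@$3
nifi.security.identity.mapping.transform.dn=LOWER
"""

# Same mappings with the catch-all key renamed so it sorts after "dn".
FIXED_PROPERTIES = SAMPLE_PROPERTIES.replace(".catchall=", ".zz_catchall=")


def parse_mappings(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, pattern, value, transform) tuples sorted by key.

    Sorting by key mirrors the alphanumeric ordering described in the reply.
    A key that has a pattern but no value is skipped (assumption for this
    example); a missing transform defaults to NONE.
    """
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)  # split on the first "=" only; regexes may contain "="
        props[k.strip()] = v.strip()

    pattern_prefix = PREFIX + "pattern."
    keys = {k[len(pattern_prefix):] for k in props if k.startswith(pattern_prefix)}

    mappings = []
    for key in sorted(keys):
        pattern = props.get(f"{PREFIX}pattern.{key}")
        value = props.get(f"{PREFIX}value.{key}")
        transform = props.get(f"{PREFIX}transform.{key}", "NONE").upper()
        if pattern is None or value is None:
            continue
        mappings.append((key, pattern, value, transform))
    return mappings


def map_identity(identity: str, mappings: List[Tuple[str, str, str, str]]) -> Tuple[str, str]:
    """Apply the first mapping whose pattern fully matches the identity.

    Returns (key of the mapping that fired, resulting identity); if nothing
    matches, the identity is returned unchanged with an empty key.
    """
    for key, pattern, value, transform in mappings:
        m = re.fullmatch(pattern, identity)
        if m is None:
            continue
        # Rewrite Java-style $1 back-references to Python's \1 before expanding.
        py_value = re.sub(r"\$(\d+)", r"\\\1", value)
        result = m.expand(py_value)
        if transform == "LOWER":
            result = result.lower()
        elif transform == "UPPER":
            result = result.upper()
        return key, result
    return "", identity


if __name__ == "__main__":
    dn = "CN=Alice Smith, OU=Users, O=Example"
    print(map_identity(dn, parse_mappings(SAMPLE_PROPERTIES)))  # catch-all fires first
    print(map_identity(dn, parse_mappings(FIXED_PROPERTIES)))   # DN mapping fires
```

With SAMPLE_PROPERTIES the DN comes back untouched because "catchall" sorts before "dn"; with FIXED_PROPERTIES the DN is reduced to "alice smith@example", and a plain username still falls through to the catch-all. The check worth keeping in mind when reviewing a nifi.properties file is therefore the sort order of the <unique string> keys, not the order the lines appear in the file.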