Member since: 08-01-2023
Posts: 12
Kudos Received: 1
Solutions: 1

My Accepted Solutions
Title | Views | Posted
---|---|---
 | 10343 | 08-23-2023 12:49 PM
01-31-2025
08:41 AM
@MattWho Is there anywhere I can find what types of filters I can use in the "User Search Filter" or the Group one? I am trying to whittle down the number of objects that are populated from LDAP into my Users. In my AD server, users are in 2 different OUs. So, for example, I'll have users in ou=Admin Accounts,ou=Domain Admins,dc=my,dc=network,dc=com but I'll also have users in ou=Regular Users,ou=Testers,dc=my,dc=network,dc=com. And the only way to really pull both is to have my base search set to dc=my,dc=network,dc=com. Doing this pulls computer accounts and all users, even users that would never need access (like service-type accounts). I can filter out the computer accounts by using this filter: (objectCategory=cn=Person,cn=Schema,cn=Configuration,dc=my,dc=network,dc=com). But I'd like to also filter out the accounts or OUs that aren't needed. Or, if possible, just use the 2 NiFi groups I have in AD (Nifi Admins/Nifi Users) without having to populate all of my AD users, if that makes sense.
Labels: Apache NiFi
01-31-2025
07:11 AM
@MattWho While I am still on the topic, is there anywhere I can find what types of filters I can use in the "User Search Filter" or the Group one? I am trying to whittle down the number of objects that are populated from LDAP into my Users. In my AD server, users are in 2 different OUs. So, for example, I'll have users in ou=Admin Accounts,ou=Domain Admins,dc=my,dc=network,dc=com but I'll also have users in ou=Regular Users,ou=Testers,dc=my,dc=network,dc=com. And the only way to really pull both is to have my base search set to dc=my,dc=network,dc=com. Doing this pulls computer accounts and all users, even users that would never need access (like service-type accounts). I can filter out the computer accounts by using this filter: (objectCategory=cn=Person,cn=Schema,cn=Configuration,dc=my,dc=network,dc=com). But I'd like to also filter out the accounts or OUs that aren't needed. Or, if possible, just use the 2 NiFi groups I have in AD (Nifi Admins/Nifi Users) without having to populate all of my AD users, if that makes sense.
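As an added example that is not part of the post above and not NiFi code: a small evaluator for the LDAP search-filter syntax the question is about (the RFC 4515 subset of `=`, `&`, `|`, `!` and the presence test `attr=*`), run against a constructed set of AD-like entries. It shows the post's own `objectCategory` filter beside a filter that additionally restricts the result to members of the two NiFi groups, so computer objects and service accounts drop out without narrowing the search base. The entries, the group DNs under `ou=Groups` and the `memberOf` values are assumptions built to mirror the directory layout described in the post.

```python
"""Toy LDAP filter evaluator (added example; entries and group DNs are constructed)."""
import re

BASE = "dc=my,dc=network,dc=com"
PERSON_CATEGORY = f"cn=Person,cn=Schema,cn=Configuration,{BASE}"
COMPUTER_CATEGORY = f"cn=Computer,cn=Schema,cn=Configuration,{BASE}"
ADMINS_GROUP = f"cn=Nifi Admins,ou=Groups,{BASE}"  # assumed DN of the AD group
USERS_GROUP = f"cn=Nifi Users,ou=Groups,{BASE}"    # assumed DN of the AD group

# Constructed sample directory: DN -> attributes (multi-valued, as in AD).
ENTRIES = {
    f"cn=alice,ou=Admin Accounts,ou=Domain Admins,{BASE}": {
        "objectCategory": [PERSON_CATEGORY], "sAMAccountName": ["alice"],
        "memberOf": [ADMINS_GROUP]},
    f"cn=bob,ou=Regular Users,ou=Testers,{BASE}": {
        "objectCategory": [PERSON_CATEGORY], "sAMAccountName": ["bob"],
        "memberOf": [USERS_GROUP]},
    f"cn=svc-backup,ou=Service Accounts,{BASE}": {
        "objectCategory": [PERSON_CATEGORY], "sAMAccountName": ["svc-backup"],
        "memberOf": []},
    f"cn=WS01,ou=Computers,{BASE}": {
        "objectCategory": [COMPUTER_CATEGORY], "sAMAccountName": ["WS01$"],
        "memberOf": []},
}

# The filter from the post: keeps every person object, including service accounts.
PERSON_ONLY = f"(objectCategory={PERSON_CATEGORY})"
# Same, but only people who are direct members of one of the two NiFi groups.
GROUP_SCOPED = (f"(&(objectCategory={PERSON_CATEGORY})"
                f"(|(memberOf={ADMINS_GROUP})(memberOf={USERS_GROUP})))")


def _unescape(value):
    # RFC 4515 writes special characters such as ')' or '*' inside values as \XX.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in "&|!":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), i + 1
    end = s.find(")", i)  # a literal ')' in a value must be escaped as \29
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not attr or sep != "=":
        raise ValueError(f"only attr=value items are supported: {s[i:end]!r}")
    return ("=", attr, _unescape(value)), end + 1


def parse_filter(text):
    text = text.strip()
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data after filter at offset {pos}")
    return tree


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(c, attrs) for c in node[1])
    if op == "|":
        return any(matches(c, attrs) for c in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    present = [v.lower() for k, vals in attrs.items() if k.lower() == attr.lower() for v in vals]
    if value == "*":
        return bool(present)
    return value.lower() in present


def search(filter_text, entries=ENTRIES):
    """Return the sorted DNs of entries matching the filter."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))


if __name__ == "__main__":
    print("person only  :", search(PERSON_ONLY))    # alice, bob, svc-backup
    print("group scoped :", search(GROUP_SCOPED))   # alice, bob
```

Two caveats before reusing the second filter against a real directory: `memberOf` only records direct membership, so users who belong through nested groups need AD's matching-rule-in-chain form (`memberOf:1.2.840.113556.1.4.1941:=<group DN>`), which this toy evaluator does not implement; and the evaluator compares every attribute case-insensitively and supports neither substring nor `>=`/`<=` items, which is enough for the filters above but not for arbitrary ones. As I understand NiFi's provider, the User Search Filter is combined with the User Object Class in an AND, so the `objectCategory` term is what removes computers and the `memberOf` terms are what remove everyone outside the two groups.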
01-30-2025
01:45 PM
1 Kudo
Thanks for the response! I went ahead and configured with option 2, and was able to get it working. Thank you very much!
01-28-2025
10:13 AM
Hello, I have set up NiFi 2.1.0 and am trying to figure out how to allow users in a NiFi Microsoft AD group to authenticate to the GUI. I have it set up so users can log in if I add their LDAP account. But I'd rather just have users in the group I created in AD be able to log in instead of having to go in and add new users to NiFi each time. Here are the configs I have set up for my authorizers.xml:

```xml
<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">ldapuser</property>
</userGroupProvider>
<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
    <property name="Manager DN">CN=NiFiUser,OU=Accounts,DC=my,DC=network,DC=com</property>
    <property name="Manager Password">PasswordHere</property>
    <property name="TLS - Keystore">./conf/keystore.p12</property>
    <property name="TLS - Keystore Password">KSPasswordHere</property>
    <property name="TLS - Keystore Type">PKCS12</property>
    <property name="TLS - Truststore">./conf/truststore.p12</property>
    <property name="TLS - Truststore Password">TSPasswordHere</property>
    <property name="TLS - Truststore Type">PKCS12</property>
    <property name="TLS - Client Auth">REQUIRED</property>
    <property name="TLS - Protocol">TLSv1.2</property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldaps://ldapserver.my.network.com:636</property>
    <property name="Page Size"></property>
    <property name="Sync Interval">30 mins</property>
    <property name="Group Membership - Enforce Case Sensitivity">false</property>
    <property name="User Search Base">DC=my,DC=network,DC=com</property>
    <property name="User Object Class">person</property>
    <property name="User Search Scope">SUBTREE</property>
    <property name="User Search Filter"></property>
    <property name="User Identity Attribute">sAMAccountName</property>
    <property name="User Group Name Attribute"></property>
    <property name="User Group Name Attribute - Referenced Group Attribute"></property>
    <property name="Group Search Base">OU=Groups,DC=my,DC=network,DC=com</property>
    <property name="Group Object Class">group</property>
    <property name="Group Search Scope">SUBTREE</property>
    <property name="Group Search Filter"></property>
    <property name="Group Name Attribute">sAMAccountName</property>
    <property name="Group Member Attribute">member</property>
    <property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">ldapuser</property>
    <property name="Node Identity 1"></property>
    <property name="Node Group"></property>
</accessPolicyProvider>
<authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
```

I've also tried it with setting the "Group Member Attribute" to 'cn' with the same result. Here is my login-identity-providers.xml as well:

```xml
<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
    <property name="Manager DN">CN=NiFiUser,OU=Accounts,DC=my,DC=network,DC=com</property>
    <property name="Manager Password">PasswordHere</property>
    <property name="TLS - Keystore">./conf/keystore.p12</property>
    <property name="TLS - Keystore Password">KSPasswordHere</property>
    <property name="TLS - Keystore Type">PKCS12</property>
    <property name="TLS - Truststore">./conf/truststore.p12</property>
    <property name="TLS - Truststore Password">TSPasswordHere</property>
    <property name="TLS - Truststore Type">PKCS12</property>
    <property name="TLS - Client Auth">REQUIRED</property>
    <property name="TLS - Protocol">TLSv1.2</property>
    <property name="TLS - Shutdown Gracefully"></property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldaps://ldapserver.my.network.com:636</property>
    <property name="User Search Base">DC=my,DC=network,DC=com</property>
    <property name="User Search Filter">sAMAccountName={0}</property>
    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>
```

After I configure these I am not really sure what else I would need to do, as the documentation doesn't provide much instruction on what to expect after configuring these. Are the AD groups supposed to be automatically added to NiFi? Or do I need to add the group to NiFi manually? I tried manually adding it just to see, but the account I was using to test still couldn't log in. Thanks in advance for helping!
Labels: Apache NiFi
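One thing worth checking in a configuration like the one posted above is which user group provider the access policy provider actually consults. NiFi's administration guide has policies assigned only to users and groups that the access policy provider can see through its configured "User Group Provider", either directly or through a composite provider, so an `LdapUserGroupProvider` that is defined but referenced by nothing contributes no AD groups. The following added check (my code, not NiFi's and not the answer given in the thread, which is not on this page) parses an authorizers.xml and reports LDAP providers that are unreachable from each access policy provider. The two XML samples are constructed: the first mirrors the post's wiring with secrets and most connection properties left out, the second puts a `CompositeConfigurableUserGroupProvider` in front of both providers.

```python
"""Added check: are LDAP user group providers reachable from the access policy provider?"""
import xml.etree.ElementTree as ET

LDAP_UGP_CLASS = "org.apache.nifi.ldap.tenants.LdapUserGroupProvider"
COMPOSITE_CLASSES = {
    "org.apache.nifi.authorization.CompositeUserGroupProvider",
    "org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider",
}

# Constructed sample mirroring the posted wiring: the access policy provider
# points only at the file provider, so the LDAP provider is never consulted.
AS_POSTED = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">ldapuser</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Url">ldaps://ldapserver.my.network.com:636</property>
    <property name="Group Search Base">OU=Groups,DC=my,DC=network,DC=com</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">ldapuser</property>
  </accessPolicyProvider>
</authorizers>
"""

# Same providers with a composite in front of both. The "Initial User Identity 1"
# line is dropped so that ldapuser is supplied by LDAP alone; the composite
# provider rejects one identity coming from two providers.
WITH_COMPOSITE = AS_POSTED.replace(
    '    <property name="Initial User Identity 1">ldapuser</property>\n', ""
).replace(
    "  <accessPolicyProvider>",
    "  <userGroupProvider>\n"
    "    <identifier>composite-configurable-user-group-provider</identifier>\n"
    "    <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>\n"
    '    <property name="Configurable User Group Provider">file-user-group-provider</property>\n'
    '    <property name="User Group Provider 1">ldap-user-group-provider</property>\n'
    "  </userGroupProvider>\n"
    "  <accessPolicyProvider>",
).replace(
    '<property name="User Group Provider">file-user-group-provider</property>',
    '<property name="User Group Provider">composite-configurable-user-group-provider</property>',
)


def _props(elem):
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}


def load_providers(xml_text):
    """Return ({ugp id: {class, props}}, {access policy provider id: props})."""
    root = ET.fromstring(xml_text)
    ugps = {e.findtext("identifier").strip(): {"class": e.findtext("class").strip(),
                                               "props": _props(e)}
            for e in root.findall("userGroupProvider")}
    apps = {e.findtext("identifier").strip(): _props(e)
            for e in root.findall("accessPolicyProvider")}
    return ugps, apps


def reachable_ugps(ugps, start):
    """Providers whose users/groups are visible from `start`, following composites."""
    seen, stack = set(), [start]
    while stack:
        ident = stack.pop()
        if ident in seen or ident not in ugps:
            continue
        seen.add(ident)
        entry = ugps[ident]
        if entry["class"] in COMPOSITE_CLASSES:
            for name, value in entry["props"].items():
                if value and (name == "Configurable User Group Provider"
                              or name.startswith("User Group Provider ")):
                    stack.append(value)
    return seen


def check_ldap_groups_visible(xml_text):
    """One finding per access policy provider that cannot see a defined LDAP provider."""
    ugps, apps = load_providers(xml_text)
    ldap_ids = {i for i, e in ugps.items() if e["class"] == LDAP_UGP_CLASS}
    findings = []
    for app_id, props in apps.items():
        start = props.get("User Group Provider", "")
        if start not in ugps:
            findings.append(f"{app_id}: 'User Group Provider' refers to unknown provider {start!r}")
            continue
        missing = sorted(ldap_ids - reachable_ugps(ugps, start))
        if missing:
            findings.append(f"{app_id}: LDAP provider(s) {', '.join(missing)} are defined but not "
                            f"reachable from {start!r}, so AD users and groups cannot be used in policies")
    return findings


if __name__ == "__main__":
    print(check_ldap_groups_visible(AS_POSTED))      # one finding
    print(check_ldap_groups_visible(WITH_COMPOSITE)) # []
```

Run it against the real `conf/authorizers.xml` by reading the file into `check_ldap_groups_visible`. The check only inspects wiring; it says nothing about whether the LDAP search itself returns the groups, which the `Sync Interval` logs and `users.xml`/`authorizations.xml` contents show separately.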
08-23-2023
12:49 PM
@MattWho I was able to get this resolved. It didn't require adding any other certificates other than my CA server certificate to the truststore for each server. They share the same CA, and so I used the same certificate in each truststore. First, I am not sure why, but NiFi did not like using port 636 for LDAPS, so I set it up to use 3269 instead and the SAN error went away. Everything I tried prior did not resolve the error; it would give me an error that it couldn't find a SAN with my.network.com:636, along with a partial LDAP result not being able to find my.network.com, which didn't make sense because all of the troubleshooting I did would come back good. I could even resolve SSL using my key entry from my truststore. Once I had it up and working after that, I had to figure out why the buckets weren't loading. So I combed through a bunch of posts and found one that you wrote to someone having a similar issue which mentions the node needs to exist in NiFi Registry. So, I added the node as "CN=node.hostname.com" (how I have it on the certificate) as a user account in NiFi Registry with the ability to read buckets and proxy user requests and, bam, buckets showed up. Seems like everything is working great now. I appreciate your help.
08-18-2023
01:53 PM
Sorry I haven't responded; I've been busy working on this and can still say I haven't gotten it working. Not sure what the problem is that I'm having. I even spun up a brand new Linux server and put NiFi and NiFi Registry on the same server. Can't even get NiFi to start with the certificates I've provided it. All I receive is:

```
==> nifi-bootstrap.log <==
2023-08-18 16:34:30,290 ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiConfiguration': BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: my.network.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching my.network.com found.]]
```

Not really sure it is as difficult to do this as I am making it out to be, but I can say it's frustrating. If there are any guides that show step-by-step how to set up SSL with LDAPS authentication (not using any user certificates or requiring browsers to import their certificates) I'd appreciate it. Everything I can find is either setting it up with Ranger, Ambari, or using standalone certificates.
08-09-2023
08:18 AM
@MattWho Thanks for that information, I think I have it partially figured out now. We only have 1 CA, so it is easier for me to sign certificates as needed while I work through this. So far this is what has been done:

- On each server (NiFi and NiFi Registry), using Keystore Explorer, I generated a keypair in the Keystore with the required extensions (ClientAuth, ServerAuth & SANs).
- Created a CSR and had it signed by the CA.
- Imported the CA reply back into the Keystore with the full chain.
- In the Truststore, I imported the root certificate.
- Each server has LDAPS authentication set up, with the same default admin account that is able to log in using its AD credentials.
- Added the NiFi server to authorizations.xml for Node 1 using the full DN from AD.

There is still something I am struggling with though:

> The only way the NiFi and NiFi-Registry will authenticate with each other is through a mutual TLS exchange. The NiFi certificate DN(s) will need to be authorized within your NiFi-Registry and so will your NiFi user. The NiFi host(s) will proxy requests to NiFi-Registry on behalf of the authenticated user in NiFi. Even though the NiFi is acting as a proxy, the user will still need to be properly authorized, as the results from the proxy request will be for only the buckets and flows for which the proxied user is authorized against.

How would I go about doing this? I've tried importing each server's certificate into the other's truststore, but I started receiving errors about the certificate path not being found, and the most recent error is certificate_unknown.
08-03-2023
07:15 AM
That would explain why I am seeing an error about an anonymous user now. Would this also be the reason that NiFi cannot see the buckets created in NiFi Registry? Our setup has NiFi and NiFi Registry on separate servers, with users authenticating through LDAPS (Active Directory) instead of using certificate authentication. The unfortunate part is that I was handed off this project with NiFi and Registry already installed and "configured", so I am not sure exactly how far they went into the secure setup, or if they actually did it at all, so I have been trying to find time to work through the secure configurations. When I change nifi.registry.security.needClientAuth= to true, I cannot even get the registry page to load; I see the error "Error code: SSL_ERROR_BAD_CERT_ALERT", and the logs don't show any errors that I can see. I think the problem I am struggling with is that I can't find any documentation on how I should be setting up NiFi and the Registry with an internal CA and using LDAP for user authentication. The documentation that I find seems to be geared towards generating user certificates to configure SSL and authentication with both products on the same server.
08-02-2023
08:22 AM
Hi, thanks for your response. I believe I may have figured out what the issue was. I added false to nifi.registry.security.needClientAuth= since we are not using client authentication for users or systems.