12-09-2024
12:36 PM
1 Kudo
Thanks again @MattWho. I tried to incorporate the same, and the error still exists. Additionally, I don't see much in the Debug logs, even after I have enabled it to get more info on that. What kind of information could I provide you in regards to the LDAP search, and I can try to gather this information? Thanks
12-09-2024
12:04 AM
Hello @MattWho, Yes, I have set my page size as 500. Please find my ldap-user-group-provider config below:
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">LDAPS</property>
<property name="Manager DN">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Manager Password">xxxx</property>
<property name="TLS - Keystore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.default.svc.cluster.local/keystore.jks</property>
<property name="TLS - Keystore Password">xxxx</property>
<property name="TLS - Keystore Type">jks</property>
<property name="TLS - Truststore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.default.svc.cluster.local/truststore.jks</property>
<property name="TLS - Truststore Password">xxxx</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">NONE</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully">false</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://someldap.corp1.ad1.xyz.net:636</property>
<property name="Page Size">500</property>
<property name="Sync Interval">30 mins</property>
<property name="User Search Base"></property>
<property name="User Object Class">person</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter">(objectClass=*)</property>
<property name="User Identity Attribute">sAMAccountName</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter">(|(member=*)(uniqueMember=*))</property>
<property name="Group Name Attribute">sAMAccountName</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>
Leading me to the error
Caused by: org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; remaining name 'CN=xxxx,OU=LocalWorkstationAdministrators,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net'
app-log at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:212)
app-log at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:824)
app-log at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:807)
app-log at org.springframework.ldap.core.LdapTemplate.lookup(LdapTemplate.java:848)
app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider$3.doMapFromContext(LdapUserGroupProvider.java:620)
app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider$3.doMapFromContext(LdapUserGroupProvider.java:570)
app-log at org.springframework.ldap.core.support.AbstractContextMapper.mapFromContext(AbstractContextMapper.java:43)
app-log at org.springframework.ldap.core.ContextMapperCallbackHandler.getObjectFromNameClassPair(ContextMapperCallbackHandler.java:69)
app-log at org.springframework.ldap.core.CollectingNameClassPairCallbackHandler.handleNameClassPair(CollectingNameClassPairCallbackHandler.java:50)
app-log at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:371)
app-log at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:332)
app-log at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:633)
app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider.load(LdapUserGroupProvider.java:570)
app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider.onConfigured(LdapUserGroupProvider.java:386)
app-log at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
app-log at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
app-log at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
app-log at java.base/java.lang.reflect.Method.invoke(Unknown Source)
app-log at org.apache.nifi.authorization.UserGroupProviderInvocationHandler.invoke(UserGroupProviderInvocationHandler.java:38)
app-log at com.sun.proxy.$Proxy81.onConfigured(Unknown Source)
app-log at org.apache.nifi.authorization.AuthorizerFactoryBean.loadProviderProperties(AuthorizerFactoryBean.java:199)
app-log at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:168)
app-log at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:72)
app-log at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:169)
app-log ... 107 common frames omitted
Is there something else that I am missing here?
12-06-2024
02:39 AM
1 Kudo
Hello @MattWho, Thank you for your response. I have made the changes as you suggested, however I see the below Debug message each time:
2024-12-06 10:07:02,187 DEBUG [main] o.a.n.ldap.tenants.LdapUserGroupProvider Group member attribute [member] does not exist for [AG-RANDOMADMIN]. This may be due to misconfiguration or the group may not have any members. Ignoring group membership.
I do see that this group does not have any members at all. Is there a way I can filter out or ignore the groups that do not have any members at all? The only other change I did was to change
<property name="Group Search Filter">(|(cn=AG*)(cn=UG*))</property>
to
<property name="Group Search Filter">(|(member=*)(uniqueMember=*))</property>
to do this filtering out, but NiFi service keeps dying after throwing some of these exceptions:
app-log 2024-12-06 10:28:47,557 INFO [main] o.a.nifi.properties.NiFiPropertiesLoader Loading Application Properties [/opt/nifi/nifi-current/./conf/nifi.properties]
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:214)
app-log at org.springframework.aop.framework.autoproxy.BeanFactoryAdvisorRetrievalHelper.findAdvisorBeans(BeanFactoryAdvisorRetrievalHelper.java:91)
app-log at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findCandidateAdvisors(AbstractAdvisorAutoProxyCreator.java:111)
app-log at org.springframework.aop.aspectj.annotation.AnnotationAwareAspectJAutoProxyCreator.findCandidateAdvisors(AnnotationAwareAspectJAutoProxyCreator.java:92)
app-log at org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator.shouldSkip(AspectJAwareAdvisorAutoProxyCreator.java:101)
app-log at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessBeforeInstantiation(AbstractAutoProxyCreator.java:255)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInstantiation(AbstractAutowireCapableBeanFactory.java:1160)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.resolveBeforeInstantiation(AbstractAutowireCapableBeanFactory.java:1135)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:531)
app-log ... 48 common frames omitted
app-log Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; remaining name 'CN=XYZ1234,OU=DummyAdministrators,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net'
app-log at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:794)
app-log at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:220)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1372)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1222)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:336)
app-log at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:334)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:209)
app-log at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:401)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1352)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1195)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getSingletonFactoryBeanForTypeCheck(AbstractAutowireCapableBeanFactory.java:1027)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryBean(AbstractAutowireCapableBeanFactory.java:907)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.isTypeMatch(AbstractBeanFactory.java:638)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.doGetBeanNamesForType(DefaultListableBeanFactory.java:583)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:550)
app-log at org.springframework.beans.factory.BeanFactoryUtils.beanNamesForTypeIncludingAncestors(BeanFactoryUtils.java:265)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:1557)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1354)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1311)
app-log at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:904)
app-log at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:781)
app-log ... 74 common frames omitted
app-log Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; remaining name 'CN=XYZ1234,OU=DummyAdministrators,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net'
app-log at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:176)
app-log at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:101)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1899)
app-log at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getObjectForBeanInstance(AbstractAutowireCapableBeanFactory.java:1284)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:346)
app-log at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:209)
app-log at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:276)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1391)
app-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1311)
app-log at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:904)
app-log at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:781)
app-log ... 97 common frames omitted
app-log Caused by: org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]; remaining name 'CN=XYZ1234,OU=DummyAdministrators,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net'
app-log at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:212)
app-log at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:824)
app-log at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:807)
app-log at org.springframework.ldap.core.LdapTemplate.lookup(LdapTemplate.java:848)
app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider$3.doMapFromContext(LdapUserGroupProvider.java:620)
app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider$3.doMapFromContext(LdapUserGroupProvider.java:570)
app-log at org.springframework.ldap.core.support.AbstractContextMapper.mapFromContext(AbstractContextMapper.java:43)
app-log at org.springframework.ldap.core.ContextMapperCallbackHandler.getObjectFromNameClassPair(ContextMapperCallbackHandler.java:69)
app-log at org.springframework.ldap.core.CollectingNameClassPairCallbackHandler.handleNameClassPair(CollectingNameClassPairCallbackHandler.java:50)
app-log at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:371)
app-log at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:332)
app-log at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:633)
app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider.load(LdapUserGroupProvider.java:570)
app-log at org.apache.nifi.ldap.tenants.LdapUserGroupProvider.onConfigured(LdapUserGroupProvider.java:386)
app-log at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
app-log at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
app-log at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
app-log at java.base/java.lang.reflect.Method.invoke(Unknown Source)
app-log at org.apache.nifi.authorization.UserGroupProviderInvocationHandler.invoke(UserGroupProviderInvocationHandler.java:38)
app-log at com.sun.proxy.$Proxy81.onConfigured(Unknown Source)
app-log at org.apache.nifi.authorization.AuthorizerFactoryBean.loadProviderProperties(AuthorizerFactoryBean.java:199)
app-log at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:168)
app-log at org.apache.nifi.authorization.AuthorizerFactoryBean.getObject(AuthorizerFactoryBean.java:72)
app-log at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:169)
app-log ... 107 common frames omitted
app-log Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
app-log ]
app-log at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
app-log at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
app-log at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
app-log at java.naming/com.sun.jndi.ldap.LdapCtx.c_lookup(Unknown Source)
app-log at java.naming/com.sun.jndi.toolkit.ctx.ComponentContext.p_lookup(Unknown Source)
app-log at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeContext.lookup(Unknown Source)
app-log at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeContext.lookup(Unknown Source)
app-log at java.naming/javax.naming.InitialContext.lookup(Unknown Source)
app-log at java.base/jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
app-log at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
app-log at java.base/java.lang.reflect.Method.invoke(Unknown Source)
app-log at org.springframework.ldap.core.support.SingleContextSource$NonClosingDirContextInvocationHandler.invoke(SingleContextSource.java:197)
app-log at com.sun.proxy.$Proxy84.lookup(Unknown Source)
app-log at org.springframework.ldap.core.LdapTemplate$10.executeWithContext(LdapTemplate.java:850)
app-log at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:821)
app-log ... 129 common frames omitted
app-log 2024-12-06 10:29:48,297 INFO [Thread-0] org.apache.nifi.NiFi Application Server shutdown started
bootstrap-log 2024-12-06 10:29:48,296 ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiConfiguration': BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
bootstrap-log 2024-12-06 10:29:48,296 ERROR [NiFi logging handler] org.apache.nifi.StdErr ]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-03140454, problem 5010 (UNAVAIL_EXTENSION), data 0
bootstrap-log 2024-12-06 10:29:48,296 ERROR [NiFi logging handler] org.apache.nifi.StdErr ]; remaining name 'CN=XYZ1234,OU=DummyAdministrators,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net'
bootstrap-log 2024-12-06 10:29:48,296 ERROR [NiFi logging handler] org.apache.nifi.StdErr Shutting down...
user-log 2024-12-06 10:29:48,077 ERROR [main] o.a.n.a.AuthorizerFactoryBean User Group Provider [composite-configurable-user-group-provider] destruction failed
user-log java.lang.NullPointerException: null
user-log at org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider.preDestruction(CompositeConfigurableUserGroupProvider.java:244)
user-log at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
user-log at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
user-log at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
user-log at java.base/java.lang.reflect.Method.invoke(Unknown Source)
user-log at org.apache.nifi.authorization.UserGroupProviderInvocationHandler.invoke(UserGroupProviderInvocationHandler.java:38)
user-log at com.sun.proxy.$Proxy80.preDestruction(Unknown Source)
user-log at org.apache.nifi.authorization.AuthorizerFactoryBean.lambda$destroy$2(AuthorizerFactoryBean.java:566)
user-log at java.base/java.util.HashMap.forEach(Unknown Source)
user-log at org.apache.nifi.authorization.AuthorizerFactoryBean.destroy(AuthorizerFactoryBean.java:564)
user-log at org.springframework.beans.factory.support.DisposableBeanAdapter.destroy(DisposableBeanAdapter.java:213)
user-log at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroyBean(DefaultSingletonBeanRegistry.java:587)
user-log at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroySingleton(DefaultSingletonBeanRegistry.java:559)
user-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.destroySingleton(DefaultListableBeanFactory.java:1163)
user-log at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroySingletons(DefaultSingletonBeanRegistry.java:520)
user-log at org.springframework.beans.factory.support.DefaultListableBeanFactory.destroySingletons(DefaultListableBeanFactory.java:1156)
user-log at org.springframework.context.support.AbstractApplicationContext.destroyBeans(AbstractApplicationContext.java:1123)
user-log at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:604)
user-log at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:399)
user-log at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:278)
user-log at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:103)
user-log at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:1073)
user-log at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:572)
user-log at org.eclipse.jetty.server.handler.ContextHandler.contextInitialized(ContextHandler.java:1002)
user-log at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:765)
user-log at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:379)
user-log at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1449)
user-log at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1414)
user-log at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:916)
user-log at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:288)
user-log at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524)
user-log at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
user-log at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
user-log at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
user-log at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
user-log at org.eclipse.jetty.server.handler.gzip.GzipHandler.doStart(GzipHandler.java:426)
user-log at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
user-log at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
user-log at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
user-log at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
user-log at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
user-log at org.eclipse.jetty.server.Server.start(Server.java:423)
user-log at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
user-log at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
user-log at org.eclipse.jetty.server.Server.doStart(Server.java:387)
user-log at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
user-log at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:818)
user-log at org.apache.nifi.NiFi.<init>(NiFi.java:172)
user-log at org.apache.nifi.NiFi.<init>(NiFi.java:83)
user-log at org.apache.nifi.NiFi.main(NiFi.java:332)
bootstrap-log 2024-12-06 10:29:49,275 INFO [main] org.apache.nifi.bootstrap.RunNiFi NiFi never started. Will not restart NiFi
12-04-2024
12:38 PM
1 Kudo
Hi @MattWho, Thank you for your reply. Here is the ldap-user-group-provider from my authorizers.xml
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">LDAPS</property>
<property name="Manager DN">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Manager Password">xxxx</property>
<property name="TLS - Keystore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.default.svc.cluster.local/keystore.jks</property>
<property name="TLS - Keystore Password">xxxx</property>
<property name="TLS - Keystore Type">jks</property>
<property name="TLS - Truststore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.default.svc.cluster.local/truststore.jks</property>
<property name="TLS - Truststore Password">xxx</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">NONE</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully">false</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://someldap.corp1.ad1.xyz.net:636</property>
<property name="Page Size"></property>
<property name="Sync Interval">2 mins</property>
<property name="User Search Base">OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter">(memberOf=CN=AG-X-SAMPLE-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net)</property>
<property name="User Identity Attribute">cn</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter">(|(cn=AG*)(cn=UG*))</property>
<property name="Group Name Attribute"></property>
<property name="Group Member Attribute"></property>
<property name="Group Member Attribute - Referenced User Attribute">distinguishedName</property>
</userGroupProvider>
and here is the sample from my ldapsearch:
21:27 $ ldapsearch -x -H ldaps://someldap.corp1.ad1.xyz.net:636 -D "CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net" -w "xxxxx" -b "OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net" "(memberOf=CN=AG-X-SAMPLE-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net)"
# extended LDIF
#
# LDAPv3
# base <OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net> with scope subtree
# filter: (memberOf=CN=AG-X-SAMPLE-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net)
# requesting: ALL
#
# W0YZ1, Solid Users, User Accounts, corp1.ad1.xyz.net
dn: CN=W0YZ1,OU=Solid Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: W0YZ1
sn: Jones
c: XY
l: Earth
title: Developer, Platform
givenName: Jack
distinguishedName: CN=W0YZ1,OU=Solid Users,OU=User Accounts,DC=corp1,DC=ad1,D
C=xyz,DC=net
instanceType: 4
displayName: Jones, Jack
uSNCreated: 123456
memberOf: CN=YG-COI-EMPL-PRD,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net
memberOf: CN=AG-X-123456-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net
memberOf: CN=AG-X-789101-ADMIN,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net
memberOf: CN=AG-X-111213-AGENT,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net
memberOf: CN=AG-X-131516-AGENT,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net
memberOf: CN=AG-X-171819-AGENT,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net
sAMAccountName: W0YZ1
mail: Jack.Jones@xyz.se
Please let me know in case you need additional information from me. Thanks in advance for all your help!
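As an added example (not part of the original posts and not NiFi's own code), the following checker reads a `userGroupProvider` block like the one posted above and reports which membership settings are blank or inconsistent, based on the property descriptions in the NiFi Administration Guide. The finding codes, the function names and the placeholder truststore path are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed input: the membership-related properties from the provider block
# posted above. The truststore path is a placeholder; other properties are omitted.
POSTED = """\
<userGroupProvider>
  <identifier>ldap-user-group-provider</identifier>
  <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
  <property name="Authentication Strategy">LDAPS</property>
  <property name="TLS - Truststore">/path/to/truststore.jks</property>
  <property name="User Search Base">OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
  <property name="User Group Name Attribute"></property>
  <property name="User Group Name Attribute - Referenced Group Attribute"></property>
  <property name="Group Search Base">OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
  <property name="Group Member Attribute"></property>
  <property name="Group Member Attribute - Referenced User Attribute">distinguishedName</property>
</userGroupProvider>
"""

# Constructed variants used to show how the findings change.
WITH_MEMBER = POSTED.replace(
    '"Group Member Attribute"></property>',
    '"Group Member Attribute">member</property>')
WITH_SIMPLE = WITH_MEMBER.replace(">LDAPS<", ">SIMPLE<")

# (membership attribute, its companion "referenced" attribute)
PAIRS = [
    ("User Group Name Attribute",
     "User Group Name Attribute - Referenced Group Attribute"),
    ("Group Member Attribute",
     "Group Member Attribute - Referenced User Attribute"),
]


def read_properties(xml_text):
    """Return {property name: stripped value} for one <userGroupProvider>."""
    root = ET.fromstring(xml_text)
    if root.tag != "userGroupProvider":
        raise ValueError("expected a <userGroupProvider> element")
    return {p.get("name"): (p.text or "").strip() for p in root.iter("property")}


def check_provider(xml_text):
    """Return a list of (code, message) findings for the provider block."""
    props = read_properties(xml_text)

    def value(name):
        return props.get(name, "")

    findings = []

    # Membership is computed from the user side, the group side, or both.
    # With both attributes blank, groups are synced without any members.
    if value("Group Search Base") and not any(value(a) for a, _ in PAIRS):
        findings.append(("no-membership-source",
                         "'User Group Name Attribute' and 'Group Member "
                         "Attribute' are both blank: no membership is calculated"))

    # A "referenced" attribute only qualifies its parent attribute.
    for attr, ref in PAIRS:
        if value(ref) and not value(attr):
            findings.append(("referenced-attr-unused",
                             f"'{ref}' is set but '{attr}' is blank"))

    # NiFi documents 'User Search Base' as required to search users.
    if value("Group Member Attribute") and not value("User Search Base"):
        findings.append(("no-user-search",
                         "'User Search Base' is blank, so users are not searched"))

    # The keystore/truststore properties are documented as used when
    # connecting with LDAPS or START_TLS.
    strategy = value("Authentication Strategy").upper()
    stores = [n for n in ("TLS - Keystore", "TLS - Truststore") if value(n)]
    if stores and strategy not in ("LDAPS", "START_TLS"):
        findings.append(("tls-settings-unused",
                         f"{', '.join(stores)} set but strategy is {strategy}"))
    return findings


def codes(xml_text):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in check_provider(xml_text)]


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("with member", WITH_MEMBER),
                        ("with SIMPLE", WITH_SIMPLE)):
        print(label)
        for code, message in check_provider(text):
            print(f"  {code}: {message}")
```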
12-04-2024
05:58 AM
Hi, My NiFi loads all the AD groups from my LDAP server, but it doesn't load any member information of it. As per the image, one can see that the Members list is empty. How is it possible to get the users in the group too? I can add it manually, but I would like the ldap to be able to retrieve the users as per the group.
Labels: Apache NiFi
11-27-2024
06:07 AM
@MattWho: Could you please suggest what could be missing? Thanks in advance!
11-27-2024
02:39 AM
1 Kudo
Hello, I am trying to access NiFi in a way that all users in the AD group memberof=CN=AG-Y-DEF-LJKGH,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net can have access to it, since it is getting quite tedious for the admin to keep adding the users one by one and assigning them policies. My authorizers.xml looks like:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./auth-conf/users.xml</property>
<property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 0">CN=my-nifi-0.my-nifi-headless.nifi-test.svc.cluster.local, OU=NIFI</property>
<property name="Initial User Identity 1">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Initial User Identity 2">cn=DEF456,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
<property name="Initial User Identity admin">cn=DEF456,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
</userGroupProvider>
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Manager Password">xxxxxxx</property>
<property name="TLS - Keystore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless..svc.cluster.local/keystore.jks</property>
<property name="TLS - Keystore Password">xxxxx</property>
<property name="TLS - Keystore Type">jks</property>
<property name="TLS - Truststore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless..svc.cluster.local/truststore.jks</property>
<property name="TLS - Truststore Password">xxxxx</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">NONE</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully">false</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://someldap.corp1.ad1.xyz.net:636</property>
<property name="Page Size">100</property>
<property name="Sync Interval">30 mins</property>
<property name="User Search Base">OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="User Object Class">user</property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter">(memberof=CN=AG-Y-DEF-LJKGH,OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net)</property>
<property name="User Identity Attribute">sAMAccountName</property>
<property name="User Group Name Attribute">memberOf</property>
<property name="User Group Name Attribute - Referenced Group Attribute">distinguishedName</property>
<property name="Group Search Base">OU=Groups,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">SUBTREE</property>
<property name="Group Search Filter">(|(cn=AG*)(cn=UG*))</property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute">distinguishedName</property>
</userGroupProvider>
<userGroupProvider>
<identifier>composite-configurable-user-group-provider</identifier>
<class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./auth-conf/authorizations.xml</property>
<property name="Initial Admin Identity">cn=DEF456,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 0">CN=my-nifi-0.my-nifi-headless.nifi-test.svc.cluster.local, OU=NIFI</property>
<property name="Node Identity 1">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Node Identity 2">cn=DEF456,ou=Solid Users,ou=User Accounts,dc=corp1,dc=ad1,dc=xyz,dc=net</property>
</accessPolicyProvider>
<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
<authorizer>
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">./auth-conf/authorizations.xml</property>
<property name="Users File">./auth-conf/users.xml</property>
<property name="Initial Admin Identity">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Legacy Authorized Users File"></property>
</authorizer>
</authorizers>
and my login-identity-providers-ldap.xml is
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<loginIdentityProviders>
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">CN=ABC123,OU=Service Users,OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="Manager Password">xxxx</property>
<property name="TLS - Keystore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.nifi-test.svc.cluster.local/keystore.jks</property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type">JKS</property>
<property name="TLS - Truststore">/opt/nifi/nifi-current/conf/my-nifi-nifi-0.my-nifi-nifi-headless.nifi-test.svc.cluster.local/truststore.jks</property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">NONE</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully">false</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://someldap.corp1.ad1.xyz.net:636</property>
<property name="User Search Base">OU=User Accounts,DC=corp1,DC=ad1,DC=xyz,DC=net</property>
<property name="User Search Filter">(cn={0})</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
</loginIdentityProviders>
What am I missing in my setup? Any help or input would be greatly appreciated! Thanks
Labels: Apache NiFi
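An added example, not part of the original post and not NiFi code: a reference check over an authorizers.xml that lists the user group providers an authorizer never reaches through its property references. The sample is a constructed, trimmed copy of the provider wiring posted above; the function names are hypothetical, and treating managed-authorizer as the active authorizer is an assumption, since nifi.properties is not shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample: same identifiers and cross-references as the posted file, other properties trimmed.
SAMPLE = """<authorizers>
<userGroupProvider><identifier>file-user-group-provider</identifier></userGroupProvider>
<userGroupProvider><identifier>ldap-user-group-provider</identifier></userGroupProvider>
<userGroupProvider>
  <identifier>composite-configurable-user-group-provider</identifier>
  <property name="Configurable User Group Provider">file-user-group-provider</property>
  <property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider>
<accessPolicyProvider>
  <identifier>file-access-policy-provider</identifier>
  <property name="User Group Provider">file-user-group-provider</property>
  <property name="Authorizations File">./auth-conf/authorizations.xml</property>
</accessPolicyProvider>
<authorizer>
  <identifier>managed-authorizer</identifier>
  <property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>"""

def reachable_providers(xml_text, authorizer_id):
    """Identifiers reachable from authorizer_id by following property values that name another provider."""
    root = ET.fromstring(xml_text)
    refs = {}
    for element in root:
        ident = (element.findtext("identifier") or "").strip()
        refs[ident] = [(p.text or "").strip() for p in element.findall("property")]
    seen, stack = set(), [authorizer_id]
    while stack:
        current = stack.pop()
        if current in seen or current not in refs:
            continue  # already visited, or a plain value such as a file path
        seen.add(current)
        stack.extend(value for value in refs[current] if value in refs)
    return seen

def unreferenced_user_group_providers(xml_text, authorizer_id):
    """User group providers that are defined but never consulted by the given authorizer."""
    root = ET.fromstring(xml_text)
    defined = {(e.findtext("identifier") or "").strip()
               for e in root.findall("userGroupProvider")}
    return sorted(defined - reachable_providers(xml_text, authorizer_id))

if __name__ == "__main__":
    for name in unreferenced_user_group_providers(SAMPLE, "managed-authorizer"):
        print("defined but not reachable from managed-authorizer:", name)
```

Run against the sample, the check reports both ldap-user-group-provider and composite-configurable-user-group-provider, because the access policy provider's "User Group Provider" property names file-user-group-provider directly.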
10-03-2024
12:16 AM
1 Kudo
@MattWho: Sorry that I missed replying to your questions earlier. I have made sure to fix the authorizers.xml and now I am able to access the registry UI. Thanks for all your detailed responses and suggestions.
10-02-2024
03:24 AM
Hey @MattWho: Could you please guide me on this? Thanks in advance!