@mks27  What you are trying accomplish is not possible in NiFi. In my 15 years of working with NiFi, I believe this is first time I have seen such a request. So what you are expecting to happen is NiFi presents the login window and a user supplies a username and password.  You then expect NiFi to attempt authentication via one ldap provider and if that results in unknown username or bad password response, move on to next ldap provider an attempt again? The users that will need access to your NiFi don't all exist in just one of your ldaps? I suppose if you have a multi node NiFi cluster setup, you could configure the ldap-provider on one node to use one of the ldap servers and the ldap-provider on another node to use the other ldap server.   Since the NiFi cluster can be accessed from any node, you would just need make sure your users access the NIFi cluster from the appropriate node that is configured with their ldap server. NOTE: Authorization (happens after successful authentication) need to be identical on all nodes in a cluster, but that is not an issue here. You'll just configure the authorizers.xml so that all user and group identities from both ldaps are authorized appropriately.  This bootleg way of facilitating authentication via multiple LDAPs, is not something I have ever tested/tried, but believe would work. You could also raise an improvement jira in Apache Jira NiFi project to see if the community might be interested in implementing this change, but I don't anticipate there is much demand for it. https://issues.apache.org/jira/browse/NIFI Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt ... View more

@jfs912 Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks. ... View more

@doora Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks. ... View more

@Darryl  You will certainly have issues using localhost even outside docker with a multi-node NiFi cluster since only the NiFi node installed in the same server as Keycloak would have any chance of connecting with Keycloak.   Understand that a NiFi cluster can bae accessed form any node in the NiFi cluster. So first thing i would have suggested is using the hostname of the actual server that is hosting Keycloak rather then localhost. I am not familiar with Keycloak myself and the article you reference (while i know the author) is very old. A lot has likely evolved/changes with regards to security since it was written.  Glad to hear you had some success even if it was outside of Docker and thank you with sharing what you learned with the community. Matt ... View more

@Darryl  Please start a new community question around your new keycloak integration issues with NiFi. Thank you, Matt ... View more

@BK84  The exception is caused by: Caused by: java.lang.IllegalStateException: The specified class 'org.apache.nifi.controller.state.providers.raft.RaftStateProvider' is not known to this nifi. Your NiFi knows nothing about this class meanung the nifi lib directory does not contain any nar that includes this class: org.apache.nifi.controller.state.providers.raft.RaftStateProvider I also see nothing in Apache NiFi Jira nor in the NiFi 2 documentation mentioning this class or any type of raft state provider. Looking at the properties configured with this provider class, they match the zookeeper properties.  So I suspect you should be using this class instead in your stet provider: org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider   Please help our community grow and thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt ... View more

@Ghilani  The Invalid SNI is caused by the server certificate presented in the TLS exchange not containing a SubjectAlternativeName (SAN) matching the hostname in the request URL. Valid SAN entries are required by the latest version of Java. The solution is to issue new certificates for your NiFi instance(s) that contain all possible SANs used when connecting to the NiFi. So you should have a SAN entry for you NiFi hostname as well as any alternative names used in connection URLs like "nifi" coming form your proxy to NiFi. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt ... View more

@Matt  Thank you so much this has been a big help! ... View more

@AbhiTryingAgain Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks. ... View more