I have Nifi instance and Nifi registry. Both use LDAP for authentication.
The problem is - "anonymous" user, and I cant get rid of it.
enter image description here
Nifi logs when I try to add version control of proccess group in Nifi
enter image description here
Nifi does not show any bucket
If I add anonymous user to Nifi registry, buckets will appear, but it's not behavior I want.
I have tried to add DC of my Nifi cert to LDAP, it also didn't help.
Configurations below.
authorizers
\\<?xml version="1.0" encoding="UTF-8" standalone="yes"?\>
\<authorizers\>
\<userGroupProvider\>
\<identifier\>file-user-group-provider\</identifier\>
\<class\>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider\</class\>
\<property name="Users File"\>./conf/users.xml\</property\>
\<property name="Initial User Identity 1"/\>
\</userGroupProvider\>
\<userGroupProvider\>
\<identifier\>ldap-user-group-provider\</identifier\>
\<class\>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider\</class\>
\<property name="Authentication Strategy"\>SIMPLE\</property\>
\<property name="Manager DN"\>CN=nifi-admin,OU=Service,OU=Users,OU=###,DC=###,DC=###\</property\>
\<property name="Manager Password"\>#####\<PASSWORD\>###\</property\>
\<property name="TLS - Keystore"/\>
\<property name="TLS - Keystore Password"/\>
\<property name="TLS - Keystore Type"/\>
\<property name="TLS - Truststore"/\>
\<property name="TLS - Truststore Password"/\>
\<property name="TLS - Truststore Type"/\>
\<property name="TLS - Client Auth"/\>
\<property name="TLS - Protocol"/\>
\<property name="TLS - Shutdown Gracefully"/\>
\<property name="Referral Strategy"\>FOLLOW\</property\>
\<property name="Connect Timeout"\>10 secs\</property\>
\<property name="Read Timeout"\>10 secs\</property\>
\<property name="Url"\>####ldap://\<address\>:\<port\>####\</property\>
\<property name="Page Size"/\>
\<property name="Sync Interval"\>30 mins\</property\>
\<property name="Group Membership - Enforce Case Sensitivity"\>false\</property\>
\<property name="User Search Base"\>DC=#,DC=#\</property\>
\<property name="User Object Class"\>user\</property\>
\<property name="User Search Scope"\>SUBTREE\</property\>
\<property name="User Search Filter"\>(|(memberOf=CN=NiFi-Admins,OU=NiFi,OU=Ordinary,OU=Groups,OU=#,DC=#,DC=#)(memberOf=CN=NiFi-Developers,OU=NiFi,OU=Ordinary,OU=Groups,OU=#,DC=#,DC=#))\</property\>
\<property name="User Identity Attribute"\>cn\</property\>
\<property name="User Group Name Attribute"/\>
\<property name="User Group Name Attribute - Referenced Group Attribute"/\>
\<property name="Group Search Base"\>OU=NiFi,OU=Ordinary,OU=Groups,OU=#,DC=#,DC=#\</property\>
\<property name="Group Object Class"\>group\</property\>
\<property name="Group Search Scope"\>SUBTREE\</property\>
\<property name="Group Search Filter"/\>
\<property name="Group Name Attribute"\>cn\</property\>
\<property name="Group Member Attribute"\>member\</property\>
\<property name="Group Member Attribute - Referenced User Attribute"/\>
\</userGroupProvider\>
\<userGroupProvider\>
\<identifier\>composite-configurable-user-group-provider\</identifier\>
\<class\>org.apache.nifi.registry.security.authorization.CompositeConfigurableUserGroupProvider\</class\>
\<property name="Configurable User Group Provider"\>file-user-group-provider\</property\>
\<property name="User Group Provider 1"\>ldap-user-group-provider\</property\>
\</userGroupProvider\>
\<accessPolicyProvider\>
\<identifier\>file-access-policy-provider\</identifier\>
\<class\>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider\</class\>
\<property name="User Group Provider"\>composite-configurable-user-group-provider\</property\>
\<property name="Authorizations File"\>./conf/authorizations.xml\</property\>
\<property name="Initial Admin Identity"\>nifi-admin\</property\>
\<property name="NiFi Group Name"\>NIFI-Admins\</property\>
\<!--\<property name="NiFi Identity 1"\>\</property\>--\>
\</accessPolicyProvider\>
\<authorizer\>
\<identifier\>managed-authorizer\</identifier\>
\<class\>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer\</class\>
\<property name="Access Policy Provider"\>file-access-policy-provider\</property\>
\</authorizer\>
\</authorizers\>
identityProviders
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<identityProviders>
<provider>
<identifier>ldap-identity-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">CN=nifi-admin,OU=Service,OU=Users,OU=#,DC=#,DC=#</property>
<property name="Manager Password">#####\<PASSWORD\>###</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">####ldap://\<address\>:\<port\>####</property>
<property name="User Search Base">DC=#,DC=#</property>
<property name="User Search Filter">(sAMAccountName={0})</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
</identityProviders>
Related
I have successfully configured the NIFI to use HTTPS. But after this i am trying to configure LDAP authentication. I have modified the below files and while starting i am facing the exception as given below. Please help.
nifi.properties
nifi.security.user.login.identity.provider=ldap-provider
login-identity-providers.xml
<loginIdentityProvider>
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">cn=username,ou=xxx,ou=xxx,ou=Applications,dc=xxxxxx,dc=net</property>
<property name="Manager Password">password</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://hostname.net:636</property>
<property name="User Search Base">dc=xxxxxx,dc=net</property>
<property name="User Search Filter">(&(objectclass=inetOrgPerson)(groupMembership=cn=group,ou=xxx,ou=xxx,ou=groups,dc=xxxxxxx,dc=net))</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
Errors:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'loginIdentityProvider': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: Unable to load the login identity provider configuration file at: /local/apache/nifi-1.11.4/./conf/login-identity-providers.xml
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:254)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1086)
at org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:93)
... 37 common frames omitted
Caused by: java.lang.Exception: Unable to load the login identity provider configuration file at: /local/apache/nifi-1.11.4/./conf/login-identity-providers.xml
at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean.loadLoginIdentityProvidersConfiguration(LoginIdentityProviderFactoryBean.java:151)
at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean.getObject(LoginIdentityProviderFactoryBean.java:108)
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
... 43 common frames omitted
The problem is likely the User Search Filter you have provided. I would suggest trying with a simple filter which does not contain any special characters to narrow down the issue, then attempt to escape those characters if that is the case.
Response to additional information 2020-06-11
The complete login-identity-providers.xml file should look like:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<loginIdentityProviders>
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">START_TLS</property>
<property name="Manager DN"></property>
<property name="Manager Password"></property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url"></property>
<property name="User Search Base"></property>
<property name="User Search Filter"></property>
<property name="Authentication Expiration">12 hours</property>
</provider>
</loginIdentityProviders>
i'm trying login to nifi with LDAP. but NiFi UI say username/password is not valid. but ldapsearch command is working good, so i think my login-identity-providers.xml file have something wrong syntax.
using nifi-1.8.0, 3-node secured cluster(node01 is ldap server), centos7.
all node have hosts info each other(/etc/hosts)
below code is my login-identity-providers.xml
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">CN=ldap_admin,DC=mapr,DC=com</property>
<property name="Manager Password">****</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://node01:389/</property>
<property name="User Search Base">OU=NIFI,DC=mapr,DC=com</property>
<property name="User Search Filter">(uid={0})</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
i tried ldapsearch -h node01 -p 389 -D 'CN=ldap_admin, DC=mapr, DC=com' -w **** -b 'OU=NIFI, DC=mapr, DC=com' -s sub uid='test03' command
it give me a test03 user info,
test03, NIFI, mapr.com
dn: cn=test03,ou=NIFI,dc=mapr,dc=com
//skip//
uid: test03
mail: test03#nifi.com
userPassword:: /passwd/
search result
search: 2
result: 0 Success
numResponses: 2
numEntries: 1
so i tried to login with " user : test03, password ----------- ", but didn't working "The supplied username and password are not valid."
file is wrong? or maybe my ldap server setting is wrong?
I installed NiFi 1.7.1 and NiFi ToolKit.
And, I try to add LDAP auth in NiFi.
But, I try to login NiFI login page, but it occurs error "
The supplied username and password are not valid."
login-identity-providers.xml :
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">CN=admin,OU=NIFI,DC=evidnet,DC=com</property>
<property name="Manager Password">passwd</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://myhost:389</property>
<property name="User Search Base">OU=NIFI,DC=evidnet,DC=com</property>
<property name="User Search Filter">(sAMAccountName={0})</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
and, My LDAP Server table is:
Why does not it work?
I entered the correct password, but it does not work.
(id: admin, password: passwd)
Your configured "User Search Filter" is referencing the entry's sAMAccountName. What is admin's sAMAccountName? Did you mean to reference the cn like your showing in the screenshot?
I have been working on this problem for quite some time and I would like answers and suggestions from you guys on the issue I am facing. I am trying to get my Nifi standalone instance on my VM, which is in my company's network, authenticated using the ldap-provider in login-identity-providers.xml. I input all the required values except for the truststores and keystores because the company has an LDAP and not LDAPS . So, I figured I wouldn't need those certificates. I have set the initial admin identity in the authorizers.xml too. And, of course, set the https port and host(0.0.0.0). But, when I try to run and call the server from the browser using the url, the Site can't be reached , ERR_CONNECTION_REFUSED pops up. Basically, can't reach the server. I have checked the DN, LDAP url and other properties to be correct and working when I queried through ldapsearch.
So, is it because I don't specify the truststore and keystore in the configuration? If so, do i need to manually create these certs for each client that wish to access Nifi. I thought the LDAP certificate would be enough for a person to authenticate to Nifi. Please advise me on how to go about getting the CA for truststore, server and client certificates for the employees to use Nifi through LDAP.
My ldap-provider looks like this(scrubbed) :
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">cn=user-name,ou=Accounts,dc=domain,dc=company-name,dc=com</property>
<property name="Manager Password">My-account-password</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">IGNORE</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">the-ldap-url-of-company</property>
<property name="User Search Base">cn=Users,ou=Accounts,dc=corp,dc=company-name,dc=com</property>
<property name="User Search Filter">sAMAccountName={0}</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
Nifi version - 1.0.0
Running in a Ubuntu Trusty VM.
When using LDAP authentication you should reach a login page for NiFi where you supply the username and password to authenticate against LDAP. Since you are not even reaching that page, something else is wrong before it is even getting to the LDAP part.
Some things to check...
In NiFi properties the active identity provider should be set with the following property:
nifi.security.user.login.identity.provider=ldap-provider
When you are using any kind of authentication NiFi must be configured to use https which requires providing the following configuration:
nifi.web.https.host=
nifi.web.https.port=
nifi.security.keystore=
nifi.security.keystoreType=
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.trustStorePassword=
The hostname that you set in nifi.web.https.host should also line up with the hostname of the certificate being used for the nifi.security.keystore. I have a feeling that setting the https host to 0.0.0.0 is not what you want, but I'm not totally sure what that does.
Once you get the https configuration correct, then you should reach the login page when going to https://yourhost:post/nifi and after that is where your LDAP configuration will come into play.
I'm trying to configure ldap authentication on Apache Nifi 1.7.1. The TLS is configured, ldap connection works when I'm not trying to configure an initial admin (obviously I can manage nifi).
Server fails to startup with the following error:
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin adehay to seed policies
at org.apache.nifi.authorization.FileAccessPolicyProvider.populateInitialAdmin(FileAccessPolicyProvider.java:569)
at org.apache.nifi.authorization.FileAccessPolicyProvider.load(FileAccessPolicyProvider.java:512)
at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:225)
... 104 common frames omitted
I've removed the users.xml and authorizations.xml between each test, like described in https://community.hortonworks.com/articles/81184/understanding-the-initial-admin-identity-access-po.html but I'm still stuck.
The login-identity-provider.xml, configured like the following, works fine when I'm not trying to configure a initial admin (I can connect on the nifi login page but I get Insufficient Permissions error):
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">uid=fau_bind,cn=users,cn=accounts,dc=soft,dc=fau</property>
<property name="Manager Password">xxx</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">IGNORE</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://xxx:389</property>
<property name="User Search Base">cn=users,cn=accounts,dc=soft,dc=fau</property>
<property name="User Search Filter">uid={0}</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
My authorizers.xml (remaining unchanged from installation):
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">adehay</property>
<property name="Legacy Authorized Users File"></property>
</accessPolicyProvider>
I've tried replacing "adehay" by the LDAP DN with no luck.
The mapping in nifi.properties (does not work with or without that):
nifi.security.identity.mapping.pattern.dn=^uid=(.*?),cn=users,cn=accounts,dc=soft,dc=fau$
nifi.security.identity.mapping.value.dn=$1
I must have missed something but I can's see what.
Thanks for any help.
There are two separate parts here, authentication and authorization.
The login-identity-providers.xml is for authenticating users against LDAP.
The authorizers.xml is for configuring an authorizer to authorize authenticated users which may or may not have come from LDAP.
The current problem is that you are telling the access-policy-provider that your initial admin is 'adehay', but the access-policy-provider doesn't know anything about your login-identity-provider, it only knows about the user-group-providers defined in authorizers.xml.
You could either define a file-based user-group-provider in authorizers.xml where you manually define your user 'adehay', see the "Initial User Identity 1" example here:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity
The second way, which makes more sense for your case, is to define an LDAP user-group-provider in your authorizers.xml, see the example in the same section linked above that says "Here is an example loading users and groups from LDAP."