I'm trying to configure ldap authentication on Apache Nifi 1.7.1. The TLS is configured, ldap connection works when I'm not trying to configure an initial admin (obviously I can manage nifi).
Server fails to startup with the following error:
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable to locate initial admin adehay to seed policies
at org.apache.nifi.authorization.FileAccessPolicyProvider.populateInitialAdmin(FileAccessPolicyProvider.java:569)
at org.apache.nifi.authorization.FileAccessPolicyProvider.load(FileAccessPolicyProvider.java:512)
at org.apache.nifi.authorization.FileAccessPolicyProvider.onConfigured(FileAccessPolicyProvider.java:225)
... 104 common frames omitted
I've removed the users.xml and authorizations.xml between each test, like described in https://community.hortonworks.com/articles/81184/understanding-the-initial-admin-identity-access-po.html but I'm still stuck.
The login-identity-provider.xml, configured like the following, works fine when I'm not trying to configure a initial admin (I can connect on the nifi login page but I get Insufficient Permissions error):
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">uid=fau_bind,cn=users,cn=accounts,dc=soft,dc=fau</property>
<property name="Manager Password">xxx</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">IGNORE</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://xxx:389</property>
<property name="User Search Base">cn=users,cn=accounts,dc=soft,dc=fau</property>
<property name="User Search Filter">uid={0}</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
My authorizers.xml (remaining unchanged from installation):
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">adehay</property>
<property name="Legacy Authorized Users File"></property>
</accessPolicyProvider>
I've tried replacing "adehay" by the LDAP DN with no luck.
The mapping in nifi.properties (does not work with or without that):
nifi.security.identity.mapping.pattern.dn=^uid=(.*?),cn=users,cn=accounts,dc=soft,dc=fau$
nifi.security.identity.mapping.value.dn=$1
I must have missed something but I can's see what.
Thanks for any help.
There are two separate parts here, authentication and authorization.
The login-identity-providers.xml is for authenticating users against LDAP.
The authorizers.xml is for configuring an authorizer to authorize authenticated users which may or may not have come from LDAP.
The current problem is that you are telling the access-policy-provider that your initial admin is 'adehay', but the access-policy-provider doesn't know anything about your login-identity-provider, it only knows about the user-group-providers defined in authorizers.xml.
You could either define a file-based user-group-provider in authorizers.xml where you manually define your user 'adehay', see the "Initial User Identity 1" example here:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity
The second way, which makes more sense for your case, is to define an LDAP user-group-provider in your authorizers.xml, see the example in the same section linked above that says "Here is an example loading users and groups from LDAP."
Related
I have successfully configured the NIFI to use HTTPS. But after this i am trying to configure LDAP authentication. I have modified the below files and while starting i am facing the exception as given below. Please help.
nifi.properties
nifi.security.user.login.identity.provider=ldap-provider
login-identity-providers.xml
<loginIdentityProvider>
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">cn=username,ou=xxx,ou=xxx,ou=Applications,dc=xxxxxx,dc=net</property>
<property name="Manager Password">password</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://hostname.net:636</property>
<property name="User Search Base">dc=xxxxxx,dc=net</property>
<property name="User Search Filter">(&(objectclass=inetOrgPerson)(groupMembership=cn=group,ou=xxx,ou=xxx,ou=groups,dc=xxxxxxx,dc=net))</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
Errors:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'loginIdentityProvider': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: Unable to load the login identity provider configuration file at: /local/apache/nifi-1.11.4/./conf/login-identity-providers.xml
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:254)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1086)
at org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:93)
... 37 common frames omitted
Caused by: java.lang.Exception: Unable to load the login identity provider configuration file at: /local/apache/nifi-1.11.4/./conf/login-identity-providers.xml
at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean.loadLoginIdentityProvidersConfiguration(LoginIdentityProviderFactoryBean.java:151)
at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean.getObject(LoginIdentityProviderFactoryBean.java:108)
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
... 43 common frames omitted
The problem is likely the User Search Filter you have provided. I would suggest trying with a simple filter which does not contain any special characters to narrow down the issue, then attempt to escape those characters if that is the case.
Response to additional information 2020-06-11
The complete login-identity-providers.xml file should look like:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<loginIdentityProviders>
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">START_TLS</property>
<property name="Manager DN"></property>
<property name="Manager Password"></property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url"></property>
<property name="User Search Base"></property>
<property name="User Search Filter"></property>
<property name="Authentication Expiration">12 hours</property>
</provider>
</loginIdentityProviders>
i'm trying login to nifi with LDAP. but NiFi UI say username/password is not valid. but ldapsearch command is working good, so i think my login-identity-providers.xml file have something wrong syntax.
using nifi-1.8.0, 3-node secured cluster(node01 is ldap server), centos7.
all node have hosts info each other(/etc/hosts)
below code is my login-identity-providers.xml
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">CN=ldap_admin,DC=mapr,DC=com</property>
<property name="Manager Password">****</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://node01:389/</property>
<property name="User Search Base">OU=NIFI,DC=mapr,DC=com</property>
<property name="User Search Filter">(uid={0})</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
i tried ldapsearch -h node01 -p 389 -D 'CN=ldap_admin, DC=mapr, DC=com' -w **** -b 'OU=NIFI, DC=mapr, DC=com' -s sub uid='test03' command
it give me a test03 user info,
test03, NIFI, mapr.com
dn: cn=test03,ou=NIFI,dc=mapr,dc=com
//skip//
uid: test03
mail: test03#nifi.com
userPassword:: /passwd/
search result
search: 2
result: 0 Success
numResponses: 2
numEntries: 1
so i tried to login with " user : test03, password ----------- ", but didn't working "The supplied username and password are not valid."
file is wrong? or maybe my ldap server setting is wrong?
I installed NiFi 1.7.1 and NiFi ToolKit.
And, I try to add LDAP auth in NiFi.
But, I try to login NiFI login page, but it occurs error "
The supplied username and password are not valid."
login-identity-providers.xml :
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">CN=admin,OU=NIFI,DC=evidnet,DC=com</property>
<property name="Manager Password">passwd</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://myhost:389</property>
<property name="User Search Base">OU=NIFI,DC=evidnet,DC=com</property>
<property name="User Search Filter">(sAMAccountName={0})</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
and, My LDAP Server table is:
Why does not it work?
I entered the correct password, but it does not work.
(id: admin, password: passwd)
Your configured "User Search Filter" is referencing the entry's sAMAccountName. What is admin's sAMAccountName? Did you mean to reference the cn like your showing in the screenshot?
I have been working on this problem for quite some time and I would like answers and suggestions from you guys on the issue I am facing. I am trying to get my Nifi standalone instance on my VM, which is in my company's network, authenticated using the ldap-provider in login-identity-providers.xml. I input all the required values except for the truststores and keystores because the company has an LDAP and not LDAPS . So, I figured I wouldn't need those certificates. I have set the initial admin identity in the authorizers.xml too. And, of course, set the https port and host(0.0.0.0). But, when I try to run and call the server from the browser using the url, the Site can't be reached , ERR_CONNECTION_REFUSED pops up. Basically, can't reach the server. I have checked the DN, LDAP url and other properties to be correct and working when I queried through ldapsearch.
So, is it because I don't specify the truststore and keystore in the configuration? If so, do i need to manually create these certs for each client that wish to access Nifi. I thought the LDAP certificate would be enough for a person to authenticate to Nifi. Please advise me on how to go about getting the CA for truststore, server and client certificates for the employees to use Nifi through LDAP.
My ldap-provider looks like this(scrubbed) :
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">cn=user-name,ou=Accounts,dc=domain,dc=company-name,dc=com</property>
<property name="Manager Password">My-account-password</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">IGNORE</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">the-ldap-url-of-company</property>
<property name="User Search Base">cn=Users,ou=Accounts,dc=corp,dc=company-name,dc=com</property>
<property name="User Search Filter">sAMAccountName={0}</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
Nifi version - 1.0.0
Running in a Ubuntu Trusty VM.
When using LDAP authentication you should reach a login page for NiFi where you supply the username and password to authenticate against LDAP. Since you are not even reaching that page, something else is wrong before it is even getting to the LDAP part.
Some things to check...
In NiFi properties the active identity provider should be set with the following property:
nifi.security.user.login.identity.provider=ldap-provider
When you are using any kind of authentication NiFi must be configured to use https which requires providing the following configuration:
nifi.web.https.host=
nifi.web.https.port=
nifi.security.keystore=
nifi.security.keystoreType=
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.trustStorePassword=
The hostname that you set in nifi.web.https.host should also line up with the hostname of the certificate being used for the nifi.security.keystore. I have a feeling that setting the https host to 0.0.0.0 is not what you want, but I'm not totally sure what that does.
Once you get the https configuration correct, then you should reach the login page when going to https://yourhost:post/nifi and after that is where your LDAP configuration will come into play.
I would like modify the domain of the primary user storage (based on LDAP), but i can not get successfully.
The current domain in user-mgt.xml is dc=wso2,dc=org and I would like to change to dc=foobar,dc=com
My modified user-mgt.xml is:
...
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="defaultRealmName">FOOBAR.COM</Property>
<Property name="kdcEnabled">false</Property>
<Property name="Disabled">false</Property>
<Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
<Property name="ConnectionName">uid=admin,ou=system</Property>
<Property name="ConnectionPassword">admin</Property>
<Property name="passwordHashMethod">SHA</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserEntryObjectClass">identityPerson</Property>
<Property name="UserSearchBase">ou=Users,dc=foobar,dc=com</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
<Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="GroupSearchBase">ou=Groups,dc=foobar,dc=com</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="SharedGroupNameAttribute">cn</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=foobar,dc=com</Property>
<Property name="SharedGroupEntryObjectClass">groupOfNames</Property>
<Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="SharedGroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
<Property name="SharedTenantNameAttribute">ou</Property>
<Property name="SharedTenantObjectClass">organizationalUnit</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="UserDNPattern">uid={0},ou=Users,dc=foobar,dc=com</Property>
<Property name="RoleDNPattern">cn={0},ou=Groups,dc=foobar,dc=com</Property>
<Property name="SCIMEnabled">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
</UserStoreManager>
...
The error when starting WSO2 IS is:
Caused by: org.wso2.carbon.user.core.UserStoreException: [LDAP: error code 32 - NO_SUCH_OBJECT: failed for SearchRequest
baseDn : 'ou=Groups,dc=foobar,dc=com'
filter : '(&(2.5.4.0=groupofnames)(2.5.4.3=*))'
scope : whole subtree
typesOnly : false
Size Limit : 100
Time Limit : 11
Deref Aliases : deref Always
attributes : 'cn'
: ERR_268 Cannot find a partition for ou=Groups,dc=foobar,dc=com]
at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.getLDAPRoleNames(ReadOnlyLDAPUserStoreManager.java:1024)
at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.doGetRoleNames(ReadOnlyLDAPUserStoreManager.java:1134)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleNames(AbstractUserStoreManager.java:2485)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleNames(AbstractUserStoreManager.java:2382)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleNames(AbstractUserStoreManager.java:2375)
at org.wso2.carbon.event.core.internal.subscription.registry.RegistrySubscriptionManager.<init>(RegistrySubscriptionManager.java:91)
... 65 more
What should I be missing?
Solved !
I have replaced older domain and defaultRealmName in the following files:
IS_HOME/repository/conf/user-mgt.xml
IS_HOME/repository/conf/tenant-mgt.xml
IS_HOME/repository/conf/embedded-ldap.xml
I have replaced dc=wso2,dc=org for dc=foobar,dc=com and defaultRealmName=WSO2.ORG for FOOBAR.COM, then I deleted the directory named root located in the IS_HOME/repository/data/org.wso2.carbon.directory
.. so a fresh default partition will be created again at the restart.
Now, if you connect to WSO2IS' embedded LDAP (10389 port) using any LDAP client, you will see the new domain FOOBAR.COM instead of WSO2.ORG.
I hope that be useful.
I guess, you are trying to change the "dc=wso2,dc=org" value. You can not change it using user-mgt.xml file. user-mgt.xml file is used to connect WSO2IS with LDAP or AD or JDBC user stores. It means there can be LDAP running externally and you need to configure user-mgt.xml file to connect that LDAP using proper configurations. By default WSO2IS is shipped with embedded LDAP server and by default user-mgt.xml file has been configured to point to that embedded LDAP server. This embedded LDAP is created with "dc=wso2,dc=org" value. You can find the configurations of this embedded LDAP in the "embedded-ldap.xml" file. But there is no parameter to configure the domain ""dc=wso2,dc=org". It means, we can not configure it. But you can still create your own LDAP server using ApacheDS, OpenDJ and OpenLDAP and can point it to WSO2 Identity Server.