nifi-users mailing list archives

From Kevin Doran <kdo...@apache.org>
Subject Re: LDAP provider not recognizing the u/p combination
Date Tue, 13 Feb 2018 16:33:24 GMT
Hi Mike,

I don’t know enough about Active Directory and LDAP in general to answer your question off
the top of my head, but I’m familiar with how the NiFi LDAP client is configured using
the fields you’ve mentioned, so I may be able to help you figure it out.

I think you’re on the right track, but you may need to use the User Identity Attribute as
well.

It would be helpful for me if I could try to reproduce the environment you are working in.
As I don’t know the details of the Active Directory structure, would you be able to provide
an example snippet of the directory in LDIF format [1] [2]? Please scrub any sensitive information
(actual names or password hashes) before sending; I just need a better sense of the structure
of the directory, not the values of the fields themselves.

If that’s not possible for you, just let me know and I can try to follow up without those
details as soon as I get a chance to dig into the specifics of AD a bit more.

Thanks,
Kevin

[1] https://support.microsoft.com/en-us/help/555636
[2] https://docs.oracle.com/cd/A97630_01/network.920/a96579/comtools.htm#631224

From: Mike Thomsen <mikerthomsen@gmail.com>
Reply-To: <users@nifi.apache.org>
Date: Tuesday, February 13, 2018 at 11:18
To: <users@nifi.apache.org>
Subject: LDAP provider not recognizing the u/p combination

We're using AD, and I have verified that we can actually pull the users and groups by logging
in as the initial admin and checking the users. It shows the users and the LDAP groups we
assigned. Looks fine there.

When a user goes to log in with their domain account, it says invalid username and password.

So if their domain account is like this:

LOCALSITE\john.smith

I expect them to be able to put "john.smith" in the username field.

These are the search settings:

Search Filter: (CN={0})
Identity Strategy: USE_USERNAME

Based on the documentation, I would expect that that would take the username and password,
put the username into the CN attribute of the search filter and filter on the search base
(exact copy of the one that is working in the user/group search configuration).

Any suggestions on what might be wrong and/or how to debug this?

Thanks,
Mike
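
One way to debug the question above offline, as an added example that is not part of the thread or of NiFi's code: substitute the typed username for {0} in a search filter and see which entries of a scrubbed LDIF export it selects. The LDIF entries, the DNs and the sAMAccountName alternative are constructed assumptions about a typical AD layout, and the RFC 4515 escaping is what a careful client does, not a statement about NiFi's internals.

```python
import re

# Constructed, scrubbed sample entries (assumption; not from the thread).
SAMPLE_LDIF = """\
dn: CN=John Smith,OU=Users,DC=localsite,DC=example
objectClass: user
cn: John Smith
sAMAccountName: john.smith

dn: CN=svc-nifi,OU=Service,DC=localsite,DC=example
objectClass: user
cn: svc-nifi
sAMAccountName: svc-nifi
"""

def parse_ldif(text):
    """Parse simple 'attr: value' LDIF records (no base64 or folded lines)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def escape_filter_value(value):
    """Escape RFC 4515 special characters so input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in '\\*()\0' else c for c in value)

def build_filter(template, username):
    """Substitute the escaped username for {0}, as in (CN={0})."""
    return template.replace("{0}", escape_filter_value(username))

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matching_dns(template, username, entries):
    """Evaluate a single-equality filter like (attr={0}), case-insensitively."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", build_filter(template, username))
    if not m:
        raise ValueError("only simple (attr={0}) filters are supported")
    attr, wanted = m.group(1).lower(), unescape(m.group(2)).lower()
    return [e["dn"][0] for e in entries
            if wanted in (v.lower() for v in e.get(attr, []))]

ENTRIES = parse_ldif(SAMPLE_LDIF)
```

With this sample, matching_dns("(CN={0})", "john.smith", ENTRIES) returns no entries while the sAMAccountName filter returns one; running it against a real export shows which attribute actually holds the logon name.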

