nifi-users mailing list archives

From Andy LoPresto <alopre...@apache.org>
Subject Re: Integrating nifi with cloud based LDAP JumpCloud
Date Mon, 09 Apr 2018 20:14:44 GMT
Scott,

One note is that since you are using port 389 (plaintext LDAP), your credentials are being
transmitted in cleartext unless you are enforcing START_TLS, and as there is no truststore
populated in your config, it does not appear you are doing this.

You should read the Jumpcloud instructions on configuring LDAP-as-a-service (including creating
an LDAP Binding User Account) using SSL/TLS and there are some additional resources on configuring
this for LDAP below:

https://support.jumpcloud.com/customer/en/portal/articles/2439911
https://support.jumpcloud.com/customer/en/portal/articles/2440898-jumpcloud-ldaps-ssl-certificate
https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Apr 9, 2018, at 1:04 PM, Scott Howell <scotthowell@mobilgov.com> wrote:
> 
> That is what is inside of <loginIdentityProviders></loginIdentityProviders>
> 
>> On Apr 9, 2018, at 3:03 PM, Scott Howell <scotthowell@mobilgov.com> wrote:
>> 
>> Yep let me send it over.
>> 
>> <provider>
>>       <identifier>ldap-provider</identifier>
>>       <class>org.apache.nifi.ldap.LdapProvider</class>
>>       <property name="Authentication Strategy">ANONYMOUS</property>
>> 
>>       <property name="Manager DN">uid=nifi,ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>>       <property name="Manager Password">{redacted}</property>
>> 
>>       <property name="TLS - Keystore"></property>
>>       <property name="TLS - Keystore Password"></property>
>>       <property name="TLS - Keystore Type"></property>
>>       <property name="TLS - Truststore"></property>
>>       <property name="TLS - Truststore Password"></property>
>>       <property name="TLS - Truststore Type"></property>
>>       <property name="TLS - Client Auth"></property>
>>       <property name="TLS - Protocol"></property>
>>       <property name="TLS - Shutdown Gracefully"></property>
>> 
>>       <property name="Referral Strategy">FOLLOW</property>
>>       <property name="Connect Timeout">10 secs</property>
>>       <property name="Read Timeout">10 secs</property>
>> 
>>       <property name="Url">ldap://ldap.jumpcloud.com:389</property>
>>       <property name="User Search Base">ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>>       <property name="User Search Filter">uid={0}</property>
>> 
>>       <property name="Identity Strategy">USE_USERNAME</property>
>>       <property name="Authentication Expiration">12 hours</property>
>>   </provider>
>> 
>> 
>> 
>>> On Apr 9, 2018, at 3:01 PM, Kevin Doran <kdoran@apache.org> wrote:
>>> 
>>> Scott,
>>> 
>>> I've never implemented NiFi with JumpCloud, but speculating as to what could
>>> be the cause of your error, it could be the User Search Base/Filter configuration values.
>>> Can you share the contents of your login-identity-providers.xml (removing any sensitive values
>>> such as ldap credentials)?
>>> 
>>> Thanks,
>>> Kevin
>>> 
>>> On 4/9/18, 14:53, "Scott Howell" <scotthowell@mobilgov.com> wrote:
>>> 
>>>  I was wondering if there was anyone on the user group that had successfully
>>>  integrated their NIFI authentication to work with Jumpcloud LDAP. I have followed the steps
>>>  Jumpcloud provides with adding the correct credentials to the NIFI login-identity-providers.xml
>>>  but I am getting an error of “Unable to validate the supplied credentials. Please contact
>>>  the system administrator.” In the UI in my nifi-user.log I am seeing [LDAP: error code 32
>>>  - No Such Object] when it's trying to look up the LDAP user.
>>> 
>>>  Scott
>>> 
>>> 
>> 
> 
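The transport problem Andy points out (ldap:// on port 389 with no START_TLS and an empty truststore) is easy to catch mechanically before a config goes live. The following is an added example for this thread, not NiFi's own code: a small Python linter that parses the same <provider>/<property name="..."> layout as the login-identity-providers.xml Scott posted and flags an LdapProvider whose bind credentials would travel in cleartext, or whose TLS strategy has no truststore to validate the server certificate against. The embedded sample XML is constructed here: the first provider mirrors the posted config (redacted values replaced with placeholders), and the second is an assumed corrected variant using the LDAPS strategy, an ldaps:// URL on the standard port 636, and a hypothetical truststore path.

```python
"""Lint NiFi login-identity-providers.xml for cleartext LDAP bind settings.

Added example, not part of NiFi. Checks are limited to what the thread
discusses: an ldap:// URL without START_TLS sends credentials unencrypted,
and an LDAPS/START_TLS strategy without a truststore cannot validate the
server certificate.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

LDAP_PROVIDER_CLASS = "org.apache.nifi.ldap.LdapProvider"

# Constructed sample: provider 1 mirrors the config posted in the thread,
# provider 2 is an assumed corrected configuration (hostname from the thread,
# port 636 and the truststore path are assumptions, not from the thread).
SAMPLE_XML = """<loginIdentityProviders>
  <provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">ANONYMOUS</property>
    <property name="Manager DN">uid=nifi,ou=Users,o=REDACTED,dc=jumpcloud,dc=com</property>
    <property name="Manager Password">REDACTED</property>
    <property name="TLS - Truststore"></property>
    <property name="TLS - Truststore Password"></property>
    <property name="TLS - Truststore Type"></property>
    <property name="Url">ldap://ldap.jumpcloud.com:389</property>
    <property name="User Search Base">ou=Users,o=REDACTED,dc=jumpcloud,dc=com</property>
    <property name="User Search Filter">uid={0}</property>
  </provider>
  <provider>
    <identifier>ldaps-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
    <property name="Manager DN">uid=nifi,ou=Users,o=REDACTED,dc=jumpcloud,dc=com</property>
    <property name="Manager Password">REDACTED</property>
    <property name="TLS - Truststore">/opt/nifi/conf/jumpcloud-truststore.jks</property>
    <property name="TLS - Truststore Password">REDACTED</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="Url">ldaps://ldap.jumpcloud.com:636</property>
    <property name="User Search Base">ou=Users,o=REDACTED,dc=jumpcloud,dc=com</property>
    <property name="User Search Filter">uid={0}</property>
  </provider>
</loginIdentityProviders>
"""


def provider_properties(xml_text):
    """Return {identifier: {property name: value}} for each LdapProvider."""
    root = ET.fromstring(xml_text)
    result = {}
    for prov in root.iter("provider"):
        if prov.findtext("class", "").strip() != LDAP_PROVIDER_CLASS:
            continue  # other provider classes (e.g. Kerberos) are out of scope
        ident = prov.findtext("identifier", "").strip()
        # An empty <property> element has text None; normalise it to "".
        props = {p.get("name"): (p.text or "").strip() for p in prov.findall("property")}
        result[ident] = props
    return result


def check_ldap_transport(props):
    """Return a list of finding strings for one provider's property map."""
    findings = []
    strategy = props.get("Authentication Strategy", "").upper()
    truststore = props.get("TLS - Truststore", "")
    # NiFi accepts a space-separated list of URLs; check each one.
    for url in props.get("Url", "").split():
        scheme = urlsplit(url).scheme.lower()
        if scheme == "ldap" and strategy != "START_TLS":
            findings.append(
                f"cleartext LDAP: {url} without START_TLS; bind credentials are sent unencrypted"
            )
    if strategy in ("LDAPS", "START_TLS") and not truststore:
        findings.append(
            "TLS strategy configured but 'TLS - Truststore' is empty; "
            "the LDAP server certificate cannot be validated"
        )
    return findings


def lint(xml_text):
    """Map every LdapProvider identifier to its list of findings."""
    return {ident: check_ldap_transport(p) for ident, p in provider_properties(xml_text).items()}


if __name__ == "__main__":
    for ident, findings in lint(SAMPLE_XML).items():
        print(ident, "->", findings or ["ok"])
```

Run it against a real login-identity-providers.xml by replacing SAMPLE_XML with the file contents; an empty findings list for the provider that nifi.properties points at is the state to aim for before enabling the provider.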

