nifi-users mailing list archives

From Kevin Doran <>
Subject Re: Nifi Registry LDAP
Date Tue, 10 Apr 2018 20:21:22 GMT
Thanks; that certainly narrows it down. It could be that you’ve uncovered a bug with the
LdapIdentityProvider when using START_TLS. I’ll try to recreate it and dig into it on my
end. Thanks for sharing all this info.




From: Scott Howell <>
Reply-To: <>
Date: Tuesday, April 10, 2018 at 16:05
To: <>
Subject: Re: Nifi Registry LDAP


I was able to remove the TLS information in the identity-provider.xml and was able to use
my remote LDAP to login. So I think I am narrowing down the issue.



On Apr 10, 2018, at 2:57 PM, Kevin Doran <> wrote:


Thanks Scott,


I don’t see anything wrong with your configuration. I created a free jumpcloud account,
so I’ll try to recreate this issue and get back to you if I have any other insights.




From: Scott Howell <>
Reply-To: <>
Date: Tuesday, April 10, 2018 at 15:54
To: <>
Subject: Re: Nifi Registry LDAP


I was able to switch back to my local LDAP server and was able to login successfully. The
provider I am using in identity-providers.xml is as follows:





        <property name="Authentication Strategy">SIMPLE</property>


        <property name="Manager DN">cn=Manager,dc={redacted},dc=com</property>

        <property name="Manager Password">{redacted}</property>



        <property name="Referral Strategy">FOLLOW</property>

        <property name="Connect Timeout">10 secs</property>

        <property name="Read Timeout">10 secs</property>


        <property name="Url">ldap://{redacted}:389</property>

        <property name="User Search Base">ou=users,dc={redacted},dc=com</property>

        <property name="User Search Filter">uid={0}</property>


        <property name="Identity Strategy">USE_DN</property>

        <property name="Authentication Expiration">12 hours</property>



This is a super strange issue as to why nifi works with the remote LDAP and nifi-registry
does not. 


On Apr 10, 2018, at 2:18 PM, Scott Howell <> wrote:


Thanks Kevin for sending that back,


This is what I see when looking at the Headers on the login. 

<Screen Shot 2018-04-10 at 2.15.35 PM.png>


The version of Nifi-Registry I am running is 0.1.0. What confuses me is that this was working
with my local LDAP fine. It just stopped working when I switched to setting up the identity-provider.xml
with the same credentials as my nifi-cluster. 



On Apr 10, 2018, at 2:10 PM, Kevin Doran <> wrote:


If everything is configured correctly, this error usually indicates that the server did not
locate your login credentials when processing the login request. That usually means it will
not even attempt to authenticate the credentials, so I'm not sure it is an LDAP configuration


If you want to check this manually using developer tools in a browser (e.g., Chrome or Firefox)
you can look at the HTTP traffic to see if credentials are being passed to the server. NiFi
Registry uses the HTTP Basic Auth protocol to login (credentials are encoded in the Authorization
header and passed to the server from the login page to generate a temporary authentication


So after clicking "Login", you should look for an HTTP POST to <base_url>/nifi-registry-api/access/token/login,
which should have an "Authorization" header with the value "Basic {encoded-username-and-password}"


If the credentials are there, it is likely something is misconfigured on the server side with
the identity provider so that login credentials are not even being looked for. If the credentials
are not there... well I've never seen that. I would probably ask if your NiFi Registry Server is
running behind a load balancer or proxy that could be interfering with HTTP headers?


What version of NiFi Registry are you using? 0.1.0 or a version built from source?


Hope this helps,




On 4/10/18, 14:59, "Scott Howell" <> wrote:


    Yes I did, I had Nifi-registry working with a local instance of LDAP running. It’s
now not cooperating since I moved to using Jumpcloud. 


    > On Apr 10, 2018, at 1:56 PM, Kevin Doran <> wrote:


    > Hi Scott,


    > Did you configure with:




    > On 4/10/18, 14:53, "Scott Howell" <> wrote:


    >    Thanks for all the help yesterday standing up LDAP for NIFI. I was able to
troubleshoot and fix the issues myself. I am running into a unique issue with my Nifi-Registry:
when I try to login with my LDAP credentials like I do for the nifi cluster, I get this in my logs:


    >    2018-04-10 18:43:15,303 INFO [NiFi Registry Web Server-18] o.a.n.r.w.s.NiFiRegistrySecurityConfig AuthenticationEntryPoint invoked as no user identity credentials were found in the request.


    >    My identity-providers.xml is this:

    >    <identityProviders>

    >         <provider> 

    >                          <identifier>ldap-identity-provider</identifier>

    >                          <property name="Authentication Strategy">START_TLS</property>

    >                          <property name="Manager DN">uid=nifi,ou=Users,o={redacted},dc=jumpcloud,dc=com</property>

    >                          <property name="Manager Password">{redacted}</property>

    >                          <property name="TLS - Keystore"></property>

    >                          <property name="TLS - Keystore Password"></property>

    >                          <property name="TLS - Keystore Type"></property>

    >                          <property name="TLS - Truststore">/opt/certs/jumpcloud.jks</property>

    >                          <property name="TLS - Truststore Password">{redacted}</property>

    >                         <property name="TLS - Truststore Type">JKS</property>

    >                          <property name="TLS - Client Auth"></property>

    >                          <property name="TLS - Protocol">TLSv1.2</property>

    >                          <property name="TLS - Shutdown Gracefully"></property>

    >                          <property name="Referral Strategy">FOLLOW</property>

    >                          <property name="Connect Timeout">10 secs</property>

    >                          <property name="Read Timeout">10 secs</property>

    >                          <property name="Url">ldap://</property>

    >                          <property name="User Search Base">ou=Users,o={redacted},dc=jumpcloud,dc=com</property>

    >                          <property name="User Search Filter">uid={0}</property>

    >                          <property name="Identity Strategy">USE_USERNAME</property>

    >                          <property name="Authentication Expiration">12 hours</property>

    >          </provider>

    >    </identityProviders>


    >    For the most part I grabbed most of this from my Nifi node login-identity-providers.xml
but I seem to have something messed up.
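
An added example, not part of the thread or of NiFi Registry's code: a small audit of an identity-providers.xml that reports whether the LDAP bind is transport-protected, since the configuration that worked in this thread uses SIMPLE over ldap://…:389. The sample documents, host names and the `audit` helper are constructed for illustration; the property names are the ones shown in the thread, and `LDAPS` is the strategy value NiFi uses for ldaps:// connections.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the thread's working (SIMPLE) provider;
# host and DNs are placeholders.
SIMPLE_CONF = """<identityProviders><provider>
  <identifier>ldap-identity-provider</identifier>
  <property name="Authentication Strategy">SIMPLE</property>
  <property name="Manager DN">cn=Manager,dc=example,dc=com</property>
  <property name="Manager Password">placeholder</property>
  <property name="Url">ldap://ldap.example.com:389</property>
</provider></identityProviders>"""

# Constructed START_TLS variant with a truststore set, as in the original post.
STARTTLS_CONF = SIMPLE_CONF.replace(">SIMPLE<", ">START_TLS<").replace(
    "</provider>",
    '<property name="TLS - Truststore">/opt/certs/jumpcloud.jks</property>'
    '<property name="TLS - Protocol">TLSv1.2</property></provider>')

# Constructed: a typographic quote closing an attribute, which XML parsers reject.
BROKEN_CONF = SIMPLE_CONF.replace('"Url"', '"Url\u201d')


def audit(xml_text):
    """Return a list of findings about each LDAP provider's transport settings."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for provider in root.iter("provider"):
        props = {p.get("name"): (p.text or "").strip() for p in provider.iter("property")}
        strategy = props.get("Authentication Strategy", "")
        scheme = urlsplit(props.get("Url", "")).scheme.lower()
        if strategy == "SIMPLE" and scheme == "ldap":
            findings.append("SIMPLE over ldap://: bind DN and passwords cross the network unencrypted")
        if strategy == "START_TLS" and scheme != "ldap":
            findings.append("START_TLS expects an ldap:// Url that is upgraded after connect")
        if strategy == "LDAPS" and scheme != "ldaps":
            findings.append("LDAPS expects an ldaps:// Url")
        if strategy in ("START_TLS", "LDAPS") and not props.get("TLS - Truststore"):
            findings.append("TLS strategy without 'TLS - Truststore': check how the server certificate is trusted")
    return findings


if __name__ == "__main__":
    for name, conf in [("simple", SIMPLE_CONF), ("starttls", STARTTLS_CONF), ("broken", BROKEN_CONF)]:
        print(name, audit(conf))
```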



