nifi-users mailing list archives

From Scott Howell <scotthow...@mobilgov.com>
Subject Re: Nifi Registry LDAP
Date Tue, 10 Apr 2018 20:05:04 GMT
I was able to remove the TLS information in the identity-provider.xml and was able to use my
remote LDAP to log in. So I think I am narrowing down the issue.



> On Apr 10, 2018, at 2:57 PM, Kevin Doran <kdoran@apache.org> wrote:
> 
> Thanks Scott,
>  
> I don’t see anything wrong with your configuration. I created a free jumpcloud account,
so I’ll try to recreate this issue and get back to you if I have any other insights.
>  
> Kevin
>  
> From: Scott Howell <scotthowell@mobilgov.com>
> Reply-To: <users@nifi.apache.org>
> Date: Tuesday, April 10, 2018 at 15:54
> To: <users@nifi.apache.org>
> Subject: Re: Nifi Registry LDAP
>  
> I was able to switch back to my local LDAP server and was able to login successfully.
The provider I am using in identity-providers.xml is as follows:
>  
> <provider>
>         <identifier>ldap-identity-provider</identifier>
>         <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>         <property name="Authentication Strategy">SIMPLE</property>
>  
>         <property name="Manager DN">cn=Manager,dc={redacted},dc=com</property>
>         <property name="Manager Password">{redacted}</property>
>  
>  
>         <property name="Referral Strategy">FOLLOW</property>
>         <property name="Connect Timeout">10 secs</property>
>         <property name="Read Timeout">10 secs</property>
>  
>         <property name="Url">ldap://{redacted}:389</property>
>         <property name="User Search Base">ou=users,dc={redacted},dc=com</property>
>         <property name="User Search Filter">uid={0}</property>
>  
>         <property name="Identity Strategy">USE_DN</property>
>         <property name="Authentication Expiration">12 hours</property>
>     </provider>
>  
> This is a super strange issue as to why nifi works with the remote LDAP and nifi-registry
does not. 
>  
> 
>> On Apr 10, 2018, at 2:18 PM, Scott Howell <scotthowell@mobilgov.com> wrote:
>>  
>> Thanks Kevin for sending that back,
>>  
>> This is what I see when looking at the Headers on the login. 
>> <Screen Shot 2018-04-10 at 2.15.35 PM.png>
>>  
>> The version of Nifi-Registry I am running is 0.1.0. What confuses me is that this
was working with my local LDAP fine. It just stopped working when I switched to setting up
the identity-provider.xml with the same credentials as my nifi-cluster. 
>>  
>>  
>> 
>> 
>>> On Apr 10, 2018, at 2:10 PM, Kevin Doran <kdoran@apache.org> wrote:
>>>  
>>> If everything is configured correctly, this error usually indicates that the
server did not locate your login credentials when processing the login request. That usually
means it will not even attempt to authenticate the credentials, so I'm not sure it is an LDAP
configuration error.
>>>  
>>> If you want to check this manually using developer tools in a browser (e.g.,
Chrome or Firefox) you can look at the HTTP traffic to see if credentials are being passed
to the server. NiFi Registry uses the HTTP Basic Auth protocol to login (credentials are encoded
in the Authorization header and passed to the server from the login page to generate a temporary
authentication token). 
>>>  
>>> So after clicking "Login", you should look for an HTTP POST to <base_url>/nifi-registry-api/access/token/login,
which should have an "Authorization" header with the value "Basic {encoded-username-and-password}"
>>>  
>>> If the credentials are there, it is likely something is misconfigured on the
server side with the identity provider so that login credentials are not even being looked
for. If the credentials are not there... well I've never seen that. I would probably ask if
your NiFi Registry server is running behind a load balancer or proxy that could be interfering
with HTTP headers?
>>>  
>>> What version of NiFi Registry are you using? 0.1.0 or a version built from source?
>>>  
>>> Hope this helps,
>>> Kevin
>>>  
>>>  
>>> On 4/10/18, 14:59, "Scott Howell" <scotthowell@mobilgov.com> wrote:
>>>  
>>>     Yes I did, I had Nifi-registry working with a local instance of LDAP running.
It's now not cooperating since I moved to using Jumpcloud.
>>>     
>>>     > On Apr 10, 2018, at 1:56 PM, Kevin Doran <kdoran@apache.org> wrote:
>>>     > 
>>>     > Hi Scott,
>>>     > 
>>>     > Did you configure nifi-registry.properties with:
>>>     > 
>>>     > nifi.registry.security.identity.provider=ldap-identity-provider
>>>     > 
>>>     > On 4/10/18, 14:53, "Scott Howell" <scotthowell@mobilgov.com> wrote:
>>>     > 
>>>     >    Thanks for all the help yesterday standing up LDAP for NIFI.
I was able to troubleshoot and fix the issues myself. I am running into a unique issue with
my Nifi-Registry: when I try to log in with my LDAP credentials like I do for the nifi cluster,
I get this in my logs:
>>>     > 
>>>     >    2018-04-10 18:43:15,303 INFO [NiFi Registry Web Server-18] o.a.n.r.w.s.NiFiRegistrySecurityConfig
AuthenticationEntryPoint invoked as no user identity credentials were found in the request.
>>>     > 
>>>     >    My identity-providers.xml is this:
>>>     >    <identityProviders>
>>>     >        <provider>
>>>     >            <identifier>ldap-identity-provider</identifier>
>>>     >            <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>>>     >            <property name="Authentication Strategy">START_TLS</property>
>>>     >            <property name="Manager DN">uid=nifi,ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>>>     >            <property name="Manager Password">{redacted}</property>
>>>     >            <property name="TLS - Keystore"></property>
>>>     >            <property name="TLS - Keystore Password"></property>
>>>     >            <property name="TLS - Keystore Type"></property>
>>>     >            <property name="TLS - Truststore">/opt/certs/jumpcloud.jks</property>
>>>     >            <property name="TLS - Truststore Password">{redacted}</property>
>>>     >            <property name="TLS - Truststore Type">JKS</property>
>>>     >            <property name="TLS - Client Auth"></property>
>>>     >            <property name="TLS - Protocol">TLSv1.2</property>
>>>     >            <property name="TLS - Shutdown Gracefully"></property>
>>>     >            <property name="Referral Strategy">FOLLOW</property>
>>>     >            <property name="Connect Timeout">10 secs</property>
>>>     >            <property name="Read Timeout">10 secs</property>
>>>     >            <property name="Url">ldap://ldap.jumpcloud.com:389</property>
>>>     >            <property name="User Search Base">ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>>>     >            <property name="User Search Filter">uid={0}</property>
>>>     >            <property name="Identity Strategy">USE_USERNAME</property>
>>>     >            <property name="Authentication Expiration">12 hours</property>
>>>     >        </provider>
>>>     >    </identityProviders>
>>>     > 
>>>     >    For the most part I grabbed most of this from my Nifi node login-identity-providers.xml
but I seem to have something messed up.
>>>     > 
>>>     >

