So interesting thing just happened. I added my TLS parts of the identity-provider.xml and I restarted the server and everything is working fine.

I don’t want you digging into it too much but it is a strange issue I was receiving. 

On Apr 10, 2018, at 3:21 PM, Kevin Doran <> wrote:

Thanks; that certainly narrows it down. It could be that you’ve uncovered a bug with the LdapIdentityProvider when using START_TLS. I’ll try to recreate it and dig into it on my end. Thanks for sharing all this info.
From: Scott Howell <>
Reply-To: <>
Date: Tuesday, April 10, 2018 at 16:05
To: <>
Subject: Re: Nifi Registry LDAP
I was able to remove the TLS information in the identity-provider.xml and was able to use my remote LDAP to login. So I think I am narrowing down the issue.

On Apr 10, 2018, at 2:57 PM, Kevin Doran <> wrote:
Thanks Scott,
I don’t see anything wrong with your configuration. I created a free jumpcloud account, so I’ll try to recreate this issue and get back to you if I have any other insights.
From: Scott Howell <>
Reply-To: <>
Date: Tuesday, April 10, 2018 at 15:54
To: <>
Subject: Re: Nifi Registry LDAP
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">cn=Manager,dc={redacted},dc=com</property>
        <property name="Manager Password">{redacted}</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap://{redacted}:389</property>
        <property name="User Search Base">ou=users,dc={redacted},dc=com</property>
        <property name="User Search Filter">uid={0}</property>
        <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
This is a super strange issue as to why nifi works with the remote LDAP and nifi-registry does not. 

On Apr 10, 2018, at 2:18 PM, Scott Howell <> wrote:
Thanks Kevin for sending that back,
This is what I see when looking at the Headers on the login. 
<Screen Shot 2018-04-10 at 2.15.35 PM.png>
The version of Nifi-Registry I am running is 0.1.0. What confuses me is that this was working with my local LDAP fine. It just stopped working when I switched to setting up the identity-provider.xml with the same credentials as my nifi-cluster. 

On Apr 10, 2018, at 2:10 PM, Kevin Doran <> wrote:
If everything is configured correctly, this error usually indicates that the server did not locate your login credentials when processing the login request. That usually means it will not even attempt to authenticate the credentials, so I'm not sure it is an LDAP configuration error.
If you want to check this manually using developer tools in a browser (e.g., Chrome or Firefox) you can look at the HTTP traffic to see if credentials are being passed to the server. NiFi Registry uses the HTTP Basic Auth protocol to login (credentials are encoded in the Authorization header and passed to the server from the login page to generate a temporary authentication token). 
So after clicking "Login", you should look for an HTTP POST to <base_url>/nifi-registry-api/access/token/login, which should have an "Authorization" header with the value "Basic {encoded-username-and-password}"
If the credentials are there, it is likely something is misconfigured on the server side with the identity provider so that login credentials are not even being looked for. If the credentials are not there... well I've never seen that. I would probably as if your NiFi Registry Server running behind a load balancer or proxy that could be interfering with HTTP headers?
What version of NiFi Registry are you using? 0.1.0 or a version built from source?
Hope this helps,
On 4/10/18, 14:59, "Scott Howell" <> wrote:
    Yes I did, I had Nifi-registry working with a local instances of LDAP running. It’s now not cooperating since I moved to using Jumpcloud. 
    > On Apr 10, 2018, at 1:56 PM, Kevin Doran <> wrote:
    > Hi Scott,
    > Did you configure with:
    > On 4/10/18, 14:53, "Scott Howell" <> wrote:
    >    Thanks for the all the help yesterday standing up LDAP for NIFI. I was able to troubleshoot and fix the issues myself. I am running into a unique issue with my Nifi-Registry when I try to login with my LDAP credentials like I do for the nifi cluster I get in my logs with this:
    >    2018-04-10 18:43:15,303 INFO [NiFi Registry Web Server-18] o.a.n.r.w.s.NiFiRegistrySecurityConfig AuthenticationEntryPoint invoked as no user identity credentials were found in the request.
    >    My identity-providers.xml is this:
    >    <identityProviders>
    >         <provider> 
    >                          <identifier>ldap-identity-provider</identifier>                                                                                                                                                                   <class></class> 
    >                          <property name="Authentication Strategy">START_TLS</property>
    >                          <property name="Manager DN">uid=nifi,ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
    >                          <property name="Manager Password">{redacted}</property> 
    >                          <property name="TLS - Keystore”>
    >                         </property>
    >                          <property name="TLS - Keystore Password"></property> 
    >                          <property name="TLS - Keystore Type"></property>
    >                          <property name="TLS - Truststore">/opt/certs/jumpcloud.jks</property> 
    >                          <property name="TLS - Truststore Password">{redacted}</property>                     
    >                         <property name="TLS - Truststore Type">JKS</property> 
    >                          <property name="TLS - Client Auth"></property> 
    >                          <property name="TLS - Protocol">TLSv1.2</property>
    >                          <property name="TLS - Shutdown Gracefully"></property>
    >                          <property name="Referral Strategy">FOLLOW</property> 
    >                          <property name="Connect Timeout">10 secs</property> 
    >                          <property name="Read Timeout">10 secs</property> 
    >                          <property name="Url">ldap://</property> 
    >                          <property name="User Search Base">ou=Users,o={redacted},dc=jumpcloud,dc=com</property> 
    >                          <property name="User Search Filter">uid={0}</property> 
    >                          <property name="Identity Strategy">USE_USERNAME</property> 
    >                          <property name="Authentication Expiration">12 hours</property> 
    >          </provider>
    >    </identityProviders>
    >    For the most part I grabbed most of this from my Nifi node login-identity-providers.xml but I seem to have something messed up.