Looks like you are using CompositeUserGroupProvider, which lets you combine multiple user group providers.

The error message is saying the same user identity exists in more than one of the user group providers, which is not allowed.

The identity in the message looks like an LDAP user, so make sure you didn't define that same user in the file user group provider.
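A small check for the two conditions discussed in this thread, written as an added example (not code from the thread or from NiFi): it reads the identities in the file user group provider's users.xml and compares them with the DNs the LDAP provider returns, reporting exact duplicates (the "Multiple UserGroupProviders claim to provide user" conflict) and near-duplicates that differ only in case or whitespace (the initial admin mismatch). The users.xml content and the LDAP DN list are constructed samples in the shape of NiFi's file provider format; the identities are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of NiFi's file-based users.xml (assumption, not from the thread).
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="a1" identity="CN=admin, OU=NIFI"/>
    <user identifier="a2" identity="uid=XXXXXX,cn=users,cn=accounts,dc=XXXX"/>
    <user identifier="a3" identity="UID=alice, CN=users, CN=accounts, DC=XXXX"/>
  </users>
</tenants>"""

# Constructed list of full DNs the LDAP user group provider would return.
LDAP_IDENTITIES = [
    "uid=XXXXXX,cn=users,cn=accounts,dc=XXXX",
    "uid=alice,cn=users,cn=accounts,dc=XXXX",
    "uid=bob,cn=users,cn=accounts,dc=XXXX",
]


def file_identities(users_xml):
    """Identities defined in the file user group provider."""
    root = ET.fromstring(users_xml)
    return [u.get("identity") for u in root.iter("user")]


def normalize(identity):
    """Fold case and whitespace around RDN separators. NiFi itself does NOT
    do this: it compares identities exactly, which is why a near-match is a problem."""
    return re.sub(r"\s*,\s*", ",", identity.strip()).lower()


def find_conflicts(users_xml, ldap_identities):
    """Return (exact, near): 'exact' are identities claimed by both providers
    (CompositeUserGroupProvider rejects these); 'near' are (file, ldap) pairs
    that differ only in case/whitespace and are silently treated as two users."""
    ldap = set(ldap_identities)
    by_norm = {normalize(i): i for i in ldap_identities}
    exact, near = [], []
    for ident in file_identities(users_xml):
        if ident in ldap:
            exact.append(ident)
        elif normalize(ident) in by_norm:
            near.append((ident, by_norm[normalize(ident)]))
    return exact, near


if __name__ == "__main__":
    print(find_conflicts(USERS_XML, LDAP_IDENTITIES))
```

Remove any identity reported as "exact" from users.xml (leave it to LDAP), and fix the spelling of any "near" pair to match the LDAP DN byte for byte before using it as the initial admin.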

On Tue, Aug 13, 2019 at 3:08 AM Felipe Garcia <felipe@garcia-lind.com> wrote:

Issue #1 - You should be able to specify an LDAP user as your initial admin, what is the error you get? 

Keep in mind it is case and white-space sensitive, and also depends on whether you are returning full DN or short name, it must match exactly.

Error:
Multiple UserGroupProviders claim to provide user uid=XXXXXX,cn=users,cn=accounts,dc=XXXX

Log file:

2019-08-13 16:49:40,976 INFO [NiFi Web Server-23] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Multiple UserGroupProviders claim to provide user uid=612442779,cn=users,cn=accounts,dc=ace. Returning Conflict response.
2019-08-13 16:49:40,977 DEBUG [NiFi Web Server-23] o.a.n.w.a.c.IllegalStateExceptionMapper
java.lang.IllegalStateException: Multiple UserGroupProviders claim to provide user uid=XXXXXX,cn=users,cn=accounts,dc=XXXX
        at org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider.getUserAndGroups(CompositeConfigurableUserGroupProvider.java:195)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

On Mon, Aug 5, 2019 at 10:38 PM Bryan Bende <bbende@gmail.com> wrote:
Hello,

Issue #1 - You should be able to specify an LDAP user as your initial admin, what is the error you get?

Keep in mind it is case and white-space sensitive, and also depends on whether you are returning full DN or short name, it must match exactly.

Issue #2 - Since you are able to query the API with the client cert, it seems like your cert is setup correctly.

Is there an error in nifi-app.log or nifi-user.log when you try to modify the policy? Can you modify policies through the UI without issues?

Tokens are only issued for login methods that are based on username and password, so it is expected behavior that you could not issue one for a cert user.

Thanks,

Bryan


On Sun, Aug 4, 2019 at 8:30 PM Felipe Garcia <felipe@garcia-lind.com> wrote:

Setup:

- a cluster of a few NiFi boxes
- set up to authenticate with LDAP
- users and groups in LDAP

Issue 1: unable to specify an LDAP user as Initial User


I have only been able to set up the cluster with a client certificate user.


Issue 2: I am unable to use the API with the initial certificate user to add an LDAP group.


I exported the cert and key into a usable format for curl


# openssl pkcs12 -in /opt/nifi-certs/CN\=admin_OU\=NIFI.p12 -out /opt/nifi-certs/CN\=admin_OU\=NIFI.key -nocerts -nodes

# openssl pkcs12 -in /opt/nifi-certs/CN\=admin_OU\=NIFI.p12 -out /opt/nifi-certs/CN\=admin_OU\=NIFI.pem -clcerts -nokeys -passin pass:changeme


I am able to query the API 


curl -k -X GET https://nifi01-sst140.dev.cloud.ace:9443/nifi-api/policies/read/flow --cert /opt/nifi-certs/CN=admin_OU=NIFI.pem --key /opt/nifi-certs/CN=admin_OU=NIFI.key --compressed



But I am unable to change or add via the API:

curl -k -X PUT -H 'Content-Type: application/json' https://nifi01-sst140.dev.cloud.ace:9443/nifi-api/policies/f99bccd1-a30e-3e4a-98a2-dbc708edc67f --cert /opt/nifi-certs/CN=admin_OU=NIFI.pem --key /opt/nifi-certs/CN=admin_OU=NIFI.key -d @/tmp/newpolicy.json

Unable to save Authorizations



I cannot create a token for a cert user:

curl -k -X POST 'https://nifi01-sst140.dev.cloud.ace:9443/nifi-api/access/token' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' --cert /opt/nifi-certs/CN\=admin_OU\=NIFI.pem --key /opt/nifi-certs/CN\=admin_OU\=NIFI.key --compressed

The username and password must be specified.