[ https://issues.apache.org/jira/browse/NIFI-2325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15714157#comment-15714157 ]

ASF GitHub Bot commented on NIFI-2325:
--------------------------------------

Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/1275

I set up a Docker container running OpenLDAP with certificates I generated using the NiFi TLS toolkit. If I configure `TLS_VERIFY_CLIENT=never` on OpenLDAP and `<property name="TLS - Client Auth">NONE</property>` in `login-identity-providers.xml`, the LDAP login provider works fine.

(Screenshot "Successful user authentication via LDAPS": https://cloud.githubusercontent.com/assets/798465/20823670/2c913e58-b80b-11e6-8353-a98746c5dfb6.png)

However, if I switch to `TLS_VERIFY_CLIENT=demand` and `<property name="TLS - Client Auth">REQUIRED</property>`, I get an "Unable to validate the supplied credentials" error on login and the `logs/nifi-bootstrap.log` fills with TLS negotiation output including the lines below:

```
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** CertificateVerify
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut Signature Algorithm SHA256withRSA
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Handshake, length = 264
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** Finished
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut verify_data:  { 12, 201, 103, 33, 205, 116, 165, 164, 117, 65, 44, 206 }
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut ***
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Handshake, length = 96
2016-12-01 21:19:12,956 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, READ: TLSv1.2 Change Cipher Spec, length = 1
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, READ: TLSv1.2 Handshake, length = 96
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut *** Finished
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut verify_data:  { 67, 162, 103, 118, 253, 199, 182, 215, 157, 89, 207, 22 }
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut ***
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut %% Cached client session: [Session-346, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, setSoTimeout(0) called
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 112
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, received EOFException: ignored
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called closeInternal(false)
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, SEND TLSv1.2 ALERT:  warning, description = close_notify
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, WRITE: TLSv1.2 Alert, length = 80
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called closeSocket(false)
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called close()
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called closeInternal(true)
2016-12-01 21:19:12,970 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 250
2016-12-01 21:19:12,970 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 7
```

I want to continue investigating this tomorrow because I can produce odd results even using the `ldapsearch` tool locally (OpenLDAP configured with client verify `never`):

```
### Trying on port 389 (no TLS)
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto 🔓 4s @ 21:41:04 $ ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -p 389 -v
ldap_initialize( ldap://localhost:389 )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.org
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example

# admin, example.org
dn: cn=admin,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9NWsyemxnYmc3dk1wR2RqVERRQkJCVVlIQ0tQYm04aUo=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

### Trying on port 636 (LDAPS)
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto 🔓 23s @ 21:41:28 $ ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -p 636 -v
ldap_initialize( ldap://localhost:636 )
ldap_result: Can't contact LDAP server (-1)

### Trying to force TLS (-Z is actually for START_TLS)
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto 🔓 6s @ 21:42:54 $ ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -p 636 -v -Z
ldap_initialize( ldap://localhost:636 )
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

### Verifying that a successful TLS session is negotiated on port 636
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto 🔓 3s @ 21:42:57 $ openssl s_client -connect localhost:636 -debug -state -CAfile cacert.crt -cert ldaps.pem -key ldaps.key
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7f87c1dc3a00 [0x7f87c2811600] (308 bytes => 308 (0x134))
0000 - 16 03 01 01 2f 01 00 01-2b 03 03 09 b3 3c a2 de   ..../...+....<..
...
---
SSL handshake has read 2195 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4B35F1...5641E8
    Session-ID-ctx:
    Master-Key: DBCB82...996654
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1480657473
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Q
DONE
write to 0x7f87c1dc3a00 [0x7f87c281b203] (31 bytes => 31 (0x1F))
0000 - 15 03 03 00 1a 0b 43 b5-33 0f 65 b2 0a 9d 80 e5   ......C.3.e.....
0010 - ef e5 54 12 a9 e5 a9 da-1f d5 87 31 5f 5c d7      ..T........1_\.
SSL3 alert write:warning:close notify

### Verifying that a TLS session is not negotiated over port 389
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto 🔓 102s @ 21:44:40 $ openssl s_client -connect localhost:389 -debug -state -CAfile cacert.crt -cert ldaps.pem -key ldaps.key
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7f9808700450 [0x7f9809001c00] (308 bytes => 308 (0x134))
0000 - 16 03 01 01 2f 01 00 01-2b 03 03 98 11 20 40 b6   ..../...+.... @.
...
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1480657486
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
```

> Add support for LDAPS in authentication provider
> ------------------------------------------------
>
>                 Key: NIFI-2325
>                 URL: https://issues.apache.org/jira/browse/NIFI-2325
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.0.0
>            Reporter: Joseph Witt
>            Assignee: Matt Gilman
>             Fix For: 1.2.0
>
>
> [~mcgilman] [~alopresto] please add thoughts if you have them.
> I propose we add support for LDAPS despite StartTLS being the now preferred
> approach. This offers more flexibility for use with many of the long
> standing LDAP environments out there.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
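An added example, not from the PR or the NiFi project: a small Python triage script for the JSSE handshake output that NiFi's bootstrap logger wraps, as in the `nifi-bootstrap.log` excerpt in the comment above. It groups the TLS events per thread and separates "the peer rejected the handshake or certificate" from "the handshake completed, so the failure is above the TLS layer". The sample log lines are constructed in the shape of that excerpt, and the attribution of unprefixed lines such as `*** Finished` to the most recent thread is a heuristic.

```python
import re
from collections import defaultdict
# Constructed sample shaped like the nifi-bootstrap.log excerpt (JSSE debug output wrapped by
# NiFi's StdOut logger); illustrative lines, not copied from a real run.
SAMPLE_LOG = """\
2016-12-01 21:19:12,950 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Handshake, length = 1547
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** CertificateVerify
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** Finished
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, READ: TLSv1.2 Handshake, length = 96
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut *** Finished
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 112
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, received EOFException: ignored
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, SEND TLSv1.2 ALERT: warning, description = close_notify
"""

MSG = re.compile(r"org\.apache\.nifi\.StdOut (.*)$")
THREADED = re.compile(r"^([\w .-]+), (.*)$")   # "NiFi Web Server-95, WRITE: ..."
ALERT = re.compile(r"ALERT:\s*\w+, description = (\w+)")
# Alert descriptions meaning the peer rejected the certificate or handshake itself.
FATAL = {"handshake_failure", "bad_certificate", "certificate_unknown", "unknown_ca", "certificate_required"}

def summarize(log_text):
    """Per-thread TLS events; unprefixed lines ('*** Finished') go to the last thread seen (heuristic)."""
    threads = defaultdict(lambda: {"cert_verify": False, "finished": 0, "app_write": 0, "app_read": 0, "eof": False, "alerts": []})
    current = "(unattributed)"
    for msg in [m.group(1) for raw in log_text.splitlines() if (m := MSG.search(raw))]:
        t = THREADED.match(msg)
        if t:
            current, msg = t.groups()
        st = threads[current]
        if msg.startswith("*** CertificateVerify"):
            st["cert_verify"] = True      # client presented a cert and proved key possession
        elif msg.startswith("*** Finished"):
            st["finished"] += 1           # two Finished messages == handshake complete
        elif "Application Data" in msg:
            st["app_write" if msg.startswith("WRITE") else "app_read"] += 1
        elif "EOFException" in msg:
            st["eof"] = True
        st["alerts"] += ALERT.findall(msg)
    return dict(threads)

def diagnose(st):
    """Separate a TLS-layer rejection from a failure above TLS (e.g. the LDAP bind itself)."""
    if FATAL & set(st["alerts"]):
        return "rejected at TLS layer"
    if st["finished"] >= 2 and st["app_write"] and not st["app_read"]:
        return "handshake completed, no application data read back"
    return "handshake completed" if st["finished"] >= 2 else "handshake incomplete"
```

Run it over a real `nifi-bootstrap.log` captured with `javax.net.debug` enabled and print `diagnose()` per thread; a completed handshake with `cert_verify` set points the investigation at the LDAP bind rather than at the certificates.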