[ 
https://issues.apache.org/jira/browse/NIFI-8228?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Villard resolved NIFI-8228.
----------------------------------
    Resolution: Feedback Received

Apache NiFi 1.x is no longer maintained and no new release is planned on the 
1.x release line. Marking as resolved as part of a cleanup operation. Please 
open a new one with an updated description if this is still relevant for NiFi 
2.x.

> Microsoft Active Directory LDAP integration bug
> -----------------------------------------------
>
>                 Key: NIFI-8228
>                 URL: https://issues.apache.org/jira/browse/NIFI-8228
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.12.1
>            Reporter: Rafael Micó
>            Priority: Major
>              Labels: security
>             Fix For: 1.12.1
>
>
> Hi
>  
> When trying to integrate both Authentication and Authorization of NiFi with 
> Microsoft Active Directory via LDAP, we have seen that NiFi is unable to 
> relate a valid Authentication done via ldap-provider 
> (org.apache.nifi.ldap.LdapProvider) with an Authorization (user to group 
> relationship) done via ldap-user-group-provider 
> (org.apache.nifi.ldap.tenants.LdapUserGroupProvider).
>  
> As we have seen in the NiFi logs (enabling DEBUG mode) and on TCPDUMP dumps, 
> the issue seems to be related to the ldap-provider authentication. 
> Summarizing:
> 1.- ldap-provider binds to the LDAP service with the "Manager DN" credentials.
> 2.- LDAP server (Microsoft Active Directory) responds with a successful bind
> 3.- ldap-provider searches for the user trying to log in (using 
> sAMAccountName attribute)
> 4.- LDAP server (Microsoft Active Directory) responds with the information 
> of the relevant user. In this information, the attribute "distinguishedName" 
> is provided like "CN=John,OU=Users,OU=domain,OU=internal"
> 5.- ldap-provider binds to the LDAP service with the logged user credentials 
> but using the distinguishedName "cn=John,ou=Users,ou=domain,ou=internal", 
> *with lowercase LDAP prefixes*
> 6.- LDAP server (Microsoft Active Directory) responds with a successful bind 
> as the LDAP prefixes are accepted in uppercase or lowercase
> 7.- ldap-user-group-provider searches for 
> "CN=John,OU=Users,OU=domain,OU=internal", the authenticated user, against 
> "CN=John,OU=Users,OU=domain,OU=internal", the user that has been found in the 
> LDAP authorization. The difference in the LDAP prefixes causes the 
> "CN=John,OU=Users,OU=domain,OU=internal" not to belong to any authorized 
> group, thereafter rejecting the user.
>  
> The solution will be that ldap-provider performs the bind to the Active 
> Directory LDAP server using the same string for distinguishedName as it 
> received it from the LDAP server, not changing it to lowercase.
>  
> Our configuration
> NiFi login-identity-providers.xml:
>  
> {code:java}
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <loginIdentityProviders>
>     <!-- https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider -->
>     <provider>
>         <identifier>ldap-provider</identifier>
>         <class>org.apache.nifi.ldap.LdapProvider</class>
>         <property name="Authentication Strategy">SIMPLE</property>
>         <property name="Manager DN">CN=Nifi,OU=Special Accounts,DC=domain,DC=internal</property>
>         <property name="Manager Password">*****************</property>
>         <property name="Referral Strategy">FOLLOW</property>
>         <property name="Connect Timeout">10 secs</property>
>         <property name="Read Timeout">10 secs</property>
>         <property name="Url">ldap://adserver.domain.internal:389</property>
>         <property name="User Search Base">OU=Users,DC=domain,DC=internal</property>
>         <property name="User Search Filter">sAMAccountName={0}</property>
>         <property name="Identity Strategy">USE_DN</property>
>         <property name="Authentication Expiration">12 hours</property>
>     </provider>
> </loginIdentityProviders>
> {code}
>  
>  
> NiFi authorizers.xml:
> {code:java}
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizers>
>     <!-- https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider -->
>     <userGroupProvider>
>         <identifier>file-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>         <property name="Users File">./conf/users.xml</property>
>         <property name="Legacy Authorized Users File"></property>
>         <property name="Initial User Identity Node1">CN=nifi_admin, OU=nifi</property>
>     </userGroupProvider>
>     <userGroupProvider>
>         <identifier>ldap-user-group-provider</identifier>
>         <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
>         <property name="Authentication Strategy">SIMPLE</property>
>         <property name="Manager DN">CN=Nifi,OU=Special Accounts,DC=domain,DC=internal</property>
>         <property name="Manager Password">*****************</property>
>         <property name="Referral Strategy">FOLLOW</property>
>         <property name="Connect Timeout">10 secs</property>
>         <property name="Read Timeout">10 secs</property>
>         <property name="Url">ldap://adserver.domain.internal:389</property>
>         <property name="Page Size"></property>
>         <property name="Sync Interval">10 mins</property>
>         <property name="Group Membership - Enforce Case Sensitivity">false</property>
>         <property name="User Search Base">OU=Users,DC=domain,DC=internal</property>
>         <property name="User Object Class">user</property>
>         <property name="User Search Scope">SUBTREE</property>
>         <property name="User Search Filter">(memberOf=CN=GG_NIFI_Allowed_Users,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal)</property>
>         <property name="User Identity Attribute">distinguishedName</property>
>         <property name="User Group Name Attribute">memberOf</property>
>         <property name="User Group Name Attribute - Referenced Group Attribute">distinguishedName</property>
>         <property name="Group Search Base">OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal</property>
>         <property name="Group Object Class">group</property>
>         <property name="Group Search Scope">ONE_LEVEL</property>
>         <property name="Group Search Filter"></property>
>         <property name="Group Name Attribute"></property>
>         <!--
>         <property name="Group Member Attribute">member</property>
>         <property name="Group Member Attribute - Referenced User Attribute">distinguishedName</property>
>         -->
>     </userGroupProvider>
>     <userGroupProvider>
>         <identifier>composite-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
>         <property name="User Group Provider 1">ldap-user-group-provider</property>
>         <property name="User Group Provider 2">file-user-group-provider</property>
>     </userGroupProvider>
>     <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">composite-user-group-provider</property>
>         <property name="Authorizations File">./conf/authorizations.xml</property>
>         <property name="Initial Admin Identity">CN=nifi_admin, OU=nifi</property>
>         <property name="Legacy Authorized Users File"></property>
>         <property name="Node Identity 1"></property>
>         <property name="Node Group"></property>
>     </accessPolicyProvider>
>     <authorizer>
>         <identifier>managed-authorizer</identifier>
>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>         <property name="Access Policy Provider">file-access-policy-provider</property>
>     </authorizer>
> </authorizers>
> {code}
> Extract of NiFi nifi-app.log:
>  
> {noformat}
> 2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider -------------------------------------
> 2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider Loaded the following users from LDAP:
> 2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[e4e7bd27-cad9-37c1-af53-a5fb7898de66], identity[CN=Peter,OU=Development,OU=Users,DC=domain,DC=internal]
> 2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[1f8d8309-31d9-3831-a3c0-2a9909500d7f], identity[CN=Frank,OU=Development,OU=Users,DC=domain,DC=internal]
> 2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[7c635418-5897-32a9-8e5b-5a7d9594b7f9], identity[CN=John,OU=Users,DC=domain,DC=internal]
> 2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider --------------------------------------
> 2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider Loaded the following groups from LDAP:
> 2021-02-16 06:44:45,814 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[f26c7633-396e-3bdd-83b3-1e395606346d], name[CN=GG_NIFI_Admins,OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal], users[7c635418-5897-32a9-8e5b-5a7d9594b7f9]
> 2021-02-16 06:44:45,814 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[39854ab9-993e-3523-8c52-193e7e1fdb89], name[CN=GG_NIFI_Users,OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal], users[1f8d8309-31d9-3831-a3c0-2a9909500d7f, e4e7bd27-cad9-37c1-af53-a5fb7898de66]
> 2021-02-16 06:44:45,814 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider --------------------------------------
> {noformat}
> Extract of NiFi nifi-user.log:
>  
> {noformat}
> 2021-02-15 14:07:59,252 INFO [NiFi Web Server-170] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi.domain.internal:9443/nifi-api/flow/current-user (source ip: X.Y.Z.W)
> 2021-02-15 14:07:59,260 INFO [NiFi Web Server-170] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=John,ou=Users,ou=domain,ou=internal
> 2021-02-15 14:07:59,301 INFO [NiFi Web Server-170] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=John,ou=Users,ou=domain,ou=internal], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=John,ou=Users,ou=domain,ou=internal'. Returning Forbidden response.
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
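The failure the report describes comes down to how an identity string is compared: the directory accepts "CN=John,..." and "cn=John,..." as the same entry because RFC 4514 attribute types are case-insensitive, but a byte-for-byte lookup of the authenticated identity against the synced user list treats them as two different users and ends in "Unknown user". The following is an added example, not NiFi code, that compares DNs structurally (attribute types lower-cased, whitespace around RDN separators dropped, escaped commas inside values respected) and then scans authentication-success log lines for identities that only differ from a known identity by case. The DNs and log lines are constructed from the values quoted in the report; KNOWN_IDENTITIES and SAMPLE_LOG are assumptions made for the example.

```python
"""Structural comparison of LDAP distinguished names.

Added example for the NIFI-8228 discussion; this is not NiFi code. The DNs and
log lines below are constructed from the values quoted in the report.
"""
import re


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs.

    Backslash escapes are honoured so that an escaped comma inside a value
    (e.g. "CN=Smith\\, John") does not start a new RDN. Multi-valued RDNs
    ("cn=a+sn=b") are kept as a single value; they are rare in AD user DNs.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))

    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def normalize_dn(dn: str, case_sensitive_values: bool = False) -> str:
    """Canonical string form of a DN.

    Attribute types (CN, OU, DC) are case-insensitive per RFC 4514, so they
    are always lower-cased and surrounding whitespace is dropped. Values are
    lower-cased as well unless the caller needs case-sensitive value matching.
    """
    parts = []
    for attr_type, value in parse_dn(dn):
        if not case_sensitive_values:
            value = value.lower()
        parts.append(f"{attr_type.lower()}={value}")
    return ",".join(parts)


def dn_equal(a: str, b: str, case_sensitive_values: bool = False) -> bool:
    """True when two DN strings name the same directory entry."""
    return normalize_dn(a, case_sensitive_values) == normalize_dn(b, case_sensitive_values)


# Constructed: identities an authorizer has loaded, in the DN form the report's
# step 4 shows (upper-case attribute types, as returned by the directory).
KNOWN_IDENTITIES = [
    "CN=John,OU=Users,OU=domain,OU=internal",
    "CN=Peter,OU=Development,OU=Users,OU=domain,OU=internal",
]

# Constructed log lines modelled on the nifi-user.log excerpt in the report.
SAMPLE_LOG = [
    "2021-02-15 14:07:59,260 INFO [NiFi Web Server-170] "
    "o.a.n.w.s.NiFiAuthenticationFilter Authentication success for "
    "cn=John,ou=Users,ou=domain,ou=internal",
    "2021-02-15 14:08:12,004 INFO [NiFi Web Server-171] "
    "o.a.n.w.s.NiFiAuthenticationFilter Authentication success for "
    "CN=Peter,OU=Development,OU=Users,OU=domain,OU=internal",
]

AUTH_SUCCESS = re.compile(r"Authentication success for (.+?)\s*$")


def find_case_only_mismatches(log_lines, known_identities):
    """Return (authenticated identity, known identity) pairs whose strings
    differ but name the same DN: exactly what a byte-wise identity lookup
    turns into an "Unknown user" rejection."""
    findings = []
    for line in log_lines:
        m = AUTH_SUCCESS.search(line)
        if not m:
            continue
        ident = m.group(1)
        if ident in known_identities:
            continue                      # exact match, nothing to report
        for known in known_identities:
            if dn_equal(ident, known):
                findings.append((ident, known))
    return findings


if __name__ == "__main__":
    for ident, known in find_case_only_mismatches(SAMPLE_LOG, KNOWN_IDENTITIES):
        print(f"authenticated as {ident!r} but the authorizer knows {known!r}")
```

Run as a script it reports the John entry only: Peter's line matches a known identity exactly and is skipped. The `case_sensitive_values` switch is there because attribute types are always case-insensitive while value matching depends on the directory's matching rules; Active Directory matches DN values case-insensitively, so the default is the right choice for the setup in the report.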
