[
https://issues.apache.org/jira/browse/NIFIREG-71?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16290980#comment-16290980
]
ASF GitHub Bot commented on NIFIREG-71:
---------------------------------------
Github user kevdoran commented on the issue:
https://github.com/apache/nifi-registry/pull/56
Hey @bbende, I tried this out and it worked for me. Using a NiFi Registry
server I had configured for LDAP login authentication, I was able to access the
server using a certificate trusted by the server without a token generated from
login credentials, which was pretty cool.
In testing different scenarios (e.g., could I still authenticate with a JWT
based on LDAP credentials without providing a client cert), it was difficult
for me to change the behavior of what my browser was doing. Chrome still wanted
to send the certificate I had previously selected from my Mac's System Keychain
and ultimately I had to delete that certificate there to force it to prompt me
again. Likewise, once I selected no certificate, I had to delete the server's
cert that I had previously. This is quite
> Unable to use client cert when needClientAuth is false
> ------------------------------------------------------
>
> Key: NIFIREG-71
> URL: https://issues.apache.org/jira/browse/NIFIREG-71
> Project: NiFi Registry
> Issue Type: Bug
> Reporter: Bryan Bende
> Assignee: Bryan Bende
> Fix For: 0.0.1
>
>
> When configuring the registry for LDAP or Kerberos you need to set
> needClientAuth to false, but you should still be able to optionally use a
> client cert.
> Currently it appears that JettyServer is setting needClientAuth to true or
> false based on the value in nifi-registry.properties, but it should be
> setting wantClientAuth to true when needClientAuth is false so that certs are
> still optional.
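The difference between the two settings named in the issue description, as an added example that is not code from NiFi Registry or from the pull request. It uses only the JDK's `SSLEngine`, where need and want client auth have the same meaning. The class and method names are hypothetical, and the boolean parameter stands in for the value read from nifi-registry.properties.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class ClientAuthModes {

    // Behaviour described in the issue: only needClientAuth follows the
    // property, so "false" means a client certificate is never requested.
    static void configureAsReported(SSLEngine engine, boolean needClientAuth) {
        engine.setNeedClientAuth(needClientAuth);
    }

    // Behaviour the issue asks for: when a certificate is not required it is
    // still requested, so a client may present one or use a login token.
    static void configureAsProposed(SSLEngine engine, boolean needClientAuth) {
        if (needClientAuth) {
            engine.setNeedClientAuth(true);
        } else {
            // On the JDK engine each setter overrides the other, so want is
            // only set on the branch where need is false.
            engine.setWantClientAuth(true);
        }
    }

    static String describe(SSLEngine engine) {
        if (engine.getNeedClientAuth()) return "required (handshake fails without a client cert)";
        if (engine.getWantClientAuth()) return "optional (cert requested, handshake continues without one)";
        return "none (client cert never requested)";
    }

    static SSLEngine newServerEngine() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // server side of the handshake
        return engine;
    }

    public static void main(String[] args) throws Exception {
        for (boolean need : new boolean[] {true, false}) {
            SSLEngine reported = newServerEngine();
            configureAsReported(reported, need);
            SSLEngine proposed = newServerEngine();
            configureAsProposed(proposed, need);
            System.out.printf("needClientAuth=%s%n  as reported: %s%n  as proposed: %s%n",
                    need, describe(reported), describe(proposed));
        }
    }
}
```

With the optional mode, a connection that arrives without a certificate is still accepted at the TLS layer, so the application's own login check (LDAP or Kerberos in the issue) remains the control that decides access.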