[ https://issues.apache.org/jira/browse/NIFI-4847?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Georgy updated NIFI-4847:
-------------------------
    Description: 
Hi guys,

I have a problem when using LDAP Auth with LDAP Authorization in NiFi secure 
cluster mode.

My DN in AD looks like this:
 CN=Lastname Firstname Middlename, OU=..., ... 
 where the CN consists of Cyrillic chars (Russian alphabet)

After successful LDAP auth and applying the specified mappings, NiFi passes the CN only 
(only 1st, last, middle name) to the LDAP authorizer. In single mode I have no 
problems, my CN successfully passes authorization. But in cluster mode I get 
this error:
 Unknown user with identity 'Ð<U+0091>езÑ<U+0080>Ñ<U+0083>киÑ<U+0085> 
Ð<U+0093>еоÑ<U+0080>гийÐ<U+0093>еннадÑ<U+008C>евиÑ<U+0087>'. 
Returning Forbidden response.
 See attached screenshot with error message in UI.

It seems that there are ISO-8859-1 chars but NiFi tries to implement them as a UTF-8 
sequence. I can't understand what the reason for this transformation in cluster 
mode is.

I've tried LDAP auth with "Identity Strategy = USE_USERNAME" without any 
mappings and specified my sAMAccountName in file-user-group-provider as Initial 
User Identity. This workaround works but I have to create other LDAP users 
manually. So I would prefer LDAP authorization.

Can you help me to find a solution?

You can find conf & logs in attachment.

 

Env:
 2 node cluster
 NiFi 1.5.0
 RHEL 7.3
 Windows AD

 

  was:
Hi guys,

I have a problem when using LDAP Auth with LDAP Authorization in NiFi secure 
cluster mode.

My DN in AD looks like this:
 CN=Lastname Firstname Middlename, OU=..., ... 
 where the CN consists of Cyrillic chars (Russian alphabet)

After successful LDAP auth and applying the specified mappings, NiFi passes the CN only 
(only 1st, last, middle name) to the LDAP authorizer. In single mode I have no 
problems, my CN successfully passes authorization. But in cluster mode I get 
this error:
 Unknown user with identity 'Ð<U+0091>езÑ<U+0080>Ñ<U+0083>киÑ<U+0085> 
Ð<U+0093>еоÑ<U+0080>гийÐ<U+0093>еннадÑ<U+008C>евиÑ<U+0087>'. 
Returning Forbidden response.
 See attached screenshot with error message in UI.

It seems that there are ISO-8859-1 chars but NiFi tries to implement them as a UTF-8 
sequence. I can't understand what the reason for this transformation in cluster 
mode is.

I've tried LDAP auth with "Identity Strategy = USE_USERNAME" without any 
mappings and specified my sAMAccountName in file-user-group-provider as Initial 
User Identity. This workaround works but I have to create other LDAP users 
manually. So I would prefer LDAP authorization.

Can you help me to find out a solution?

You can find conf & logs in attachment.

 

Env:
 2 node cluster
 NiFi 1.5.0
 RHEL 7.3
 Windows AD

 


> Ldap authorization problem in secure cluster
> --------------------------------------------
>
>                 Key: NIFI-4847
>                 URL: https://issues.apache.org/jira/browse/NIFI-4847
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.5.0
>         Environment: 2 node cluster
> RHEL 7.3
> NiFi 1.5.0
> Windows AD
>            Reporter: Georgy
>            Priority: Major
>         Attachments: nifi.zip, nifi_error.PNG



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
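
The encoding mismatch the reporter suspects can be checked against a log line with a small diagnostic. This is an added example, not part of the original issue and not NiFi code; the sample identity, `KNOWN_IDENTITIES` and the function names are constructed for illustration, and a positive result only shows that the logged identity is UTF-8 read as ISO-8859-1, not where in the cluster that happens.

```python
import re

# Constructed sample: a Cyrillic CN as the authorizer would hold it
# (assumption for this example, not a value from the issue).
KNOWN_IDENTITIES = {"Иванов Иван Иванович"}

# Message format as quoted in the issue description.
LOG_RE = re.compile(
    r"Unknown user with identity '(.*?)'\. Returning Forbidden response\.", re.S
)

def garble(identity: str) -> str:
    """Reproduce the symptom: UTF-8 bytes read back as ISO-8859-1.

    Every byte becomes one character, so each Cyrillic letter turns into
    two characters, the second often a C1 control (U+0080..U+009F).
    """
    return identity.encode("utf-8").decode("iso-8859-1")

def repair(identity: str):
    """Undo the mis-decoding; return None if the string is not such mojibake."""
    try:
        raw = identity.encode("iso-8859-1")  # fails if any char is above U+00FF
        fixed = raw.decode("utf-8")          # fails if the bytes are not UTF-8
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None
    # Pure ASCII round-trips unchanged and is not mojibake.
    return fixed if fixed != identity else None

def diagnose(log_line: str, known: set):
    """Extract the rejected identity and test whether repairing it matches a known user."""
    match = LOG_RE.search(log_line)
    if not match:
        return None
    seen = match.group(1)
    fixed = repair(seen)
    return {
        "seen": seen,
        "repaired": fixed,
        "known_as_seen": seen in known,
        "known_after_repair": fixed in known,
    }

if __name__ == "__main__":
    line = ("Unknown user with identity '%s'. Returning Forbidden response."
            % garble("Иванов Иван Иванович"))
    print(diagnose(line, KNOWN_IDENTITIES))
```

If `known_after_repair` is true while `known_as_seen` is false, the authorizer holds the correct identity and the value was mis-decoded somewhere before the lookup.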