[
https://issues.apache.org/jira/browse/NIFI-6860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16984219#comment-16984219
]
Josef Zahner commented on NIFI-6860:
------------------------------------
Hi Nathan
Of course I can share the config (I have replaced some secure keywords like
passwords).
Yes, we have a keystore configured in authorizers.xml. The same as in the
nifi.properties. To be honest I never thought about it, we just copied the
keystore/truststore config. One speciality about the keystore, even if I think
it's not relevant. We are using as CN the following name "*.corproot.net", but
as SAN (subject alternative name) we have all the hostnames we use for nifi,
e.g. nifi-01.corproot.net and nifi-02.corproot.net, ... So at the end we can use
only one keystore for all our nifi nodes, doesn't matter whether cluster or
single node. Ah and the keystore is a client & server cert, that's a
requirement because we use it as well for the cluster communication.
For a test I've removed the keystore from authorizers.xml config with java-11,
same result - error 13.
*nifi.properties:*
{code:java}
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=ldap-provider
{code}
*authorizers.xml -> (attached to ticket; header xml lines are missing, sorry)*
*login-identity-providers.xml -> attached to ticket*
What else do you need?
> Upgrade NiFi 1.9.2 to 1.10.0 - Java11 LDAP (START_TLS) Issue
> ------------------------------------------------------------
>
> Key: NIFI-6860
> URL: https://issues.apache.org/jira/browse/NIFI-6860
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.10.0
> Environment: NiFi Single Node with HTTPS/LDAP enabled; CentOS 7.x
> Reporter: Josef Zahner
> Assignee: Nathan Gough
> Priority: Blocker
> Labels: Java11, LDAP, Nifi, START-TLS
> Attachments: Screenshot 2019-11-11 at 11.14.52.png, authorizers.xml,
> login-identity-providers.xml
>
>
> We would like to upgrade from NiFi 1.9.2 to 1.10.0 and we have HTTPS with
> LDAP (START_TLS) authentication successfully enabled on 1.9.2. Now after
> upgrading, we have an issue which prevents nifi from starting up:
> {code:java}
> 2019-11-11 08:29:30,447 ERROR [main] o.s.web.context.ContextLoader Context
> initialization failed
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
> creating bean with name
> 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
> Unsatisfied dependency expressed through method
> 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
> org.springframework.beans.factory.BeanExpressionException: Expression parsing
> failed; nested exception is
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
> creating bean with name
> 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency
> expressed through method 'setJwtAuthenticationProvider' parameter 0; nested
> exception is org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'jwtAuthenticationProvider' defined in class path
> resource [nifi-web-security-context.xml]: Cannot resolve reference to bean
> 'authorizer' while setting constructor argument; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating bean
> with name 'authorizer': FactoryBean threw exception on object creation;
> nested exception is
> org.springframework.ldap.AuthenticationNotSupportedException: [LDAP: error
> code 13 - confidentiality required]; nested exception is
> javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 -
> confidentiality required]
> at
> org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:666)
> at
> org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:87)
> at
> org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:366)
> at
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1269)
> at
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:551)
> at
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481)
> at
> org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:312)
> at
> org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
> at
> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:308)
> at
> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
> at
> org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:761)
> at
> org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867)
> at
> org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:543)
> at
> org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:443)
> at
> org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:325)
> at
> org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:107){code}
> In authorizers.xml we added the line “{{<property name="Group Membership -
> Enforce Case Sensitivity">false</property>}}”, but besides that, at least
> the authorizers.xml is the same. Does anybody have an idea what could cause the error?
> NiFi-5839 seems to be related to the property above. Other than that I found
> no change regarding LDAP authentication...
> https://issues.apache.org/jira/browse/NIFI-5839
> Any help would be appreciated