[GitHub] nifi issue #1275: NIFI-2325 - Add support for LDAPS

2016-12-02 Thread alopresto
Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/1275
  
I coordinated with @mcgilman this morning and he demoed LDAPS with client 
verify `demand` and LIP `REQUIRED` as working successfully (for TLS 
negotiation, not `SASL EXTERNAL` client authentication for LDAPS). I think it 
may have been a hostname resolution issue on my machine. We also verified 
`START_TLS` still works with these changes, and that ldapsearch worked 
successfully over port 636 when the ldaps protocol was explicitly indicated. 

```
root@80da99977283:/# ldapsearch -x -b dc=example,dc=org -D 
"cn=admin,dc=example,dc=org" -w admin -v -H ldaps://localhost:636
ldap_initialize( ldaps://localhost:636/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base
```

[GitHub] nifi issue #1275: NIFI-2325 - Add support for LDAPS

2016-12-01 Thread alopresto
Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/1275
  
I set up a Docker container running OpenLDAP with certificates I generated 
using the NiFI TLS toolkit. If I configure `TLS_VERIFY_CLIENT=never` on 
OpenLDAP and `NONE` in 
`login-identity-providers.xml`, the LDAP login provider works fine. 

https://cloud.githubusercontent.com/assets/798465/20823670/2c913e58-b80b-11e6-8353-a98746c5dfb6.png

However, if I switch to `TLS_VERIFY_CLIENT=demand` and `REQUIRED`, I get an "Unable to validate the supplied 
credentials" error on login and the `logs/nifi-bootstrap.log` fills with TLS 
negotiation output including the lines below:

```
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut 
*** CertificateVerify
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut 
Signature Algorithm SHA256withRSA
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut 
NiFi Web Server-95, WRITE: TLSv1.2 Handshake, length = 264
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut 
NiFi Web Server-95, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut 
*** Finished
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut 
verify_data:  { 12, 201, 103, 33, 205, 116, 165, 164, 117, 65, 44, 206 }
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut 
***
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut 
NiFi Web Server-95, WRITE: TLSv1.2 Handshake, length = 96
2016-12-01 21:19:12,956 INFO [NiFi logging handler] org.apache.nifi.StdOut 
NiFi Web Server-95, READ: TLSv1.2 Change Cipher Spec, length = 1
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut 
NiFi Web Server-95, READ: TLSv1.2 Handshake, length = 96
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut 
*** Finished
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut 
verify_data:  { 67, 162, 103, 118, 253, 199, 182, 215, 157, 89, 207, 22 }
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut 
***
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut 
%% Cached client session: [Session-346, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut 
NiFi Web Server-95, setSoTimeout(0) called
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut 
NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 112
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut 
Thread-36, received EOFException: ignored
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut 
Thread-36, called closeInternal(false)
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut 
Thread-36, SEND TLSv1.2 ALERT:  warning, description = close_notify
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut 
Thread-36, WRITE: TLSv1.2 Alert, length = 80
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut 
Thread-36, called closeSocket(false)
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut 
Thread-36, called close()
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut 
Thread-36, called closeInternal(true)
2016-12-01 21:19:12,970 INFO [NiFi logging handler] org.apache.nifi.StdOut 
NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 250
2016-12-01 21:19:12,970 INFO [NiFi logging handler] org.apache.nifi.StdOut 
NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 7
```

I want to continue investigating this tomorrow because I can produce odd 
results even using the `ldapsearch` tool locally (OpenLDAP configured with 
client verify `never`):

```
### Trying on port 389 (no TLS)

hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto
🔓 4s @ 21:41:04 $ ldapsearch -x -h localhost -b dc=example,dc=org -D 
"cn=admin,dc=example,dc=org" -w admin -p 389 -v
ldap_initialize( ldap://localhost:389 )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base
```
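The `nifi-bootstrap.log` excerpt quoted in the comment above is the JSSE `javax.net.debug` handshake trace, and it interleaves several socket threads. A small parser that regroups it per thread makes it easier to tell which connection actually finished its TLS handshake (and whether it sent a `CertificateVerify`, i.e. presented a client certificate) and which one merely saw the peer hang up. The following is an added example, not code from the thread or from NiFi; the sample log is constructed in the shape of the quoted output (each entry joined back onto one line), and attributing the prefix-less `***` dump lines to the most recently named thread is an assumption that holds only while one handshake is being logged at a time.

```python
import re

# Constructed sample modelled on the javax.net.debug lines quoted in the thread.
SAMPLE_LOG = """\
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Handshake, length = 264
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** CertificateVerify
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut Signature Algorithm SHA256withRSA
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** Finished
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, READ: TLSv1.2 Change Cipher Spec, length = 1
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, READ: TLSv1.2 Handshake, length = 96
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut *** Finished
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut %% Cached client session: [Session-346, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 112
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, received EOFException: ignored
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, SEND TLSv1.2 ALERT:  warning, description = close_notify
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, WRITE: TLSv1.2 Alert, length = 80
2016-12-01 21:19:12,970 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 250
"""

# NiFi bootstrap wrapper around each line of the Java process's stdout.
ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} INFO \[NiFi logging handler\] "
    r"org\.apache\.nifi\.StdOut (?P<msg>.*)$")
# Socket-level JSSE lines carry a "<thread name>, " prefix; handshake dumps do not.
THREAD_RE = re.compile(r"^(?P<thread>[A-Za-z][A-Za-z0-9 ]*-\d+), (?P<event>.+)$")
SUITE_RE = re.compile(r"Cached client session: \[[^,]+, (?P<suite>TLS_[A-Z0-9_]+)\]")


def parse_entries(text):
    """Return (thread, message) pairs, attributing prefix-less dump lines
    ('*** CertificateVerify', '*** Finished', '%% Cached ...') to the most
    recently named thread (assumption: one handshake logged at a time)."""
    entries = []
    current = "unknown"
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        t = THREAD_RE.match(msg)
        if t:
            current, msg = t.group("thread"), t.group("event")
        entries.append((current, msg))
    return entries


def summarize(entries):
    """Per-thread counters for the handshake events a defender cares about."""
    threads = {}
    for thread, msg in entries:
        s = threads.setdefault(thread, {
            "client_cert_presented": False,  # client sent CertificateVerify
            "finished_messages": 0,          # 2 == both sides' Finished seen
            "cipher_suite": None,
            "app_data_written": 0,
            "app_data_read": 0,
            "peer_eof": False,               # peer closed without an alert
            "alerts_sent": [],
        })
        if msg == "*** CertificateVerify":
            s["client_cert_presented"] = True
        elif msg == "*** Finished":
            s["finished_messages"] += 1
        elif "Application Data" in msg:
            if msg.startswith("WRITE"):
                s["app_data_written"] += 1
            elif msg.startswith("READ"):
                s["app_data_read"] += 1
        elif "received EOFException" in msg:
            s["peer_eof"] = True
        elif msg.startswith("SEND") and "ALERT:" in msg:
            s["alerts_sent"].append(msg.split("description = ")[-1])
        suite = SUITE_RE.search(msg)
        if suite:
            s["cipher_suite"] = suite.group("suite")
    return threads


def classify(summary):
    """One-line verdict for a single thread's summary."""
    if summary["peer_eof"]:
        return "peer closed the connection (EOF)"
    if summary["finished_messages"] >= 2:
        cert = "with" if summary["client_cert_presented"] else "without"
        if summary["app_data_written"] or summary["app_data_read"]:
            return f"handshake completed {cert} client certificate; application data exchanged"
        return f"handshake completed {cert} client certificate; no application data yet"
    return "handshake incomplete"


if __name__ == "__main__":
    for name, s in summarize(parse_entries(SAMPLE_LOG)).items():
        print(f"{name}: {classify(s)} [suite={s['cipher_suite']}, alerts={s['alerts_sent']}]")
```

On the constructed sample this reports that `NiFi Web Server-95` completed its handshake with a client certificate and went on to write application data, while the `EOFException` and `close_notify` belong to a different thread, `Thread-36`. Reading the trace per thread in this way is the first check to make before concluding which connection (the browser-to-NiFi one or the NiFi-to-LDAP one) is the one failing.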