Pierre, Something that bit me this morning using ApacheDS to try this out: I didn't realize that the "group" object class specified in the official guide doesn't work with ApacheDS. I had to change it to groupOfUniqueNames. My LDAP experience is next to nil, so maybe it's a misunderstanding on my end, but it didn't work for me until I made that change (and I couldn't add objectClass: group either).
On Mon, Dec 4, 2017 at 4:30 AM, Pierre Villard <[email protected]> wrote:
> Hey guys,
>
> I'll try to write a new blog with all the new features coming with NiFi 1.4.0.
> All the new stuff to have LDAP sync is really nice.
>
> Pierre
>
> 2017-12-03 19:12 GMT+01:00 Kevin Doran <[email protected]>:
>
>> Hi Mike,
>>
>> You also have to enable the LdapUserGroupProvider in authorizers.xml by
>> uncommenting it, configuring the properties, and changing the
>> FileAccessPolicyProvider (also in authorizers.xml) to use the
>> ldap-user-group-provider instead of the default file-user-group-provider.
>>
>> Then delete users.xml and authorizations.xml and restart.
>>
>> This will disable any certificate-based identities you have configured,
>> so you will need to choose an ldap-based user to be your initial admin. Or
>> configure a CompositeUserGroupProvider so that you can use certificates and
>> only require ldap login in absence of a client certificate.
>>
>> -Kevin
>>
>> ------------------------------
>> *From:* Mike Thomsen <[email protected]>
>> *Sent:* Sunday, December 3, 2017 9:45:18 AM
>> *To:* [email protected]
>> *Subject:* Re: Buttons are greyed out when initial admin account logs in
>>
>> I added the ldap-provider to the identity provider line in
>> nifi.properties, but I don't see any users from LDAP. I tried deleting
>> users.xml and authorizations.xml and restarting, but the user listing
>> doesn't show any of the users from LDAP. Any ideas on how to troubleshoot?
>>
>> Thanks,
>>
>> Mike
>>
>> On Fri, Dec 1, 2017 at 7:05 PM, Kevin Doran <[email protected]> wrote:
>>
>>> Mike,
>>>
>>> I should also mention that since the time of Pierre's initial blog post
>>> on LDAP integration, support for user & group syncing with LDAP has been
>>> added to NiFi. See the instructions for the "LdapUserGroupProvider" in the
>>> Authorizers.xml section of the Admin Guide [1].
>>>
>>> You will still need to set per-group or per-user policies as the initial
>>> admin, but you do not need to manually add users and groups in order to set
>>> policies. Also, your initial admin can use an identity from LDAP rather
>>> than a certificate (if that is preferred, otherwise, you can still use
>>> certificates alongside LDAP by using a CompositeUserGroupProvider as
>>> described in the Admin Guide).
>>>
>>> [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup
>>>
>>> -Kevin
>>>
>>> *From: *Kevin Doran <[email protected]>
>>> *Date: *Friday, December 1, 2017 at 18:43
>>> *To: *<[email protected]>
>>> *Subject: *Re: Buttons are greyed out when initial admin account logs in
>>>
>>> Hi Mike,
>>>
>>> Your authorizers.xml and nifi.properties look correct to me to establish
>>> the certificate "CN=admin, OU=NIFI" as an admin user.
>>>
>>> Here's one idea that you may have already thought of... the initial
>>> admin is only granted admin policies if users/policies are empty on
>>> startup. Try deleting conf/users.xml and conf/authorizations.xml and
>>> restarting NiFi.
>>>
>>> Hope this helps! If you have any other questions about configuring LDAP
>>> or authorizers, let me know.
>>>
>>> Kevin
>>>
>>> *From: *Mike Thomsen <[email protected]>
>>> *Reply-To: *<[email protected]>
>>> *Date: *Friday, December 1, 2017 at 18:27
>>> *To: *<[email protected]>
>>> *Subject: *Buttons are greyed out when initial admin account logs in
>>>
>>> I'm following Pierre's blog post that shows how to set up LDAP w/ ApacheDS:
>>>
>>> https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap
>>>
>>> I've tried this with 1.4.0 and 1.5.0-SNAPSHOT (toolkits built for each
>>> too) for what it's worth.
>>>
>>> Built the certs with this command:
>>>
>>> bin/tls-toolkit.sh standalone -n localhost -C "CN=admin,OU=NIFI" -O -o ../security_output
>>>
>>> Copied security_output/localhost/* to $NIFI_ROOT/conf
>>>
>>> With or without the identity provider set to use the LDAP configuration,
>>> it's greyed out.
>>>
>>> Any ideas on what I'm doing wrong?
>>>
>>> Thanks,
>>>
>>> Mike
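The authorizers.xml wiring Kevin describes (LdapUserGroupProvider enabled, FileAccessPolicyProvider pointed at it, an LDAP identity as initial admin), with the group object class changed to groupOfUniqueNames as Mike found necessary against ApacheDS. This is an added illustration, not configuration from the thread or from the NiFi project; the URL, bind DN, password, search bases and admin identity are placeholders for a hypothetical directory.

```xml
<!-- Added example authorizers.xml fragment; placeholder values (dc=example,dc=org,
     REPLACE_ME, the URL) stand in for a hypothetical ApacheDS instance. -->
<authorizers>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">uid=admin,ou=system</property>
        <property name="Manager Password">REPLACE_ME</property>
        <property name="Url">ldap://localhost:10389</property>
        <property name="Sync Interval">30 mins</property>
        <property name="User Search Base">ou=users,dc=example,dc=org</property>
        <property name="User Object Class">inetOrgPerson</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <!-- identities are the uid value, so the initial admin below is "admin" -->
        <property name="User Identity Attribute">uid</property>
        <property name="Group Search Base">ou=groups,dc=example,dc=org</property>
        <!-- the guide's default "group" did not resolve against ApacheDS in this thread -->
        <property name="Group Object Class">groupOfUniqueNames</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Name Attribute">cn</property>
        <!-- groupOfUniqueNames lists members by DN in uniqueMember -->
        <property name="Group Member Attribute">uniqueMember</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <!-- was file-user-group-provider; users/groups now come from LDAP only,
             so certificate identities are no longer recognised -->
        <property name="User Group Provider">ldap-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <!-- must match exactly the identity the LDAP login produces for that user -->
        <property name="Initial Admin Identity">admin</property>
        <property name="Legacy Authorized Users File"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
```

As the thread notes, the initial admin policies are only seeded when conf/users.xml and conf/authorizations.xml are absent at startup, so remove both before restarting after this change.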
