Hi Mike,


I don’t know enough about Active Directory and LDAP in general to answer your 
question off the top of my head, but I’m familiar with how the NiFi LDAP 
client is configured using the fields you’ve mentioned, so I may be able to 
help you figure it out.


I think you’re on the right track, but you may need to use the User Identity 
Attribute as well.


It would be helpful for me if I could try to reproduce the environment you are 
working in. As I don’t know the details of the Active Directory structure, 
would you be able to provide an example snippet of the directory in LDIF format 
[1] [2]? Please scrub any sensitive information (actual names or password 
hashes) before sending; I just need a better sense of the structure of the 
directory, not the value of fields themselves.


If that’s not possible for you, just let me know and I can try to follow up 
without those details as soon as I get a chance to dig into the specifics of AD 
a bit more.





[1] https://support.microsoft.com/en-us/help/555636 

[2] https://docs.oracle.com/cd/A97630_01/network.920/a96579/comtools.htm#631224 


From: Mike Thomsen <mikerthom...@gmail.com>
Reply-To: <users@nifi.apache.org>
Date: Tuesday, February 13, 2018 at 11:18
To: <users@nifi.apache.org>
Subject: LDAP provider not recognizing the u/p combination


We're using AD, and I have verified that we can actually pull the users and 
groups by logging in as the initial admin and checking the users. It shows the 
users and the LDAP groups we assigned. Looks fine there.


When a user goes to log in with their domain account, it says invalid username 
and password.


So if their domain account is like this:




I expect them to be able to put "john.smith" in the username field.


These are the search settings:


Search Filter: (CN={0})

Identity Strategy: USE_USERNAME


Based on the documentation, I would expect that that would take the username 
and password, put the username into the CN attribute of the search filter and 
filter on the search base (exact copy of the one that is working in the 
user/group search configuration).


Any suggestions on what might be wrong and/or how to debug this?
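
An added example, not part of the original thread and not NiFi code: a small model of how a `{0}` search filter template picks the entry that a login is bound against, useful for checking which attribute a typed username has to match. The directory entries are constructed, and the layout (CN holding a display name, sAMAccountName holding the logon name) is an assumption about a typical AD user object, not Mike's actual directory; the function names are hypothetical.

```python
import re

# Constructed entries shaped like Active Directory user objects (assumed layout).
DIRECTORY = [
    {"dn": "CN=John Smith,OU=Staff,DC=example,DC=com",
     "cn": "John Smith", "sAMAccountName": "john.smith"},
    {"dn": "CN=Ann Lee,OU=Staff,DC=example,DC=com",
     "cn": "Ann Lee", "sAMAccountName": "ann.lee"},
]

def escape_filter_value(value):
    """Escape filter metacharacters per RFC 4515 so input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(template, username):
    """Substitute the typed username for {0}, as a search filter template does."""
    return template.replace("{0}", escape_filter_value(username))

def search(template, username, directory=DIRECTORY):
    """Return the DNs matched by a single-equality filter such as (CN={0})."""
    flt = build_filter(template, username)
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled here")
    attr = m.group(1).lower()
    # Undo the \XX escapes to get the literal value the server would compare.
    wanted = re.sub(r"\\([0-9a-fA-F]{2})",
                    lambda h: chr(int(h.group(1), 16)), m.group(2)).lower()
    # Attribute names and these string attributes compare case-insensitively.
    return [e["dn"] for e in directory
            if any(k.lower() == attr and v.lower() == wanted
                   for k, v in e.items())]

if __name__ == "__main__":
    for tmpl in ("(CN={0})", "(sAMAccountName={0})"):
        print(tmpl, "->", search(tmpl, "john.smith"))
```

If the search returns no entry there is nothing to bind as, so the login fails before the password is ever checked; exporting one user object as LDIF shows which attribute actually holds the value users type.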




