Kevin,

The issue was that I forgot that there is also a separate configuration file for looking up the users (config-something-providers.xml). After a little tweaking to that, u/p works fine now.

Apache Directory Studio worked really well for the debugging. I would strongly recommend it to new users in the documentation as a tool for connecting to LDAP and poking around to verify the LDAP settings against the live schema.

Mike

On Tue, Feb 13, 2018 at 11:33 AM, Kevin Doran <[email protected]> wrote:

> Hi Mike,
>
> I don’t know enough about Active Directory and LDAP in general to answer your question off the top of my head, but I’m familiar with how the NiFi LDAP client is configured using the fields you’ve mentioned, so I may be able to help you figure it out.
>
> I think you’re on the right track, but you may need to use the User Identity Attribute as well.
>
> It would be helpful for me if I could try to reproduce the environment you are working in. As I don’t know the details of the Active Directory structure, would you be able to provide an example snippet of the directory in LDIF format [1] [2]? Please scrub any sensitive information (actual names or password hashes) before sending, I just need a better sense of the structure of the directory, not the value of fields themselves.
>
> If that’s not possible for you, just let me know and I can try to follow up without those details as soon as I get a chance to dig into the specifics of AD a bit more.
>
> Thanks,
>
> Kevin
>
> [1] https://support.microsoft.com/en-us/help/555636
>
> [2] https://docs.oracle.com/cd/A97630_01/network.920/a96579/comtools.htm#631224
>
> *From: *Mike Thomsen <[email protected]>
> *Reply-To: *<[email protected]>
> *Date: *Tuesday, February 13, 2018 at 11:18
> *To: *<[email protected]>
> *Subject: *LDAP provider not recognizing the u/p combination
>
> We're using AD, and I have verified that we can actually pull the users and groups by logging in as the initial admin and checking the users. It shows the users and the LDAP groups we assigned. Looks fine there.
>
> When a user goes to login with their domain account, it says invalid username and password.
>
> So if their domain account is like this:
>
> LOCALSITE\john.smith
>
> I expect them to be able to put "john.smith" in the username field.
>
> These are the search settings:
>
> Search Filter: (CN={0})
>
> Identity Strategy: USE_USERNAME
>
> Based on the documentation, I would expect that that would take the username and password, put the username into the CN attribute of the search filter and filter on the search base (exact copy of the one that is working in the user/group search configuration).
>
> Any suggestions on what might be wrong and/or how to debug this?
>
> Thanks,
>
> Mike
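Added example (not part of the thread and not NiFi code): an offline Python check of what a user search filter such as `(CN={0})` matches once the typed username replaces `{0}`, the same kind of verification the thread recommends doing against the live directory with Apache Directory Studio. The directory entry, its attribute values and the `(sAMAccountName={0})` alternative are constructed assumptions, and the helper names are hypothetical.

```python
import re

# Constructed sample entry shaped like an AD user object (values are assumptions).
SAMPLE_ENTRIES = [
    {"dn": "CN=John Smith,OU=Users,DC=localsite,DC=example",
     "cn": ["John Smith"],
     "sAMAccountName": ["john.smith"]},
]

def escape_filter_value(value):
    """Escape a value per RFC 4515 so typed input cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(template, username):
    """Substitute the typed username for {0} in a search filter template."""
    return template.replace("{0}", escape_filter_value(username))

def unescape(value):
    """Turn RFC 4515 \\XX escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(entries, ldap_filter):
    """Evaluate one (attr=value) equality filter; returns matching DNs.

    Attribute names and values are compared case-insensitively. Anything
    other than a simple equality filter is rejected rather than guessed at.
    """
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=(.*)\)", ldap_filter)
    if not m or re.search(r"[*()]", m.group(2)):
        raise ValueError("only simple equality filters are supported")
    attr, wanted = m.group(1).lower(), unescape(m.group(2)).lower()
    hits = []
    for entry in entries:
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        if wanted in (v.lower() for v in attrs.get(attr, [])):
            hits.append(entry["dn"])
    return hits

if __name__ == "__main__":
    for template in ("(CN={0})", "(sAMAccountName={0})"):
        for typed in ("john.smith", "LOCALSITE\\john.smith", "*"):
            f = build_filter(template, typed)
            print(f"{f:45} -> {search(SAMPLE_ENTRIES, f)}")
```

A filter that returns no DN here fails at the user search step, before any password is checked, which is how a wrong search setting ends up reported as an invalid username and password.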
