Mike,

Glad to hear you got this working and thanks for the information. Perhaps this 
is an area that could be improved so that it is easier to configure or 
troubleshoot, or better documented. That’s something worth taking a look at. 
Good tip on Apache Directory Studio, I agree that being able to easily browse 
the directory helps when configuring LDAP integration in a new environment.

Regards,
Kevin

From: Mike Thomsen <mikerthom...@gmail.com>
Reply-To: <users@nifi.apache.org>
Date: Friday, February 16, 2018 at 07:49
To: <users@nifi.apache.org>
Subject: Re: LDAP provider not recognizing the u/p combination

Kevin,

The issue was that I forgot that there is also a separate configuration file 
for looking up the users (config-something-providers.xml). After a little 
tweaking to that, u/p works fine now.

Apache Directory Studio worked really well for the debugging. I would strongly 
recommend it to new users in the documentation as a tool for connecting to LDAP 
and poking around to verify the LDAP settings against the live schema.

Mike

On Tue, Feb 13, 2018 at 11:33 AM, Kevin Doran <kdo...@apache.org> wrote:

Hi Mike,

I don’t know enough about Active Directory and LDAP in general to answer your 
question off the top of my head, but I’m familiar with how the NiFi LDAP 
client is configured using the fields you’ve mentioned, so I may be able to 
help you figure it out.

I think you’re on the right track, but you may need to use the User Identity 
Attribute as well.

It would be helpful for me if I could try to reproduce the environment you are 
working in. As I don’t know the details of the Active Directory structure, 
would you be able to provide an example snippet of the directory in LDIF format 
[1] [2]? Please scrub any sensitive information (actual names or password 
hashes) before sending; I just need a better sense of the structure of the 
directory, not the values of the fields themselves.

If that’s not possible for you, just let me know and I can try to follow up 
without those details as soon as I get a chance to dig into the specifics of AD 
a bit more.

Thanks,

Kevin

[1] https://support.microsoft.com/en-us/help/555636 

[2] https://docs.oracle.com/cd/A97630_01/network.920/a96579/comtools.htm#631224 

From: Mike Thomsen <mikerthom...@gmail.com>
Reply-To: <users@nifi.apache.org>
Date: Tuesday, February 13, 2018 at 11:18
To: <users@nifi.apache.org>
Subject: LDAP provider not recognizing the u/p combination

We're using AD, and I have verified that we can actually pull the users and 
groups by logging in as the initial admin and checking the users. It shows the 
users and the LDAP groups we assigned. Looks fine there.

When a user goes to login with their domain account, it says invalid username 
and password.

So if their domain account is like this:

LOCALSITE\john.smith

I expect them to be able to put "john.smith" in the username field.

These are the search settings:

Search Filter: (CN={0})

Identity Strategy: USE_USERNAME

Based on the documentation, I would expect that that would take the username 
and password, put the username into the CN attribute of the search filter and 
filter on the search base (exact copy of the one that is working in the 
user/group search configuration).

Any suggestions on what might be wrong and/or how to debug this?

Thanks,

Mike
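The search-then-bind flow Mike describes (take the typed username, put it into the `{0}` placeholder of the search filter, search under the search base, bind as the matching entry, then derive the identity from the Identity Strategy) can be modelled offline against exactly the kind of scrubbed LDIF snippet Kevin asks for. The block below is an added example written for this thread; it is not NiFi's code, and the directory content, the config dicts and the helper names (`preview_search`, `authenticate`) are assumptions. The constructed directory deliberately gives the first user a display-name `cn` and a separate `sAMAccountName`, so the effect of which attribute the filter names is visible, and the username is RFC 4515-escaped before substitution so that typed input can never change the filter's structure.

```python
"""Added example (not NiFi code): toy model of an LDAP search-then-bind login,
run against a constructed LDIF snippet.  Config dicts, helper names and the
userPassword placeholders are assumptions made for this example."""
import re

# Constructed sample directory (scrubbed-LDIF style).  The first user's cn is a
# display name; the login name lives in sAMAccountName.
DIRECTORY_LDIF = """
dn: CN=John Smith,OU=Users,DC=localsite,DC=example
objectClass: user
cn: John Smith
sAMAccountName: john.smith
userPassword: constructed-secret-1

dn: CN=jane.doe,OU=Users,DC=localsite,DC=example
objectClass: user
cn: jane.doe
sAMAccountName: jane.doe
userPassword: constructed-secret-2

dn: CN=svc-nifi,OU=Service Accounts,DC=localsite,DC=example
objectClass: user
cn: svc-nifi
sAMAccountName: svc-nifi
userPassword: constructed-secret-3
"""


def parse_ldif(text):
    """Parse minimal LDIF into [{'dn': str, 'attrs': {lowercase name: [values]}}]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {"dn": None, "attrs": {}}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                entry["dn"] = value
            else:
                entry["attrs"].setdefault(name, []).append(value)
        if entry["dn"]:
            entries.append(entry)
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping of a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_filter(template, username):
    """Substitute the typed login name into the {0} placeholder, escaped."""
    return template.replace("{0}", escape_filter_value(username))


SIMPLE_FILTER = re.compile(r"^\(([A-Za-z][\w-]*)=([^()]*)\)$")


def search(entries, search_base, filter_str):
    """Evaluate one (attr=value) filter, case-insensitively, under search_base."""
    m = SIMPLE_FILTER.match(filter_str)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled: %r" % filter_str)
    attr, wanted = m.group(1).lower(), unescape_filter_value(m.group(2)).lower()
    return [
        e for e in entries
        if e["dn"].lower().endswith(search_base.lower())
        and any(v.lower() == wanted for v in e["attrs"].get(attr, []))
    ]


def preview_search(entries, config, username):
    """Troubleshooting aid: the rendered filter and the DNs it matches."""
    filt = render_filter(config["search_filter"], username)
    return filt, [e["dn"] for e in search(entries, config["search_base"], filt)]


def authenticate(entries, config, username, password):
    """Exactly one match, simulated bind, then identity per strategy; None on failure."""
    _, dns = preview_search(entries, config, username)
    if len(dns) != 1:
        return None  # no match or ambiguous match: reported as invalid username/password
    user = next(e for e in entries if e["dn"] == dns[0])
    if password not in user["attrs"].get("userpassword", []):
        return None  # simulated bind failure
    strategy = config.get("identity_strategy", "USE_DN")
    if strategy == "USE_USERNAME":
        return username
    if strategy == "USE_DN":
        return user["dn"]
    raise ValueError("unknown identity strategy %r" % strategy)


ENTRIES = parse_ldif(DIRECTORY_LDIF)
BASE = "OU=Users,DC=localsite,DC=example"
CN_CONFIG = {"search_base": BASE, "search_filter": "(CN={0})", "identity_strategy": "USE_USERNAME"}
SAM_CONFIG = {"search_base": BASE, "search_filter": "(sAMAccountName={0})", "identity_strategy": "USE_USERNAME"}

if __name__ == "__main__":
    for cfg in (CN_CONFIG, SAM_CONFIG):
        print(cfg["search_filter"], "->", preview_search(ENTRIES, cfg, "john.smith"))
    print("escaped:", render_filter("(CN={0})", "*)(cn=*"))
```

`preview_search` is the piece worth keeping around when debugging a login failure: it shows the exact filter the login name turns into and which DNs it hits under the configured base, which is the same check one would otherwise do by hand in a directory browser such as Apache Directory Studio. An entry outside the search base, or a filter that names an attribute holding something other than the login name, both surface as an empty match list rather than a bind error.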
