Yeah, from looking at your Docker compose file, your LDAP search base/filter is 
configured as:


LDAP_USER_SEARCH_BASE='ou=people,dc=nifi,dc=com'
LDAP_USER_SEARCH_FILTER='uid={0}'

 

This means that NiFi is going to search the directory for any nodes that are 
children of 'ou=people,dc=nifi,dc=com', match any LDAP entry with an attribute 
uid={0}, and use the substring matched by {0} as the identity.

 

In this case that is “test”. So that is the user identity (“test”) you want to 
add to NiFi using the initial admin. Grant them access to the right resources 
(e.g., the UI), and then you should be able to login with test/password.

 

From: Mike Thomsen <mikerthom...@gmail.com>
Reply-To: <users@nifi.apache.org>
Date: Thursday, March 22, 2018 at 10:03
To: <users@nifi.apache.org>
Subject: Re: Unknown user w/ Docker image

 

I added two entries:

uid=test

cn=test, ou=people, dc=nifi, dc=com

 

Tried logging in w/ test/password (what the LDIF uses)

 

Got: Unknown user with identity 'test'. Contact the system administrator.

 

Any ideas?

 

On Thu, Mar 22, 2018 at 9:34 AM, Kevin Doran <kdo...@apache.org> wrote:

Mike,

 

To my knowledge, the Docker image does not yet have support for adding the 
LdapUserGroupProvider to authorizers.xml. It only adds the LdapProvider to 
login-identity-provider.xml. This means you should be able to 
login/authenticate as an LDAP user, but users and groups will not sync in order 
to create authorization rules. You will have to manually add users (with 
identities that match how your login-identity-provider is configured) using the 
initial admin.

 

I’ve opened a JIRA to add LdapUserGroupProvider support to the NiFi Docker 
image [1].

 

Also, it looks like there is already a JIRA for the AUTH=ldap documentation 
issue [2].

 

Kevin

 

[1] https://issues.apache.org/jira/browse/NIFI-5002 

[2] https://issues.apache.org/jira/browse/NIFI-4934 

 

From: Mike Thomsen <mikerthom...@gmail.com>
Reply-To: <users@nifi.apache.org>
Date: Thursday, March 22, 2018 at 09:26
To: <users@nifi.apache.org>
Subject: Re: Unknown user w/ Docker image

 

Thanks. I fixed that, but it's still not returning any users from the LDAP. 
It's weird because the LDAP docker image is set up using the same configuration 
from Pierre's blog posts that I've gotten to work outside of Docker. I'm also 
not seeing anything in the logs indicating that it's trying the LDAP query.

 

On Thu, Mar 22, 2018 at 8:30 AM, Kevin Doran <kdo...@apache.org> wrote:

Sorry, meant to include the link to start.sh, which is in our codebase [1].  
I’m only pointing it out b/c it looked like in your Docker compose file that 
you wanted this to be an LDAP demo.

 

[1] 
https://github.com/apache/nifi/blob/master/nifi-docker/dockerhub/sh/start.sh#L30

 

From: Kevin Doran <kdo...@apache.org>
Date: Thursday, March 22, 2018 at 08:27
To: <users@nifi.apache.org>
Subject: Re: Unknown user w/ Docker image

 

Good eye, Pierre.

 

Mike, unrelated to the initial admin question, but anticipating something you 
might run into after you get that part working. Change the "AUTH=tls" 
environment variable value to "AUTH=ldap". (I know the README file for the 
docker image uses ‘AUTH=tls’ in the documentation for LDAP setup; that is an 
error. I’ll open a PR to correct the documentation. To confirm how it works, 
look at the start.sh file.)

 

Cheers,
Kevin

 

From: Mike Thomsen <mikerthom...@gmail.com>
Reply-To: <users@nifi.apache.org>
Date: Thursday, March 22, 2018 at 08:25
To: <users@nifi.apache.org>
Subject: Re: Unknown user w/ Docker image

 

They were. I did a copy from the Docker Hub page and didn't think they'd harm 
anything in the YAML. Removing them got initialAdmin to work.

 

On Thu, Mar 22, 2018 at 8:20 AM, Pierre Villard <pierre.villard...@gmail.com> 
wrote:

Hmmm no... the single quotes must be the issue here... I would expect
identity="CN=initialAdmin, OU=NIFI"

In your yaml file, I'd try to use double quotes around your property values.

 

2018-03-22 13:16 GMT+01:00 Mike Thomsen <mikerthom...@gmail.com>:

Yeah, that's the weird part. It looks valid to me:

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="f481771c-47d3-323f-b1c0-902b68e221e1" identity="'CN=initialAdmin, OU=NIFI'"/>
    </users>
</tenants>

 

 

On Thu, Mar 22, 2018 at 8:07 AM, Pierre Villard <pierre.villard...@gmail.com> 
wrote:

Hey Mike,

Can you check the users.xml file created by NiFi when it started for the first 
time?

 

2018-03-22 12:41 GMT+01:00 Mike Thomsen <mikerthom...@gmail.com>:

I'm trying to use the Docker image to set up a secure NiFi demo, and am running 
into this error:

 

Unknown user with identity 'CN=initialAdmin, OU=NIFI'. Contact the system 
administrator.

 

SSL works, I verified that the owner in the cert is "CN=initialAdmin, OU=NIFI"

 

I've attached the Docker Compose configuration that I'm using. Any input would 
be appreciated.

 

Thanks,

 

Mike
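
Added example, not part of the original thread or of NiFi's own code: a small check that parses a users.xml like the one quoted above and reports whether the identity presented at login is stored exactly, stored with stray quotes or whitespace, or not listed at all. The function names and the exact-match assumption are illustrative; the sample XML is reconstructed from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the users.xml quoted in the thread, quotes included.
USERS_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="f481771c-47d3-323f-b1c0-902b68e221e1"
              identity="'CN=initialAdmin, OU=NIFI'"/>
    </users>
</tenants>
"""

def stored_identities(users_xml: bytes) -> list:
    """Return every identity attribute recorded under <users>."""
    root = ET.fromstring(users_xml)
    return [u.get("identity", "") for u in root.iter("user")]

def diagnose(users_xml: bytes, presented: str) -> tuple:
    """Classify how the presented identity relates to the stored ones.

    Assumption: the stored identity must equal the presented one exactly,
    which is what the 'Unknown user' error in the thread implies.
    """
    stored = stored_identities(users_xml)
    if presented in stored:
        return ("match", presented)
    for ident in stored:
        core = ident.strip()
        # Quote characters that survived from the compose file into the XML.
        if len(core) >= 2 and core[0] == core[-1] and core[0] in "'\"":
            core = core[1:-1]
        if core.strip() == presented:
            return ("stray-quotes-or-whitespace", ident)
        if core.strip().casefold() == presented.casefold():
            return ("case-differs", ident)
    return ("not-listed", None)

if __name__ == "__main__":
    # The certificate DN and the LDAP uid from the thread.
    for who in ("CN=initialAdmin, OU=NIFI", "test"):
        print(who, "->", diagnose(USERS_XML, who))
```

The "not-listed" result for `test` corresponds to the second error in the thread: the LDAP user authenticates but has not yet been added as a NiFi user by the initial admin.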

 

 

 

 

 

 
