Yeah, from looking at your Docker compose file, your LDAP search base/filter is
configured as:
LDAP_USER_SEARCH_BASE='ou=people,dc=nifi,dc=com'
LDAP_USER_SEARCH_FILTER='uid={0}'
This means that NiFi is going to search the directory for any nodes that are
children of 'ou=people,dc=nifi,dc=com', match any LDAP entry with an attribute
uid={0}, and use the substring matched by {0} as the identity.
In this case that is “test”. So that is the user identity (“test”) you want to
add to NiFi using the initial admin. Grant them access to the right resources
(e.g., the UI), and then you should be able to login with test/password.
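An added example (my own model, not NiFi's code) of the two steps described above: the login provider expands `uid={0}` with the typed username and authenticates against the directory, and the authorizer then looks that identity up in users.xml. The directory entries and the users.xml are constructed to mirror the LDIF and file quoted in this thread; the RFC 4515 escaping of the substituted value is what any code expanding such a template has to do, so it is included.

```python
# Added example, not NiFi source: a model of the two steps above. Step 1 is
# what LdapProvider does with LDAP_USER_SEARCH_FILTER='uid={0}'; step 2 is
# the users.xml lookup that produces "Unknown user with identity ...".
import re
import uuid
import xml.etree.ElementTree as ET

SEARCH_BASE = "ou=people,dc=nifi,dc=com"
SEARCH_FILTER = "uid={0}"

# Constructed directory mirroring the thread's LDIF (uid=test / password).
DIRECTORY = [
    {"dn": "cn=test,ou=people,dc=nifi,dc=com", "uid": "test", "cn": "test",
     "userPassword": "password"},
    # Outside the search base: must not be found even with the right uid.
    {"dn": "cn=test,ou=service,dc=nifi,dc=com", "uid": "test", "cn": "test",
     "userPassword": "password"},
]

# The users.xml from earlier in the thread, as written once the quotes were removed.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="f481771c-47d3-323f-b1c0-902b68e221e1"
          identity="CN=initialAdmin, OU=NIFI"/>
  </users>
</tenants>
"""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter.
    Without it a username such as '*)(uid=*' rewrites the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template: str, username: str) -> str:
    """Expand a NiFi-style user search filter: '{0}' is the typed username."""
    return template.replace("{0}", escape_filter_value(username))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def ldap_search(base: str, filt: str):
    """Subtree search over DIRECTORY for a single '(attr=value)' equality filter."""
    attr, _, raw = filt.strip("()").partition("=")
    wanted = _unescape(raw)
    suffix = "," + base.replace(", ", ",").lower()
    return [e for e in DIRECTORY
            if e["dn"].lower().endswith(suffix) and e.get(attr) == wanted]


def authenticate(username: str, password: str,
                 base: str = SEARCH_BASE, template: str = SEARCH_FILTER):
    """Step 1 (login provider). Returns the NiFi identity on success, else None.
    Exactly one entry must match; the identity is the username as typed, as
    described above, not the entry's DN."""
    hits = ldap_search(base, build_filter(template, username))
    if len(hits) != 1 or hits[0]["userPassword"] != password:
        return None
    return username


def known_identities(users_xml: str):
    return {u.get("identity") for u in ET.fromstring(users_xml).iter("user")}


def add_user(users_xml: str, identity: str) -> str:
    """What the initial admin does in the UI: add the LDAP identity to users.xml."""
    root = ET.fromstring(users_xml)
    ET.SubElement(root.find("users"), "user",
                  identifier=str(uuid.uuid5(uuid.NAMESPACE_DNS, identity)),
                  identity=identity)
    return ET.tostring(root, encoding="unicode")


def login(username: str, password: str, users_xml: str) -> str:
    """Both steps together, returning the message NiFi would show."""
    identity = authenticate(username, password)
    if identity is None:
        return "Authentication failed"
    if identity not in known_identities(users_xml):   # step 2: authorizer lookup
        return "Unknown user with identity '%s'. Contact the system administrator." % identity
    return "Logged in as %s" % identity


if __name__ == "__main__":
    print(login("test", "password", USERS_XML))
    print(login("test", "password", add_user(USERS_XML, "test")))
```

Running it shows the sequence from the thread: with only the initial admin in users.xml, `test/password` authenticates but is rejected as an unknown user; once "test" is added as a user, the same login succeeds. Widening the search base to `dc=nifi,dc=com` makes the constructed second `uid=test` entry match as well, and the login fails because the match is no longer unique.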
From: Mike Thomsen <[email protected]>
Reply-To: <[email protected]>
Date: Thursday, March 22, 2018 at 10:03
To: <[email protected]>
Subject: Re: Unknown user w/ Docker image
I added two entries:
uid=test
cn=test, ou=people, dc=nifi, dc=com
Tried logging in w/ test/password (what the LDIF uses)
Got: Unknown user with identity 'test'. Contact the system administrator.
Any ideas?
On Thu, Mar 22, 2018 at 9:34 AM, Kevin Doran <[email protected]> wrote:
Mike,
To my knowledge, the Docker image does not yet have support for adding the
LdapUserGroupProvider to authorizers.xml. It only adds the LdapProvider to
login-identity-provider.xml. This means you should be able to
login/authenticate as an LDAP user, but users and groups will not sync in order
to create authorization rules. You will have to manually add users (with
identities that match how your login-identity-provider is configured) using the
initial admin.
I’ve opened a JIRA to add LdapUserGroupProvider support to the NiFi Docker
image [1].
Also, it looks like there is already a JIRA for the AUTH=ldap documentation
issue [2].
Kevin
[1] https://issues.apache.org/jira/browse/NIFI-5002
[2] https://issues.apache.org/jira/browse/NIFI-4934
From: Mike Thomsen <[email protected]>
Reply-To: <[email protected]>
Date: Thursday, March 22, 2018 at 09:26
To: <[email protected]>
Subject: Re: Unknown user w/ Docker image
Thanks. I fixed that, but it's still not returning any users from the LDAP.
It's weird because the LDAP docker image is set up using the same configuration
from Pierre's blog posts that I've gotten to work outside of Docker. I'm also
not seeing anything in the logs indicating that it's trying the LDAP query.
On Thu, Mar 22, 2018 at 8:30 AM, Kevin Doran <[email protected]> wrote:
Sorry, meant to include the link to start.sh, which is in our codebase [1].
I’m only pointing it out b/c it looked like in your Docker compose file that
you wanted this to be an LDAP demo.
[1] https://github.com/apache/nifi/blob/master/nifi-docker/dockerhub/sh/start.sh#L30
From: Kevin Doran <[email protected]>
Date: Thursday, March 22, 2018 at 08:27
To: <[email protected]>
Subject: Re: Unknown user w/ Docker image
Good eye, Pierre.
Mike, unrelated to the initial admin question, but anticipating something you
might run into after you get that part working. Change the "AUTH=tls"
environment variable value to "AUTH=ldap". (I know the README file for the
docker image uses ‘AUTH=tls’ in the documentation for LDAP setup; that is an
error. I’ll open a PR to correct the documentation. To confirm how it works,
look at the start.sh file)
Cheers,
Kevin
From: Mike Thomsen <[email protected]>
Reply-To: <[email protected]>
Date: Thursday, March 22, 2018 at 08:25
To: <[email protected]>
Subject: Re: Unknown user w/ Docker image
They were. I did a copy from the Docker Hub page and didn't think they'd harm
anything in the YAML. Removing them got initialAdmin to work.
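An added example, not from the thread or the NiFi image, of why the quotes ended up inside users.xml: in a compose `environment:` list an item written as `- KEY='value'` is a plain YAML scalar, so the quotes are part of the value, whereas quoting the whole item (`- "KEY=value"`) strips them. The compose lines, certificate subject and users.xml below are constructed; the check at the end compares the identity NiFi would write against the client certificate's subject.

```python
# Added example, not from the thread or the NiFi image: why quotes copied
# from a `docker run -e KEY='value'` line end up inside users.xml when pasted
# into a compose `environment:` list, and a check that the identity NiFi will
# write matches the client certificate's subject. Compose lines, cert subject
# and users.xml here are constructed.
import uuid
import xml.etree.ElementTree as ET

# Constructed `environment:` entries. The first is the shape copied from the
# Docker Hub page; the second is the fix (quote the whole item, not the value).
BROKEN_ENV = [
    "- AUTH=tls",
    "- INITIAL_ADMIN_IDENTITY='CN=initialAdmin, OU=NIFI'",
]
FIXED_ENV = [
    "- AUTH=tls",
    '- "INITIAL_ADMIN_IDENTITY=CN=initialAdmin, OU=NIFI"',
]
CERT_SUBJECT = "CN=initialAdmin, OU=NIFI"


def yaml_scalar(text: str) -> str:
    """Minimal YAML rule that matters here: only a scalar wrapped entirely in
    matching quotes has them stripped; quotes in the middle of a plain scalar
    (KEY='value') are data."""
    t = text.strip()
    if len(t) >= 2 and t[0] == t[-1] and t[0] in "\"'":
        return t[1:-1]
    return t


def parse_environment(items):
    """Parse `- KEY=value` items of a compose environment list into a dict."""
    env = {}
    for line in items:
        line = line.strip()
        if not line.startswith("- "):
            continue
        key, sep, value = yaml_scalar(line[2:]).partition("=")
        if sep:
            env[key.strip()] = value
    return env


def render_users_xml(admin_identity: str) -> str:
    """The users.xml NiFi writes on first start for the initial admin
    (shape taken from the file quoted earlier in the thread)."""
    tenants = ET.Element("tenants")
    ET.SubElement(tenants, "groups")
    users = ET.SubElement(tenants, "users")
    ET.SubElement(users, "user",
                  identifier=str(uuid.uuid5(uuid.NAMESPACE_DNS, admin_identity)),
                  identity=admin_identity)
    return ET.tostring(tenants, encoding="unicode")


def identities(users_xml: str):
    return [u.get("identity") for u in ET.fromstring(users_xml).iter("user")]


def check_initial_admin(env, cert_subject: str, users_xml: str):
    """Return the problems that would produce 'Unknown user with identity'."""
    problems = []
    configured = env.get("INITIAL_ADMIN_IDENTITY", "")
    if not configured:
        problems.append("INITIAL_ADMIN_IDENTITY is not set")
    elif configured[0] == configured[-1] and configured[0] in "\"'":
        problems.append("INITIAL_ADMIN_IDENTITY is wrapped in literal quote characters: %r"
                        % configured)
    if cert_subject not in identities(users_xml):
        problems.append("certificate subject %r is not in users.xml (%s)"
                        % (cert_subject, identities(users_xml)))
    return problems


if __name__ == "__main__":
    for env in (BROKEN_ENV, FIXED_ENV):
        e = parse_environment(env)
        xml = render_users_xml(e["INITIAL_ADMIN_IDENTITY"])
        print(check_initial_admin(e, CERT_SUBJECT, xml) or ["ok"])
```

The same rule explains why the map form (`INITIAL_ADMIN_IDENTITY: "CN=initialAdmin, OU=NIFI"`) also works: there the quotes wrap the whole value scalar and are stripped. The check is worth keeping around because NiFi compares the certificate subject to the users.xml identity as a string, so a stray quote or a different attribute order is enough to get the "Unknown user" error again.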
On Thu, Mar 22, 2018 at 8:20 AM, Pierre Villard <[email protected]>
wrote:
Hmmm no... the single quotes must be the issue here... I would expect
identity="CN=initialAdmin, OU=NIFI"
In your yaml file, I'd try to use double quotes around your property values.
2018-03-22 13:16 GMT+01:00 Mike Thomsen <[email protected]>:
Yeah, that's the weird part. It looks valid to me:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="f481771c-47d3-323f-b1c0-902b68e221e1"
          identity="'CN=initialAdmin, OU=NIFI'"/>
  </users>
</tenants>
On Thu, Mar 22, 2018 at 8:07 AM, Pierre Villard <[email protected]>
wrote:
Hey Mike,
Can you check the users.xml file created by NiFi when it started for the first
time?
2018-03-22 12:41 GMT+01:00 Mike Thomsen <[email protected]>:
I'm trying to use the Docker image to set up a secure NiFi demo, and am running
into this error:
Unknown user with identity 'CN=initialAdmin, OU=NIFI'. Contact the system
administrator.
SSL works, I verified that the owner in the cert is "CN=initialAdmin, OU=NIFI"
I've attached the Docker Compose configuration that I'm using. Any input would
be appreciated.
Thanks,
Mike