Yeah, from looking at your Docker compose file, your LDAP search base/filter is configured as:

    LDAP_USER_SEARCH_BASE='ou=people,dc=nifi,dc=com'
    LDAP_USER_SEARCH_FILTER='uid={0}'

This means that NiFi is going to search the directory for any nodes that are children of 'ou=people,dc=nifi,dc=com', match any LDAP entry with an attribute uid={0}, and use the substring matched by {0} as the identity. In this case that is “test”. So that is the user identity (“test”) you want to add to NiFi using the initial admin. Grant them access to the right resources (e.g., the UI), and then you should be able to login with test/password.

From: Mike Thomsen <mikerthom...@gmail.com>
Reply-To: <users@nifi.apache.org>
Date: Thursday, March 22, 2018 at 10:03
To: <users@nifi.apache.org>
Subject: Re: Unknown user w/ Docker image

I added two entries:

    uid=test
    cn=test, ou=people, dc=nifi, dc=com

Tried logging in w/ test/password (what the LDIF uses)

Got: Unknown user with identity 'test'. Contact the system administrator.

Any ideas?

On Thu, Mar 22, 2018 at 9:34 AM, Kevin Doran <kdo...@apache.org> wrote:

Mike,

To my knowledge, the Docker image does not yet have support for adding the LdapUserGroupProvider to authorizers.xml. It only adds the LdapProvider to login-identity-provider.xml. This means you should be able to login/authenticate as an LDAP user, but users and groups will not sync in order to create authorization rules. You will have to manually add users (with identities that match how your login-identity-provider is configured) using the initial admin.

I’ve opened a JIRA to add LdapUserGroupProvider support to the NiFi Docker image [1]. Also, it looks like there is already a JIRA for the AUTH=ldap documentation issue [2].

Kevin

[1] https://issues.apache.org/jira/browse/NIFI-5002
[2] https://issues.apache.org/jira/browse/NIFI-4934

From: Mike Thomsen <mikerthom...@gmail.com>
Reply-To: <users@nifi.apache.org>
Date: Thursday, March 22, 2018 at 09:26
To: <users@nifi.apache.org>
Subject: Re: Unknown user w/ Docker image

Thanks. I fixed that, but it's still not returning any users from the LDAP. It's weird because the LDAP docker image is set up using the same configuration from Pierre's blog posts that I've gotten to work outside of Docker. I'm also not seeing anything in the logs indicating that it's trying the LDAP query.

On Thu, Mar 22, 2018 at 8:30 AM, Kevin Doran <kdo...@apache.org> wrote:

Sorry, meant to include the link to start.sh, which is in our codebase [1]. I’m only pointing it out b/c it looked like in your Docker compose file that you wanted this to be an LDAP demo.

[1] https://github.com/apache/nifi/blob/master/nifi-docker/dockerhub/sh/start.sh#L30

From: Kevin Doran <kdo...@apache.org>
Date: Thursday, March 22, 2018 at 08:27
To: <users@nifi.apache.org>
Subject: Re: Unknown user w/ Docker image

Good eye, Pierre.

Mike, unrelated to the initial admin question, but anticipating something you might run into after you get that part working. Change the "AUTH=tls" environment variable value to "AUTH=ldap". (I know the README file for the docker image uses ‘AUTH=tls’ in the documentation for LDAP setup; that is an error. I’ll open a PR to correct the documentation. To confirm how it works, look at the start.sh file)

Cheers,
Kevin

From: Mike Thomsen <mikerthom...@gmail.com>
Reply-To: <users@nifi.apache.org>
Date: Thursday, March 22, 2018 at 08:25
To: <users@nifi.apache.org>
Subject: Re: Unknown user w/ Docker image

They were. I did a copy from the Docker Hub page and didn't think they'd harm anything in the YAML. Removing them got initialAdmin to work.

On Thu, Mar 22, 2018 at 8:20 AM, Pierre Villard <pierre.villard...@gmail.com> wrote:

Hmmm no... the single quotes must be the issue here... I would expect identity="CN=initialAdmin, OU=NIFI"

In your yaml file, I'd try to use double quotes around your property values.

2018-03-22 13:16 GMT+01:00 Mike Thomsen <mikerthom...@gmail.com>:

Yeah, that's the weird part. It looks valid to me:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <tenants>
        <groups/>
        <users>
            <user identifier="f481771c-47d3-323f-b1c0-902b68e221e1" identity="'CN=initialAdmin, OU=NIFI'"/>
        </users>
    </tenants>

On Thu, Mar 22, 2018 at 8:07 AM, Pierre Villard <pierre.villard...@gmail.com> wrote:

Hey Mike,

Can you check the users.xml file created by NiFi when it started for the first time?

2018-03-22 12:41 GMT+01:00 Mike Thomsen <mikerthom...@gmail.com>:

I'm trying to use the Docker image to set up a secure NiFi demo, and am running into this error:

Unknown user with identity 'CN=initialAdmin, OU=NIFI'. Contact the system administrator.

SSL works, I verified that the owner in the cert is "CN=initialAdmin, OU=NIFI"

I've attached the Docker Compose configuration that I'm using. Any input would be appreciated.

Thanks,

Mike
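
Added example, not part of the original thread or of NiFi's own code: a small check over the users.xml posted above that tells apart the two "Unknown user" causes discussed in this thread, an identity stored with literal quotes around it versus an identity that was never added. The function names are hypothetical, and it assumes the stored identity must equal the presented one exactly.

```python
import xml.etree.ElementTree as ET

# users.xml exactly as posted in the thread; the single quotes are part of the value.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="f481771c-47d3-323f-b1c0-902b68e221e1" identity="'CN=initialAdmin, OU=NIFI'"/>
  </users>
</tenants>"""


def load_identities(xml_text):
    """Return every user identity string stored in a users.xml document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [user.get("identity", "") for user in root.iter("user")]


def is_quote_wrapped(identity):
    """True when the whole value sits inside one matching pair of literal quotes."""
    return len(identity) >= 2 and identity[0] == identity[-1] and identity[0] in "'\""


def diagnose(xml_text, presented):
    """Classify why `presented` does or does not match a stored identity.

    Assumption: the stored identity must equal the presented one exactly.
    Returns (status, stored_identity_or_None).
    """
    identities = load_identities(xml_text)
    if presented in identities:
        return ("match", presented)
    for stored in identities:
        if is_quote_wrapped(stored) and stored[1:-1] == presented:
            return ("quoted", stored)  # quotes were copied in as literal characters
    for stored in identities:
        if stored.strip().lower() == presented.strip().lower():
            return ("case-or-whitespace", stored)
    return ("absent", None)  # e.g. an LDAP user never added by the initial admin


if __name__ == "__main__":
    for who in ("CN=initialAdmin, OU=NIFI", "test"):
        print(who, "->", diagnose(USERS_XML, who))
```
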