Thanks. Now test can login. One last question... if I copy users.xml and
authorizations.xml to the host file system and inject them into later runs
of the Docker image through volume references, would that work for making a
reproducible demo?

On Thu, Mar 22, 2018 at 10:08 AM, Kevin Doran <[email protected]> wrote:

> Yeah, from looking at your Docker compose file, your LDAP search
> base/filter is configured as:
>
> LDAP_USER_SEARCH_BASE='ou=people,dc=nifi,dc=com'
> LDAP_USER_SEARCH_FILTER='uid={0}'
>
> This means that NiFi is going to search the directory for any nodes that
> are children of 'ou=people,dc=nifi,dc=com', match any LDAP entry with an
> attribute uid={0}, and use the substring matched by {0} as the identity.
>
> In this case that is “test”. So that is the user identity (“test”) you
> want to add to NiFi using the initial admin. Grant them access to the right
> resources (e.g., the UI), and then you should be able to login with
> test/password.
>
> *From: *Mike Thomsen <[email protected]>
> *Reply-To: *<[email protected]>
> *Date: *Thursday, March 22, 2018 at 10:03
>
> *To: *<[email protected]>
> *Subject: *Re: Unknown user w/ Docker image
>
> I added two entries:
>
> uid=test
>
> cn=test, ou=people, dc=nifi, dc=com
>
> Tried logging in w/ test/password (what the LDIF uses)
>
> Got: Unknown user with identity 'test'. Contact the system administrator.
>
> Any ideas?
>
> On Thu, Mar 22, 2018 at 9:34 AM, Kevin Doran <[email protected]> wrote:
>
> Mike,
>
> To my knowledge, the Docker image does not yet have support for adding the
> LdapUserGroupProvider to authorizers.xml. It only adds the LdapProvider to
> login-identity-provider.xml. This means you should be able to
> login/authenticate as an LDAP user, but users and group will not sync in
> order to create authorization rules. You will have to manually add users
> (with identities that match how your login-identity-provider is configured)
> using the initial admin.
>
> I’ve opened a JIRA to add LdapUserGroupProvider support to the NiFi Docker
> image [1].
>
> Also, it looks like there is already a JIRA for the AUTH=ldap
> documentation issue [2].
>
> Kevin
>
> [1] https://issues.apache.org/jira/browse/NIFI-5002
>
> [2] https://issues.apache.org/jira/browse/NIFI-4934
>
> *From: *Mike Thomsen <[email protected]>
> *Reply-To: *<[email protected]>
> *Date: *Thursday, March 22, 2018 at 09:26
>
> *To: *<[email protected]>
> *Subject: *Re: Unknown user w/ Docker image
>
> Thanks. I fixed that, but it's still not returning any users from the
> LDAP. It's weird because the LDAP docker image is set up using the same
> configuration from Pierre's blog posts that I've gotten to work outside of
> Docker. I'm also not seeing anything in the logs indicating that it's
> trying the LDAP query.
>
> On Thu, Mar 22, 2018 at 8:30 AM, Kevin Doran <[email protected]> wrote:
>
> Sorry, meant to include the link to start.sh, which is in our codebase
> [1].  I’m only pointing it out b/c it looked like in your Docker compose
> file that you wanted this to be an LDAP demo.
>
> [1] https://github.com/apache/nifi/blob/master/nifi-docker/dockerhub/sh/start.sh#L30
>
> *From: *Kevin Doran <[email protected]>
> *Date: *Thursday, March 22, 2018 at 08:27
> *To: *<[email protected]>
> *Subject: *Re: Unknown user w/ Docker image
>
> Good eye, Pierre.
>
> Mike, unrelated to the initial admin question, but anticipating something
> you might run into after you get that part working. Change the "AUTH=tls"
> environment variable value to "AUTH=ldap". (I know the README file for the
> docker image uses ‘AUTH=tls’ in the documentation for LDAP setup; that is
> an error. I’ll open a PR to correct the documentation. To confirm how it
> works, look at the start.sh file)
>
> Cheers,
> Kevin
>
> *From: *Mike Thomsen <[email protected]>
> *Reply-To: *<[email protected]>
> *Date: *Thursday, March 22, 2018 at 08:25
> *To: *<[email protected]>
> *Subject: *Re: Unknown user w/ Docker image
>
> They were. I did a copy from the Docker Hub page and didn't think they'd
> harm anything in the YAML. Removing them got initialAdmin to work.
>
> On Thu, Mar 22, 2018 at 8:20 AM, Pierre Villard <[email protected]> wrote:
>
> Hmmm no... the single quotes must be the issue here... I would expect
> identity="CN=initialAdmin, OU=NIFI"
>
> In your yaml file, I'd try to use double quotes around your property
> values.
>
> 2018-03-22 13:16 GMT+01:00 Mike Thomsen <[email protected]>:
>
> Yeah, that's the weird part. It looks valid to me:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <tenants>
>     <groups/>
>     <users>
>         <user identifier="f481771c-47d3-323f-b1c0-902b68e221e1"
> identity="'CN=initialAdmin, OU=NIFI'"/>
>     </users>
> </tenants>
>
> On Thu, Mar 22, 2018 at 8:07 AM, Pierre Villard <[email protected]> wrote:
>
> Hey Mike,
>
> Can you check the users.xml file created by NiFi when it started for the
> first time?
>
> 2018-03-22 12:41 GMT+01:00 Mike Thomsen <[email protected]>:
>
> I'm trying to use the Docker image to set up a secure NiFi demo, and am
> running into this error:
>
> Unknown user with identity 'CN=initialAdmin, OU=NIFI'. Contact the system
> administrator.
>
> SSL works, I verified that the owner in the cert is "CN=initialAdmin,
> OU=NIFI"
>
> I've attached the Docker Compose configuration that I'm using. Any input
> would be appreciated.
>
> Thanks,
>
> Mike
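
As an added example (not code from this thread or from NiFi), a small Python check that reads a users.xml like the one quoted above and reports identities that would not match the client certificate subject, flagging the quote-wrapped identity the thread ran into. The users.xml and subject DN are constructed from the thread's values, and the DN normalisation is a simplified comparison, not NiFi's own identity-mapping logic.

```python
"""Check the identities in a NiFi users.xml against a client-certificate
subject DN. Added example, not NiFi code; sample data is constructed."""
from typing import List
import xml.etree.ElementTree as ET

# Constructed users.xml mirroring the broken one in the thread: the single
# quotes from the compose file ended up inside the identity string.
BROKEN_USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="f481771c-47d3-323f-b1c0-902b68e221e1"
              identity="'CN=initialAdmin, OU=NIFI'"/>
    </users>
</tenants>
"""
# The same file as it should look once the stray quotes are gone.
FIXED_USERS_XML = BROKEN_USERS_XML.replace("'CN=initialAdmin, OU=NIFI'",
                                           "CN=initialAdmin, OU=NIFI")

def load_identities(users_xml: str) -> List[str]:
    """Return the identity attribute of every <user> element."""
    root = ET.fromstring(users_xml.encode("utf-8"))
    return [user.get("identity", "") for user in root.iter("user")]

def normalize_dn(dn: str) -> str:
    """Trim each RDN and upper-case attribute types so spacing differences do
    not cause false mismatches. Simplified comparison, not NiFi's identity
    mapping (assumption: no escaped commas inside the DN)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(rdns)

def find_problems(users_xml: str, cert_subject: str) -> List[str]:
    """Report every identity that would not match cert_subject; when the
    identity is wrapped in quotes, name the quoting mistake explicitly."""
    expected = normalize_dn(cert_subject)
    problems = []
    for identity in load_identities(users_xml):
        if identity[:1] in ("'", '"') and identity[-1:] == identity[:1]:
            problems.append(f"identity {identity!r} is wrapped in quotes; "
                            "check how the value is quoted in the YAML/env file")
        elif normalize_dn(identity) != expected:
            problems.append(f"identity {identity!r} does not match "
                            f"certificate subject {cert_subject!r}")
    return problems
```

Running `find_problems` over the broken file reports the quoted identity; over the fixed file it returns an empty list.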
