So I changed two things.

1. I updated the <property name="Authentication Strategy">START_TLS</property>
with START_TLS; this allowed NiFi to connect to Jumpcloud.

2. <property name="Identity Strategy">USE_DN</property> from USE_USERNAME, and
everything began to work.


> On Apr 9, 2018, at 3:14 PM, Andy LoPresto <alopre...@apache.org> wrote:
> 
> Scott,
> 
> One note is that since you are using port 389 (plaintext LDAP), your 
> credentials are being transmitted in cleartext unless you are enforcing 
> START_TLS, and as there is no truststore populated in your config, it does 
> not appear you are doing this. 
> 
> You should read the Jumpcloud instructions on configuring LDAP-as-a-service 
> (including creating an LDAP Binding User Account) using SSL/TLS and there are 
> some additional resources on configuring this for LDAP below:
> 
> https://support.jumpcloud.com/customer/en/portal/articles/2439911
> https://support.jumpcloud.com/customer/en/portal/articles/2440898-jumpcloud-ldaps-ssl-certificate
> https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
> 
> Andy LoPresto
> alopre...@apache.org
> alopresto.apa...@gmail.com
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> 
>> On Apr 9, 2018, at 1:04 PM, Scott Howell <scotthow...@mobilgov.com> wrote:
>> 
>> That is what is inside of <loginIdentityProviders></loginIdentityProviders>
>> 
>>> On Apr 9, 2018, at 3:03 PM, Scott Howell <scotthow...@mobilgov.com> wrote:
>>> 
>>> Yep let me send it over.
>>> 
>>> <provider>
>>>       <identifier>ldap-provider</identifier>
>>>       <class>org.apache.nifi.ldap.LdapProvider</class>
>>>       <property name="Authentication Strategy">ANONYMOUS</property>
>>> 
>>>       <property name="Manager DN">uid=nifi,ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>>>       <property name="Manager Password">{redacted}</property>
>>> 
>>>       <property name="TLS - Keystore"></property>
>>>       <property name="TLS - Keystore Password"></property>
>>>       <property name="TLS - Keystore Type"></property>
>>>       <property name="TLS - Truststore"></property>
>>>       <property name="TLS - Truststore Password"></property>
>>>       <property name="TLS - Truststore Type"></property>
>>>       <property name="TLS - Client Auth"></property>
>>>       <property name="TLS - Protocol"></property>
>>>       <property name="TLS - Shutdown Gracefully"></property>
>>> 
>>>       <property name="Referral Strategy">FOLLOW</property>
>>>       <property name="Connect Timeout">10 secs</property>
>>>       <property name="Read Timeout">10 secs</property>
>>> 
>>>       <property name="Url">ldap://ldap.jumpcloud.com:389</property>
>>>       <property name="User Search Base">ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>>>       <property name="User Search Filter">uid={0}</property>
>>> 
>>>       <property name="Identity Strategy">USE_USERNAME</property>
>>>       <property name="Authentication Expiration">12 hours</property>
>>>   </provider>
>>> 
>>> 
>>> 
>>>> On Apr 9, 2018, at 3:01 PM, Kevin Doran <kdo...@apache.org> wrote:
>>>> 
>>>> Scott,
>>>> 
>>>> I've never implemented NiFi with JumpCloud, but speculating as to what 
>>>> could be the cause of your error, it could be the User Search Base/Filter 
>>>> configuration values. Can you share the contents of your 
>>>> login-identity-providers.xml (removing any sensitive values such as ldap 
>>>> credentials)?
>>>> 
>>>> Thanks,
>>>> Kevin
>>>> 
>>>> On 4/9/18, 14:53, "Scott Howell" <scotthow...@mobilgov.com> wrote:
>>>> 
>>>> I was wondering if there was anyone on the user group that had
>>>> successfully integrated their NiFi authentication to work with Jumpcloud
>>>> LDAP. I have followed the steps Jumpcloud provides with adding the correct
>>>> credentials to the NiFi login-identity-providers.xml, but I am getting
>>>> an error of “Unable to validate the supplied credentials. Please contact
>>>> the system administrator.” in the UI. In my nifi-user.log I am seeing
>>>> [LDAP: error code 32 - No Such Object] when it's trying to look up the LDAP
>>>> user.
>>>> 
>>>> Scott
>>>> 
>>>> 
>>> 
>> 
> 
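The LdapProvider block with both of Scott's changes applied (START_TLS and USE_DN) and the truststore Andy flagged as empty filled in, as an added example rather than Scott's actual final file; the truststore path, its password and the {redacted} organisation id are placeholders.

```xml
<!-- login-identity-providers.xml provider block: an added example built from
     the thread's fixes, not Scott's final config. Truststore path, password
     and the {redacted} org id are placeholders. -->
<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>

    <!-- Was ANONYMOUS. START_TLS upgrades the port-389 connection to TLS
         before the Manager DN bind is sent, so the credentials no longer
         cross the wire in cleartext. -->
    <property name="Authentication Strategy">START_TLS</property>

    <property name="Manager DN">uid=nifi,ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
    <property name="Manager Password">{redacted}</property>

    <!-- START_TLS only protects the session if NiFi can verify the server
         certificate, so the truststore must contain the JumpCloud LDAPS CA
         from the certificate article linked above. A client keystore is
         not needed unless the server requires client certificates. -->
    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password"></property>
    <property name="TLS - Keystore Type"></property>
    <property name="TLS - Truststore">/opt/nifi/conf/jumpcloud-truststore.jks</property>
    <property name="TLS - Truststore Password">{truststore-password}</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth">NONE</property>
    <property name="TLS - Protocol">TLS</property>
    <property name="TLS - Shutdown Gracefully">true</property>

    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>

    <!-- Same host and port as before: START_TLS stays on ldap://, not ldaps:// -->
    <property name="Url">ldap://ldap.jumpcloud.com:389</property>
    <property name="User Search Base">ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
    <property name="User Search Filter">uid={0}</property>

    <!-- Was USE_USERNAME. With USE_DN the identity NiFi records for the
         logged-in user is the full DN returned by the search, so authorizer
         policies must refer to users by DN rather than by uid. -->
    <property name="Identity Strategy">USE_DN</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>
```

After changing the truststore, confirm the handshake succeeds by watching nifi-user.log for the bind rather than trusting the UI alone; a misconfigured truststore fails closed with a TLS error instead of falling back to cleartext.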
