I was able to switch back to my local LDAP server and was able to log in
successfully. The provider I am using in identity-providers.xml is as follows:
<provider>
<identifier>ldap-identity-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">cn=Manager,dc={redacted},dc=com</property>
<property name="Manager Password">{redacted}</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://{redacted}:389</property>
<property name="User Search Base">ou=users,dc={redacted},dc=com</property>
<property name="User Search Filter">uid={0}</property>
<property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
This is a super strange issue as to why nifi works with the remote LDAP and
nifi-registry does not.
> On Apr 10, 2018, at 2:18 PM, Scott Howell <[email protected]> wrote:
>
> Thanks Kevin for sending that back,
>
> This is what I see when looking at the Headers on the login.
> <Screen Shot 2018-04-10 at 2.15.35 PM.png>
>
> The version of Nifi-Registry I am running is 0.1.0. What confuses me is that
> this was working with my local LDAP fine. It just stopped working when I
> switched to setting up the identity-provider.xml with the same credentials as
> my nifi-cluster.
>
>
>
>> On Apr 10, 2018, at 2:10 PM, Kevin Doran <[email protected]> wrote:
>>
>> If everything is configured correctly, this error usually indicates that the
>> server did not locate your login credentials when processing the login
>> request. That usually means it will not even attempt to authenticate the
>> credentials, so I'm not sure it is an LDAP configuration error.
>>
>> If you want to check this manually using developer tools in a browser (e.g.,
>> Chrome or Firefox) you can look at the HTTP traffic to see if credentials
>> are being passed to the server. NiFi Registry uses the HTTP Basic Auth
>> protocol to login (credentials are encoded in the Authorization header and
>> passed to the server from the login page to generate a temporary
>> authentication token).
>>
>> So after clicking "Login", you should look for an HTTP POST to
>> <base_url>/nifi-registry-api/access/token/login, which should have an
>> "Authorization" header with the value "Basic {encoded-username-and-password}"
>>
>> If the credentials are there, it is likely something is misconfigured on the
>> server side with the identity provider so that login credentials are not
>> even being looked for. If the credentials are not there... well I've never
>> seen that. I would probably ask if your NiFi Registry server is running behind a
>> load balancer or proxy that could be interfering with HTTP headers.
>>
>> What version of NiFi Registry are you using? 0.1.0 or a version built from
>> source?
>>
>> Hope this helps,
>> Kevin
>>
>>
>> On 4/10/18, 14:59, "Scott Howell" <[email protected]> wrote:
>>
>> Yes I did, I had Nifi-registry working with a local instance of LDAP
>> running. It’s now not cooperating since I moved to using Jumpcloud.
>>
>> > On Apr 10, 2018, at 1:56 PM, Kevin Doran <[email protected]> wrote:
>> >
>> > Hi Scott,
>> >
>> > Did you configure nifi-registry.properties with:
>> >
>> > nifi.registry.security.identity.provider=ldap-identity-provider
>> >
>> > On 4/10/18, 14:53, "Scott Howell" <[email protected]> wrote:
>> >
>> > Thanks for all the help yesterday standing up LDAP for NIFI. I
>> was able to troubleshoot and fix the issues myself. I am running into a
>> unique issue with my Nifi-Registry: when I try to log in with my LDAP
>> credentials like I do for the nifi cluster, I get this in my logs:
>> >
>> > 2018-04-10 18:43:15,303 INFO [NiFi Registry Web Server-18]
>> o.a.n.r.w.s.NiFiRegistrySecurityConfig AuthenticationEntryPoint invoked as
>> no user identity credentials were found in the request.
>> >
>> > My identity-providers.xml is this:
>> > <identityProviders>
>> >   <provider>
>> >     <identifier>ldap-identity-provider</identifier>
>> >     <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>> >     <property name="Authentication Strategy">START_TLS</property>
>> >     <property name="Manager DN">uid=nifi,ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>> >     <property name="Manager Password">{redacted}</property>
>> >     <property name="TLS - Keystore"></property>
>> >     <property name="TLS - Keystore Password"></property>
>> >     <property name="TLS - Keystore Type"></property>
>> >     <property name="TLS - Truststore">/opt/certs/jumpcloud.jks</property>
>> >     <property name="TLS - Truststore Password">{redacted}</property>
>> >     <property name="TLS - Truststore Type">JKS</property>
>> >     <property name="TLS - Client Auth"></property>
>> >     <property name="TLS - Protocol">TLSv1.2</property>
>> >     <property name="TLS - Shutdown Gracefully"></property>
>> >     <property name="Referral Strategy">FOLLOW</property>
>> >     <property name="Connect Timeout">10 secs</property>
>> >     <property name="Read Timeout">10 secs</property>
>> >     <property name="Url">ldap://ldap.jumpcloud.com:389</property>
>> >     <property name="User Search Base">ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>> >     <property name="User Search Filter">uid={0}</property>
>> >     <property name="Identity Strategy">USE_USERNAME</property>
>> >     <property name="Authentication Expiration">12 hours</property>
>> >   </provider>
>> > </identityProviders>
>> >
>> > For the most part I grabbed most of this from my Nifi node
>> login-identity-providers.xml but I seem to have something messed up.
>> >
>> >
>
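The login check Kevin describes above, as an added example that is not part of the thread and not NiFi Registry's own code: a stub HTTP server stands in for the /nifi-registry-api/access/token/login endpoint and answers 401 when no "Authorization: Basic ..." header arrives (the "no user identity credentials were found" case) and a token when one does, and a client builds the same POST the login page sends, with and without the header, so the two outcomes can be compared side by side. The demo account, the token format and the loopback addresses are assumptions for the demo; a real registry binds the decoded credentials against the configured identity provider instead of a dictionary.

```python
"""Added example (not from the mailing-list thread or the NiFi project).
Reproduces the Basic-auth login exchange for NiFi Registry's token endpoint
so the 'header present' and 'header stripped' cases can be seen side by side.
Demo users, token format and addresses are assumptions for the demo."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN_PATH = "/nifi-registry-api/access/token/login"

# Constructed sample account for the stub; a real registry looks the user up
# in the identity provider (LDAP here) instead.
DEMO_USERS = {"scott": "hunter2"}


def parse_basic_auth(header_value):
    """Return (username, password) from a Basic auth header value, or None
    when the header is absent or malformed. None is exactly the situation
    the registry logs as 'no user identity credentials were found': nothing
    is ever sent to LDAP, so the LDAP config cannot be the cause."""
    if not header_value:
        return None
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


class StubRegistryHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the registry's login resource."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        if self.path != LOGIN_PATH:
            self.send_error(404)
            return
        creds = parse_basic_auth(self.headers.get("Authorization"))
        if creds is None:
            # AuthenticationEntryPoint behaviour: reject before any auth attempt.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="nifi-registry"')
            self.end_headers()
            return
        user, password = creds
        if DEMO_USERS.get(user) != password:
            self.send_response(401)
            self.end_headers()
            return
        token = ("demo-token-for-" + user).encode()  # assumed token format
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(token)))
        self.end_headers()
        self.wfile.write(token)


def start_stub_registry():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), StubRegistryHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def login(host, port, username=None, password=None):
    """POST to the login endpoint the way the UI does. With a username the
    request carries 'Authorization: Basic base64(user:password)'; without one
    the header is omitted, which is what a header-stripping proxy looks like
    from the server's point of view. Returns (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"Content-Length": "0"}
    if username is not None:
        raw = f"{username}:{password}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    conn.request("POST", LOGIN_PATH, body=b"", headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, body


def demo():
    """Run both requests against the stub and return their (status, body)."""
    srv = start_stub_registry()
    try:
        port = srv.server_address[1]
        with_creds = login("127.0.0.1", port, "scott", "hunter2")
        without_creds = login("127.0.0.1", port)
        return with_creds, without_creds
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    ok, missing = demo()
    print("with Authorization header:   ", ok)
    print("without Authorization header:", missing)
```

Against a real deployment the same comparison is `curl -v -u user:pass -X POST https://host/nifi-registry-api/access/token/login`, run once directly against the registry node and once through whatever load balancer or proxy sits in front of it; if only the proxied request produces the "no user identity credentials" log line, the header is being dropped in transit rather than rejected by the identity provider.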