I was able to remove the TLS information in the identity-provider.xml and was able to use my remote LDAP to login. So I think I am narrowing down the issue.
> On Apr 10, 2018, at 2:57 PM, Kevin Doran <[email protected]> wrote:
>
> Thanks Scott,
>
> I don’t see anything wrong with your configuration. I created a free
> jumpcloud account, so I’ll try to recreate this issue and get back to you if
> I have any other insights.
>
> Kevin
>
> From: Scott Howell <[email protected]>
> Reply-To: <[email protected]>
> Date: Tuesday, April 10, 2018 at 15:54
> To: <[email protected]>
> Subject: Re: Nifi Registry LDAP
>
> I was able to switch back to my local LDAP server and was able to login
> successfully. The provider I am using in identity-providers.xml is as
> follows:
>
> <provider>
>     <identifier>ldap-identity-provider</identifier>
>     <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>     <property name="Authentication Strategy">SIMPLE</property>
>     <property name="Manager DN">cn=Manager,dc={redacted},dc=com</property>
>     <property name="Manager Password">{redacted}</property>
>     <property name="Referral Strategy">FOLLOW</property>
>     <property name="Connect Timeout">10 secs</property>
>     <property name="Read Timeout">10 secs</property>
>     <property name="Url">ldap://{redacted}:389</property>
>     <property name="User Search Base">ou=users,dc={redacted},dc=com</property>
>     <property name="User Search Filter">uid={0}</property>
>     <property name="Identity Strategy">USE_DN</property>
>     <property name="Authentication Expiration">12 hours</property>
> </provider>
>
> This is a super strange issue as to why nifi works with the remote LDAP and
> nifi-registry does not.
>
>> On Apr 10, 2018, at 2:18 PM, Scott Howell <[email protected]> wrote:
>>
>> Thanks Kevin for sending that back,
>>
>> This is what I see when looking at the Headers on the login.
>> <Screen Shot 2018-04-10 at 2.15.35 PM.png>
>>
>> The version of Nifi-Registry I am running is 0.1.0. What confuses me is that
>> this was working with my local LDAP fine. It just stopped working when I
>> switched to setting up the identity-provider.xml with the same credentials
>> as my nifi-cluster.
>>
>>> On Apr 10, 2018, at 2:10 PM, Kevin Doran <[email protected]> wrote:
>>>
>>> If everything is configured correctly, this error usually indicates that
>>> the server did not locate your login credentials when processing the login
>>> request. That usually means it will not even attempt to authenticate the
>>> credentials, so I'm not sure it is an LDAP configuration error.
>>>
>>> If you want to check this manually using developer tools in a browser
>>> (e.g., Chrome or Firefox) you can look at the HTTP traffic to see if
>>> credentials are being passed to the server. NiFi Registry uses the HTTP
>>> Basic Auth protocol to login (credentials are encoded in the Authorization
>>> header and passed to the server from the login page to generate a temporary
>>> authentication token).
>>>
>>> So after clicking "Login", you should look for an HTTP POST to
>>> <base_url>/nifi-registry-api/access/token/login, which should have an
>>> "Authorization" header with the value "Basic
>>> {encoded-username-and-password}"
>>>
>>> If the credentials are there, it is likely something is misconfigured on
>>> the server side with the identity provider so that login credentials are
>>> not even being looked for. If the credentials are not there... well I've
>>> never seen that. I would probably ask if your NiFi Registry Server is running
>>> behind a load balancer or proxy that could be interfering with HTTP headers?
>>>
>>> What version of NiFi Registry are you using? 0.1.0 or a version built from
>>> source?
>>>
>>> Hope this helps,
>>> Kevin
>>>
>>>
>>> On 4/10/18, 14:59, "Scott Howell" <[email protected]> wrote:
>>>
>>>     Yes I did, I had Nifi-registry working with a local instance of LDAP
>>>     running. It’s now not cooperating since I moved to using Jumpcloud.
>>>
>>>     > On Apr 10, 2018, at 1:56 PM, Kevin Doran <[email protected]> wrote:
>>>     >
>>>     > Hi Scott,
>>>     >
>>>     > Did you configure nifi-registry.properties with:
>>>     >
>>>     > nifi.registry.security.identity.provider=ldap-identity-provider
>>>     >
>>>     > On 4/10/18, 14:53, "Scott Howell" <[email protected]> wrote:
>>>     >
>>>     >     Thanks for all the help yesterday standing up LDAP for NIFI. I
>>>     >     was able to troubleshoot and fix the issues myself. I am running into a
>>>     >     unique issue with my Nifi-Registry: when I try to login with my LDAP
>>>     >     credentials like I do for the nifi cluster, I get this in my logs:
>>>     >
>>>     >     2018-04-10 18:43:15,303 INFO [NiFi Registry Web Server-18] o.a.n.r.w.s.NiFiRegistrySecurityConfig AuthenticationEntryPoint invoked as no user identity credentials were found in the request.
>>>     >
>>>     >     My identity-providers.xml is this:
>>>     >     <identityProviders>
>>>     >         <provider>
>>>     >             <identifier>ldap-identity-provider</identifier>
>>>     >             <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>>>     >             <property name="Authentication Strategy">START_TLS</property>
>>>     >             <property name="Manager DN">uid=nifi,ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>>>     >             <property name="Manager Password">{redacted}</property>
>>>     >             <property name="TLS - Keystore”></property>
>>>     >             <property name="TLS - Keystore Password"></property>
>>>     >             <property name="TLS - Keystore Type"></property>
>>>     >             <property name="TLS - Truststore">/opt/certs/jumpcloud.jks</property>
>>>     >             <property name="TLS - Truststore Password">{redacted}</property>
>>>     >             <property name="TLS - Truststore Type">JKS</property>
>>>     >             <property name="TLS - Client Auth"></property>
>>>     >             <property name="TLS - Protocol">TLSv1.2</property>
>>>     >             <property name="TLS - Shutdown Gracefully"></property>
>>>     >             <property name="Referral Strategy">FOLLOW</property>
>>>     >             <property name="Connect Timeout">10 secs</property>
>>>     >             <property name="Read Timeout">10 secs</property>
>>>     >             <property name="Url">ldap://ldap.jumpcloud.com:389</property>
>>>     >             <property name="User Search Base">ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>>>     >             <property name="User Search Filter">uid={0}</property>
>>>     >             <property name="Identity Strategy">USE_USERNAME</property>
>>>     >             <property name="Authentication Expiration">12 hours</property>
>>>     >         </provider>
>>>     >     </identityProviders>
>>>     >
>>>     >     For the most part I grabbed most of this from my Nifi node
>>>     >     login-identity-providers.xml but I seem to have something messed up.
>>>     >
>>>     >
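Kevin's suggestion covers the request side of the problem; the other half is whether the provider block itself is complete and parseable. The following is an added example, not code from the thread or from NiFi Registry: an offline validator for the `<provider>` element that uses the property names quoted above. The set of `Authentication Strategy` values and the rule that `LDAPS`/`START_TLS` require the truststore properties are taken from the NiFi LDAP provider documentation rather than from this thread, and the sample config below is constructed from the SIMPLE provider Scott posted.

```python
import xml.etree.ElementTree as ET

# Property names are the ones quoted in the thread. The strategy names and the
# rule that LDAPS/START_TLS need a truststore follow the NiFi LDAP provider
# documentation (assumption, not stated in the thread).
STRATEGIES = {"ANONYMOUS", "SIMPLE", "LDAPS", "START_TLS"}
TLS_REQUIRED = ("TLS - Truststore", "TLS - Truststore Password", "TLS - Truststore Type")
ALWAYS_REQUIRED = ("Url", "User Search Base", "User Search Filter")

def check_identity_provider(xml_text, configured_id="ldap-identity-provider"):
    """Return a list of findings for the configured provider; [] means it looks usable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A file that does not parse never reaches the LDAP code at all
        # (a stray smart quote in an attribute is enough), so stop here.
        return [f"identity-providers.xml does not parse: {exc}"]
    providers = {p.findtext("identifier"): p for p in root.iter("provider")}
    provider = providers.get(configured_id)
    if provider is None:
        return [f"no <provider> with identifier {configured_id!r}; compare "
                "nifi.registry.security.identity.provider in nifi-registry.properties"]
    props = {p.get("name"): (p.text or "").strip() for p in provider.findall("property")}
    findings = []
    strategy = props.get("Authentication Strategy", "")
    if strategy not in STRATEGIES:
        findings.append(f"unknown Authentication Strategy {strategy!r}")
    required = list(ALWAYS_REQUIRED)
    if strategy != "ANONYMOUS":
        required += ["Manager DN", "Manager Password"]
    if strategy in ("LDAPS", "START_TLS"):
        required += list(TLS_REQUIRED)
    findings += [f"{name!r} is missing or empty" for name in required if not props.get(name)]
    if props.get("Identity Strategy", "USE_DN") not in ("USE_DN", "USE_USERNAME"):
        findings.append(f"unknown Identity Strategy {props['Identity Strategy']!r}")
    return findings

# Constructed sample: the SIMPLE provider from the thread, placeholders kept as-is.
SAMPLE_SIMPLE = """<identityProviders><provider>
  <identifier>ldap-identity-provider</identifier>
  <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
  <property name="Authentication Strategy">SIMPLE</property>
  <property name="Manager DN">cn=Manager,dc={redacted},dc=com</property>
  <property name="Manager Password">{redacted}</property>
  <property name="Url">ldap://{redacted}:389</property>
  <property name="User Search Base">ou=users,dc={redacted},dc=com</property>
  <property name="User Search Filter">uid={0}</property>
  <property name="Identity Strategy">USE_DN</property>
</provider></identityProviders>"""
```

Pass it the text of the file the registry actually loads; a non-empty list is the misconfiguration to chase before looking at the LDAP server itself.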
