So an interesting thing just happened. I added the TLS parts of the 
identity-provider.xml, restarted the server, and everything is working fine.

I don’t want you digging into it too much, but it was a strange issue I was 
having. 

> On Apr 10, 2018, at 3:21 PM, Kevin Doran <kdo...@apache.org> wrote:
> 
> Thanks; that certainly narrows it down. It could be that you’ve uncovered a 
> bug with the LdapIdentityProvider when using START_TLS. I’ll try to recreate 
> it and dig into it on my end. Thanks for sharing all this info.
>  
> Kevin
>  
> From: Scott Howell <scotthow...@mobilgov.com>
> Reply-To: <users@nifi.apache.org>
> Date: Tuesday, April 10, 2018 at 16:05
> To: <users@nifi.apache.org>
> Subject: Re: Nifi Registry LDAP
>  
> I was able to remove the TLS information in the identity-provider.xml and was 
> able to use my remote LDAP to login. So I think I am narrowing down the issue.
>  
>  
> 
> 
>> On Apr 10, 2018, at 2:57 PM, Kevin Doran <kdo...@apache.org> wrote:
>>  
>> Thanks Scott,
>>  
>> I don’t see anything wrong with your configuration. I created a free 
>> jumpcloud account, so I’ll try to recreate this issue and get back to you if 
>> I have any other insights.
>>  
>> Kevin
>>  
>> From: Scott Howell <scotthow...@mobilgov.com>
>> Reply-To: <users@nifi.apache.org>
>> Date: Tuesday, April 10, 2018 at 15:54
>> To: <users@nifi.apache.org>
>> Subject: Re: Nifi Registry LDAP
>>  
>> I was able to switch back to my local LDAP server and was able to log in 
>> successfully. The provider I am using in identity-providers.xml is as 
>> follows:
>>  
>> <provider>
>>     <identifier>ldap-identity-provider</identifier>
>>     <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>>     <property name="Authentication Strategy">SIMPLE</property>
>>
>>     <property name="Manager DN">cn=Manager,dc={redacted},dc=com</property>
>>     <property name="Manager Password">{redacted}</property>
>>
>>     <property name="Referral Strategy">FOLLOW</property>
>>     <property name="Connect Timeout">10 secs</property>
>>     <property name="Read Timeout">10 secs</property>
>>
>>     <property name="Url">ldap://{redacted}:389</property>
>>     <property name="User Search Base">ou=users,dc={redacted},dc=com</property>
>>     <property name="User Search Filter">uid={0}</property>
>>
>>     <property name="Identity Strategy">USE_DN</property>
>>     <property name="Authentication Expiration">12 hours</property>
>> </provider>
>>  
>> This is a super strange issue as to why nifi works with the remote LDAP and 
>> nifi-registry does not. 
>>  
>> 
>> 
>>> On Apr 10, 2018, at 2:18 PM, Scott Howell <scotthow...@mobilgov.com> wrote:
>>>  
>>> Thanks Kevin for sending that back,
>>>  
>>> This is what I see when looking at the Headers on the login. 
>>> <Screen Shot 2018-04-10 at 2.15.35 PM.png>
>>>  
>>> The version of Nifi-Registry I am running is 0.1.0. What confuses me is 
>>> that this was working with my local LDAP fine. It just stopped working when 
>>> I switched to setting up the identity-provider.xml with the same 
>>> credentials as my nifi-cluster. 
>>>  
>>>  
>>> 
>>> 
>>> 
>>>> On Apr 10, 2018, at 2:10 PM, Kevin Doran <kdo...@apache.org> wrote:
>>>>  
>>>> If everything is configured correctly, this error usually indicates that 
>>>> the server did not locate your login credentials when processing the login 
>>>> request. That usually means it will not even attempt to authenticate the 
>>>> credentials, so I'm not sure it is an LDAP configuration error.
>>>>  
>>>> If you want to check this manually using developer tools in a browser 
>>>> (e.g., Chrome or Firefox) you can look at the HTTP traffic to see if 
>>>> credentials are being passed to the server. NiFi Registry uses the HTTP 
>>>> Basic Auth protocol to login (credentials are encoded in the Authorization 
>>>> header and passed to the server from the login page to generate a 
>>>> temporary authentication token). 
>>>>  
>>>> So after clicking "Login", you should look for an HTTP POST to 
>>>> <base_url>/nifi-registry-api/access/token/login, which should have an 
>>>> "Authorization" header with the value "Basic 
>>>> {encoded-username-and-password}"
>>>>  
>>>> If the credentials are there, it is likely something is misconfigured on 
>>>> the server side with the identity provider so that login credentials are 
>>>> not even being looked for. If the credentials are not there... well, I've 
>>>> never seen that. I would probably ask if your NiFi Registry server is 
>>>> running behind a load balancer or proxy that could be interfering with 
>>>> HTTP headers?
>>>>  
>>>> What version of NiFi Registry are you using? 0.1.0 or a version built from 
>>>> source?
>>>>  
>>>> Hope this helps,
>>>> Kevin
>>>>  
>>>>  
>>>> On 4/10/18, 14:59, "Scott Howell" <scotthow...@mobilgov.com> wrote:
>>>>  
>>>>     Yes I did, I had Nifi-registry working with a local instance of LDAP 
>>>> running. It’s now not cooperating since I moved to using Jumpcloud. 
>>>>     
>>>>     > On Apr 10, 2018, at 1:56 PM, Kevin Doran <kdo...@apache.org> wrote:
>>>>     > 
>>>>     > Hi Scott,
>>>>     > 
>>>>     > Did you configure nifi-registry.properties with:
>>>>     > 
>>>>     > nifi.registry.security.identity.provider=ldap-identity-provider
>>>>     > 
>>>>     > On 4/10/18, 14:53, "Scott Howell" <scotthow...@mobilgov.com> wrote:
>>>>     > 
>>>>     >    Thanks for all the help yesterday standing up LDAP for NIFI. 
>>>> I was able to troubleshoot and fix the issues myself. I am running into a 
>>>> unique issue with my Nifi-Registry: when I try to log in with my LDAP 
>>>> credentials, like I do for the nifi cluster, I get this in my logs:
>>>>     > 
>>>>     >    2018-04-10 18:43:15,303 INFO [NiFi Registry Web Server-18] 
>>>> o.a.n.r.w.s.NiFiRegistrySecurityConfig AuthenticationEntryPoint invoked as 
>>>> no user identity credentials were found in the request.
>>>>     > 
>>>>     >    My identity-providers.xml is this:
>>>>     >    <identityProviders>
>>>>     >        <provider>
>>>>     >            <identifier>ldap-identity-provider</identifier>
>>>>     >            <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>>>>     >            <property name="Authentication Strategy">START_TLS</property>
>>>>     >            <property name="Manager DN">uid=nifi,ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>>>>     >            <property name="Manager Password">{redacted}</property>
>>>>     >            <property name="TLS - Keystore"></property>
>>>>     >            <property name="TLS - Keystore Password"></property>
>>>>     >            <property name="TLS - Keystore Type"></property>
>>>>     >            <property name="TLS - Truststore">/opt/certs/jumpcloud.jks</property>
>>>>     >            <property name="TLS - Truststore Password">{redacted}</property>
>>>>     >            <property name="TLS - Truststore Type">JKS</property>
>>>>     >            <property name="TLS - Client Auth"></property>
>>>>     >            <property name="TLS - Protocol">TLSv1.2</property>
>>>>     >            <property name="TLS - Shutdown Gracefully"></property>
>>>>     >            <property name="Referral Strategy">FOLLOW</property>
>>>>     >            <property name="Connect Timeout">10 secs</property>
>>>>     >            <property name="Read Timeout">10 secs</property>
>>>>     >            <property name="Url">ldap://ldap.jumpcloud.com:389</property>
>>>>     >            <property name="User Search Base">ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>>>>     >            <property name="User Search Filter">uid={0}</property>
>>>>     >            <property name="Identity Strategy">USE_USERNAME</property>
>>>>     >            <property name="Authentication Expiration">12 hours</property>
>>>>     >        </provider>
>>>>     >    </identityProviders>
>>>>     > 
>>>>     >    For the most part I grabbed this from my Nifi node's 
>>>> login-identity-providers.xml, but I seem to have something messed up.
>>>>     > 
>>>>     >

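As an added example (not code from this thread or from the NiFi project), the check Kevin describes can be scripted instead of done by eye in browser developer tools. The script below builds the HTTP Basic credential the login page sends, decodes one back, and inspects a captured login request for the POST to /nifi-registry-api/access/token/login and its Authorization header, distinguishing "browser never sent credentials" (proxy or load balancer stripping the header) from "credentials arrived, so the failure is server-side in the identity provider". The captured requests, user name and password below are constructed for illustration; `request_token` reproduces the UI login against a real registry and needs network access.

```python
"""Check a NiFi Registry login request: the UI does a POST to
<base_url>/nifi-registry-api/access/token/login carrying
"Authorization: Basic base64(user:password)" and receives a token back.
Example code, not from the NiFi project; sample captures are constructed."""
import base64
import ssl
import urllib.request

LOGIN_PATH = "/nifi-registry-api/access/token/login"

# Findings returned by check_login_request()
NOT_POST = "request is not a POST"
WRONG_PATH = "request path is not " + LOGIN_PATH
NO_AUTH_HEADER = ("no Authorization header: the server will log "
                  "'no user identity credentials were found' and never "
                  "consult the LDAP identity provider")
MALFORMED_AUTH = "Authorization header is not a well-formed Basic credential"


def build_basic_auth_header(username, password):
    """Encode credentials the way the login page does (RFC 7617 Basic scheme)."""
    raw = "{}:{}".format(username, password).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth_header(header):
    """Return (username, password) from a Basic header, or None if malformed."""
    if not header:
        return None
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:  # RFC 7617 requires the user-id:password separator
        return None
    return user, password


def check_login_request(method, path, headers):
    """Diagnose a captured login request (method, path, header dict).

    An empty list means the browser sent what the server expects, so a login
    failure must be server-side (identity provider); NO_AUTH_HEADER points at
    something between browser and server dropping the header.
    """
    findings = []
    if method.upper() != "POST":
        findings.append(NOT_POST)
    if not path.split("?", 1)[0].endswith(LOGIN_PATH):
        findings.append(WRONG_PATH)
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        findings.append(NO_AUTH_HEADER)
    elif parse_basic_auth_header(auth) is None:
        findings.append(MALFORMED_AUTH)
    return findings


def request_token(base_url, username, password, cafile=None, timeout=10):
    """Reproduce the UI login outside the browser; returns the token text.

    Needs network access to a real registry (hypothetical base_url); pass
    cafile when the registry's certificate is issued by a private CA.
    """
    url = base_url.rstrip("/") + LOGIN_PATH
    req = urllib.request.Request(url, data=b"", method="POST")
    req.add_header("Authorization", build_basic_auth_header(username, password))
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


# Constructed sample captures: what a browser should send, and what a proxy
# that strips the Authorization header would forward instead.
GOOD_CAPTURE = {
    "method": "POST",
    "path": LOGIN_PATH,
    "headers": {"Authorization": build_basic_auth_header("scott", "hunter2"),
                "Content-Length": "0"},
}
STRIPPED_CAPTURE = {
    "method": "POST",
    "path": LOGIN_PATH,
    "headers": {"Content-Length": "0", "X-Forwarded-For": "10.0.0.5"},
}

if __name__ == "__main__":
    for name, cap in (("good", GOOD_CAPTURE), ("stripped", STRIPPED_CAPTURE)):
        print(name, check_login_request(**cap) or "OK")
```

Feed `check_login_request` the method, path and headers copied from the developer-tools request panel (or from a proxy log). If it reports no findings and the server still logs "no user identity credentials were found", the header is being lost on the server side of the capture point, which is exactly the proxy/load-balancer question raised in the thread.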