So, an interesting thing just happened. I added my TLS parts of the identity-provider.xml and I restarted the server and everything is working fine.
I don’t want you digging into it too much but it is a strange issue I was receiving.

> On Apr 10, 2018, at 3:21 PM, Kevin Doran <[email protected]> wrote:
>
> Thanks; that certainly narrows it down. It could be that you’ve uncovered a
> bug with the LdapIdentityProvider when using START_TLS. I’ll try to recreate
> it and dig into it on my end. Thanks for sharing all this info.
>
> Kevin
>
> From: Scott Howell <[email protected]>
> Reply-To: <[email protected]>
> Date: Tuesday, April 10, 2018 at 16:05
> To: <[email protected]>
> Subject: Re: Nifi Registry LDAP
>
> I was able to remove the TLS information in the identity-provider.xml and was
> able to use my remote LDAP to login. So I think I am narrowing down the issue.
>
>> On Apr 10, 2018, at 2:57 PM, Kevin Doran <[email protected]> wrote:
>>
>> Thanks Scott,
>>
>> I don’t see anything wrong with your configuration. I created a free
>> jumpcloud account, so I’ll try to recreate this issue and get back to you if
>> I have any other insights.
>>
>> Kevin
>>
>> From: Scott Howell <[email protected]>
>> Reply-To: <[email protected]>
>> Date: Tuesday, April 10, 2018 at 15:54
>> To: <[email protected]>
>> Subject: Re: Nifi Registry LDAP
>>
>> I was able to switch back to my local LDAP server and was able to login
>> successfully. The provider I am using in identity-providers.xml is as
>> follows:
>>
>> <provider>
>>     <identifier>ldap-identity-provider</identifier>
>>     <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>>     <property name="Authentication Strategy">SIMPLE</property>
>>
>>     <property name="Manager DN">cn=Manager,dc={redacted},dc=com</property>
>>     <property name="Manager Password">{redacted}</property>
>>
>>     <property name="Referral Strategy">FOLLOW</property>
>>     <property name="Connect Timeout">10 secs</property>
>>     <property name="Read Timeout">10 secs</property>
>>
>>     <property name="Url">ldap://{redacted}:389</property>
>>     <property name="User Search Base">ou=users,dc={redacted},dc=com</property>
>>     <property name="User Search Filter">uid={0}</property>
>>
>>     <property name="Identity Strategy">USE_DN</property>
>>     <property name="Authentication Expiration">12 hours</property>
>> </provider>
>>
>> This is a super strange issue as to why nifi works with the remote LDAP and
>> nifi-registry does not.
>>
>>> On Apr 10, 2018, at 2:18 PM, Scott Howell <[email protected]> wrote:
>>>
>>> Thanks Kevin for sending that back,
>>>
>>> This is what I see when looking at the Headers on the login.
>>> <Screen Shot 2018-04-10 at 2.15.35 PM.png>
>>>
>>> The version of Nifi-Registry I am running is 0.1.0. What confuses me is
>>> that this was working with my local LDAP fine. It just stopped working when
>>> I switched to setting up the identity-provider.xml with the same
>>> credentials as my nifi-cluster.
>>>
>>>> On Apr 10, 2018, at 2:10 PM, Kevin Doran <[email protected]> wrote:
>>>>
>>>> If everything is configured correctly, this error usually indicates that
>>>> the server did not locate your login credentials when processing the login
>>>> request. That usually means it will not even attempt to authenticate the
>>>> credentials, so I'm not sure it is an LDAP configuration error.
>>>>
>>>> If you want to check this manually using developer tools in a browser
>>>> (e.g., Chrome or Firefox) you can look at the HTTP traffic to see if
>>>> credentials are being passed to the server. NiFi Registry uses the HTTP
>>>> Basic Auth protocol to login (credentials are encoded in the Authorization
>>>> header and passed to the server from the login page to generate a
>>>> temporary authentication token).
>>>>
>>>> So after clicking "Login", you should look for an HTTP POST to
>>>> <base_url>/nifi-registry-api/access/token/login, which should have an
>>>> "Authorization" header with the value "Basic
>>>> {encoded-username-and-password}"
>>>>
>>>> If the credentials are there, it is likely something is misconfigured on
>>>> the server side with the identity provider so that login credentials are
>>>> not even being looked for. If the credentials are not there... well I've
>>>> never seen that. I would probably ask if your NiFi Registry Server is
>>>> running behind a load balancer or proxy that could be interfering with HTTP
>>>> headers?
>>>>
>>>> What version of NiFi Registry are you using? 0.1.0 or a version built from
>>>> source?
>>>>
>>>> Hope this helps,
>>>> Kevin
>>>>
>>>>
>>>> On 4/10/18, 14:59, "Scott Howell" <[email protected]> wrote:
>>>>
>>>> Yes I did, I had Nifi-registry working with a local instance of LDAP
>>>> running. It’s now not cooperating since I moved to using Jumpcloud.
>>>>
>>>> > On Apr 10, 2018, at 1:56 PM, Kevin Doran <[email protected]> wrote:
>>>> >
>>>> > Hi Scott,
>>>> >
>>>> > Did you configure nifi-registry.properties with:
>>>> >
>>>> > nifi.registry.security.identity.provider=ldap-identity-provider
>>>> >
>>>> > On 4/10/18, 14:53, "Scott Howell" <[email protected]> wrote:
>>>> >
>>>> > Thanks for all the help yesterday standing up LDAP for NIFI.
>>>> > I was able to troubleshoot and fix the issues myself. I am running into a
>>>> > unique issue with my Nifi-Registry when I try to login with my LDAP
>>>> > credentials like I do for the nifi cluster. I get this in my logs:
>>>> >
>>>> > 2018-04-10 18:43:15,303 INFO [NiFi Registry Web Server-18]
>>>> > o.a.n.r.w.s.NiFiRegistrySecurityConfig AuthenticationEntryPoint invoked as
>>>> > no user identity credentials were found in the request.
>>>> >
>>>> > My identity-providers.xml is this:
>>>> >
>>>> > <identityProviders>
>>>> >     <provider>
>>>> >         <identifier>ldap-identity-provider</identifier>
>>>> >         <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>>>> >         <property name="Authentication Strategy">START_TLS</property>
>>>> >         <property name="Manager DN">uid=nifi,ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>>>> >         <property name="Manager Password">{redacted}</property>
>>>> >         <property name="TLS - Keystore"></property>
>>>> >         <property name="TLS - Keystore Password"></property>
>>>> >         <property name="TLS - Keystore Type"></property>
>>>> >         <property name="TLS - Truststore">/opt/certs/jumpcloud.jks</property>
>>>> >         <property name="TLS - Truststore Password">{redacted}</property>
>>>> >         <property name="TLS - Truststore Type">JKS</property>
>>>> >         <property name="TLS - Client Auth"></property>
>>>> >         <property name="TLS - Protocol">TLSv1.2</property>
>>>> >         <property name="TLS - Shutdown Gracefully"></property>
>>>> >         <property name="Referral Strategy">FOLLOW</property>
>>>> >         <property name="Connect Timeout">10 secs</property>
>>>> >         <property name="Read Timeout">10 secs</property>
>>>> >         <property name="Url">ldap://ldap.jumpcloud.com:389</property>
>>>> >         <property name="User Search Base">ou=Users,o={redacted},dc=jumpcloud,dc=com</property>
>>>> >         <property name="User Search Filter">uid={0}</property>
>>>> >         <property name="Identity Strategy">USE_USERNAME</property>
>>>> >         <property name="Authentication Expiration">12 hours</property>
>>>> >     </provider>
>>>> > </identityProviders>
>>>> >
>>>> > For the most part I grabbed most of this from my Nifi node
>>>> > login-identity-providers.xml but I seem to have something messed up.
>>>> >
>>>> >
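The thread above turns on two checks: whether the login POST actually carries a `Basic` Authorization header (Kevin's browser dev-tools check, and the "no user identity credentials were found in the request" log line when it does not), and whether `nifi.registry.security.identity.provider` in nifi-registry.properties matches the `<identifier>` in identity-providers.xml. The script below is an added example written for this page; it is not code from the thread or from the NiFi Registry project. It builds and parses the Basic credential the way a Basic-auth server does, lints an identity-providers.xml against the properties file (identifier match, START_TLS/LDAPS against the `Url` scheme, truststore presence, cleartext SIMPLE bind), and includes a `login()` helper that needs a live Registry at an assumed `base_url` and is therefore not exercised offline. The sample XML and properties are constructed to mirror the START_TLS config posted in the thread, with placeholder values; the checks cover only the provider properties discussed here, not every setting the provider accepts.

```python
"""Troubleshooting helpers for NiFi Registry LDAP login (added example, not project code)."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

LOGIN_PATH = "/nifi-registry-api/access/token/login"
PROVIDER_KEY = "nifi.registry.security.identity.provider"

# Constructed sample modelled on the START_TLS provider posted in the thread (placeholder values).
SAMPLE_IDENTITY_PROVIDERS_XML = """<identityProviders>
  <provider>
    <identifier>ldap-identity-provider</identifier>
    <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
    <property name="Manager DN">uid=nifi,ou=Users,o=example,dc=jumpcloud,dc=com</property>
    <property name="Manager Password">secret</property>
    <property name="TLS - Truststore">/opt/certs/jumpcloud.jks</property>
    <property name="TLS - Truststore Password">changeit</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Protocol">TLSv1.2</property>
    <property name="Url">ldap://ldap.jumpcloud.com:389</property>
    <property name="User Search Base">ou=Users,o=example,dc=jumpcloud,dc=com</property>
    <property name="User Search Filter">uid={0}</property>
    <property name="Identity Strategy">USE_USERNAME</property>
  </provider>
</identityProviders>"""

# Constructed sample nifi-registry.properties fragment (the line Kevin asked about).
SAMPLE_PROPERTIES = "nifi.registry.security.identity.provider=ldap-identity-provider\n"


def selected_provider(properties_text):
    """Return the provider identifier selected in nifi-registry.properties, or None if unset."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith(PROVIDER_KEY + "="):
            return line.split("=", 1)[1].strip() or None
    return None


def lint_identity_providers(xml_text, properties_text):
    """Cross-check identity-providers.xml against nifi-registry.properties.

    Returns a list of findings; an empty list means nothing is obviously wrong
    with the subset of provider properties this checker understands.
    """
    findings = []
    root = ET.fromstring(xml_text)
    identifiers = [p.findtext("identifier", "").strip() for p in root.iter("provider")]
    wanted = selected_provider(properties_text)
    if wanted is None:
        findings.append(f"{PROVIDER_KEY} is not set, so Registry will not look for login credentials")
    elif wanted not in identifiers:
        findings.append(f"{PROVIDER_KEY}={wanted} matches no <identifier> in identity-providers.xml {identifiers}")
    for provider in root.iter("provider"):
        ident = provider.findtext("identifier", "").strip()
        props = {p.get("name"): (p.text or "").strip() for p in provider.iter("property")}
        strategy = props.get("Authentication Strategy", "")
        url = props.get("Url", "")
        if strategy == "START_TLS":
            # START_TLS upgrades a plain ldap:// session in place; an ldaps:// Url is a mismatch.
            if not url.startswith("ldap://"):
                findings.append(f"{ident}: START_TLS expects a plain ldap:// Url, got {url!r}")
            if not props.get("TLS - Truststore"):
                findings.append(f"{ident}: START_TLS without 'TLS - Truststore' cannot verify the server certificate")
        elif strategy == "LDAPS" and not url.startswith("ldaps://"):
            findings.append(f"{ident}: LDAPS expects an ldaps:// Url, got {url!r}")
        elif strategy == "SIMPLE" and url.startswith("ldap://"):
            findings.append(f"{ident}: SIMPLE bind over ldap:// sends the manager and user passwords in cleartext")
        if props.get("Manager DN") and not props.get("Manager Password"):
            findings.append(f"{ident}: Manager DN is set but Manager Password is empty")
    return findings


def basic_auth_header(username, password):
    """Build the Authorization value the Registry login page sends."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def credentials_from_header(authorization):
    """Parse an Authorization header the way a Basic-auth server does.

    Returns (username, password), or None when the header is absent or not a
    well-formed Basic credential; None is the branch that yields the
    'no user identity credentials were found in the request' log line.
    """
    if not authorization:
        return None
    scheme, _, encoded = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def login(base_url, username, password, timeout=10):
    """POST to the Registry login endpoint and return the response body (the bearer token).

    Needs a live NiFi Registry at base_url (assumed); run it from a host that talks
    to the server directly to rule out a proxy dropping the Authorization header.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + LOGIN_PATH,
        data=b"",
        method="POST",
        headers={"Authorization": basic_auth_header(username, password)},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")
```

Run `lint_identity_providers(open("identity-providers.xml").read(), open("nifi-registry.properties").read())` on a real install to get the identifier and strategy checks; compare the `Authorization` value captured in the browser against `basic_auth_header(user, password)` to see whether what the server received is a parseable Basic credential at all.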
