Hello,

The IdentityAccessException indicates that the NiFi server did successfully receive and recognize LDAP username and password credentials in the request, but was unable to communicate with the LDAP server in order to authenticate them. The nested exception "socket closed" does not give a lot of information. It could be that the protocol/host/port set in the "Url" property are incorrect, or that NiFi could not authenticate to the LDAP server as the LDAP manager/admin service account.

NiFi LDAP integration supports several types of authentication to the LDAP server:

- ANONYMOUS - if the LDAP server allows access to any client without credentials (probably not the case)
- SIMPLE - Manager DN and Manager Password are used to authenticate
- LDAPS / START_TLS - both use a private key to authenticate by doing an SSL/TLS handshake that authenticates both the client and server to each other, similar to the way HTTPS with TLS mutual auth works. I believe LDAPS is an older protocol (though still used by some LDAP servers) and START_TLS is its replacement.

You must find out from the LDAP server admin which one is used, and configure this in NiFi using the "Authentication Strategy" property. If using ANONYMOUS, no additional properties are required. If using SIMPLE, you must set the Manager DN and Manager Password. If using LDAPS or START_TLS, you must set the TLS - * properties to specify the keystore and truststore details so that the client can successfully perform the key exchange handshake with the server. These keys or stores are usually provided to you by the LDAP server admin/operator. Note the LDAP Url must start with the correct protocol (ldap:// or ldaps://) depending on what the LDAP server supports.

I hope this helps! Please reach back out if you are still stuck or need help after getting past this issue.

Once login authentication is working, you typically would want to configure your authorizers.xml file with similar LDAP settings so that you can sync users and groups in order to define access policies for authenticated users. (In other words, login-identity-providers.xml configures LDAP authentication, and authorizers.xml configures authorization.)

Regards,
Kevin

On Mon, Mar 25, 2019 at 9:46 AM <[email protected]> wrote:

> Hi,
>
> I would like to state that I am not NiFi-savvy or LDAP-savvy by any means.
> I am having issues setting up my local NiFi instance with an LDAP provided
> to me (I can assure you that there are no issues with the LDAP as I use it
> for other services). The outline of my issue is stated below:
>
> *Use Case*:
>
> Force users to log in before accessing the site (if they have permissions).
> Users should be authenticated through the LDAP that the NiFi is set up to
> point to.
>
> *Setup*:
>
> 1. I've set up a local instance (localhost:8080/nifi) of NiFi 1.9.0 and
> have no issues accessing the GUI. (I am running on Windows.)
>
> 2. I followed an article
> (https://community.hortonworks.com/articles/58233/using-the-tls-toolkit-to-simplify-security.html)
> to get HTTPS set up on my local instance and the next necessary steps (set up
> Initial Admin) to have a working NiFi instance with an admin user. It worked
> and I had no issues using the instance with my Admin user.
>
> 3. I followed Pierre Villard's article
> (https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap/) to
> get NiFi set up with a *local LDAP server*, which worked fine.
>
> 4. I tried getting NiFi set up with an LDAP I've been provided (the LDAP
> address and specific search base filters) using an *Anonymous* authentication
> strategy (I've attempted with SIMPLE and ran into other issues, but cannot
> confirm that the user I used had User Authentication permissions), but
> receive an error when trying to log in as a user.
>
> *NOTE:* When I am using the *Anonymous* authentication strategy I have no
> Manager DN set (could this be the issue?)
>
> *Error*:
>
> Caused by: org.apache.nifi.authentication.exception.IdentityAccessException: Unable to validate the supplied credentials. Please contact the system administrator.
>     at org.apache.nifi.ldap.LdapProvider.authenticate(LdapProvider.java:340)
>     at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean$1.authenticate(LoginIdentityProviderFactoryBean.java:315)
>     at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:728)
>     ... 83 common frames omitted
> Caused by: org.springframework.security.authentication.InternalAuthenticationServiceException: (*ADDRESS*:*PORT*); socket closed; nested exception is javax.naming.ServiceUnavailableException: (*ADDRESS*:*PORT*); socket closed
>     at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
>     at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
>     at org.apache.nifi.ldap.LdapProvider.authenticate(LdapProvider.java:310)
>     ... 85 common frames omitted
>
> Are there specific LDAP configurations that I need to know/set? I have very
> limited access to the information I know from the provided LDAP.
>
> Thanks,
>
> User
>
> If you are not the addressee, please inform us immediately that you have
> received this e-mail by mistake, and delete it. We thank you for your
> support.
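The configuration rules in the reply above (Url scheme, Authentication Strategy, Manager DN / Manager Password for SIMPLE, TLS - * keystore and truststore properties for LDAPS / START_TLS) as an offline lint over the ldap-provider block of login-identity-providers.xml. This is an added example, not NiFi project code and not something posted in the thread. The provider class and property names follow the NiFi Admin Guide; the host name, DNs, keystore paths and passwords are constructed placeholders; and the 389/636 port checks are conventions a server is not obliged to follow, so those findings are hints. One rule goes a little beyond the reply: per the NiFi Admin Guide the TLS - * keystore/truststore settings are only used for LDAPS or START_TLS, so an ldaps:// Url under SIMPLE or ANONYMOUS is also flagged. START_TLS upgrades a plaintext connection, so it is paired with ldap://, not ldaps://.

```python
"""Offline consistency check for the ldap-provider block in NiFi's
login-identity-providers.xml (added example, not NiFi project code)."""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

LDAP_PROVIDER_CLASS = "org.apache.nifi.ldap.LdapProvider"
STRATEGIES = ("ANONYMOUS", "SIMPLE", "LDAPS", "START_TLS")
# Keystore/truststore properties from the NiFi Admin Guide ldap-provider block.
TLS_STORE_PROPS = (
    "TLS - Keystore", "TLS - Keystore Password", "TLS - Keystore Type",
    "TLS - Truststore", "TLS - Truststore Password", "TLS - Truststore Type",
)
# Conventional ports only; a server may listen elsewhere, so port findings are hints.
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def render_provider_xml(properties):
    """Build a minimal login-identity-providers.xml holding one ldap-provider (constructed sample)."""
    rows = "\n".join('        <property name="%s">%s</property>' % (escape(k), escape(v))
                     for k, v in properties.items())
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<loginIdentityProviders>\n    <provider>\n'
            '        <identifier>ldap-provider</identifier>\n        <class>%s</class>\n%s\n'
            '    </provider>\n</loginIdentityProviders>\n' % (LDAP_PROVIDER_CLASS, rows))


def ldap_provider_properties(xml_text):
    """Return {name: value} for the first <provider> whose class is LdapProvider."""
    root = ET.fromstring(xml_text)
    for provider in root.iter("provider"):
        if (provider.findtext("class") or "").strip() == LDAP_PROVIDER_CLASS:
            return {p.get("name"): (p.text or "").strip() for p in provider.findall("property")}
    raise ValueError("no <provider> with class %s" % LDAP_PROVIDER_CLASS)


def check_ldap_provider(props):
    """Return a list of findings; an empty list means the block is self-consistent."""
    findings = []
    strategy = props.get("Authentication Strategy", "").strip().upper()
    url = props.get("Url", "").strip()
    if strategy not in STRATEGIES:
        findings.append("Authentication Strategy must be one of %s, got %r" % (", ".join(STRATEGIES), strategy))
    if not url:
        findings.append("Url is not set")
    for single in url.split():  # Spring LDAP accepts a space-separated list of URLs (assumed here)
        parts = urlsplit(single)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORT:
            findings.append("Url %r must start with ldap:// or ldaps://" % single)
            continue
        try:
            port = parts.port or DEFAULT_PORT[scheme]
        except ValueError:
            findings.append("Url %r has a malformed port" % single)
            continue
        if scheme == "ldap" and port == 636:
            findings.append("Url %r sends plaintext LDAP to port 636, the conventional LDAPS port; "
                            "a TLS-only listener will just close the socket" % single)
        if scheme == "ldaps" and port == 389:
            findings.append("Url %r starts a TLS handshake on port 389, the conventional plaintext port" % single)
        if strategy == "LDAPS" and scheme != "ldaps":
            findings.append("Authentication Strategy LDAPS needs an ldaps:// Url, got %r" % single)
        if strategy == "START_TLS" and scheme != "ldap":
            findings.append("START_TLS upgrades a plaintext ldap:// connection, so %r should use ldap://" % single)
        if strategy in ("ANONYMOUS", "SIMPLE") and scheme == "ldaps":
            findings.append("Url %r is ldaps:// but strategy %s does not apply the TLS - * properties; "
                            "use LDAPS if the server requires TLS" % (single, strategy))
    if strategy == "SIMPLE":
        findings += ["%s is required for SIMPLE" % n for n in ("Manager DN", "Manager Password") if not props.get(n)]
    if strategy in ("LDAPS", "START_TLS"):
        findings += ["%s is required for %s" % (n, strategy) for n in TLS_STORE_PROPS if not props.get(n)]
    return findings


# Constructed sample mirroring the thread: SIMPLE with no manager credentials and a
# plaintext ldap:// Url pointed at the TLS port. Host, DNs and paths are placeholders.
SAMPLE_BROKEN = {
    "Authentication Strategy": "SIMPLE",
    "Manager DN": "",
    "Manager Password": "",
    "Url": "ldap://ldap.example.internal:636",
    "User Search Base": "ou=people,dc=example,dc=internal",
    "User Search Filter": "uid={0}",
    "Identity Strategy": "USE_USERNAME",
    "Authentication Expiration": "12 hours",
}
# The same block corrected for an LDAPS listener (placeholder keystore paths and passwords).
SAMPLE_LDAPS_OK = dict(SAMPLE_BROKEN, **{
    "Authentication Strategy": "LDAPS",
    "Manager DN": "cn=nifi-svc,ou=services,dc=example,dc=internal",
    "Manager Password": "placeholder-password",
    "Url": "ldaps://ldap.example.internal:636",
    "TLS - Keystore": "/opt/nifi/conf/keystore.jks",
    "TLS - Keystore Password": "placeholder-password",
    "TLS - Keystore Type": "JKS",
    "TLS - Truststore": "/opt/nifi/conf/truststore.jks",
    "TLS - Truststore Password": "placeholder-password",
    "TLS - Truststore Type": "JKS",
})


def lint_file(path):
    """Lint a real login-identity-providers.xml from disk."""
    with open(path, encoding="utf-8") as fh:
        return check_ldap_provider(ldap_provider_properties(fh.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = lint_file(sys.argv[1])
    else:
        result = check_ldap_provider(ldap_provider_properties(render_provider_xml(SAMPLE_BROKEN)))
    print("\n".join(result) if result else "ldap-provider block looks consistent")
```

Run it with the path to the real file (`python lint_ldap_provider.py conf/login-identity-providers.xml`, file name assumed) or with no argument to see the findings for the constructed broken sample. A clean report only means the block is self-consistent; it says nothing about reachability or the manager credentials, so the next step is to reproduce the connection from the NiFi host outside NiFi, for example with ldapsearch against the same Url and the same manager DN and password, before looking further at NiFi itself.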
