Hello,

A couple of days ago I talked with Andy (@yolopey) over Twitter about my experiencing a hard part when installing secure NiFi 1.9.2. Before I forget (as usual), I thought that if I put it somewhere else it could be somehow helpful.
First, not being used to LDAP DNs creates a long confusion. I had a hard time following which example DN tree to use in different parts of the guide. While the LDAP tutorial is outside the scope, maybe having a consistent DN tree throughout the guide could be helpful, for example between File-based (LDAP Authentication) <https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#file-based-ldap-authentication> and LDAP-based Users/Groups Referencing User DN <https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap-based-users-groups-referencing-user-dn>, and also when generating the initial admin cert with the TLS Toolkit.

Another problem with the DN is that it is space-sensitive. I created the person certificate without spaces: tls-toolkit.sh -C 'cn=nifiadmin,ou=users,dc=exa,dc=local', then copied the same string to the "initial admin identity" properties. Apparently the certificate auto-generated the space, and my 'not-spaced' version failed authorization at login time. In the end I tried changing the initial admin and deleting users.xml, or simply changing the name inside the users.xml file directly; both work.

The last part is my mistake. I un-commented the legacy FileAuthorizer class at the bottom of the authorizers.xml file. I thought it would be the same procedure as enabling ldap-provider in the local-identity-provider.xml. I am not sure how easily others fall into this mistake.

These are my main challenges in building the secured NiFi. The problem may happen for a person without LDAP experience like me. Otherwise there are no big problems. I haven't tried the Kerberos one, which I'd love to try another time.

Best Regards,
Ken
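The space-sensitivity Ken describes comes down to a byte-for-byte string comparison between the subject DN NiFi extracts from the client certificate (Java renders it as "CN=..., OU=..., DC=...", with a space after each comma) and the identity string written into users.xml or the initial admin identity property. The following Python script is an added example, not code from Ken's message or from the NiFi project: it parses a constructed users.xml fragment, shows that the exact comparison fails for a DN that differs only in whitespace and attribute-name case, and shows how an RFC 4514-style normalization of both sides (split on unescaped commas, trim around "=" and ",", lower-case the attribute type) makes them match. The certificate DN, the users.xml content and the user identifier are all constructed sample values. In a real deployment the equivalent fix lives in nifi.properties via the nifi.security.identity.mapping.pattern.dn / nifi.security.identity.mapping.value.dn properties rather than in a script like this.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the subject DN as NiFi sees it from the client
# certificate. Java's X.500 formatting inserts a space after each comma
# and upper-cases the attribute types.
CERT_DN = "CN=nifiadmin, OU=users, DC=exa, DC=local"

# Constructed sample users.xml fragment, typed by hand without spaces,
# mirroring the mismatch described in the message above.
USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tenants>
  <groups/>
  <users>
    <user identifier="c0ffee00-0000-0000-0000-000000000001"
          identity="cn=nifiadmin,ou=users,dc=exa,dc=local"/>
  </users>
</tenants>
"""


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash,
    so a value such as 'O=Acme\\, Inc.' stays in one RDN."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def normalize_dn(dn):
    """Return a comparable form: tuple of (attribute type lower-cased,
    value with surrounding whitespace removed), in original order."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return tuple(rdns)


def identities_from_users_xml(xml_text):
    """Collect every <user identity="..."> value from a users.xml document."""
    root = ET.fromstring(xml_text)
    return [u.get("identity") for u in root.iter("user")]


def exact_match(cert_dn, xml_text):
    """Byte-for-byte comparison, which is what fails in the message above."""
    return cert_dn in identities_from_users_xml(xml_text)


def normalized_match(cert_dn, xml_text):
    """Comparison after normalizing both sides."""
    target = normalize_dn(cert_dn)
    return any(normalize_dn(i) == target
               for i in identities_from_users_xml(xml_text))


def diagnose(cert_dn, xml_text):
    """Human-readable verdict for a troubleshooting session."""
    if exact_match(cert_dn, xml_text):
        return "OK: identity matches exactly"
    if normalized_match(cert_dn, xml_text):
        return ("MISMATCH (whitespace/case only): fix the identity string in "
                "users.xml or configure an identity mapping pattern")
    return "MISMATCH: no user with this DN in users.xml"


if __name__ == "__main__":
    print("exact match:     ", exact_match(CERT_DN, USERS_XML))
    print("normalized match:", normalized_match(CERT_DN, USERS_XML))
    print(diagnose(CERT_DN, USERS_XML))
```

Run it as-is to reproduce the failure on the constructed data; point identities_from_users_xml at the real users.xml content and CERT_DN at the DN reported in nifi-user.log to check a live install.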
