Issue #1 - You should be able to specify an LDAP user as your initial
admin, what is the error you get?

Keep in mind it is case and white-space sensitive, and also depends on
whether you are returning full DN or short name, it must match exactly.

error
Multiple UserGroupProviders claim to provide user
uid=XXXXXX,cn=users,cn=accounts,dc=XXXX

logfile

2019-08-13 16:49:40,976 INFO [NiFi Web Server-23]
o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
Multiple UserGroupProviders claim to provide user
uid=612442779,cn=users,cn=accounts,dc=ace. Returning Conflict response.

2019-08-13 16:49:40,977 DEBUG [NiFi Web Server-23]
o.a.n.w.a.c.IllegalStateExceptionMapper

java.lang.IllegalStateException: Multiple UserGroupProviders claim to
provide user uid=XXXXXX,cn=users,cn=accounts,dc=XXXX

        at
org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider.getUserAndGroups(CompositeConfigurableUserGroupProvider.java:195)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)



On Mon, Aug 5, 2019 at 10:38 PM Bryan Bende <[email protected]> wrote:

> Hello,
>
> Issue #1 - You should be able to specify an LDAP user as your initial
> admin, what is the error you get?
>
> Keep in mind it is case and white-space sensitive, and also depends on
> whether you are returning full DN or short name, it must match exactly.
>
> Issue #2 - Since you are able to query the API with the client cert, it
> seems like your cert is set up correctly.
>
> Is there an error in nifi-app.log or nifi-user.log when you try to modify
> the policy? Can you modify policies through the UI without issues?
>
> Tokens are only issued for login methods that are based on username and
> password, so it is expected behavior that you could not issue one for a
> cert user.
>
> Thanks,
>
> Bryan
>
>
> On Sun, Aug 4, 2019 at 8:30 PM Felipe Garcia <[email protected]>
> wrote:
>
>> Setup
>>
>>
>> a cluster of a few nifi boxes
>>
>>
>> set up to authenticate with LDAP
>>
>> users and groups in LDAP
>>
>>
>> Issue 1: unable to specify an LDAP user as Initial User
>>
>>
>> I have only been able to set up the cluster with a client certificate
>> user.
>>
>>
>> Issue 2: I am unable to use the API with the initial certificate user to
>> add an LDAP group.
>>
>>
>> I exported the cert and key into a usable format for curl
>>
>>
>> # openssl pkcs12 -in /opt/nifi-certs/CN\=admin_OU\=NIFI.p12  -out
>> /opt/nifi-certs/CN\=admin_OU\=NIFI.key -nocerts -nodes
>>
>> # openssl pkcs12 -export -in /opt/nifi-certs/CN\=admin_OU\=NIFI.p12
>> -out /opt/nifi-certs/CN\=admin_OU\=NIFI.pem -clcerts -nokeys -passin
>> 'changeme'
>>
>>
>> I am able to query the API
>>
>>
>> curl -k -X GET
>> https://nifi01-sst140.dev.cloud.ace:9443/nifi-api/policies/read/flow --cert
>> /opt/nifi-certs/CN=admin_OU=NIFI.pem --key
>> /opt/nifi-certs/CN=admin_OU=NIFI.key --compressed
>>
>>
>>
>> But I am unable to change or add via the API
>>
>>
>>  curl -k -X PUT -H 'Content-Type: application/json'
>> https://nifi01-sst140.dev.cloud.ace:9443/nifi-api/policies/f99bccd1-a30e-3e4a-98a2-dbc708edc67f
>>  --cert
>> /opt/nifi-certs/CN=admin_OU=NIFI.pem --key
>> /opt/nifi-certs/CN=admin_OU=NIFI.key -d @/tmp/newpolicy.json
>>
>> Unable to save Authorizations
>>
>>
>>
>> I cannot create a token for a cert user
>>
>>
>> curl -k -X POST '
>> https://nifi01-sst140.dev.cloud.ace:9443/nifi-api/access/token' -H
>> 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type:
>> application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' --cert
>> /opt/nifi-certs/CN\=admin_OU\=NIFI.pem --key
>> /opt/nifi-certs/CN\=admin_OU\=NIFI.key --compressed
>>
>> The username and password must be specified.
>>
>>
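
The exact-match advice and the "Multiple UserGroupProviders claim to provide user" error in this thread can both be checked before restarting NiFi. The following is an added example, not part of the original messages and not NiFi code: it compares a configured initial admin identity against the identities each user group provider returns. The provider names, identities and function names are constructed for illustration.

```python
"""Pre-flight check for a NiFi initial admin identity (added example)."""

# Constructed sample data: identities as each provider would return them.
PROVIDERS = {
    "file-user-group-provider": ["CN=admin, OU=NIFI"],
    "ldap-user-group-provider": [
        "uid=jdoe,cn=users,cn=accounts,dc=example",
        "uid=asmith,cn=users,cn=accounts,dc=example",
    ],
}

def rdn_value(identity):
    """Value of the first RDN of a DN-like string, else the string itself."""
    first = identity.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else identity

def near_miss(configured, candidate):
    """Say why candidate almost, but not exactly, equals configured."""
    if configured == candidate:
        return None
    if configured.strip() == candidate.strip():
        return "leading/trailing white space differs"
    if "".join(configured.split()) == "".join(candidate.split()):
        return "internal white space differs"
    if configured.lower() == candidate.lower():
        return "case differs"
    if ("=" in configured) != ("=" in candidate) and \
            rdn_value(configured).lower() == rdn_value(candidate).lower():
        return "full DN versus short name"
    return None

def check_identity(configured, providers):
    """Classify configured as ok, conflict or no-match across providers."""
    owners = [name for name, ids in providers.items() if configured in ids]
    if len(owners) > 1:
        # Same identity from several providers: the condition the
        # IllegalStateException in the log above names.
        return ("conflict", owners)
    if len(owners) == 1:
        return ("ok", owners)
    hints = [(name, cand, why) for name, ids in providers.items()
             for cand in ids if (why := near_miss(configured, cand))]
    return ("no-match", hints)

if __name__ == "__main__":
    print(check_identity("jdoe", PROVIDERS))
```
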
