Hi Josef. No, I did not try that. And well done: with that I can access the UI, and can connect with an LDAP identity.
Thanks a lot.

Cheers
Etienne

On Tue, 30 Jun 2020 at 11:15, <josef.zahn...@swisscom.com> wrote:

> Hi Etienne
>
> Did you try the following in «nifi-registry.properties»:
>
> nifi.registry.security.needClientAuth=false
>
> Cheers Josef
>
>
> From: Etienne Jouvin <lapinoujou...@gmail.com>
> Reply to: "users@nifi.apache.org" <users@nifi.apache.org>
> Date: Tuesday, 30 June 2020 at 10:46
> To: "users@nifi.apache.org" <users@nifi.apache.org>
> Subject: Need help SSL LDAP Nifi Registry
>
> Hello all.
>
> I am trying to set up LDAP authentication on NiFi Registry.
> I followed some links, like
> https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753
>
> But each time, it requires that a certificate is installed on the client side.
> I had this "problem" for NiFi, but because I did not provide
> the nifi.security.user.login.identity.provider
>
> But for the registry, I remember that and did it.
>
> For summary, what I have in nifi-registry.properties
>
> nifi.registry.security.keystore=./conf/keystore.jks
> nifi.registry.security.keystoreType=jks
> nifi.registry.security.keystorePasswd=password
> nifi.registry.security.keyPasswd=password
> nifi.registry.security.truststore=./conf/truststore.jks
> nifi.registry.security.truststoreType=jks
> nifi.registry.security.truststorePasswd=password
>
> (All of that information was given by the tls-toolkit when executed for NiFi)
>
> Then I put this
>
> #nifi.registry.security.identity.provider=
> nifi.registry.security.identity.provider=ldap-identity-provider
>
> In the file identity-providers.xml
> I set up the LDAP provider
>
> <provider>
>     <identifier>ldap-identity-provider</identifier>
>     <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>     <property name="Authentication Strategy">SIMPLE</property>
>
>     <property name="Manager DN">uid=admin,ou=system</property>
>     <property name="Manager Password">secret</property>
>
>     <property name="TLS - Keystore"></property>
>     <property name="TLS - Keystore Password"></property>
>     <property name="TLS - Keystore Type"></property>
>     <property name="TLS - Truststore"></property>
>     <property name="TLS - Truststore Password"></property>
>     <property name="TLS - Truststore Type"></property>
>     <property name="TLS - Client Auth"></property>
>     <property name="TLS - Protocol"></property>
>     <property name="TLS - Shutdown Gracefully"></property>
>
>     <property name="Referral Strategy">FOLLOW</property>
>     <property name="Connect Timeout">10 secs</property>
>     <property name="Read Timeout">10 secs</property>
>
>     <property name="Url">ldap://localhost:10389</property>
>     <property name="User Search Base">ou=users,dc=test,dc=ch</property>
>     <property name="User Search Filter">uid={0}</property>
>
>     <property name="Identity Strategy">USE_DN</property>
>     <property name="Authentication Expiration">12 hours</property>
> </provider>
>
> And finally in authorizers.xml
>
> <userGroupProvider>
>     <identifier>file-user-group-provider</identifier>
>     <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>     <property name="Users File">./conf/users.xml</property>
>     <property name="Initial User Identity 1">uid=firstuser,ou=users,dc=test,dc=ch</property>
> </userGroupProvider>
>
> <accessPolicyProvider>
>     <identifier>file-access-policy-provider</identifier>
>     <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>     <property name="User Group Provider">file-user-group-provider</property>
>     <property name="Authorizations File">./conf/authorizations.xml</property>
>     <property name="Initial Admin Identity"> uid=firstuser,ou=users,dc=test,dc=ch </property>
>     <property name="NiFi Group Name"></property>
>
>     <!--<property name="NiFi Identity 1"></property>-->
> </accessPolicyProvider>
>
> Starting Registry is OK.
>
> But when I want to access through Chrome, I have a certificate error:
> ERR_BAD_SSL_CLIENT_AUTH_CERT
>
> How can I force the authentication to not request a client side certificate?
>
> Thanks for any input.
>
> Etienne Jouvin
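The thread boils down to one configuration mismatch: an LDAP identity provider is wired up, but the Registry's HTTPS listener still requires a client certificate, so a browser without one is rejected at the TLS layer (ERR_BAD_SSL_CLIENT_AUTH_CERT) before the LDAP login form is ever reached, and `nifi.registry.security.needClientAuth=false` is the fix. The script below is an added example, not NiFi's own code or anything from the thread: it parses the two files discussed (nifi-registry.properties and identity-providers.xml), reproduces that check, and adds two related checks a reviewer would make on the posted LDAP provider (a SIMPLE bind over plain `ldap://` sends the Manager DN password and every user's password in cleartext; the Manager Password sits unencrypted in the XML). The sample inputs are constructed from the configuration pasted in the thread with `needClientAuth=true` added to recreate the failing state, and the finding codes are this script's own, not NiFi's.

```python
"""Lint a NiFi Registry security setup for the client-cert / LDAP mismatch
from the thread. Added example; not NiFi's own code. Property and element
names come from the posted configuration; the finding codes are ours."""
import xml.etree.ElementTree as ET

# Constructed sample of nifi-registry.properties as posted, plus
# needClientAuth=true to reproduce the failing state.
PROPERTIES_BEFORE = """\
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=password
nifi.registry.security.keyPasswd=password
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=password
nifi.registry.security.needClientAuth=true
#nifi.registry.security.identity.provider=
nifi.registry.security.identity.provider=ldap-identity-provider
"""

# The same file with the fix from the thread applied.
PROPERTIES_AFTER = PROPERTIES_BEFORE.replace("needClientAuth=true", "needClientAuth=false")

# Constructed identity-providers.xml, trimmed to the properties the checks use.
IDENTITY_PROVIDERS = """\
<identityProviders>
  <provider>
    <identifier>ldap-identity-provider</identifier>
    <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">uid=admin,ou=system</property>
    <property name="Manager Password">secret</property>
    <property name="TLS - Truststore"></property>
    <property name="Url">ldap://localhost:10389</property>
    <property name="User Search Base">ou=users,dc=test,dc=ch</property>
    <property name="User Search Filter">uid={0}</property>
    <property name="Identity Strategy">USE_DN</property>
  </provider>
</identityProviders>
"""


def parse_properties(text):
    """Parse key=value lines; '#' lines (the commented-out provider in the
    thread) are skipped, so only the live value is kept."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_identity_providers(xml_text):
    """Return {identifier: {"class": ..., "properties": {name: value}}}."""
    providers = {}
    for prov in ET.fromstring(xml_text).iter("provider"):
        ident = (prov.findtext("identifier") or "").strip()
        props = {p.get("name"): (p.text or "").strip() for p in prov.findall("property")}
        providers[ident] = {"class": (prov.findtext("class") or "").strip(),
                            "properties": props}
    return providers


def lint(props, providers):
    """Return a list of (code, message) findings; empty means nothing flagged."""
    findings = []
    provider_id = props.get("nifi.registry.security.identity.provider", "")
    need_client_auth = props.get("nifi.registry.security.needClientAuth", "").lower()

    # The thread's problem: an identity provider is set, yet the server still
    # requires a client certificate, so a browser never reaches the LDAP login.
    # An unset value is flagged too (assumption: insist on an explicit value
    # rather than trusting a version-specific default).
    if provider_id and need_client_auth != "false":
        findings.append(("NEED_CLIENT_AUTH",
                         "identity provider '%s' is set but needClientAuth is '%s'; "
                         "set nifi.registry.security.needClientAuth=false"
                         % (provider_id, need_client_auth or "<unset>")))
    if provider_id and provider_id not in providers:
        findings.append(("UNKNOWN_PROVIDER",
                         "identity provider '%s' is not defined in identity-providers.xml"
                         % provider_id))

    for ident, prov in providers.items():
        if not prov["class"].endswith(".LdapIdentityProvider"):
            continue
        p = prov["properties"]
        url, strategy = p.get("Url", ""), p.get("Authentication Strategy", "").upper()
        # SIMPLE bind over plain ldap:// carries the manager and user passwords
        # in cleartext; LDAPS (with 'TLS - Truststore') or START_TLS protects them.
        if url.startswith("ldap://") and strategy == "SIMPLE":
            findings.append(("LDAP_CLEARTEXT",
                             "%s: SIMPLE bind to %s is unencrypted; use ldaps:// "
                             "with 'TLS - Truststore' set, or START_TLS" % (ident, url)))
        if p.get("Manager Password"):
            findings.append(("MANAGER_PASSWORD_INLINE",
                             "%s: Manager Password is stored in cleartext in the XML; "
                             "protect the file" % ident))
    return findings


def lint_text(properties_text, identity_providers_xml):
    return lint(parse_properties(properties_text), parse_identity_providers(identity_providers_xml))


def finding_codes(properties_text, identity_providers_xml):
    return sorted({code for code, _ in lint_text(properties_text, identity_providers_xml)})


if __name__ == "__main__":
    for label, text in (("before fix", PROPERTIES_BEFORE), ("after fix", PROPERTIES_AFTER)):
        print("== %s ==" % label)
        for code, msg in lint_text(text, IDENTITY_PROVIDERS):
            print("%-24s %s" % (code, msg))
```

Run against the "before" sample the script reports NEED_CLIENT_AUTH alongside the two LDAP findings; with the "after" sample only the LDAP findings remain, which is the point worth taking from the thread: disabling the client-certificate requirement makes the UI reachable, but the posted provider still binds to the directory in cleartext, so the next step after the login works is to switch the Url to `ldaps://` (or START_TLS) and fill in the TLS truststore properties.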