Got it, thanks to
https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-NiFi-to-Integrate-with-a-Secure-NiFi/ta-p/247765

Next steps would be to have NiFi and Registry on different hosts and see
how connections are made.



On Tue, 30 Jun 2020 at 11:43, Etienne Jouvin <lapinoujou...@gmail.com>
wrote:

> But now, I have NiFi and Registry with secure access (LDAP + SSL).
>
> I need to find out how to configure the Registry in NiFi, because for now
> I did not have to specify a login.
> And even if my first bucket is Public, it is not accessible from NiFi.
>
>
> On Tue, 30 Jun 2020 at 11:29, Etienne Jouvin <lapinoujou...@gmail.com>
> wrote:
>
>> Hi Josef.
>>
>> No, I did not try that.
>> And well done, with that I can access the UI, and can connect with LDAP
>> identity.
>>
>> Thanks a lot.
>>
>> Cheers
>>
>> Etienne
>>
>>
>>
>> On Tue, 30 Jun 2020 at 11:15, <josef.zahn...@swisscom.com> wrote:
>>
>>> Hi Etienne
>>>
>>> Did you try the following in «nifi-registry.properties»:
>>>
>>> nifi.registry.security.needClientAuth=false
>>>
>>> Cheers Josef
>>>
>>> *From: *Etienne Jouvin <lapinoujou...@gmail.com>
>>> *Reply to: *"users@nifi.apache.org" <users@nifi.apache.org>
>>> *Date: *Tuesday, 30 June 2020 at 10:46
>>> *To: *"users@nifi.apache.org" <users@nifi.apache.org>
>>> *Subject: *Need help SSL LDAP Nifi Registry
>>>
>>> Hello all.
>>>
>>> I am trying to set up LDAP authentication on NiFi Registry.
>>>
>>> I followed some links, like
>>> https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753
>>>
>>> But each time, it requires that a certificate is installed on the client
>>> side. I had this "problem" for NiFi too, but that was because I had not
>>> provided nifi.security.user.login.identity.provider.
>>>
>>> But for the registry, I remembered that and did it.
>>>
>>> In summary, what I have in nifi-registry.properties:
>>>
>>> nifi.registry.security.keystore=./conf/keystore.jks
>>> nifi.registry.security.keystoreType=jks
>>> nifi.registry.security.keystorePasswd=password
>>> nifi.registry.security.keyPasswd=password
>>> nifi.registry.security.truststore=./conf/truststore.jks
>>> nifi.registry.security.truststoreType=jks
>>> nifi.registry.security.truststorePasswd=password
>>>
>>> (All of this information was given by the tls-toolkit when executed
>>> for NiFi.)
>>>
>>> Then I put this:
>>>
>>> #nifi.registry.security.identity.provider=
>>> nifi.registry.security.identity.provider=ldap-identity-provider
>>>
>>> In the file identity-providers.xml, I set up the LDAP provider:
>>>
>>>
>>>     <provider>
>>>         <identifier>ldap-identity-provider</identifier>
>>>         <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>>>         <property name="Authentication Strategy">SIMPLE</property>
>>>
>>>         <property name="Manager DN">uid=admin,ou=system</property>
>>>         <property name="Manager Password">secret</property>
>>>
>>>         <property name="TLS - Keystore"></property>
>>>         <property name="TLS - Keystore Password"></property>
>>>         <property name="TLS - Keystore Type"></property>
>>>         <property name="TLS - Truststore"></property>
>>>         <property name="TLS - Truststore Password"></property>
>>>         <property name="TLS - Truststore Type"></property>
>>>         <property name="TLS - Client Auth"></property>
>>>         <property name="TLS - Protocol"></property>
>>>         <property name="TLS - Shutdown Gracefully"></property>
>>>
>>>         <property name="Referral Strategy">FOLLOW</property>
>>>         <property name="Connect Timeout">10 secs</property>
>>>         <property name="Read Timeout">10 secs</property>
>>>
>>>         <!-- A SIMPLE bind over plain ldap:// sends the Manager Password and user
>>>              passwords unencrypted; the LDAPS or START_TLS strategy with the
>>>              TLS - Truststore properties filled in avoids that. -->
>>>         <property name="Url">ldap://localhost:10389</property>
>>>         <property name="User Search Base">ou=users,dc=test,dc=ch</property>
>>>         <property name="User Search Filter">uid={0}</property>
>>>
>>>         <property name="Identity Strategy">USE_DN</property>
>>>         <property name="Authentication Expiration">12 hours</property>
>>>     </provider>
>>>
>>> And finally in authorizers.xml:
>>>
>>>     <userGroupProvider>
>>>         <identifier>file-user-group-provider</identifier>
>>>         <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>>>         <property name="Users File">./conf/users.xml</property>
>>>         <property name="Initial User Identity 1">uid=firstuser, ou=users,dc=test,dc=ch</property>
>>>     </userGroupProvider>
>>>
>>>     <accessPolicyProvider>
>>>         <identifier>file-access-policy-provider</identifier>
>>>         <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>>>         <property name="User Group Provider">file-user-group-provider</property>
>>>         <property name="Authorizations File">./conf/authorizations.xml</property>
>>>         <!-- With Identity Strategy USE_DN this value must match the DN string the
>>>              LDAP provider returns exactly, with no surrounding whitespace. -->
>>>         <property name="Initial Admin Identity">uid=firstuser, ou=users,dc=test,dc=ch</property>
>>>         <property name="NiFi Group Name"></property>
>>>
>>>         <!--<property name="NiFi Identity 1"></property>-->
>>>     </accessPolicyProvider>
>>>
>>> Starting Registry is OK.
>>>
>>> But when I want to access it through Chrome, I have a certificate error:
>>> ERR_BAD_SSL_CLIENT_AUTH_CERT
>>>
>>> How can I force the authentication to not request a client-side
>>> certificate?
>>>
>>> Thanks for any input.
>>>
>>> Etienne Jouvin
>>>
>>
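As an added example (not code from this thread, from NiFi or from NiFi Registry), a small Python lint over the two files discussed above. It flags the combination that produces ERR_BAD_SSL_CLIENT_AUTH_CERT (an identity provider set while needClientAuth is not false) and the plain ldap:// SIMPLE bind that sends the Manager Password unencrypted. The function names, the sample inputs and the assumption that an absent needClientAuth counts as true are mine.

```python
import xml.etree.ElementTree as ET

def parse_properties(text):
    """Parse Java-style key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_registry(props_text, providers_xml):
    """Return a list of findings for the registry TLS + LDAP login setup."""
    props = parse_properties(props_text)
    findings = []
    provider_id = props.get("nifi.registry.security.identity.provider", "")
    # Assumption: needClientAuth is treated as true when absent, matching the thread's symptom.
    need_cert = props.get("nifi.registry.security.needClientAuth", "true").lower() != "false"
    if not provider_id:
        return ["no identity provider configured: only certificate-bearing clients can log in"]
    if need_cert:
        findings.append("needClientAuth is not false: browsers without a client certificate get "
                        "ERR_BAD_SSL_CLIENT_AUTH_CERT before they ever reach the LDAP login")
    providers = {p.findtext("identifier"): p for p in ET.fromstring(providers_xml).iter("provider")}
    prov = providers.get(provider_id)
    if prov is None:
        return findings + [f"identity provider '{provider_id}' not found in identity-providers.xml"]
    p = {e.get("name"): (e.text or "").strip() for e in prov.iter("property")}
    url = p.get("Url", "")
    if url.startswith("ldap://") and p.get("Authentication Strategy") == "SIMPLE":
        findings.append("SIMPLE bind over plain ldap://: Manager Password and user passwords cross "
                        "the network unencrypted; use LDAPS or START_TLS with a truststore")
    if url.startswith("ldaps://") and not p.get("TLS - Truststore"):
        findings.append("ldaps:// without TLS - Truststore: the directory certificate is not validated")
    return findings

# Constructed sample input: the thread's settings with the needClientAuth fix applied.
REGISTRY_PROPS = """\
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.needClientAuth=false
nifi.registry.security.identity.provider=ldap-identity-provider
"""
PROVIDERS_XML = """<identityProviders><provider>
  <identifier>ldap-identity-provider</identifier>
  <property name="Authentication Strategy">SIMPLE</property>
  <property name="Url">ldap://localhost:10389</property>
  <property name="User Search Base">ou=users,dc=test,dc=ch</property>
</provider></identityProviders>"""
```

Run `lint_registry(REGISTRY_PROPS, PROVIDERS_XML)` to see the one remaining finding for the thread's configuration, the unencrypted SIMPLE bind.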
