Hi Mike,

You also have to enable the LdapUserGroupProvider in authorizers.xml by 
uncommenting it, configuring the properties, and changing the 
FileAccessPolicyProvider (also in authorizers.xml) to use the 
ldap-user-group-provider instead of the default file-user-group-provider.

Then delete users.xml and authorizations.xml and restart.

This will disable any certificate-based identities you have configured, so you 
will need to choose an ldap-based user to be your initial admin. Or configure a 
CompositeUserGroupProvider so that you can use certificates and only require 
ldap login in absence of a client certificate.

-Kevin

________________________________
From: Mike Thomsen <[email protected]>
Sent: Sunday, December 3, 2017 9:45:18 AM
To: [email protected]
Subject: Re: Buttons are greyed out when initial admin account logs in

I added the ldap-provider to the identity provider line in nifi.properties, but 
I don't see any users from LDAP. I tried deleting users.xml and 
authorizations.xml and restarting, but the user listing doesn't show any of the 
users from LDAP. Any ideas on how to troubleshoot?

Thanks,

Mike

On Fri, Dec 1, 2017 at 7:05 PM, Kevin Doran <[email protected]> wrote:
Mike,

I should also mention that since the time of Pierre's initial blog post on LDAP 
integration, support for user & group syncing with LDAP has been added to NiFi. 
See the instructions for the "LdapUserGroupProvider" in Authorizers.xml section 
of the Admin Guide [1].

You will still need to set per-group or per-user policies as the initial admin, 
but you do not need to manually add users and groups in order to set policies. 
Also, your initial admin can use an identity from LDAP rather than a 
certificate (if that is preferred, otherwise, you can still use certificates 
alongside LDAP by using a CompositeUserGroupProvider as described in the Admin 
Guide).

[1] 
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup

-Kevin

From: Kevin Doran <[email protected]>
Date: Friday, December 1, 2017 at 18:43
To: <[email protected]>
Subject: Re: Buttons are greyed out when initial admin account logs in

Hi Mike,

Your authorizers.xml and nifi.properties look correct to me to establish the 
certificate "CN=admin, OU=NIFI" as an admin user.

Here's one idea that you may have already thought of... the initial admin is 
only granted admin policies if users/policies are empty on startup. Try 
deleting conf/users.xml and conf/authorizations.xml and restarting NiFi.

Hope this helps! If you have any other questions about configuring LDAP or 
authorizers, let me know.

Kevin



From: Mike Thomsen <[email protected]>
Reply-To: <[email protected]>
Date: Friday, December 1, 2017 at 18:27
To: <[email protected]>
Subject: Buttons are greyed out when initial admin account logs in

I'm following Pierre's blog post that shows how to set up LDAP w/ ApacheDS:

https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap
I've tried this with 1.4.0 and 1.5.0-SNAPSHOT (toolkits built for each too) for 
what it's worth.
Built the certs with this command:

bin/tls-toolkit.sh standalone -n localhost -C "CN=admin,OU=NIFI" -O -o ../security_output
Copied security_output/localhost/* to $NIFI_ROOT/conf
With or without the identity provider set to use the LDAP configuration, it's 
greyed out.

Any ideas on what I'm doing wrong?

Thanks,

Mike
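
A quick check for the authorizers.xml change described in the top reply, added here as an example and not part of the original thread or of NiFi itself: it parses the file and reports when the access policy provider points at a user group provider that is still commented out, or is still the default file-based one. The sample XML is constructed (including the LDAP URL and the "admin" identity), and the function name check_authorizers is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy provider already names the LDAP provider,
# but the LDAP provider block is still commented out. "admin" stands in for
# an LDAP user chosen as initial admin; the Url value is a placeholder.
SAMPLE = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
  </userGroupProvider>
  <!--
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Url">ldap://localhost:10389</property>
  </userGroupProvider>
  -->
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">ldap-user-group-provider</property>
    <property name="Initial Admin Identity">admin</property>
  </accessPolicyProvider>
</authorizers>"""

def _prop(elem, name):
    """Text of <property name="..."> under elem, or '' when absent or empty."""
    for p in elem.findall("property"):
        if p.get("name") == name:
            return (p.text or "").strip()
    return ""

def check_authorizers(xml_text):
    """Return a list of problems found in an authorizers.xml document."""
    root = ET.fromstring(xml_text)  # commented-out blocks are dropped by the parser
    defined = {(p.findtext("identifier") or "").strip()
               for p in root.findall("userGroupProvider")}
    findings = []
    for app in root.findall("accessPolicyProvider"):
        ugp = _prop(app, "User Group Provider")
        if ugp not in defined:
            findings.append(f"'{ugp}' is referenced but not defined (still commented out?)")
        elif ugp == "file-user-group-provider":
            findings.append("policy provider still uses file-user-group-provider")
        if not _prop(app, "Initial Admin Identity"):
            findings.append("Initial Admin Identity is empty")
    return findings

if __name__ == "__main__":
    for line in check_authorizers(SAMPLE) or ["no problems found"]:
        print(line)
```

The initial admin is only granted policies when users.xml and authorizations.xml are absent at startup, so run the check before deleting them and restarting.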
