Thanks for documenting this, Ken. You’re right that this is challenging and not 
user-friendly, especially for first-time users. 

The point about DN spacing is especially well-taken. I’m working on new docs 
for this, and I’ll share them soon and hope your feedback will be helpful to 
make this process much easier for users. Thanks. 

If anyone has more info to add for difficult use cases or unexpected problems, 
please add it here. 

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Jun 30, 2019, at 23:45, Ken Danniswara <ken.dan...@gmail.com> wrote:
> 
> Hello,
> 
> A couple of days ago I talked with Andy (@yolopey) over Twitter about the hard 
> parts I experienced when installing secure NiFi 1.9.2. Before I forget 
> (as usual), I thought that if I put it somewhere it could be helpful. 
> 
> First, not being used to LDAP DNs created a long confusion. I had a hard 
> time following the examples for which DN tree to use in different parts of the 
> guide. While an LDAP tutorial is outside the scope, maybe having a consistent 
> DN tree throughout the guide could be helpful, for example between File-based 
> (LDAP Authentication) and LDAP-based Users/Groups Referencing User DN, and 
> also when generating the initial admin cert with TLS-Toolkit.
> 
> The other problem with the DN is that it is space-sensitive. I created the 
> person certificate without spaces: tls-toolkit.sh -C 
> 'cn=nifiadmin,ou=users,dc=exa,dc=local', then copied the same string to the 
> "initial admin identity" property. Apparently the certificate 
> auto-generated the spaces, and authorization of my 'not-spaced' version 
> failed at login time. In the end I tried changing the initial admin and 
> deleting users.xml, or simply changing the name inside the users.xml file 
> directly; both work.
> 
> The last part is my mistake. I un-commented the legacy FileAuthorizer 
> class at the bottom of the authorizer.xml file. I thought it would be the same 
> procedure as enabling the ldap-provider in the 
> local-identity-provider.xml. I am not sure how easily others fall into this 
> mistake. 
> 
> These were my main challenges in building the secured NiFi. The problems 
> would maybe happen for a person without LDAP experience like me. Otherwise 
> there were no big problems. I haven't tried the Kerberos one, which I'd love 
> to try another time. 
> 
> Best Regards,
> Ken
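
The space-sensitivity Ken describes comes down to NiFi comparing the identity it extracts from the client certificate with the Initial Admin Identity in authorizers.xml (and the entries in users.xml) as an exact string, while the certificate subject is rendered in its own canonical form. The script below is an added example, not NiFi code and not part of the original thread. It assumes the rendering Ken observed (a space after each comma) plus uppercase attribute types; the sample DN strings are constructed, and the exact subject string for a real keystore should be taken from `keytool -list -v` or from the identity NiFi reports in nifi-user.log when authorization fails. Given the DN typed on the tls-toolkit command line and the subject string NiFi sees, it reports whether NiFi's string match will succeed, whether the two strings name the same DN at all, and the string to put in authorizers.xml instead.

```python
"""Preflight check for a NiFi identity string (added example, not NiFi code).

NiFi matches the identity it extracts from a client certificate against the
Initial Admin Identity in authorizers.xml (and the identities in users.xml)
as an exact string. The subject string of the certificate is rendered with a
space after each comma (as observed in the thread) and, by assumption here,
with uppercase attribute types, so 'cn=nifiadmin,ou=users,dc=exa,dc=local'
never equals 'CN=nifiadmin, OU=users, DC=exa, DC=local'. This script renders
a DN the way the certificate subject is expected to look and reports whether
the configured identity matches exactly, matches only as a DN, or not at all.
"""
from typing import Dict, List, Tuple


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs.

    Splits on unescaped commas only, so a value such as 'Smith\\, John' stays
    intact. Attribute types are uppercased and surrounding whitespace removed;
    values are kept as written apart from trimming (they are case-sensitive
    to NiFi too). Multi-valued RDNs ('CN=a+OU=b') are not handled.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep escape and escaped char together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[Tuple[str, str]] = []
    for part in parts:
        if "=" not in part:
            raise ValueError("RDN without '=': %r" % part)
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def render_as_cert_subject(dn: str) -> str:
    """Render a DN as the certificate subject is assumed to appear to NiFi."""
    return ", ".join("%s=%s" % (t, v) for t, v in split_rdns(dn))


def check_identity(configured: str, cert_subject: str) -> Dict[str, object]:
    """Compare the configured identity with the certificate subject.

    exact_match - what NiFi's string comparison will do
    same_dn     - whether the two strings name the same DN at all
    suggested   - the string to put in authorizers.xml instead
    """
    return {
        "exact_match": configured == cert_subject,
        "same_dn": split_rdns(configured) == split_rdns(cert_subject),
        "suggested": render_as_cert_subject(configured),
    }


if __name__ == "__main__":
    # Constructed sample: the DN typed on the tls-toolkit command line in the
    # thread, and the subject string NiFi is assumed to see from the cert.
    typed = "cn=nifiadmin,ou=users,dc=exa,dc=local"
    seen = "CN=nifiadmin, OU=users, DC=exa, DC=local"
    for key, value in check_identity(typed, seen).items():
        print("%-12s %s" % (key, value))
```

Run it with the DN you passed to `-C` and the subject string from the generated keystore; `same_dn` true with `exact_match` false is exactly Ken's situation, and `suggested` is the value to paste into authorizers.xml (or users.xml). If you would rather have NiFi normalize identities than hand-match strings, the identity mapping properties in nifi.properties (`nifi.security.identity.mapping.pattern.<key>`, `.value.<key>` and `.transform.<key>`) rewrite the extracted DN with a regex and an optional LOWER/UPPER transform before it is compared, which also covers LDAP DNs that differ only in case or spacing.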
