Update: we found out that the described issue (fallback to “simple” mode) is related only to Java 11 (and of course LDAP with START_TLS). The error message is gone with Java 1.8.0, so in our case we will use Java 1.8.0 for now. As already mentioned earlier, another option would be to use Java 11 but with LDAPS instead of START_TLS, but we decided against it.
I’ve updated https://issues.apache.org/jira/browse/NIFI-6860 with this information. Hopefully one of the devs can fix this in future releases.

Cheers
Josef

From: "Zahner Josef, GSB-LR-TRW-LI" <josef.zahn...@swisscom.com>
Date: Monday, 11 November 2019 at 11:16
To: "users@nifi.apache.org" <users@nifi.apache.org>
Subject: Re: NiFi Upgrade 1.9.2 to 1.10.0 - LDAP Failure

And additionally, below is the output of the tcpdump captured on the NiFi node during startup of NiFi 1.10.0. We use the standard LDAP port (389). And you were right, I see in the dump that NiFi tries to authenticate with “simple” authentication with START_TLS…

[inline image not preserved]

From: "Zahner Josef, GSB-LR-TRW-LI" <josef.zahn...@swisscom.com>
Date: Monday, 11 November 2019 at 11:06
To: "users@nifi.apache.org" <users@nifi.apache.org>
Subject: Re: NiFi Upgrade 1.9.2 to 1.10.0 - LDAP Failure

Hi Andy,

I’ve just opened a Jira bug report: https://issues.apache.org/jira/projects/NIFI/issues/NIFI-6860

We changed nothing on the LDAP. The whole setup still works for our production nodes with NiFi 1.9.2; we have multiple clusters/single NiFis running. As we use Ansible, I removed NiFi 1.10.0 from the test node again and reinstalled NiFi 1.9.2, and it was working without any issues. And the only difference between the NiFi 1.9.2 and 1.10.0 deployments is the new config parameters. As you can see in the bug report, I’ve now switched to LDAPS and this is working… Users are visible in the “Users” window and I can log in with an LDAP user. I just switched to LDAPS instead of START_TLS and added an “S” to the URL of the LDAP server.
Cheers
Josef

From: Andy LoPresto <alopre...@apache.org>
Reply to: "users@nifi.apache.org" <users@nifi.apache.org>
Date: Monday, 11 November 2019 at 10:46
To: "users@nifi.apache.org" <users@nifi.apache.org>
Subject: Re: NiFi Upgrade 1.9.2 to 1.10.0 - LDAP Failure

Hi Josef,

My inclination is that somehow the password NiFi is trying to send to the LDAP service is no longer sufficiently protected? The only other change I am aware of that could influence this is the Spring Security upgrade from 4.2.8 to 4.2.13 (NiFi-6412) [1]; the new version of Spring Security might enforce a new restriction on how the password is sent that LDAP doesn’t like. The LDAP error code 13 refers to the password being sent in plaintext [2]. As you are using StartTLS, I am assuming the LDAP port you’re connecting to is still 389? Did anything change on the LDAP server? Can you verify a simple lookup using ldapsearch still works? If you get the same error code, you may need to add -Z to the command to initialize a secure TLS channel.

[1] https://issues.apache.org/jira/browse/NIFI-6412
[2] https://ldap.com/ldap-result-code-reference-core-ldapv3-result-codes/#rc-confidentialityRequired

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

On Nov 11, 2019, at 4:59 PM, josef.zahn...@swisscom.com wrote:

Hi guys

We would like to upgrade from NiFi 1.9.2 to 1.10.0 and we have HTTPS with LDAP (START_TLS) authentication successfully enabled on 1.9.2.
Now after upgrading, we have an issue which prevents NiFi from starting up:

2019-11-11 08:29:30,447 ERROR [main] o.s.web.context.ContextLoader Context initialization failed
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is org.springframework.beans.factory.BeanExpressionException: Expression parsing failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setJwtAuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required]
    at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:666)
    at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:87)
    at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:366)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1269)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:551)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:312)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:308)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:761)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:543)
    …

In authorizers.xml we added the line “<property name="Group Membership - Enforce Case Sensitivity">false</property>”, but besides that at least the authorizers.xml is the same. Does anybody have an idea what could cause the error? NIFI-5839 seems to be related to the property above. Other than that I found no change regarding LDAP authentication…

https://issues.apache.org/jira/browse/NIFI-5839

Any help would be appreciated

Josef
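The startup failure quoted above is a typical Spring cause chain: the interesting fact (the LDAP server rejected the bind with result code 13) sits at the very end of one long line, behind six bean-creation wrappers. The following is an added Python example, not code from the thread or from NiFi, that unwraps such a line: it splits the "nested exception is" chain, lists the beans Spring failed to create in order, and pulls the LDAP result code and message out of the innermost cause. The log text embedded in it is a constructed copy of the error above with the stack frames truncated to two.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the NiFi 1.10.0 startup failure quoted in the thread, with the
# cause chain kept whole and the stack frames cut to two. Not a live log.
SAMPLE_LOG = (
    "2019-11-11 08:29:30,447 ERROR [main] o.s.web.context.ContextLoader "
    "Context initialization failed\n"
    "org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean "
    "with name 'org.springframework.security.config.annotation.web.configuration."
    "WebSecurityConfiguration': Unsatisfied dependency expressed through method "
    "'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is "
    "org.springframework.beans.factory.BeanExpressionException: Expression parsing failed; "
    "nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: "
    "Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': "
    "Unsatisfied dependency expressed through method 'setJwtAuthenticationProvider' "
    "parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: "
    "Error creating bean with name 'jwtAuthenticationProvider' defined in class path resource "
    "[nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while "
    "setting constructor argument; nested exception is "
    "org.springframework.beans.factory.BeanCreationException: Error creating bean with name "
    "'authorizer': FactoryBean threw exception on object creation; nested exception is "
    "org.springframework.ldap.AuthenticationNotSupportedException: [LDAP: error code 13 - "
    "confidentiality required]; nested exception is "
    "javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - "
    "confidentiality required]\n"
    "\tat org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor"
    "$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:666)\n"
    "\tat org.springframework.beans.factory.annotation.InjectionMetadata.inject"
    "(InjectionMetadata.java:87)\n"
)

# A line that starts with a fully qualified exception class followed by ": message".
EXCEPTION_LINE = re.compile(r"^([\w.$]+(?:Exception|Error)): (.*)$")
CAUSE_SEP = "; nested exception is "
BEAN_NAME = re.compile(r"Error creating bean with name '([^']+)'")
# LDAP result codes as JNDI reports them, e.g. "[LDAP: error code 13 - confidentiality required]".
LDAP_RESULT = re.compile(r"\[LDAP: error code (\d+) - ([^\]]+)\]")


@dataclass
class Link:
    exception: str
    message: str


@dataclass
class Diagnosis:
    chain: List[Link]                # outermost wrapper first, root cause last
    beans: List[str]                 # bean names in the order Spring failed to create them
    ldap_code: Optional[int] = None  # LDAP result code found in the root cause, if any
    ldap_message: Optional[str] = None

    @property
    def root_cause(self) -> Link:
        return self.chain[-1]


def split_cause_chain(line: str) -> List[Link]:
    """Split one Spring 'nested exception is' line into its links, outermost first."""
    links = []
    for segment in line.split(CAUSE_SEP):
        m = re.match(r"^([\w.$]+): (.*)$", segment, re.DOTALL)
        if not m:
            raise ValueError("unparseable cause segment: %r" % segment[:60])
        links.append(Link(m.group(1), m.group(2)))
    return links


def diagnose(log_text: str) -> Optional[Diagnosis]:
    """Find the first exception line in the log and unwrap it down to its root cause."""
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith(("\t", " ")):
            continue                        # stack frame, not the exception line itself
        m = EXCEPTION_LINE.match(line)
        if not m:
            continue                        # timestamped log line or other text
        chain = split_cause_chain(line)
        diag = Diagnosis(chain, BEAN_NAME.findall(line))
        ldap = LDAP_RESULT.search(chain[-1].message)
        if ldap:
            diag.ldap_code = int(ldap.group(1))
            diag.ldap_message = ldap.group(2).strip()
        return diag
    return None


if __name__ == "__main__":
    d = diagnose(SAMPLE_LOG)
    print("failed beans:", " -> ".join(d.beans))
    print("root cause:", d.root_cause.exception)
    print("LDAP result:", d.ldap_code, d.ldap_message)
```

Run against the real nifi-app.log the same function gives the bean path (WebSecurityConfiguration, NiFiWebApiSecurityConfiguration, jwtAuthenticationProvider, authorizer) and the root cause in one place, which is what you want to paste into a bug report instead of the whole trace.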
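Josef's tcpdump confirmed the mechanism behind result code 13: a "simple" bind, carrying the password as a plain octet string, arrived at the server without the TLS layer the server requires. The following is an added Python example, not code from the thread or from NiFi, showing how to check a capture for exactly that: it decodes the BER framing of an LDAPMessage far enough to recognise a StartTLS ExtendedRequest and a BindRequest, reads the AuthenticationChoice, and reports every simple bind that is visible in the clear. The messages it inspects are constructed inline with a small encoder rather than taken from the capture; the DN and password are placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BER tags from the LDAPv3 wire protocol (RFC 4511).
SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
BIND_REQUEST = 0x60        # [APPLICATION 0], constructed
EXTENDED_REQUEST = 0x77    # [APPLICATION 23], constructed
AUTH_SIMPLE = 0x80         # AuthenticationChoice: simple [0] OCTET STRING
AUTH_SASL = 0xA3           # AuthenticationChoice: sasl [3] SaslCredentials
EXT_REQUEST_NAME = 0x80    # ExtendedRequest: requestName [0] LDAPOID
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Encode one tag-length-value triple (short or long form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


@dataclass
class BindRequest:
    message_id: int
    version: int
    name: str
    auth: str                   # "simple" or "sasl"
    mechanism: Optional[str]    # SASL mechanism name when auth == "sasl"


def parse_message(msg: bytes):
    """Classify one LDAPMessage: ("starttls", None), ("bind", BindRequest) or ("other", None)."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    message_id = int.from_bytes(mid, "big")
    tag, op, _ = read_tlv(body, pos)
    if tag == EXTENDED_REQUEST:
        name_tag, oid, _ = read_tlv(op, 0)
        return ("starttls" if name_tag == EXT_REQUEST_NAME and oid == STARTTLS_OID else "other"), None
    if tag != BIND_REQUEST:
        return "other", None
    _, ver, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    cred_tag, cred, _ = read_tlv(op, pos)
    version = int.from_bytes(ver, "big")
    if cred_tag == AUTH_SIMPLE:
        return "bind", BindRequest(message_id, version, name.decode(), "simple", None)
    if cred_tag == AUTH_SASL:
        _, mech, _ = read_tlv(cred, 0)   # SaslCredentials.mechanism is the first OCTET STRING
        return "bind", BindRequest(message_id, version, name.decode(), "sasl", mech.decode())
    raise ValueError("unknown AuthenticationChoice tag 0x%02x" % cred_tag)


def audit_cleartext(messages: List[bytes]) -> List[dict]:
    """Walk the cleartext LDAP messages of one TCP stream in order and report every simple
    bind: if it is readable here, the password crossed the wire unprotected. The finding notes
    whether a StartTLS request preceded it, i.e. whether TLS was asked for but not in place."""
    findings, starttls_requested = [], False
    for msg in messages:
        kind, bind = parse_message(msg)
        if kind == "starttls":
            starttls_requested = True
        elif kind == "bind" and bind.auth == "simple":
            findings.append({"message_id": bind.message_id, "dn": bind.name,
                             "starttls_requested": starttls_requested})
    return findings


# Constructed sample messages (placeholder DN and password, not captured traffic).
def build_simple_bind(message_id: int, dn: bytes, password: bytes) -> bytes:
    op = ber_tlv(INTEGER, b"\x03") + ber_tlv(OCTET_STRING, dn) + ber_tlv(AUTH_SIMPLE, password)
    return ber_tlv(SEQUENCE, ber_tlv(INTEGER, bytes([message_id])) + ber_tlv(BIND_REQUEST, op))


def build_sasl_bind(message_id: int, dn: bytes, mechanism: bytes) -> bytes:
    creds = ber_tlv(AUTH_SASL, ber_tlv(OCTET_STRING, mechanism))
    op = ber_tlv(INTEGER, b"\x03") + ber_tlv(OCTET_STRING, dn) + creds
    return ber_tlv(SEQUENCE, ber_tlv(INTEGER, bytes([message_id])) + ber_tlv(BIND_REQUEST, op))


def build_starttls(message_id: int) -> bytes:
    op = ber_tlv(EXT_REQUEST_NAME, STARTTLS_OID)
    return ber_tlv(SEQUENCE, ber_tlv(INTEGER, bytes([message_id])) + ber_tlv(EXTENDED_REQUEST, op))


SAMPLE_STREAM = [build_starttls(1),
                 build_simple_bind(2, b"cn=nifi,dc=example,dc=com", b"placeholder-password")]

if __name__ == "__main__":
    for f in audit_cleartext(SAMPLE_STREAM):
        print("simple bind in the clear:", f)
```

After a successful StartTLS the next bytes on the socket are TLS records, not BER, so a decodable BindRequest following a StartTLS request in the same stream is itself the evidence: the client sent its credentials before the TLS layer was up, and a server configured to require confidentiality answers with result code 13, which is what the NiFi log shows.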