Hi Andy, Thanks for the info, I’ll take a look at your suggestions and work on that.
Much appreciated. Regards Dan From: Andy LoPresto <alopre...@apache.org> Sent: 03 August 2020 03:07 To: users@nifi.apache.org Subject: Re: SSL/LDAP Configuration CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe. Also, your authorizers.xml is not correct — you haven’t configured (or even uncommented) the LDAP user group provider, so the specified user group provider is the file users.xml, and you haven’t configured any initial admins, so no users will be allowed to log in. Did you follow the steps in the NiFi Admin Guide [3][4] for configuring this? Authentication and authorization are decoupled in NiFi, and while you can use LDAP for both, you’ll have to configure it for each. Also, your login-identity-providers.xml uses START_TLS as the authentication strategy but does not specify any properties for the keystore or truststore, which will be required. [3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider Andy LoPresto alopre...@apache.org<mailto:alopre...@apache.org> alopresto.apa...@gmail.com<mailto:alopresto.apa...@gmail.com> He/Him PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 On Aug 2, 2020, at 7:02 PM, Andy LoPresto <alopre...@apache.org<mailto:alopre...@apache.org>> wrote: Hi Daniel, Did you verify that the provided credentials are correct? There will be two sets — the “manager” DN and password which are provided as configuration values in the authorizers.xml file, and the individual user credentials provided on each login attempt. The manager credentials allow NiFi to make an authenticated request to the LDAP service, and the request itself contains the user’s credentials. You can verify these credentials by using the ldapsearch [1][2] tool from one of the machines where NiFi is installed. This allows you to verify TLS, ports, network reachability, and the correctness of the credentials themselves. Something like: $ ldapsearch -x -b “dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D "cn=admin,dc=<your_org>,dc=com" -W That will conduct a general search using the account provided by -D, and prompt for the password with -W. You can also switch out the account in -D for the specific user you’re trying to log in as to verify those credentials. [1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811 [2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/ Andy LoPresto alopre...@apache.org<mailto:alopre...@apache.org> alopresto.apa...@gmail.com<mailto:alopresto.apa...@gmail.com> He/Him PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 On Aug 2, 2020, at 1:11 PM, White, Daniel <daniel.wh...@lgim.com<mailto:daniel.wh...@lgim.com>> wrote: Confidential Hi All, Looking for some assistance with setting up SSL/LDAP to enable user admin within Nifi. I’ve setup and configured my non-prod environment but am having issue login in : Unable to validate the supplied credentials. Please contact the system administrator I’ve followed the config guide and am stuck as to what the issue could be. The steps I followed : 1. Generate keys etc using tls-toolkit.sh 2. Updated nifi.properties to set nifi.security.user.login.identity.provider=ldap-provider 3. Modified login-identity-providers.xml (copy attached) 4. Modified authorizers.xml (copy attached) Nifi starts and I can get to the login page, just unable to login (with error shown above). Any help will be very grateful. Thanks Dan White Lead Technical Architect Legal & General Investment Management One Coleman Street, London, EC2R 5AA Tel: +44 203 124 4048 Mob: +44 7980 027 656 www.lgim.com<http://www.lgim.com/> This e-mail (and any attachments) may contain privileged and/or confidential information. If you are not the intended recipient please do not disclose, copy, distribute, disseminate or take any action in reliance on it. If you have received this message in error please reply and tell us and then delete it. Should you wish to communicate with us by e-mail we cannot guarantee the security of any data outside our own computer systems. Any information contained in this message may be subject to applicable terms and conditions and must not be construed as giving investment advice within or outside the United Kingdom or Republic of Ireland. Telephone Conversations may be recorded for your protection and to ensure quality of service Legal & General Investment Management Limited (no 2091894), LGIM Real Assets (Operator) Limited (no 05522016), LGIM (International) Limited (no 7716001) Legal & General Unit Trust Managers (no 1009418), GO ETF Solutions LLP (OC329482) and LGIM Corporate Director Limited (no 7105051) are authorised and regulated by the Financial Conduct Authority. All are registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA Legal & General Assurance (Pensions Management) Limited (no 1006112) is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. It is registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA. Legal & General Property Limited (no 2091897) is authorised and regulated by the Financial Conduct Authority for insurance mediation activities. It is registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA. LGIM Managers (Europe) Limited is authorised and regulated by the Central Bank of Ireland (C173733). It is registered in the Republic of Ireland (no 609677) with a registered office at 33/34 Sir John Rogerson's Quay, Dublin 2, D02 XK09. Legal & General Group PLC, Registered Office One Coleman Street, London, EC2R 5AA. Registered in England no: 1417162 ________________________________________________________________________ **** This email has come from the internet and has been scanned for all viruses and potentially offensive content by Messagelabs on behalf of Legal & General **** <authorizers.xml><login-identity-providers.xml> ________________________________________________________________________ *** This email has come from the internet and has been scanned for all viruses and potentially offensive content by Messagelabs on behalf of Legal & General. Please report unwanted spam email to secur...@lgim.com<mailto:secur...@lgim.com> *** Please consider the environment before printing this email. ________________________________________________________________________ **** This email has come from the internet and has been scanned for all viruses and potentially offensive content by Messagelabs on behalf of Legal & General ****
