Hi Daniel

Your NiFi setup is choking because in line 278 of authorizers.xml you
define a file-user-group-provider but never create it (lines 47-54 are
commented out).

What you might want to do is look into the
CompositeConfigurableUserGroupProvider class with subs
file-user-group-provider and ldap-user-group-provider.

So you get something like this:

StandardManagedAuthorizer --> FileAccessPolicyProvider -->
CompositeConfigurableUserGroupProvider --> file-user-group-provider /
ldap-user-group-provider (all in authorizers.xml).

Hope that helps


-- 
Johannes Meixner

web: https://www.meixner.ch

Meixner GmbH
Switzerland
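Added example, not from this thread or the NiFi project: the provider chain above written out as an authorizers.xml, embedded in a short Python check that reports every provider identifier a property refers to but no element defines. ElementTree discards XML comments the same way NiFi's configuration loader does, so running it over a file where the file-user-group-provider survives only inside a comment block reports the dangling reference that breaks startup. Every DN, hostname, password and identity in the samples is a made-up placeholder, and the LDAP block is cut down to the properties that matter for the chain; a real file needs the full property list from the Administration Guide.

```python
"""Check a NiFi authorizers.xml for references to providers that do not exist.

Added example for this thread, not NiFi project code. NiFi's config loader
never sees XML comments, so a commented-out <userGroupProvider> does not exist
and any <property> naming its identifier dangles. DNs, hosts, passwords and
identities below are made up; the LDAP block is abbreviated and a real file
needs the full property set from the Administration Guide.
"""
import xml.etree.ElementTree as ET

# Properties whose value is the <identifier> of another element in the file.
REFERENCE_PROPERTIES = {"Access Policy Provider", "User Group Provider",
                        "Configurable User Group Provider"}
NUMBERED_PREFIX = "User Group Provider "   # "User Group Provider 1", "... 2"

def _is_reference(name: str) -> bool:
    if name in REFERENCE_PROPERTIES:
        return True
    return name.startswith(NUMBERED_PREFIX) and name[len(NUMBERED_PREFIX):].isdigit()

def find_dangling_references(xml_text: str) -> list:
    """Return 'referrer -> missing-id' for every reference no element defines."""
    root = ET.fromstring(xml_text)   # ElementTree drops comments, as NiFi does
    defined = {el.findtext("identifier", "").strip() for el in root}
    problems = []
    for el in root:
        owner = el.findtext("identifier", "?").strip()
        for prop in el.findall("property"):
            target = (prop.text or "").strip()
            if _is_reference(prop.get("name", "")) and target and target not in defined:
                problems.append(f"{owner} -> {target}")
    return problems

# Constructed sample 1: the shape of the failing file. The file provider exists
# only inside a comment, but the access policy provider still names it.
BROKEN = """<authorizers>
    <!--
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    </userGroupProvider>
    -->
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>"""

# Constructed sample 2: the chain Johannes suggests. Every identity string must
# match, character for character, what the login provider returns for that user.
COMPOSITE = """<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">LDAPS</property>
        <property name="Manager DN">cn=nifi-svc,ou=service,dc=example,dc=com</property>
        <property name="Manager Password">replace-me</property>
        <property name="Url">ldaps://ldap.example.com:636</property>
        <property name="TLS - Truststore">./conf/truststore.jks</property>
        <property name="TLS - Truststore Password">replace-me</property>
        <property name="User Search Base">ou=people,dc=example,dc=com</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Identity Attribute">cn</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">nifi-admin</property>
        <property name="Node Identity 1">CN=nifi-node1, OU=NiFi, O=Example</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("composite", COMPOSITE)):
        print(label, find_dangling_references(text) or "ok")
```

Run it as a script to check both samples, or call find_dangling_references() on the contents of your own conf/authorizers.xml. Two things the check cannot see: the Initial Admin Identity has to be exactly the identity string the login provider produces (the bare username with Identity Strategy USE_USERNAME, the full DN with USE_DN), and nifi.properties must point nifi.security.user.authorizer at managed-authorizer. Initial Admin Identity and Node Identity are only applied when authorizations.xml does not yet exist, so after changing identities or providers stop NiFi and delete conf/users.xml and conf/authorizations.xml so they are regenerated, as Andy describes in the quoted thread.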
On 2020-09-24 13:16, White, Daniel wrote:
> Welcome anyone else’s view on this or experience/examples used in the setup.
> 
>  
> 
> *From:* White, Daniel <daniel.wh...@lgim.com>
> *Sent:* 24 September 2020 10:15
> *To:* users@nifi.apache.org
> *Subject:* RE: SSL/LDAP Configuration
> 
>  
> 
> Hi Andy,
> 
>  
> 
> Still getting issues trying to make LDAP integration work – Is there a
> reference document which shows worked examples of the configurations?
> 
>  
> 
> I’ve attached my latest .xml files – Any help is gratefully received.
> 
>  
> 
> I’m currently getting the following error on startup :
> 
>  
> 
>  
> 
> Thanks
> 
> Dan
> 
>  
> 
> *From:* Andy LoPresto <alopresto.apa...@gmail.com
> <mailto:alopresto.apa...@gmail.com>>
> *Sent:* 23 August 2020 01:06
> *To:* users@nifi.apache.org <mailto:users@nifi.apache.org>
> *Subject:* Re: SSL/LDAP Configuration
> 
>  
> 
> CAUTION: This email originated from outside of the organisation. Do not
> click links or open attachments unless you recognise the sender and know
> the content is safe.
> 
>  
> 
> Ok to diagnose, look at the users.xml to see if there is a user matching
> that DN, and if so, it should have a UUID. Then in the
> authorizations.xml there should be policies defined in a hierarchical
> manner associating those users with a right on a specific resource
> (component/processor). If so, you can copy/paste as many as you want to
> define them. 
> 
>  
> 
> Again, this is not the ideal situation; most of this should be possible
> through the UI but I’m not sitting there to diagnose the issue. 
> 
> Andy LoPresto
> 
> alopre...@apache.org <mailto:alopre...@apache.org>
> alopresto.apa...@gmail.com <mailto:alopresto.apa...@gmail.com>
> 
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> 
>  
> 
>     On Aug 22, 2020, at 16:56, White, Daniel <daniel.wh...@lgim.com
>     <mailto:daniel.wh...@lgim.com>> wrote:
> 
>     
> 
>     Hi Andy,
> 
>      
> 
>     I tried removing users.xml and authorizations.xml but I’m still
>     getting the same error.
> 
>      
> 
>     Suspect it’s something to do with authorizers.xml, but I can’t see
>     any issues with it.
> 
>      
> 
>     I see this in the nifi-user.log :
> 
>      
> 
>     <image001.png>
> 
>     Thanks
> 
>     Dan
> 
>      
> 
>     *From:* Andy LoPresto <alopresto.apa...@gmail.com
>     <mailto:alopresto.apa...@gmail.com>>
>     *Sent:* 23 August 2020 00:12
>     *To:* users@nifi.apache.org <mailto:users@nifi.apache.org>
>     *Subject:* Re: SSL/LDAP Configuration
> 
>      
> 
> 
>      
> 
>     Daniel,
> 
>      
> 
>     A couple options:
> 
>      
> 
>     The “easy way” is to shut down NiFi, delete “users.xml” and
>     “authorizations.xml” in the “conf/“ directory, and then restart
>     NiFi. Whatever user was specified as the IAI should have enough
>     permissions to get started now. 
> 
>      
> 
>     Once you can access the main canvas, you’ll want to go into the
>     global policies dialog (global menu top right > policies) and give
>     yourself the specific view & modify permissions on the root process
>     group. I understand this manual effort is less than ideal, but the
>     stages in which things are defined have mandated this for now. 
> 
>      
> 
>     I think the User Guide does a good job of explaining the theory here
>     as well as specific component steps (but doesn’t go soup to nuts on
>     the process), so I’d recommend that as well as the “end” (the last
>     3-4 steps) of the Walkthrough guide section on securing NiFi. 
> 
>      
> 
>     I’m on my phone so I don’t have all my usual resources available,
>     but hopefully this guides you in the right direction. If not, please
>     let me know and tomorrow I can provide more specific instructions. 
> 
>      
> 
>      
> 
>     Andy LoPresto
> 
>     alopre...@apache.org <mailto:alopre...@apache.org>
>     alopresto.apa...@gmail.com <mailto:alopresto.apa...@gmail.com>
> 
>     He/Him
>     PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> 
> 
> 
>         On Aug 22, 2020, at 16:05, White, Daniel <daniel.wh...@lgim.com
>         <mailto:daniel.wh...@lgim.com>> wrote:
> 
>         
> 
>         Hi Andy,
> 
>          
> 
>         I’ve now managed to log in to NiFi using my AD account but am
>         getting the following error :
> 
>          
> 
>         Insufficient Permissions – No applicable policies could be found.
> 
>          
> 
>         <image001.png>
> 
>          
> 
>         Any pointers would be gratefully received.
> 
>          
> 
>         Thanks
> 
>         Dan
> 
>          
> 
>         *From:* Andy LoPresto <alopre...@apache.org
>         <mailto:alopre...@apache.org>>
>         *Sent:* 03 August 2020 03:07
>         *To:* users@nifi.apache.org <mailto:users@nifi.apache.org>
>         *Subject:* Re: SSL/LDAP Configuration
> 
>          
> 
> 
>          
> 
>         Also, your authorizers.xml is not correct — you haven’t
>         configured (or even uncommented) the LDAP user group provider,
>         so the specified user group provider is the file users.xml, and
>         you haven’t configured any initial admins, so no users will be
>         allowed to log in. Did you follow the steps in the NiFi Admin
>         Guide [3][4] for configuring this? Authentication and
>         authorization are decoupled in NiFi, and while you can use LDAP
>         for both, you’ll have to configure it for each. 
> 
>          
> 
>         Also, your login-identity-providers.xml uses START_TLS as the
>         authentication strategy but does not specify any properties for
>         the keystore or truststore, which will be required. 
> 
>          
> 
>         [3] 
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
> 
>         [4] 
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
> 
>          
> 
>          
> 
>          
> 
>         Andy LoPresto
>         alopre...@apache.org <mailto:alopre...@apache.org>
>         /alopresto.apa...@gmail.com <mailto:alopresto.apa...@gmail.com>/
>         He/Him
> 
>         PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> 
> 
> 
> 
>             On Aug 2, 2020, at 7:02 PM, Andy LoPresto
>             <alopre...@apache.org <mailto:alopre...@apache.org>> wrote:
> 
>              
> 
>             Hi Daniel,
> 
>              
> 
>             Did you verify that the provided credentials are correct?
>             There will be two sets — the “manager” DN and password which
>             are provided as configuration values in the authorizers.xml
>             file, and the individual user credentials provided on each
>             login attempt. The manager credentials allow NiFi to make an
>             authenticated request to the LDAP service, and the request
>             itself contains the user’s credentials. 
> 
>              
> 
>             You can verify these credentials by using the ldapsearch
>             [1][2] tool from one of the machines where NiFi is
>             installed. This allows you to verify TLS, ports, network
>             reachability, and the correctness of the credentials
>             themselves. 
> 
>              
> 
>             Something like:
> 
>              
> 
>             $ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> \
>                 -D "cn=admin,dc=<your_org>,dc=com" -W
> 
>              
> 
>             That will conduct a general search using the account
>             provided by -D, and prompt for the password with -W. You can
>             also switch out the account in -D for the specific user
>             you’re trying to log in as to verify those credentials. 
> 
>              
> 
>             [1] 
> https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
> 
>             [2] 
> https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
> 
>              
> 
>             Andy LoPresto
>             alopre...@apache.org <mailto:alopre...@apache.org>
>             /alopresto.apa...@gmail.com <mailto:alopresto.apa...@gmail.com>/
>             He/Him
> 
>             PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B
>             2F7D EF69
> 
> 
> 
> 
>                 On Aug 2, 2020, at 1:11 PM, White, Daniel
>                 <daniel.wh...@lgim.com <mailto:daniel.wh...@lgim.com>>
>                 wrote:
> 
>                  
> 
>                 Confidential
> 
>                  
> 
>                 Hi All,
> 
>                  
> 
>                 Looking for some assistance with setting up SSL/LDAP to
>                 enable user admin within Nifi.
> 
>                  
> 
>                 I’ve set up and configured my non-prod environment but am
>                 having issues logging in:
> 
>                  
> 
>                 Unable to validate the supplied credentials. Please
>                 contact the system administrator
> 
>                  
> 
>                 I’ve followed the config guide and am stuck as to what
>                 the issue could be.
> 
>                  
> 
>                 The steps I followed :
> 
>                  
> 
>                  1. Generate keys etc using tls-toolkit.sh
>                  2. Updated nifi.properties to set
>                     nifi.security.user.login.identity.provider=ldap-provider
>                  3. Modified login-identity-providers.xml (copy attached)
>                  4. Modified authorizers.xml (copy attached)
> 
>                  
> 
>                 NiFi starts and I can get to the login page, just unable
>                 to log in (with the error shown above).
> 
>                  
> 
>                 Any help will be gratefully received.
> 
>                  
> 
>                 Thanks
> 
>                  
> 
>                 *Dan White*
>                 *Lead Technical Architect*
>                 Legal & General Investment Management
>                 One Coleman Street, London, EC2R 5AA
>                 Tel: +44 203 124 4048
> 
>                 Mob: +44 7980 027 656
> 
>                 www.lgim.com
> 
>                  
> 
>                 This e-mail (and any attachments) may contain privileged
>                 and/or confidential information. If you are not the
>                 intended recipient please do not disclose, copy,
>                 distribute, disseminate or take any action in reliance
>                 on it. If you have received this message in error please
>                 reply and tell us and then delete it. Should you wish to
>                 communicate with us by e-mail we cannot guarantee the
>                 security of any data outside our own computer systems. 
> 
>                 Any information contained in this message may be subject
>                 to applicable terms and conditions and must not be
>                 construed as giving investment advice within or outside
>                 the United Kingdom or Republic of Ireland. 
> 
>                 Telephone Conversations may be recorded for your
>                 protection and to ensure quality of service 
> 
>                 Legal & General Investment Management Limited (no
>                 2091894), LGIM Real Assets (Operator) Limited (no
>                 05522016), LGIM (International) Limited (no 7716001)
>                 Legal & General Unit Trust Managers (no 1009418), GO ETF
>                 Solutions LLP (OC329482) and LGIM Corporate Director
>                 Limited (no 7105051) are authorised and regulated by the
>                 Financial Conduct Authority. All are registered in
>                 England & Wales with a registered office at One Coleman
>                 Street, London, EC2R 5AA 
> 
>                 Legal & General Assurance (Pensions Management) Limited
>                 (no 1006112) is authorised by the Prudential Regulation
>                 Authority and regulated by the Financial Conduct
>                 Authority and the Prudential Regulation Authority. It is
>                 registered in England & Wales with a registered office
>                 at One Coleman Street, London, EC2R 5AA. 
> 
>                 Legal & General Property Limited (no 2091897) is
>                 authorised and regulated by the Financial Conduct
>                 Authority for insurance mediation activities. It is
>                 registered in England & Wales with a registered office
>                 at One Coleman Street, London, EC2R 5AA. 
> 
>                 LGIM Managers (Europe) Limited is authorised and
>                 regulated by the Central Bank of Ireland (C173733). It
>                 is registered in the Republic of Ireland (no 609677)
>                 with a registered office at 33/34 Sir John Rogerson's
>                 Quay, Dublin 2, D02 XK09. 
> 
>                 Legal & General Group PLC, Registered Office One Coleman
>                 Street, London, EC2R 5AA. 
> 
>                 Registered in England no: 1417162 
>                 
> ________________________________________________________________________
>                 **** This email has come from the internet and has been
>                 scanned for all viruses and potentially offensive
>                 content by Messagelabs on behalf of Legal & General ****
>                 <authorizers.xml><login-identity-providers.xml>
> 
>              
> 
>          
> 
> 
>         
> ________________________________________________________________________
>         *** This email has come from the internet and has been scanned
>         for all viruses and potentially offensive content by Messagelabs
>         on behalf of Legal & General. Please report unwanted spam email
>         to secur...@lgim.com <mailto:secur...@lgim.com> ***
> 
>         Please consider the environment before printing this email.
> 