
We are using cetic/helm for our NiFi cluster. We have configured the LDAP credentials as below:

```yaml
ldap:
  enabled: true
  host: "ldaps://ldaphost.net"
  searchBase: "ou=People,o=ABC" #CN=Users,DC=ldap,DC=example,DC=be
  admin: "cn=Keycloak_business_managed_Acc,ou=SystemUsers,ou=Accounts,o=ABC"
  pass: changeme
  searchFilter: (objectClass=abcEDPerson, inetorgperson, organizationalPerson, person, top, dspswuser, posixAccount, shadowAccount)
  userIdentityAttribute: uid
  authStrategy: SIMPLE # How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
  identityStrategy: USE_USERNAME
  authExpiration: 12 hours
  userSearchScope: SUBTREE # Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
  groupSearchScope: SUBTREE # Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
```

However, we always get "invalid user credentials" when we try to log in with our individual accounts from the NiFi UI.

The same thing works through ldapsearch:

```
root@bh-gsn-57-asca-dev-01:~# ldapsearch -h ldaphost.net -D "cn=Keycloak_business_managed_Acc,ou=SystemUsers,ou=Accounts,o=ABC" -w "changeme" -b "ou=people,o=abc" uid=myuserid
# extended LDIF
#
# LDAPv3
# base <ou=people,o=abc> with scope subtree
# filter: uid=myuserid
# requesting: ALL
#

# 62XXXXXX, Internal, People, ABC
dn: employeeNumber=62XXXXXX,ou=Internal,ou=People,o=ABC
displayName: Prabir Choudhury (ABC-D)
```

Kindly advise on what I am doing wrong.

I understand from the documentation that the Manager DN (admin) and password are the DN and password of the manager used to bind to the LDAP server in order to search for users. Therefore, we are providing the BIND DN as admin and the BIND PASSWORD as pass.

  • You are using ldaps in the config, but ldap in the working ldapsearch example. Could you try ldaps in your ldapsearch query and post the results? Commented Jan 24, 2023 at 15:29

1 Answer

It seems your host and searchFilter settings are wrong. In order to replicate the ldapsearch command, you would need the following configuration:

```yaml
auth:
  # ...
  ldap:
    enabled: true
    host: "ldap://ldaphost.net:389"
    searchBase: "ou=People,o=ABC"
    admin: "cn=Keycloak_business_managed_Acc,ou=SystemUsers,ou=Accounts,o=ABC"
    pass: changeme
    searchFilter: (uid={0})
    userIdentityAttribute: uid
    authStrategy: SIMPLE
    identityStrategy: USE_USERNAME
    authExpiration: 12 hours
    userSearchScope: SUBTREE
    groupSearchScope: SUBTREE
```

However - at the time of writing - this won't work because the config files login-identity-providers-ldap.xml and authorizers.xml have hard-coded values, notably the search filter:

```xml
<property name="User Search Filter">(cn={0})</property>
```

which should be:

```xml
<property name="User Search Filter">{{.Values.auth.ldap.searchFilter}}</property>
```

There are 2 pull requests addressing the issue (#260 and #280). I guess you can try to fix this manually for now until they are merged, either as described above, or by setting directly the proper values in the ldap login identity provider config, just like you would do without Helm.

See https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
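The point of the answer, that the User Search Filter only finds the person logging in when it contains the `{0}` placeholder, and the difference between the question's comma-separated objectClass filter and `(uid={0})`, can be checked without an LDAP server. The Python below is an added example, not code from the cetic/helm chart or from NiFi: it expands `{0}` the way a login provider would, escaping the entered identity per RFC 4515 so a login name cannot change the shape of the filter, and runs a small RFC 4515 syntax check over the result. `QUESTION_FILTER` is copied from the question; `MULTI_CLASS_FILTER`, `selects_login_user` and the parser are this example's own constructs and are not taken from NiFi's source.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# A leaf item: attribute description, comparison operator, value without bare parens.
_LEAF = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*(=|~=|>=|<=)[^()]*$")

# Filter from the question's values.yaml: one equality item whose value is the
# literal comma-separated string, and it contains no {0} placeholder.
QUESTION_FILTER = ("(objectClass=abcEDPerson, inetorgperson, organizationalPerson, "
                   "person, top, dspswuser, posixAccount, shadowAccount)")

# Hypothetical (constructed) filter showing how several object classes are OR-ed
# while still selecting the login user via {0}.
MULTI_CLASS_FILTER = "(&(uid={0})(|(objectClass=inetOrgPerson)(objectClass=posixAccount)))"


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before splicing it into an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_user_search_filter(template: str, identity: str) -> str:
    """Replace the {0} placeholder with the escaped login name."""
    return template.replace("{0}", escape_filter_value(identity))


def selects_login_user(template: str) -> bool:
    """A User Search Filter can only find the person logging in if it uses {0}."""
    return "{0}" in template


def _parse(s: str, i: int):
    """Recursive-descent check of one parenthesised filter starting at s[i]."""
    if i >= len(s) or s[i] != "(":
        return i, False
    i += 1
    if i < len(s) and s[i] in "&|":          # AND / OR: one or more sub-filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i, ok = _parse(s, i)
            if not ok:
                return i, False
            count += 1
        if count == 0:
            return i, False
    elif i < len(s) and s[i] == "!":         # NOT: exactly one sub-filter
        i, ok = _parse(s, i + 1)
        if not ok:
            return i, False
    else:                                    # leaf item up to the closing paren
        j = s.find(")", i)
        if j < 0 or not _LEAF.match(s[i:j]):
            return i, False
        i = j
    if i >= len(s) or s[i] != ")":
        return i, False
    return i + 1, True


def is_valid_filter(flt: str) -> bool:
    """True when the whole string is one well-formed RFC 4515 filter."""
    pos, ok = _parse(flt, 0)
    return ok and pos == len(flt)


if __name__ == "__main__":
    for tmpl in ["(uid={0})", QUESTION_FILTER, MULTI_CLASS_FILTER]:
        expanded = expand_user_search_filter(tmpl, "myuserid")
        print(f"{tmpl}\n  selects user: {selects_login_user(tmpl)}"
              f"  valid: {is_valid_filter(expanded)}\n  -> {expanded}")
    # An identity containing filter metacharacters is neutralised by escaping.
    print(expand_user_search_filter("(uid={0})", "*)(uid=*"))
```

Running it shows why the question's filter cannot authenticate anyone even though it is syntactically fine: `objectClass` is compared against the whole literal "abcEDPerson, inetorgperson, ..." and the login name never enters the search. The escaping step is the part worth keeping in any custom provider config: a value such as `*)(uid=*` becomes `\2a\29\28uid=\2a`, so the filter stays `(uid=...)` instead of widening to every entry.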
