Posted to users@nifi.apache.org by "White, Daniel" <Da...@lgim.com> on 2020/09/24 09:14:30 UTC

RE: SSL/LDAP Configuration

Hi Andy,

Still getting issues trying to make LDAP integration work – Is there a reference document which shows worked examples of the configurations?

I’ve attached my latest .xml files – Any help is gratefully received.

I’m currently getting the following error on startup :

<image001.png>

Thanks
Dan

From: Andy LoPresto <al...@gmail.com>
Sent: 23 August 2020 01:06
To: users@nifi.apache.org
Subject: Re: SSL/LDAP Configuration

CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.

Ok to diagnose, look at the users.xml to see if there is a user matching that DN, and if so, it should have a UUID. Then in the authorizations.xml there should be policies defined in a hierarchical manner associating those users with a right on a specific resource (component/processor). If so, you can copy/paste as many as you want to define them.

Again, this is not the ideal situation; most of this should be possible through the UI but I’m not sitting there to diagnose the issue.
Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69


On Aug 22, 2020, at 16:56, White, Daniel <Da...@lgim.com> wrote:

Hi Andy,

I tried removing users.xml and authorizations.xml but I’m still getting the same error.

Suspect it’s something to do with authorizers.xml, but I can’t see any issues with it.

I see this in the nifi-user.log :

<image001.png>
Thanks
Dan

From: Andy LoPresto <al...@gmail.com>
Sent: 23 August 2020 00:12
To: users@nifi.apache.org
Subject: Re: SSL/LDAP Configuration


Daniel,

A couple options:

The “easy way” is to shut down NiFi, delete “users.xml” and “authorizations.xml” in the “conf/“ directory, and then restart NiFi. Whatever user was specified as the IAI should have enough permissions to get started now.

Once you can access the main canvas, you’ll want to go into the global policies dialog (global menu top right > policies) and give yourself the specific view & modify permissions on the root process group. I understand this manual effort is less than ideal, but the stages in which things are defined has mandated this for now.

I think the User Guide does a good job of explaining the theory here as well as specific component steps (but doesn’t go soup to nuts on the process), so I’d recommend that as well as the “end” (the last 3-4 steps) of the Walkthrough guide section on securing NiFi.

I’m on my phone so I don’t have all my usual resources available, but hopefully this guides you in the right direction. If not, please let me know and tomorrow I can provide more specific instructions.


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69



On Aug 22, 2020, at 16:05, White, Daniel <Da...@lgim.com> wrote:

Hi Andy,

I’ve now managed to login to Nifi using my AD account but am getting the following error :

Insufficient Permissions – No applicable policies could be found.

<image001.png>

Any pointers would be gratefully received.

Thanks
Dan

From: Andy LoPresto <al...@apache.org>
Sent: 03 August 2020 03:07
To: users@nifi.apache.org
Subject: Re: SSL/LDAP Configuration


Also, your authorizers.xml is not correct — you haven’t configured (or even uncommented) the LDAP user group provider, so the specified user group provider is the file users.xml, and you haven’t configured any initial admins, so no users will be allowed to log in. Did you follow the steps in the NiFi Admin Guide [3][4] for configuring this? Authentication and authorization are decoupled in NiFi, and while you can use LDAP for both, you’ll have to configure it for each.

Also, your login-identity-providers.xml uses START_TLS as the authentication strategy but does not specify any properties for the keystore or truststore, which will be required.

[3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
[4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider



Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
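Andy's second point, that a START_TLS login provider needs TLS material configured, as an added example. This is editorial and is neither the attachment from the thread nor a file shipped by the NiFi project; the host name, DNs, password, truststore path and search filter are placeholders. Only a truststore is set, on the assumption that the directory does not require client certificates (the keystore properties are left empty for that reason):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: conf/login-identity-providers.xml with START_TLS.
     All names, paths and secrets below are placeholders. -->
<loginIdentityProviders>
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>

        <!-- START_TLS upgrades a plain ldap:// connection; LDAPS would use ldaps:// -->
        <property name="Authentication Strategy">START_TLS</property>

        <!-- Service account NiFi binds as to search for the user (placeholder DN) -->
        <property name="Manager DN">cn=nifi-svc,ou=Service Accounts,dc=example,dc=com</property>
        <property name="Manager Password">change-me</property>

        <!-- Keystore only needed if the directory demands a client certificate;
             truststore must contain the CA that issued the directory's certificate -->
        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore">./conf/truststore.jks</property>
        <property name="TLS - Truststore Password">change-me</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol">TLSv1.2</property>
        <property name="TLS - Shutdown Gracefully">true</property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <!-- Plain port; START_TLS negotiates TLS after connecting -->
        <property name="Url">ldap://ldap.example.com:389</property>
        <property name="User Search Base">ou=Users,dc=example,dc=com</property>
        <!-- {0} is replaced with the username typed at the login page -->
        <property name="User Search Filter">sAMAccountName={0}</property>

        <!-- USE_DN presents the user's full DN to the authorizer (the form seen in
             the log lines in this thread); USE_USERNAME presents the typed name -->
        <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>
```

The Identity Strategy decides which string the authorizer later has to recognise: with USE_DN the DN returned by the directory becomes the NiFi identity, so the Initial Admin Identity in authorizers.xml and the users known to the user group provider must use that same DN string. nifi.properties must also point nifi.security.user.login.identity.provider at the identifier above (ldap-provider).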




On Aug 2, 2020, at 7:02 PM, Andy LoPresto <al...@apache.org> wrote:

Hi Daniel,

Did you verify that the provided credentials are correct? There will be two sets — the “manager” DN and password which are provided as configuration values in the authorizers.xml file, and the individual user credentials provided on each login attempt. The manager credentials allow NiFi to make an authenticated request to the LDAP service, and the request itself contains the user’s credentials.

You can verify these credentials by using the ldapsearch [1][2] tool from one of the machines where NiFi is installed. This allows you to verify TLS, ports, network reachability, and the correctness of the credentials themselves.

Something like:

$ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D "cn=admin,dc=<your_org>,dc=com" -W

That will conduct a general search using the account provided by -D, and prompt for the password with -W. You can also switch out the account in -D for the specific user you’re trying to log in as to verify those credentials.

[1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
[2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69




On Aug 2, 2020, at 1:11 PM, White, Daniel <Da...@lgim.com> wrote:

Confidential

Hi All,

Looking for some assistance with setting up SSL/LDAP to enable user admin within NiFi.

I’ve set up and configured my non-prod environment but am having issues logging in:

Unable to validate the supplied credentials. Please contact the system administrator

I’ve followed the config guide and am stuck as to what the issue could be.

The steps I followed :


  1.  Generate keys etc using tls-toolkit.sh
  2.  Updated nifi.properties to set nifi.security.user.login.identity.provider=ldap-provider
  3.  Modified login-identity-providers.xml (copy attached)
  4.  Modified authorizers.xml (copy attached)

NiFi starts and I can get to the login page, I'm just unable to log in (with the error shown above).

Any help will be gratefully received.

Thanks

Dan White
Lead Technical Architect
Legal & General Investment Management
One Coleman Street, London, EC2R 5AA
Tel: +44 203 124 4048
Mob: +44 7980 027 656
www.lgim.com

This e-mail (and any attachments) may contain privileged and/or confidential information. If you are not the intended recipient please do not disclose, copy, distribute, disseminate or take any action in reliance on it. If you have received this message in error please reply and tell us and then delete it. Should you wish to communicate with us by e-mail we cannot guarantee the security of any data outside our own computer systems.

Any information contained in this message may be subject to applicable terms and conditions and must not be construed as giving investment advice within or outside the United Kingdom or Republic of Ireland.

Telephone Conversations may be recorded for your protection and to ensure quality of service

Legal & General Investment Management Limited (no 2091894), LGIM Real Assets (Operator) Limited (no 05522016), LGIM (International) Limited (no 7716001) Legal & General Unit Trust Managers (no 1009418), GO ETF Solutions LLP (OC329482) and LGIM Corporate Director Limited (no 7105051) are authorised and regulated by the Financial Conduct Authority. All are registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA

Legal & General Assurance (Pensions Management) Limited (no 1006112) is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. It is registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA.

Legal & General Property Limited (no 2091897) is authorised and regulated by the Financial Conduct Authority for insurance mediation activities. It is registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA.

LGIM Managers (Europe) Limited is authorised and regulated by the Central Bank of Ireland (C173733). It is registered in the Republic of Ireland (no 609677) with a registered office at 33/34 Sir John Rogerson's Quay, Dublin 2, D02 XK09.

Legal & General Group PLC, Registered Office One Coleman Street, London, EC2R 5AA.

Registered in England no: 1417162
________________________________________________________________________
**** This email has come from the internet and has been scanned for all viruses and potentially offensive content by Messagelabs on behalf of Legal & General ****
[attachments: authorizers.xml, login-identity-providers.xml]



________________________________________________________________________
*** This email has come from the internet and has been scanned for all viruses and potentially offensive content by Messagelabs on behalf of Legal & General. Please report unwanted spam email to security@lgim.com ***

Please consider the environment before printing this email.


Re: SSL/LDAP Configuration

Posted by Jean-Sebastien Vachon <js...@brizodata.com>.
For the record...

this did fix the issue. I'm not sure why the order would have been changed or if there's a rule stating in what order the identity should be.

but, anyhow, thanks a ton

Jean-Sébastien Vachon
Co-Founder & Architect
Brizo Data, Inc.
www.brizodata.com
________________________________
From: Jean-Sebastien Vachon <js...@brizodata.com>
Sent: Friday, September 24, 2021 8:02 AM
To: users@nifi.apache.org
Subject: Re: SSL/LDAP Configuration

Ok fine but I'm not responsible for the string being logged... my configuration files all show the same string in the same order...

> fgrep "CN=admin" conf/*

conf/authorizers.xml:        <property name="Initial User Identity 1">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/authorizers.xml:        <property name="Initial Admin Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/authorizers.xml:        <property name="Initial Admin Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/users.xml:        <user identifier="424775ca-62d5-3873-aa21-b58cfeb6d137" identity="CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec"/>

I will try modifying my config files to match the order shown in the logs and see how it goes...

Thanks for the hint anyway

Jean-Sébastien Vachon
Co-Founder & Architect
Brizo Data, Inc.
www.brizodata.com
________________________________
From: Bryan Bende <bb...@gmail.com>
Sent: Thursday, September 23, 2021 9:12 PM
To: users@nifi.apache.org
Subject: Re: SSL/LDAP Configuration

Hello,

The highlighted identity from the logs is not the same string from your config files, the ordering of the DN parts is different. The config files have to match the exact identity string.

Thanks,

Bryan
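The mismatch Bryan describes, reproduced as an added example. This is editorial code, not code from the thread or from the NiFi project; the two identity strings are the ones visible in the log line and the config excerpt in this thread, and the function names and the small RDN parser are illustrative. NiFi's file-based user and policy providers look a user up by the literal identity string, so the DN that nifi-user.log reports and the DN written in authorizers.xml and users.xml must agree character for character. The script shows that exact comparison failing while an order-insensitive comparison of the RDNs succeeds, which is the signature of a reordered DN rather than a different user:

```python
"""Diagnose a NiFi "Unknown user with identity ..." caused by a reordered DN.

Added example. NiFi compares identity strings literally; this script shows
why two DNs naming the same entry can still fail that comparison.
"""
import re

# Identity strings from the thread: the one nifi-user.log reported and the
# one that was in authorizers.xml / users.xml.
LOGGED_IDENTITY = "CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA"
CONFIGURED_IDENTITY = "CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec"

# Split on commas that are not escaped with a backslash (RFC 4514 style).
_RDN_SEPARATOR = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Parse a DN string into an ordered list of (attribute, value) pairs.

    Attribute types are upper-cased; values keep their case but have
    backslash-escaped commas unescaped. Only the escaping this diagnostic
    needs is handled, not the full RFC 4514 grammar.
    """
    rdns = []
    for part in _RDN_SEPARATOR.split(dn):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("not an attribute=value RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def nifi_identity_matches(presented, configured):
    """The comparison NiFi's file-based providers make: exact string equality,
    with no RDN parsing and no whitespace or case normalisation."""
    return presented == configured


def same_rdns(dn_a, dn_b):
    """True when both DNs carry the same RDNs, ignoring order and attribute case.

    RDN order is significant in LDAP, so this is a diagnostic heuristic for
    the reordered-DN mismatch seen in the thread, not LDAP equality.
    """
    return sorted(parse_dn(dn_a)) == sorted(parse_dn(dn_b))


def diagnose(presented, configured):
    """Classify a failed lookup: 'match', 'equivalent' or 'different'."""
    if nifi_identity_matches(presented, configured):
        return "match"
    if same_rdns(presented, configured):
        return "equivalent"   # same RDNs, different string (order, spacing, case)
    return "different"


def suggest_fix(presented, configured):
    """Human-readable advice; the logged string is always the one to copy."""
    verdict = diagnose(presented, configured)
    if verdict == "match":
        return "identity strings match; look elsewhere (policies, groups)"
    if verdict == "equivalent":
        return ("same RDNs but a different string; paste the logged identity "
                "verbatim into authorizers.xml and users.xml: " + presented)
    return "different identity; check Identity Strategy and the LDAP search"


if __name__ == "__main__":
    print(suggest_fix(LOGGED_IDENTITY, CONFIGURED_IDENTITY))
```

Run it with the two strings from your own nifi-user.log and config files; the fix is always to copy the logged form. If a presented DN has to be rewritten before lookup, NiFi's identity mapping properties in nifi.properties (nifi.security.identity.mapping.pattern.dn and nifi.security.identity.mapping.value.dn) do that with a regular expression, and then the mapped value is the string the config files must contain.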

On Thu, Sep 23, 2021 at 8:09 PM Jean-Sebastien Vachon <js...@brizodata.com> wrote:
Hi,

I'm having the exact same issue. I tried following this as a guide:

https://www.youtube.com/watch?v=LanpbWR7Gv8

My log says:

==> logs/nifi-user.log <==
2021-09-23 19:53:25,835 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /home/jsvachon/nifi/nifi-1.14.0/./conf/users.xml
2021-09-23 19:53:25,862 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Thu Sep 23 19:53:25 EDT 2021
2021-09-23 19:53:25,930 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Thu Sep 23 19:53:25 EDT 2021
2021-09-23 19:53:37,753 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA) GET https://localhost:8443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2021-09-23 19:53:37,759 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA
2021-09-23 19:53:37,879 INFO [NiFi Web Server-18] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA'. Returning Forbidden response.

I've looked at my authorizers.xml and could not spot anything wrong...
Also, the id of the user referenced by authorizations.xml matches the one in users.xml
and the identity seem to be consistent across all files...

conf/authorizers.xml:        <property name="Initial User Identity 1">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/authorizers.xml:        <property name="Initial Admin Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/authorizers.xml:        <property name="Initial Admin Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/users.xml:        <user identifier="424775ca-62d5-3873-aa21-b58cfeb6d137" identity="CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec"/>

What am I missing?

Thanks

Jean-Sébastien Vachon
Co-Founder & Architect
Brizo Data, Inc.
www.brizodata.com
________________________________
From: White, Daniel <Da...@lgim.com>
Sent: Friday, September 25, 2020 5:35 AM
To: users@nifi.apache.org
Subject: RE: SSL/LDAP Configuration


Hi,



I’m still hitting this error on login :



Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Contact the system administrator.


Any other ideas?



Thanks

Dan



From: Luther Blisset <el...@outlook.com>
Sent: 25 September 2020 01:14
To: users@nifi.apache.org
Subject: FW: SSL/LDAP Configuration






Hello Daniel

You must match your login ID with the one mapped by the attribute set up on the LdapUserGroupProvider as User Identity Attribute; here is an example of it:



<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    ...
    <property name="User Search Base">OU=unit,DC=company,DC=com</property>
    <property name="User Object Class">user</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter">(memberOf=CN=Some Group,OU=unit,DC=company,DC=com)</property>
    <property name="User Identity Attribute">userPrincipalName</property>
    ...





The message "Insufficient Permissions" appears because that user doesn't have permission even to access the UI; there is a good article about UserGroupProviders by Pierre: https://pierrevillard.com/2017/12/22/authorizations-with-ldap-synchronization-in-apache-nifi-1-4/



If you are able to log in using LDAP, you will be able to set up the provider with almost the same config.

Are you using Docker? If yes, the entrypoint script has some workarounds.



Regards

________________________________

From: White, Daniel <Da...@lgim.com>
Sent: Thursday, 24 September 2020 08:45 PM
To: Johannes Meixner <jo...@meixner.ch>; users@nifi.apache.org
Subject: RE: SSL/LDAP Configuration



Hi Johannes,

I'm making progress - I'm able to login to the GUI, but I'm getting the following message :

Insufficient Permissions

Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Contact the system administrator.

I can see the following in the nifi-users.log file :

2020-09-25 00:39:45,689 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM
2020-09-25 00:39:45,755 INFO [NiFi Web Server-19] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Returning Forbidden response.

LDAP connection looks good as I can authenticate but authorization looks wrong somewhere.

Any ideas would be welcome.

Thanks
Dan

-----Original Message-----
From: Johannes Meixner <jo...@meixner.ch>
Sent: 24 September 2020 13:53
To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
Subject: Re: SSL/LDAP Configuration



Hi Daniel,

You define all those in authorizers.xml and use the file-user-group-provider to allow access to non-LDAP resources -- Initial admin users (FileAccessPolicyProvider, in case LDAP goes down) and NiFi hosts (FileUserGroupProvider).

You should find Cloudera docs by just typing in all the class names into Google.


--
Johannes Meixner

web: https://www.meixner.ch/

Meixner GmbH
Switzerland


On 2020-09-24 14:39, White, Daniel wrote:
> Hi Johannes,
>
> Thanks.
>
> So do I need to configure all of those in the authorizers.xml or just the ones that relate to LDAP? I'm only going to be authorizing via LDAP and don't really understand the need for the file-user-group-provider?
>
> Apologies if this is a stupid question but we are new to Nifi.
>
> Are there any worked examples that you know of for these config files?
>
> Thanks
> Dan
>
> -----Original Message-----
> From: Johannes Meixner <jo...@meixner.ch>
> Sent: 24 September 2020 12:35
> To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
> Subject: Re: SSL/LDAP Configuration
>
>
> Hi Daniel
>
> Your NiFi setup is choking because in line 278 of authorizers.xml you define a file-user-group-provider but never create it (lines 47-54 are commented out).
>
> What you might want to do is look into the CompositeConfigurableUserGroupProvider class with subs file-user-group-provider and ldap-user-group-provider.
>
> So you get something like this:
>
> StandardManagedAuthorizer --> FileAccessPolicyProvider --> CompositeConfigurableUserGroupProvider --> file-user-group-provider / ldap-user-group-provider (all in authorizers.xml).
>
> Hope that helps
>
>
> --
> Johannes Meixner
>
> web: https://www.meixner.ch/
>
> Meixner GmbH
> Switzerland
> On 2020-09-24 13:16, White, Daniel wrote:
>> Welcome anyone else’s view on this or experience/examples used in the setup.
>>
>>
>>
>> *From:*White, Daniel <Da...@lgim.com>>
>> *Sent:* 24 September 2020 10:15
>> *To:* users@nifi.apache.org<ma...@nifi.apache.org>
>> *Subject:* RE: SSL/LDAP Configuration
>>
>>
>>
>> Hi Andy,
>>
>>
>>
>> Still getting issues trying to make LDAP integration work – Is there
>> a reference document which shows worked examples of the configurations?
>>
>>
>>
>> I’ve attached my latest .xml files – Any help is gratefully received.
>>
>>
>>
>> I’m currently getting the following error on startup :
>>
>>
>>
>>
>>
>> Thanks
>>
>> Dan
>>
>>
>>
>> *From:*Andy LoPresto <alopresto.apache@gmail.com
<mailto:alopresto.apache@gmail.com%0b>>> <ma...@gmail.com>>
>> *Sent:* 23 August 2020 01:06
>> *To:* users@nifi.apache.org<ma...@nifi.apache.org> <ma...@nifi.apache.org>
>> *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>> CAUTION:This email originated from outside of the organisation. Do
>> not click links or open attachments unless you recognise the sender
>> and know the content is safe.
>>
>>
>>
>> Ok to diagnose, look at the users.xml to see if there is a user
>> matching that DN, and if so, it should have a UUID. Then in the
>> authorizations.xml there should be policies defined in a hierarchical
>> manner associating those users with a right on a specific resource
>> (component/processor). If so, you can copy/paste as many as you want
>> to define them.
>>
>>
>>
>> Again, this is not the ideal situation; most of this should be
>> possible through the UI but I’m not sitting there to diagnose the issue.
>>
>> Andy LoPresto
>>
>> alopresto@apache.org<ma...@apache.org> <ma...@apache.org>
>> alopresto.apache@gmail.com<ma...@gmail.com> <ma...@gmail.com>
>>
>> He/Him
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>     On Aug 22, 2020, at 16:56, White, Daniel <Daniel.White@lgim.com
<mailto:Daniel.White@lgim.com%0b>>>     <ma...@lgim.com>> wrote:
>>
>>     
>>
>>     Hi Andy,
>>
>>
>>
>>     I tried removing users.xml and authorizations.xml but I’m still
>>     getting the same error.
>>
>>
>>
>>     Suspect it’s something to do with authorizers.xml, but I can’t see
>>     any issues with it.
>>
>>
>>
>>     I see this in the nifi-user.log :
>>
>>
>>
>>     <image001.png>
>>
>>     Thanks
>>
>>     Dan
>>
>>
>>
>>     *From:*Andy LoPresto <alopresto.apache@gmail.com
<mailto:alopresto.apache@gmail.com%0b>>>     <ma...@gmail.com>>
>>     *Sent:* 23 August 2020 00:12
>>     *To:* users@nifi.apache.org<ma...@nifi.apache.org> <ma...@nifi.apache.org>
>>     *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>     CAUTION:This email originated from outside of the organisation. Do
>>     not click links or open attachments unless you recognise the sender
>>     and know the content is safe.
>>
>>
>>
>>     Daniel,
>>
>>
>>
>>     A couple options:
>>
>>
>>
>>     The “easy way” is to shut down NiFi, delete “users.xml” and
>>     “authorizations.xml” in the “conf/“ directory, and then restart
>>     NiFi. Whatever user was specified as the IAI should have enough
>>     permissions to get started now.
>>
>>
>>
>>     Once you can access the main canvas, you’ll want to go into the
>>     global policies dialog (global menu top right > policies) and give
>>     yourself the specific view & modify permissions on the root process
>>     group. I understand this manual effort is less than ideal, but the
>>     stages in which things are defined has mandated this for now.
>>
>>
>>
>>     I think the User Guide does a good job of explaining the theory here
>>     as well as specific component steps (but doesn’t go soup to nuts on
>>     the process), so I’d recommend that as well as the “end” (the last
>>     3-4 steps) of the Walkthrough guide section on securing NiFi.
>>
>>
>>
>>     I’m on my phone so I don’t have all my usual resources available,
>>     but hopefully this guides you in the right direction. If not, please
>>     let me know and tomorrow I can provide more specific instructions.
>>
>>
>>
>>
>>
>>     Andy LoPresto
>>
>>     alopresto@apache.org<ma...@apache.org> <ma...@apache.org>
>>     alopresto.apache@gmail.com<ma...@gmail.com> <ma...@gmail.com>
>>
>>     He/Him
>>     PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D
>> EF69
>>
>>
>>
>>         On Aug 22, 2020, at 16:05, White, Daniel <Daniel.White@lgim.com
<mailto:Daniel.White@lgim.com%0b>>>         <ma...@lgim.com>> wrote:
>>
>>         
>>
>>         Hi Andy,
>>
>>
>>
>>         I’ve now managed to login to Nifi using my AD account but am
>>         getting the following error :
>>
>>
>>
>>         Insufficient Permissions – No applicable policies could be found.
>>
>>
>>
>>         <image001.png>
>>
>>
>>
>>         Any pointers would be gratefully received.
>>
>>
>>
>>         Thanks
>>
>>         Dan
>>
>>
>>
>>         *From:*Andy LoPresto <alopresto@apache.org
<mailto:alopresto@apache.org%0b>>>         <ma...@apache.org>>
>>         *Sent:* 03 August 2020 03:07
>>         *To:* users@nifi.apache.org<ma...@nifi.apache.org> <ma...@nifi.apache.org>
>>         *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>         CAUTION:This email originated from outside of the organisation.
>>         Do not click links or open attachments unless you recognise the
>>         sender and know the content is safe.
>>
>>
>>
>>         Also, your authorizers.xml is not correct — you haven’t
>>         configured (or even uncommented) the LDAP user group provider,
>>         so the specified user group provider is the file users.xml, and
>>         you haven’t configured any initial admins, so no users will be
>>         allowed to log in. Did you follow the steps in the NiFi Admin
>>         Guide [3][4] for configuring this? Authentication and
>>         authorization are decoupled in NiFi, and while you can use LDAP
>>         for both, you’ll have to configure it for each.
>>
>>
>>
>>         Also, your login-identity-providers.xml uses START_TLS as the
>>         authentication strategy but does not specify any properties for
>>         the keystore or truststore, which will be required.
>>
>>
>>
>>         [3]
>> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnif
>> i.apache.org<http://i.apache.org>%2Fdocs%2Fnifi-docs%2Fhtml%2Fadministration-guide.html%23
>> ldap_login_identity_provider&amp;data=02%7C01%7CDaniel.White%40lgim.c
>> om%7C0ddfa18dfffc4351eebc08d86088defb%7Cd246baabcc004ed2bc4ef8a46cbc5
>> 90d%7C0%7C1%7C637365488257001866&amp;sdata=m8oFyRm8mHYMjT9XK%2BIROJSZ
>> BrHb%2FmGTsvPM0EWNXJM%3D&amp;reserved=0
>>
>> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fni
<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fni%0b>>> f
>> i.apache.org<http://i.apache.org>%2Fdocs%2Fnifi-docs%2Fhtml%2Fadministration-guide.html%23
>> l
>> dap_login_identity_provider&amp;data=02%7C01%7CDaniel.White%40lgim.co<http://40lgim.co>
>> m
>> %7C0717aac2d3914b6f48aa08d8607e13ba%7Cd246baabcc004ed2bc4ef8a46cbc590
>> d
>> %7C0%7C1%7C637365441895130494&amp;sdata=1Jd20hyK%2BaV3AC8ftm7hjGdFnhb
>> H
>> JD2DhUwPp8%2BXrVc%3D&amp;reserved=0>
>>
>>         [4]
>> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnif
>> i.apache.org<http://i.apache.org>%2Fdocs%2Fnifi-docs%2Fhtml%2Fadministration-guide.html%23
>> ldapusergroupprovider&amp;data=02%7C01%7CDaniel.White%40lgim.com<http://40lgim.com>%7C0d
>> dfa18dfffc4351eebc08d86088defb%7Cd246baabcc004ed2bc4ef8a46cbc590d%7C0
>> %7C1%7C637365488257001866&amp;sdata=%2BSr4laoAGGFOuF8RzV1e481%2BMtFnc
>> wVQlircLrhUfIQ%3D&amp;reserved=0
>>
>> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fni
<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fni%0b>>> f
>> i.apache.org<http://i.apache.org>%2Fdocs%2Fnifi-docs%2Fhtml%2Fadministration-guide.html%23
>> l
>> dapusergroupprovider&amp;data=02%7C01%7CDaniel.White%40lgim.com<http://40lgim.com>%7C071
>> 7
>> aac2d3914b6f48aa08d8607e13ba%7Cd246baabcc004ed2bc4ef8a46cbc590d%7C0%7
>> C
>> 1%7C637365441895130494&amp;sdata=fSs3cI%2Fob2aFJApOHygrWoNMETozYqgKZe
>> J
>> DRTb%2Fo3U%3D&amp;reserved=0>
>>
>>
>>
>>
>>
>>
>>
>>         Andy LoPresto
>>         alopresto@apache.org<ma...@apache.org> <ma...@apache.org>
>>         /alopresto.apache@gmail.com<ma...@gmail.com> <ma...@gmail.com>/
>>         He/Him
>>
>>         PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B
>> 2F7D
>> EF69
>>
>>
>>
>>
>>             On Aug 2, 2020, at 7:02 PM, Andy LoPresto
>>             <al...@apache.org> <ma...@apache.org>> wrote:
>>
>>             Hi Daniel,
>>
>>             Did you verify that the provided credentials are correct?
>>             There will be two sets — the “manager” DN and password which
>>             are provided as configuration values in the authorizers.xml
>>             file, and the individual user credentials provided on each
>>             login attempt. The manager credentials allow NiFi to make an
>>             authenticated request to the LDAP service, and the request
>>             itself contains the user’s credentials.
>>
>>             You can verify these credentials by using the ldapsearch
>>             [1][2] tool from one of the machines where NiFi is
>>             installed. This allows you to verify TLS, ports, network
>>             reachability, and the correctness of the credentials
>>             themselves.
>>
>>             Something like:
>>
>>             $ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D "cn=admin,dc=<your_org>,dc=com" -W
>>
>>             That will conduct a general search using the account
>>             provided by -D, and prompt for the password with -W. You can
>>             also switch out the account in -D for the specific user
>>             you’re trying to log in as to verify those credentials.
>>
>>
>>             [1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
>>
>>             [2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
>>
>>             Andy LoPresto
>>             alopresto@apache.org<ma...@apache.org> <ma...@apache.org>
>>             /alopresto.apache@gmail.com<ma...@gmail.com> <ma...@gmail.com>/
>>             He/Him
>>
>>             PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B
>>             2F7D EF69
>>
>>                 On Aug 2, 2020, at 1:11 PM, White, Daniel
>>                 <Da...@lgim.com> <ma...@lgim.com>>
>>                 wrote:
>>
>>                 Confidential
>>
>>                 Hi All,
>>
>>                 Looking for some assistance with setting up SSL/LDAP to
>>                 enable user admin within Nifi.
>>
>>                 I’ve set up and configured my non-prod environment but am
>>                 having issues logging in:
>>
>>                 Unable to validate the supplied credentials. Please
>>                 contact the system administrator
>>
>>                 I’ve followed the config guide and am stuck as to what
>>                 the issue could be.
>>
>>                 The steps I followed:
>>
>>                  1. Generate keys etc using tls-toolkit.sh
>>                  2. Updated nifi.properties to set
>>                     nifi.security.user.login.identity.provider=ldap-provider
>>                  3. Modified login-identity-providers.xml (copy attached)
>>                  4. Modified authorizers.xml (copy attached)
>>
>>                 Nifi starts and I can get to the login page, just unable
>>                 to log in (with the error shown above).
>>
>>                 Any help will be gratefully received.
>>
>>                 Thanks
>>
>>
>>
>>                 Dan White
>>                 Lead Technical Architect
>>                 Legal & General Investment Management
>>                 One Coleman Street, London, EC2R 5AA
>>                 Tel: +44 203 124 4048
>>                 Mob: +44 7980 027 656
>>                 http://www.lgim.com/
>>
>>
>>
>>                 This e-mail (and any attachments) may contain privileged
>>                 and/or confidential information. If you are not the
>>                 intended recipient please do not disclose, copy,
>>                 distribute, disseminate or take any action in reliance
>>                 on it. If you have received this message in error please
>>                 reply and tell us and then delete it. Should you wish to
>>                 communicate with us by e-mail we cannot guarantee the
>>                 security of any data outside our own computer systems.
>>
>>                 Any information contained in this message may be subject
>>                 to applicable terms and conditions and must not be
>>                 construed as giving investment advice within or outside
>>                 the United Kingdom or Republic of Ireland.
>>
>>                 Telephone Conversations may be recorded for your
>>                 protection and to ensure quality of service
>>
>>                 Legal & General Investment Management Limited (no
>>                 2091894), LGIM Real Assets (Operator) Limited (no
>>                 05522016), LGIM (International) Limited (no 7716001)
>>                 Legal & General Unit Trust Managers (no 1009418), GO ETF
>>                 Solutions LLP (OC329482) and LGIM Corporate Director
>>                 Limited (no 7105051) are authorised and regulated by the
>>                 Financial Conduct Authority. All are registered in
>>                 England & Wales with a registered office at One Coleman
>>                 Street, London, EC2R 5AA
>>
>>                 Legal & General Assurance (Pensions Management) Limited
>>                 (no 1006112) is authorised by the Prudential Regulation
>>                 Authority and regulated by the Financial Conduct
>>                 Authority and the Prudential Regulation Authority. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 Legal & General Property Limited (no 2091897) is
>>                 authorised and regulated by the Financial Conduct
>>                 Authority for insurance mediation activities. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 LGIM Managers (Europe) Limited is authorised and
>>                 regulated by the Central Bank of Ireland (C173733). It
>>                 is registered in the Republic of Ireland (no 609677)
>>                 with a registered office at 33/34 Sir John Rogerson's
>>                 Quay, Dublin 2, D02 XK09.
>>
>>                 Legal & General Group PLC, Registered Office One Coleman
>>                 Street, London, EC2R 5AA.
>>
>>                 Registered in England no: 1417162
>>                 ________________________________________________________________________
>>                 **** This email has come from the internet and has been
>>                 scanned for all viruses and potentially offensive
>>                 content by Messagelabs on behalf of Legal & General ****
>>                 <authorizers.xml><login-identity-providers.xml>
>>
>>

Re: SSL/LDAP Configuration

Posted by Jean-Sebastien Vachon <js...@brizodata.com>.
Ok fine but I'm not responsible for the string being logged... my configuration files all show the same string in the same order...

> fgrep "CN=admin" conf/*

conf/authorizers.xml:        <property name="Initial User Identity 1">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/authorizers.xml:        <property name="Initial Admin Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/authorizers.xml:        <property name="Initial Admin Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/users.xml:        <user identifier="424775ca-62d5-3873-aa21-b58cfeb6d137" identity="CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec"/>

I will try modifying my config files to match the order shown in the logs and see how it goes...

Thanks for the hint anyway

Jean-Sébastien Vachon
Co-Founder & Architect
Brizo Data, Inc.
www.brizodata.com
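Added example (not part of this thread): a small Python diagnostic that makes Bryan's point below mechanical. It takes the "Authentication success for ..." line from nifi-user.log and checks whether that exact string is declared in authorizers.xml or users.xml; when it is not, it reports any configured value that is the same DN with reordered components or different attribute-type case, which is the situation in the grep output above. The log lines and XML are constructed from the snippets quoted in this thread; the property names and element layout are assumed to follow NiFi's authorizers.xml and users.xml.

```python
"""Check the identity NiFi authenticated against the identities it was
configured with. NiFi's file-based providers compare identity strings
verbatim, so a DN with its components in a different order is a different user."""
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the nifi-user.log lines and the
# `fgrep "CN=admin" conf/*` output quoted in this thread (not the real files).
SAMPLE_LOG = (
    "2021-09-23 19:53:37,759 INFO [NiFi Web Server-18] "
    "o.a.n.w.s.NiFiAuthenticationFilter Authentication success for "
    "CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA\n"
    "2021-09-23 19:53:37,879 INFO [NiFi Web Server-18] "
    "o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=admin, OU=admin, "
    "O=BrizoData, L=Quebec, ST=Quebec, C=CA], groups[] does not have "
    "permission to access the requested resource. Unknown user with identity "
    "'CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA'. "
    "Returning Forbidden response.\n"
)
SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 1">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Initial Admin Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
  </accessPolicyProvider>
</authorizers>"""
SAMPLE_USERS = """<tenants>
  <users>
    <user identifier="424775ca-62d5-3873-aa21-b58cfeb6d137"
          identity="CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec"/>
  </users>
</tenants>"""

AUTH_SUCCESS = re.compile(r"Authentication success for (?P<identity>.+?)\s*$")
# authorizers.xml properties whose value is an identity string
IDENTITY_PROPS = ("Initial Admin Identity", "Initial User Identity", "Node Identity")

def authenticated_identities(log_text):
    """Identity strings NiFi accepted at authentication, exactly as logged."""
    matches = map(AUTH_SUCCESS.search, log_text.splitlines())
    return [m.group("identity") for m in matches if m]

def configured_identities(authorizers_xml, users_xml):
    """Map each configured identity string (verbatim, whitespace included) to
    the places that declare it."""
    where = {}
    for prop in ET.fromstring(authorizers_xml).iter("property"):
        name = prop.get("name", "")
        if name.startswith(IDENTITY_PROPS) and prop.text:
            where.setdefault(prop.text, []).append(f"authorizers.xml:{name}")
    for user in ET.fromstring(users_xml).iter("user"):
        place = f"users.xml:user[{user.get('identifier')}]"
        where.setdefault(user.get("identity"), []).append(place)
    return where

def normalize_dn(dn):
    """Order- and attribute-case-insensitive view of a DN, for diagnosis only.
    Simplified RFC 4514 handling (splits on unescaped commas, ignores
    multi-valued RDNs and quoting): enough to tell 'same entry, different
    string' from 'different entry'."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return tuple(sorted(parts))

def diagnose(log_text, authorizers_xml, users_xml):
    """Per authenticated identity: where it is declared verbatim (what NiFi
    needs) and, failing that, which configured strings are the same DN written
    differently (reordered components, different attribute-type case)."""
    configured = configured_identities(authorizers_xml, users_xml)
    report = []
    for ident in authenticated_identities(log_text):
        exact = configured.get(ident, [])
        equivalent = {}
        if not exact:
            norm = normalize_dn(ident)
            equivalent = {cfg: places for cfg, places in configured.items()
                          if normalize_dn(cfg) == norm}
        report.append({"identity": ident, "exact_match": exact,
                       "equivalent_dn": equivalent})
    return report

if __name__ == "__main__":
    for entry in diagnose(SAMPLE_LOG, SAMPLE_AUTHORIZERS, SAMPLE_USERS):
        print("authenticated:", entry["identity"])
        if entry["exact_match"]:
            print("  declared verbatim in:", ", ".join(entry["exact_match"]))
        elif entry["equivalent_dn"]:
            for cfg, places in entry["equivalent_dn"].items():
                print(f"  same DN, different string: {cfg!r} in {', '.join(places)}")
        else:
            print("  not declared in users.xml or authorizers.xml at all")
```

To run it against a real installation, read nifi-user.log, conf/authorizers.xml and conf/users.xml into the three arguments of diagnose().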
________________________________
From: Bryan Bende <bb...@gmail.com>
Sent: Thursday, September 23, 2021 9:12 PM
To: users@nifi.apache.org <us...@nifi.apache.org>
Subject: Re: SSL/LDAP Configuration

Hello,

The highlighted identity from the logs is not the same string from your config files, the ordering of the DN parts is different. The config files have to match the exact identity string.

Thanks,

Bryan

On Thu, Sep 23, 2021 at 8:09 PM Jean-Sebastien Vachon <js...@brizodata.com> wrote:
Hi,

I'm having the exact same issue. I tried following this as a guide:

https://www.youtube.com/watch?v=LanpbWR7Gv8

My log says:

==> logs/nifi-user.log <==
2021-09-23 19:53:25,835 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /home/jsvachon/nifi/nifi-1.14.0/./conf/users.xml
2021-09-23 19:53:25,862 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Thu Sep 23 19:53:25 EDT 2021
2021-09-23 19:53:25,930 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Thu Sep 23 19:53:25 EDT 2021
2021-09-23 19:53:37,753 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA) GET https://localhost:8443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2021-09-23 19:53:37,759 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA
2021-09-23 19:53:37,879 INFO [NiFi Web Server-18] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA'. Returning Forbidden response.

I've looked at my authorizers.xml and could not spot anything wrong...
Also, the id of the user referenced by authorizations.xml matches the one in users.xml
and the identity seems to be consistent across all files...

conf/authorizers.xml:        <property name="Initial User Identity 1">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/authorizers.xml:        <property name="Initial Admin Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/authorizers.xml:        <property name="Initial Admin Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/users.xml:        <user identifier="424775ca-62d5-3873-aa21-b58cfeb6d137" identity="CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec"/>

What am I missing?

Thanks

Jean-Sébastien Vachon
Co-Founder & Architect
Brizo Data, Inc.
www.brizodata.com
________________________________
From: White, Daniel <Da...@lgim.com>
Sent: Friday, September 25, 2020 5:35 AM
To: users@nifi.apache.org
Subject: RE: SSL/LDAP Configuration


Hi,

I’m still hitting this error on login:

Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Contact the system administrator.

Any other ideas?

Thanks

Dan

From: Luther Blisset <el...@outlook.com>
Sent: 25 September 2020 01:14
To: users@nifi.apache.org
Subject: RV: SSL/LDAP Configuration

CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.

Hello Daniel

You must match your login id with the one mapped on the attribute set up on LdapUserGroupProvider as User Identity Attribute; here is an example of it:

<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    ...
    <property name="User Search Base">OU=unit,DC=company,DC=com</property>
    <property name="User Object Class">user</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter">(memberOf=CN=Some Group,OU=unit,DC=company,DC=com)</property>
    <property name="User Identity Attribute">userPrincipalName</property>
    ...

The message "Insufficient Permissions" is because that user doesn't have permissions even to the UI; there is a good article about UserGroupProviders by Pierre: https://pierrevillard.com/2017/12/22/authorizations-with-ldap-synchronization-in-apache-nifi-1-4/

If you are able to login using ldap, you will be able to set up the provider with almost the same conf.

Are you using docker? If yes, the entry point script has some workarounds.

Regards

________________________________

From: White, Daniel <Da...@lgim.com>
Sent: Thursday, 24 September 2020 08:45 p.m.
To: Johannes Meixner <jo...@meixner.ch>; users@nifi.apache.org
Subject: RE: SSL/LDAP Configuration



Hi Johannes,

I'm making progress - I'm able to log in to the GUI, but I'm getting the following message:

Insufficient Permissions

Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Contact the system administrator.

I can see the following in the nifi-user.log file:

2020-09-25 00:39:45,689 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM
2020-09-25 00:39:45,755 INFO [NiFi Web Server-19] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Returning Forbidden response.

LDAP connection looks good as I can authenticate but authorization looks wrong somewhere.

Any ideas would be welcome.

Thanks
Dan

-----Original Message-----
From: Johannes Meixner <jo...@meixner.ch>
Sent: 24 September 2020 13:53
To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
Subject: Re: SSL/LDAP Configuration


Hi Daniel,

You define all those in authorizers.xml and use the file-user-group-provider to allow access to non-LDAP resources -- Initial admin users (FileAccessPolicyProvider, in case LDAP goes down) and NiFi hosts (FileUserGroupProvider).

You should find Cloudera docs by just typing in all the class names into Google.


--
Johannes Meixner

web: https://www.meixner.ch/

Meixner GmbH
Switzerland
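
The provider chain Johannes describes here and in his earlier reply (StandardManagedAuthorizer -> FileAccessPolicyProvider -> CompositeConfigurableUserGroupProvider -> file-user-group-provider / ldap-user-group-provider) is easy to break by referencing a provider whose block is still commented out. As an added example for this thread (not NiFi's own code, and not the poster's attached file), the script below parses an authorizers.xml, verifies that every provider reference resolves to a defined identifier and that the FileAccessPolicyProvider names an Initial Admin Identity, and runs that check against a constructed config reproducing the mistake; the DNs, hostname and paths in it are placeholders.

```python
"""Sanity-check the provider chain in a NiFi authorizers.xml before restarting.

Constructed example for this thread, not NiFi project code. It walks the chain
described above (StandardManagedAuthorizer -> FileAccessPolicyProvider ->
CompositeConfigurableUserGroupProvider -> file/ldap user group providers)
and flags a provider that is referenced but never defined (e.g. still
commented out) and a FileAccessPolicyProvider with no Initial Admin Identity.
"""
import xml.etree.ElementTree as ET

# Property names whose value must be another provider's <identifier>.
# "User Group Provider 1", "User Group Provider 2", ... are matched by prefix.
REFERENCE_PROPERTIES = {"User Group Provider", "Access Policy Provider",
                        "Configurable User Group Provider"}


def check_authorizers(xml_text: str) -> list[str]:
    """Return human-readable problems; an empty list means the chain resolves."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    defined = {}
    for provider in root:  # <userGroupProvider>, <accessPolicyProvider>, <authorizer>
        ident = (provider.findtext("identifier") or "").strip()
        if ident:
            defined[ident] = provider
    problems = []
    for ident, provider in defined.items():
        for prop in provider.findall("property"):
            name = prop.get("name", "")
            value = (prop.text or "").strip()
            is_ref = name in REFERENCE_PROPERTIES or name.startswith("User Group Provider ")
            if is_ref and value not in defined:
                problems.append(f"{ident}: '{name}' refers to '{value}', "
                                "which is not defined (commented out?)")
        if (provider.findtext("class") or "").endswith("FileAccessPolicyProvider"):
            admin = provider.find("property[@name='Initial Admin Identity']")
            if admin is None or not (admin.text or "").strip():
                problems.append(f"{ident}: Initial Admin Identity is empty, "
                                "so nobody can log in to grant policies")
    return problems


# Constructed authorizers.xml reproducing the mistake from the thread: the
# composite provider references file-user-group-provider, but that block is
# still commented out, and no initial admin is set. Only the properties
# needed to show the chain are included; a real file carries the full
# LdapUserGroupProvider property set from the NiFi Admin Guide.
BROKEN_AUTHORIZERS_XML = """<authorizers>
  <!--
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">CN=nifi-node1, OU=NIFI</property>
  </userGroupProvider>
  -->
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
    <property name="Url">ldap://ldap.example.com:389</property>
    <property name="Manager DN">cn=nifi-svc,ou=Service Accounts,dc=example,dc=com</property>
    <property name="User Search Base">ou=All Users,dc=example,dc=com</property>
    <property name="User Identity Attribute">cn</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>composite-configurable-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
    <property name="User Group Provider 1">ldap-user-group-provider</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">composite-configurable-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity"></property>
    <property name="Node Identity 1">CN=nifi-node1, OU=NIFI</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>
"""


def fixed_config(admin_dn: str = "cn=DW99908,ou=All Users,dc=example,dc=com") -> str:
    """Uncomment the file provider and set the initial admin. The DN must match
    the identity NiFi logs after authentication exactly (see nifi-user.log)."""
    return (BROKEN_AUTHORIZERS_XML.replace("<!--", "").replace("-->", "")
            .replace('name="Initial Admin Identity"></property>',
                     f'name="Initial Admin Identity">{admin_dn}</property>'))


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_AUTHORIZERS_XML), ("fixed", fixed_config())):
        print(f"{label}: {check_authorizers(cfg) or ['OK']}")
```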


On 2020-09-24 14:39, White, Daniel wrote:
> Hi Johannes,
>
> Thanks.
>
> So do I need to configure all of those in the authorizers.xml or just the ones that relate to LDAP? I'm only going to be authorizing via LDAP and don't really understand the need for the file-user-group-provider?
>
> Apologies if this is a stupid question but we are new to Nifi.
>
> Are there any worked examples that you know of for these config files?
>
> Thanks
> Dan
>
> -----Original Message-----
> From: Johannes Meixner <jo...@meixner.ch>>
> Sent: 24 September 2020 12:35
> To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
> Subject: Re: SSL/LDAP Configuration
>
>
> Hi Daniel
>
> Your NiFi setup is choking because in line 278 of authorizers.xml you define a file-user-group-provider but never create it (lines 47-54 are commented out).
>
> What you might want to do is look into the CompositeConfigurableUserGroupProvider class with subs file-user-group-provider and ldap-user-group-provider.
>
> So you get something like this:
>
> StandardManagedAuthorizer --> FileAccessPolicyProvider --> CompositeConfigurableUserGroupProvider --> file-user-group-provider / ldap-user-group-provider (all in authorizers.xml).
>
> Hope that helps
>
>
> --
> Johannes Meixner
>
> web: https://www.meixner.ch/
>
> Meixner GmbH
> Switzerland
> On 2020-09-24 13:16, White, Daniel wrote:
>> Welcome anyone else’s view on this or experience/examples used in the setup.
>>
>>
>>
>> *From:* White, Daniel <Da...@lgim.com>
>> *Sent:* 24 September 2020 10:15
>> *To:* users@nifi.apache.org
>> *Subject:* RE: SSL/LDAP Configuration
>>
>>
>>
>> Hi Andy,
>>
>>
>>
>> Still getting issues trying to make LDAP integration work – Is there
>> a reference document which shows worked examples of the configurations?
>>
>>
>>
>> I’ve attached my latest .xml files – Any help is gratefully received.
>>
>>
>>
>> I’m currently getting the following error on startup :
>>
>>
>>
>>
>>
>> Thanks
>>
>> Dan
>>
>>
>>
>> *From:* Andy LoPresto <alopresto.apache@gmail.com>
>> *Sent:* 23 August 2020 01:06
>> *To:* users@nifi.apache.org
>> *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>
>>
>> Ok to diagnose, look at the users.xml to see if there is a user
>> matching that DN, and if so, it should have a UUID. Then in the
>> authorizations.xml there should be policies defined in a hierarchical
>> manner associating those users with a right on a specific resource
>> (component/processor). If so, you can copy/paste as many as you want
>> to define them.
>>
>>
>>
>> Again, this is not the ideal situation; most of this should be
>> possible through the UI but I’m not sitting there to diagnose the issue.
>>
>> Andy LoPresto
>>
>> alopresto@apache.org
>> alopresto.apache@gmail.com
>>
>> He/Him
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>     On Aug 22, 2020, at 16:56, White, Daniel <Daniel.White@lgim.com> wrote:
>>
>>     
>>
>>     Hi Andy,
>>
>>
>>
>>     I tried removing users.xml and authorizations.xml but I’m still
>>     getting the same error.
>>
>>
>>
>>     Suspect it’s something to do with authorizers.xml, but I can’t see
>>     any issues with it.
>>
>>
>>
>>     I see this in the nifi-user.log :
>>
>>
>>
>>     <image001.png>
>>
>>     Thanks
>>
>>     Dan
>>
>>
>>
>>     *From:* Andy LoPresto <alopresto.apache@gmail.com>
>>     *Sent:* 23 August 2020 00:12
>>     *To:* users@nifi.apache.org
>>     *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>
>>
>>     Daniel,
>>
>>
>>
>>     A couple options:
>>
>>
>>
>>     The “easy way” is to shut down NiFi, delete “users.xml” and
>>     “authorizations.xml” in the “conf/“ directory, and then restart
>>     NiFi. Whatever user was specified as the IAI should have enough
>>     permissions to get started now.
>>
>>
>>
>>     Once you can access the main canvas, you’ll want to go into the
>>     global policies dialog (global menu top right > policies) and give
>>     yourself the specific view & modify permissions on the root process
>>     group. I understand this manual effort is less than ideal, but the
>>     stages in which things are defined has mandated this for now.
>>
>>
>>
>>     I think the User Guide does a good job of explaining the theory here
>>     as well as specific component steps (but doesn’t go soup to nuts on
>>     the process), so I’d recommend that as well as the “end” (the last
>>     3-4 steps) of the Walkthrough guide section on securing NiFi.
>>
>>
>>
>>     I’m on my phone so I don’t have all my usual resources available,
>>     but hopefully this guides you in the right direction. If not, please
>>     let me know and tomorrow I can provide more specific instructions.
>>
>>
>>
>>
>>
>>     Andy LoPresto
>>
>>     alopresto@apache.org
>>     alopresto.apache@gmail.com
>>
>>     He/Him
>>     PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>         On Aug 22, 2020, at 16:05, White, Daniel <Daniel.White@lgim.com> wrote:
>>
>>         
>>
>>         Hi Andy,
>>
>>
>>
>>         I’ve now managed to login to Nifi using my AD account but am
>>         getting the following error :
>>
>>
>>
>>         Insufficient Permissions – No applicable policies could be found.
>>
>>
>>
>>         <image001.png>
>>
>>
>>
>>         Any pointers would be gratefully received.
>>
>>
>>
>>         Thanks
>>
>>         Dan
>>
>>
>>
>>         *From:* Andy LoPresto <alopresto@apache.org>
>>         *Sent:* 03 August 2020 03:07
>>         *To:* users@nifi.apache.org
>>         *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>
>>
>>         Also, your authorizers.xml is not correct — you haven’t
>>         configured (or even uncommented) the LDAP user group provider,
>>         so the specified user group provider is the file users.xml, and
>>         you haven’t configured any initial admins, so no users will be
>>         allowed to log in. Did you follow the steps in the NiFi Admin
>>         Guide [3][4] for configuring this? Authentication and
>>         authorization are decoupled in NiFi, and while you can use LDAP
>>         for both, you’ll have to configure it for each.
>>
>>
>>
>>         Also, your login-identity-providers.xml uses START_TLS as the
>>         authentication strategy but does not specify any properties for
>>         the keystore or truststore, which will be required.
>>
>>
>>
>>         [3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
>>
>>         [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
>>
>>
>>
>>
>>
>>
>>
>>         Andy LoPresto
>>         alopresto@apache.org
>>         alopresto.apache@gmail.com
>>         He/Him
>>
>>         PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>
>>             On Aug 2, 2020, at 7:02 PM, Andy LoPresto
>>             <al...@apache.org> wrote:
>>
>>
>>
>>             Hi Daniel,
>>
>>
>>
>>             Did you verify that the provided credentials are correct?
>>             There will be two sets — the “manager” DN and password which
>>             are provided as configuration values in the authorizers.xml
>>             file, and the individual user credentials provided on each
>>             login attempt. The manager credentials allow NiFi to make an
>>             authenticated request to the LDAP service, and the request
>>             itself contains the user’s credentials.
>>
>>
>>
>>             You can verify these credentials by using the ldapsearch
>>             [1][2] tool from one of the machines where NiFi is
>>             installed. This allows you to verify TLS, ports, network
>>             reachability, and the correctness of the credentials
>>             themselves.
>>
>>
>>
>>             Something like:
>>
>>
>>
>>             $ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D "cn=admin,dc=<your_org>,dc=com" -W
>>
>>
>>
>>             That will conduct a general search using the account
>>             provided by -D, and prompt for the password with -W. You can
>>             also switch out the account in -D for the specific user
>>             you’re trying to log in as to verify those credentials.
>>
>>
>>
>>             [1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
>>
>>             [2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
>>
>>
>>
>>             Andy LoPresto
>>             alopresto@apache.org
>>             alopresto.apache@gmail.com
>>             He/Him
>>
>>             PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>
>>                 On Aug 2, 2020, at 1:11 PM, White, Daniel
>>                 <Da...@lgim.com>
>>                 wrote:
>>
>>
>>
>>                 Confidential
>>
>>
>>
>>                 Hi All,
>>
>>
>>
>>                 Looking for some assistance with setting up SSL/LDAP to
>>                 enable user admin within Nifi.
>>
>>
>>
>>                 I’ve setup and configured my non-prod environment but am
>>                 having issue login in :
>>
>>
>>
>>                 Unable to validate the supplied credentials. Please
>>                 contact the system administrator
>>
>>
>>
>>                 I’ve followed the config guide and am stuck as to what
>>                 the issue could be.
>>
>>
>>
>>                 The steps I followed :
>>
>>
>>
>>                  1. Generate keys etc using tls-toolkit.sh
>>                  2. Updated nifi.properties to set
>>                     nifi.security.user.login.identity.provider=ldap-provider
>>                  3. Modified login-identity-providers.xml (copy attached)
>>                  4. Modified authorizers.xml (copy attached)
>>
>>
>>
>>                 Nifi starts and I can get to the login page, just unable
>>                 to login (with error shown above).
>>
>>
>>
>>                 Any help will be very grateful.
>>
>>
>>
>>                 Thanks
>>
>>
>>
>>                 *Dan White*
>>                 *Lead Technical Architect*
>>                 Legal & General Investment Management
>>                 One Coleman Street, London, EC2R 5AA
>>                 Tel: +44 203 124 4048
>>
>>                 Mob: +44 7980 027 656
>>
>>
>>                 http://www.lgim.com/
>>
>>
>>
>>                 This e-mail (and any attachments) may contain privileged
>>                 and/or confidential information. If you are not the
>>                 intended recipient please do not disclose, copy,
>>                 distribute, disseminate or take any action in reliance
>>                 on it. If you have received this message in error please
>>                 reply and tell us and then delete it. Should you wish to
>>                 communicate with us by e-mail we cannot guarantee the
>>                 security of any data outside our own computer systems.
>>
>>                 Any information contained in this message may be subject
>>                 to applicable terms and conditions and must not be
>>                 construed as giving investment advice within or outside
>>                 the United Kingdom or Republic of Ireland.
>>
>>                 Telephone Conversations may be recorded for your
>>                 protection and to ensure quality of service
>>
>>                 Legal & General Investment Management Limited (no
>>                 2091894), LGIM Real Assets (Operator) Limited (no
>>                 05522016), LGIM (International) Limited (no 7716001)
>>                 Legal & General Unit Trust Managers (no 1009418), GO ETF
>>                 Solutions LLP (OC329482) and LGIM Corporate Director
>>                 Limited (no 7105051) are authorised and regulated by the
>>                 Financial Conduct Authority. All are registered in
>>                 England & Wales with a registered office at One Coleman
>>                 Street, London, EC2R 5AA
>>
>>                 Legal & General Assurance (Pensions Management) Limited
>>                 (no 1006112) is authorised by the Prudential Regulation
>>                 Authority and regulated by the Financial Conduct
>>                 Authority and the Prudential Regulation Authority. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 Legal & General Property Limited (no 2091897) is
>>                 authorised and regulated by the Financial Conduct
>>                 Authority for insurance mediation activities. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 LGIM Managers (Europe) Limited is authorised and
>>                 regulated by the Central Bank of Ireland (C173733). It
>>                 is registered in the Republic of Ireland (no 609677)
>>                 with a registered office at 33/34 Sir John Rogerson's
>>                 Quay, Dublin 2, D02 XK09.
>>
>>                 Legal & General Group PLC, Registered Office One Coleman
>>                 Street, London, EC2R 5AA.
>>
>>                 Registered in England no: 1417162
>>                 ________________________________________________________________________
>>                 **** This email has come from the internet and has been
>>                 scanned for all viruses and potentially offensive
>>                 content by Messagelabs on behalf of Legal & General ****
>>                 <authorizers.xml><login-identity-providers.xml>
>>
>>
________________________________________________________________________
**** This email has come from the internet and has been scanned for all viruses and potentially offensive content by Messagelabs on behalf of Legal & General ****

Re: SSL/LDAP Configuration

Posted by Bryan Bende <bb...@gmail.com>.
Hello,

The highlighted identity from the logs is not the same string as the one in your
config files; the ordering of the DN parts is different. The config files
have to match the exact identity string.

Thanks,

Bryan

On Thu, Sep 23, 2021 at 8:09 PM Jean-Sebastien Vachon <
jsvachon@brizodata.com> wrote:

> Hi,
>
> I'm having the exact same issue. I tried following this as a guide:
>
> https://www.youtube.com/watch?v=LanpbWR7Gv8
>
> My log says:
>
> ==> logs/nifi-user.log <==
> 2021-09-23 19:53:25,835 INFO [main] o.a.n.a.FileUserGroupProvider Creating
> new users file at /home/jsvachon/nifi/nifi-1.14.0/./conf/users.xml
> 2021-09-23 19:53:25,862 INFO [main] o.a.n.a.FileUserGroupProvider
> Users/Groups file loaded at Thu Sep 23 19:53:25 EDT 2021
> 2021-09-23 19:53:25,930 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Authorizations file loaded at Thu Sep 23 19:53:25 EDT 2021
> 2021-09-23 19:53:37,753 INFO [NiFi Web Server-18]
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=admin,
> OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA) GET
> https://localhost:8443/nifi-api/flow/current-user (source ip: 127.0.0.1)
> 2021-09-23 19:53:37,759 INFO [NiFi Web Server-18]
> o.a.n.w.s.NiFiAuthenticationFilter *Authentication success for* CN=admin,
> OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA
> 2021-09-23 19:53:37,879 INFO [NiFi Web Server-18]
> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=admin, OU=admin,
> O=BrizoData, L=Quebec, ST=Quebec, C=CA], groups[]* does not have
> permission to access the requested resource. Unknown user with identity* 'CN=admin,
> OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA'. Returning Forbidden
> response.
>
> I've looked at my authorizers.xml and could not spot anything wrong...
> Also, the id of the user referenced by authorizations.xml matches the one
> in users.xml, and the identity seems to be consistent across all files...
>
> conf/authorizers.xml:        <property name="Initial User Identity
> 1">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
> conf/authorizers.xml:        <property name="Initial Admin
> Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec,
> ST=Quebec</property>
> conf/authorizers.xml:        <property name="Initial Admin
> Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec,
> ST=Quebec</property>
> conf/users.xml:        <user
> identifier="424775ca-62d5-3873-aa21-b58cfeb6d137" identity="CN=admin,
> O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec"/>
>
> What am I missing?
>
> Thanks
>
>
> *Jean-Sébastien Vachon *
> Co-Founder & Architect
>
> *Brizo Data, Inc. www.brizodata.com*
> ------------------------------
> *From:* White, Daniel <Da...@lgim.com>
> *Sent:* Friday, September 25, 2020 5:35 AM
> *To:* users@nifi.apache.org <us...@nifi.apache.org>
> *Subject:* RE: SSL/LDAP Configuration
>
> Hi,
>
> I’m still hitting this error on login :
>
> Unknown user with identity 'cn=DW99908,ou=All
> Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Contact the system
> administrator.
>
> Any other ideas?
>
> Thanks
>
> Dan
>
> *From:* Luther Blisset <el...@outlook.com>
> *Sent:* 25 September 2020 01:14
> *To:* users@nifi.apache.org
> *Subject:* RV: SSL/LDAP Configuration
>
> Hello Daniel
>
> You must match your login id with the one mapped on the attribute set up
> on LdapUserGroupProvider as *User Identity Attribute*; here is an example of
> it:
>
> <userGroupProvider>
>     <identifier>ldap-user-group-provider</identifier>
>     ...
>     <property name="User Search Base">OU=unit,DC=company,DC=com</property>
>     <property name="User Object Class">user</property>
>     <property name="User Search Scope">ONE_LEVEL</property>
>     <property name="User Search Filter">(memberOf=CN=Some Group,OU=unit,DC=company,DC=com)</property>
>     <property name="User Identity Attribute">userPrincipalName</property>
>     ...
> </userGroupProvider>
>
> The message "Insufficient Permissions" is because that user doesn't have
> permissions even to the ui,  there is a good article about
> UserGroupProviders by Pierre:
> https://pierrevillard.com/2017/12/22/authorizations-with-ldap-synchronization-in-apache-nifi-1-4/
>
> If you are able to log in using LDAP, you will be able to set up the provider
> with almost the same conf.
>
> Are you using Docker? If yes, the entry point script has some workarounds.
>
>
>
> Regards
> ------------------------------
>
> *From:* White, Daniel <Da...@lgim.com>
> *Sent:* Thursday, 24 September 2020 08:45 p.m.
> *To:* Johannes Meixner <jo...@meixner.ch>; users@nifi.apache.org <
> users@nifi.apache.org>
> *Subject:* RE: SSL/LDAP Configuration
>
>
>
> Hi Johannes,
>
> I'm making progress - I'm able to login to the GUI, but I'm getting the
> following message :
>
> Insufficient Permissions
>
> Unknown user with identity 'cn=DW99908,ou=All
> Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Contact the system
> administrator.
>
> I can see the following in the nifi-users.log file :
>
> 2020-09-25 00:39:45,689 INFO [NiFi Web Server-19]
> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
> cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM
> 2020-09-25 00:39:45,755 INFO [NiFi Web Server-19]
> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=DW99908,ou=All
> Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM], groups[] does not have
> permission to access the requested resource. Unknown user with identity
> 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'.
> Returning Forbidden response.
>
> LDAP connection looks good as I can authenticate but authorization looks
> wrong somewhere.
>
> Any ideas would be welcome.
>
> Thanks
> Dan
>
> -----Original Message-----
> From: Johannes Meixner <jo...@meixner.ch>
> Sent: 24 September 2020 13:53
> To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
> Subject: Re: SSL/LDAP Configuration
>
> Hi Daniel,
>
> You define all those in authorizers.xml and use the
> file-user-group-provider to allow access to non-LDAP resources -- Initial
> admin users (FileAccessPolicyProvider, in case LDAP goes down) and NiFi
> hosts (FileUserGroupProvider).
>
> You should find Cloudera docs by just typing in all the class names into
> Google.
>
>
> --
> Johannes Meixner
>
> web: https://www.meixner.ch/
>
> Meixner GmbH
> Switzerland
>
>
> On 2020-09-24 14:39, White, Daniel wrote:
> > Hi Johannes,
> >
> > Thanks.
> >
> > So do I need to configure all of those in the authorizers.xml or just
> the ones that relate to LDAP? I'm only going to be authorizing via LDAP and
> don't really understand the need for the file-user-group-provider?
> >
> > Apologies if this is a stupid question but we are new to Nifi.
> >
> > Are there any worked examples that you know of for these config files?
> >
> > Thanks
> > Dan
> >
> > -----Original Message-----
> > From: Johannes Meixner <jo...@meixner.ch>
> > Sent: 24 September 2020 12:35
> > To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
> > Subject: Re: SSL/LDAP Configuration
> >
> > Hi Daniel
> >
> > Your NiFi setup is choking because in line 278 of authorizers.xml you
> define a file-user-group-provider but never create it (lines 47-54 are
> commented out).
> >
> > What you might want to do is look into the
> CompositeConfigurableUserGroupProvider class with subs
> file-user-group-provider and ldap-user-group-provider.
> >
> > So you get something like this:
> >
> > StandardManagedAuthorizer --> FileAccessPolicyProvider -->
> CompositeConfigurableUserGroupProvider --> file-user-group-provider /
> ldap-user-group-provider (all in authorizers.xml).
> >
> > Hope that helps
> >
> >
> > --
> > Johannes Meixner
> >
> > web: https://www.meixner.ch/
> >
> > Meixner GmbH
> > Switzerland
> > On 2020-09-24 13:16, White, Daniel wrote:
> >> Welcome anyone else’s view on this or experience/examples used in the
> setup.
> >>
> >> *From:* White, Daniel <Da...@lgim.com>
> >> *Sent:* 24 September 2020 10:15
> >> *To:* users@nifi.apache.org
> >> *Subject:* RE: SSL/LDAP Configuration
> >>
> >> Hi Andy,
> >>
> >> Still getting issues trying to make LDAP integration work – Is there
> >> a reference document which shows worked examples of the configurations?
> >>
> >> I’ve attached my latest .xml files – Any help is gratefully received.
> >>
> >> I’m currently getting the following error on startup :
> >>
> >> Thanks
> >> Dan
> >>
> >> *From:* Andy LoPresto <alopresto.apache@gmail.com>
> >> *Sent:* 23 August 2020 01:06
> >> *To:* users@nifi.apache.org
> >> *Subject:* Re: SSL/LDAP Configuration
> >>
> >> Ok to diagnose, look at the users.xml to see if there is a user
> >> matching that DN, and if so, it should have a UUID. Then in the
> >> authorizations.xml there should be policies defined in a hierarchical
> >> manner associating those users with a right on a specific resource
> >> (component/processor). If so, you can copy/paste as many as you want
> >> to define them.
> >>
> >> Again, this is not the ideal situation; most of this should be
> >> possible through the UI but I’m not sitting there to diagnose the issue.
> >>
> >> Andy LoPresto
> >> alopresto@apache.org
> >> alopresto.apache@gmail.com
> >> He/Him
> >> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> >>
> >>     On Aug 22, 2020, at 16:56, White, Daniel <Daniel.White@lgim.com> wrote:
> >>
> >>     Hi Andy,
> >>
> >>     I tried removing users.xml and authorizations.xml but I’m still
> >>     getting the same error.
> >>
> >>     Suspect it’s something to do with authorizers.xml, but I can’t see
> >>     any issues with it.
> >>
> >>     I see this in the nifi-user.log :
> >>
> >>     <image001.png>
> >>
> >>     Thanks
> >>     Dan
> >>
> >>     *From:* Andy LoPresto <alopresto.apache@gmail.com>
> >>     *Sent:* 23 August 2020 00:12
> >>     *To:* users@nifi.apache.org
> >>     *Subject:* Re: SSL/LDAP Configuration
> >>
> >>     Daniel,
> >>
> >>     A couple options:
> >>
> >>     The “easy way” is to shut down NiFi, delete “users.xml” and
> >>     “authorizations.xml” in the “conf/” directory, and then restart
> >>     NiFi. Whatever user was specified as the IAI should have enough
> >>     permissions to get started now.
> >>
> >>     Once you can access the main canvas, you’ll want to go into the
> >>     global policies dialog (global menu top right > policies) and give
> >>     yourself the specific view & modify permissions on the root process
> >>     group. I understand this manual effort is less than ideal, but the
> >>     stages in which things are defined have mandated this for now.
> >>
> >>     I think the User Guide does a good job of explaining the theory here
> >>     as well as specific component steps (but doesn’t go soup to nuts on
> >>     the process), so I’d recommend that as well as the “end” (the last
> >>     3-4 steps) of the Walkthrough guide section on securing NiFi.
> >>
> >>     I’m on my phone so I don’t have all my usual resources available,
> >>     but hopefully this guides you in the right direction. If not, please
> >>     let me know and tomorrow I can provide more specific instructions.
> >>
> >>     Andy LoPresto
> >>     alopresto@apache.org
> >>     alopresto.apache@gmail.com
> >>     He/Him
> >>     PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> >>
> >>         On Aug 22, 2020, at 16:05, White, Daniel <Daniel.White@lgim.com> wrote:
> >>
> >>         Hi Andy,
> >>
> >>         I’ve now managed to login to Nifi using my AD account but am
> >>         getting the following error :
> >>
> >>         Insufficient Permissions – No applicable policies could be
> >>         found.
> >>
> >>         <image001.png>
> >>
> >>         Any pointers would be gratefully received.
> >>
> >>         Thanks
> >>         Dan
> >>
> >>         *From:* Andy LoPresto <alopresto@apache.org>
> >>         *Sent:* 03 August 2020 03:07
> >>         *To:* users@nifi.apache.org
> >>         *Subject:* Re: SSL/LDAP Configuration
> >>
> >>         Also, your authorizers.xml is not correct — you haven’t
> >>         configured (or even uncommented) the LDAP user group provider,
> >>         so the specified user group provider is the file users.xml, and
> >>         you haven’t configured any initial admins, so no users will be
> >>         allowed to log in. Did you follow the steps in the NiFi Admin
> >>         Guide [3][4] for configuring this? Authentication and
> >>         authorization are decoupled in NiFi, and while you can use LDAP
> >>         for both, you’ll have to configure it for each.
> >>
> >>         Also, your login-identity-providers.xml uses START_TLS as the
> >>         authentication strategy but does not specify any properties for
> >>         the keystore or truststore, which will be required.
> >>
> >>         [3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
> >>         [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
> >>
> >>         Andy LoPresto
> >>         alopresto@apache.org
> >>         /alopresto.apache@gmail.com/
> >>         He/Him
> >>         PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> >>
> >>             On Aug 2, 2020, at 7:02 PM, Andy LoPresto
> >>             <alopresto@apache.org> wrote:
> >>
> >>             Hi Daniel,
> >>
> >>             Did you verify that the provided credentials are correct?
> >>             There will be two sets — the “manager” DN and password which
> >>             are provided as configuration values in the authorizers.xml
> >>             file, and the individual user credentials provided on each
> >>             login attempt. The manager credentials allow NiFi to make an
> >>             authenticated request to the LDAP service, and the request
> >>             itself contains the user’s credentials.
> >>
> >>             You can verify these credentials by using the ldapsearch
> >>             [1][2] tool from one of the machines where NiFi is
> >>             installed. This allows you to verify TLS, ports, network
> >>             reachability, and the correctness of the credentials
> >>             themselves.
> >>
> >>             Something like:
> >>
> >>             $ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D "cn=admin,dc=<your_org>,dc=com" -W
> >>
> >>             That will conduct a general search using the account
> >>             provided by -D, and prompt for the password with -W. You can
> >>             also switch out the account in -D for the specific user
> >>             you’re trying to log in as to verify those credentials.
> >>
> >>             [1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
> >>             [2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
> >>
> >>             Andy LoPresto
> >>             alopresto@apache.org
> >>             /alopresto.apache@gmail.com/
> >>             He/Him
> >>             PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> >>
> >>                 On Aug 2, 2020, at 1:11 PM, White, Daniel
> >>                 <Daniel.White@lgim.com> wrote:
> >>
> >>                 Hi All,
> >>
> >>                 Looking for some assistance with setting up SSL/LDAP to
> >>                 enable user admin within Nifi.
> >>
> >>                 I’ve set up and configured my non-prod environment but am
> >>                 having issues logging in :
> >>
> >>                 Unable to validate the supplied credentials. Please
> >>                 contact the system administrator
> >>
> >>                 I’ve followed the config guide and am stuck as to what
> >>                 the issue could be.
> >>
> >>                 The steps I followed :
> >>
> >>                  1. Generate keys etc using tls-toolkit.sh
> >>                  2. Updated nifi.properties to set
> >>                     nifi.security.user.login.identity.provider=ldap-provider
> >>                  3. Modified login-identity-providers.xml (copy attached)
> >>                  4. Modified authorizers.xml (copy attached)
> >>
> >>                 Nifi starts and I can get to the login page, just unable
> >>                 to login (with error shown above).
> >>
> >>                 Any help would be gratefully received.
> >>
> >>                 Thanks
> >>
> >>                 *Dan White *
> >>                 *Lead Technical Architect*
> >>                 Legal & General Investment Management
> >>                 One Coleman Street, London, EC2R 5AA
> >>                 Tel: +44 203 124 4048
> >>                 Mob: +44 7980 027 656
> >>                 http://www.lgim.com/
> >>
> >>                 <authorizers.xml><login-identity-providers.xml>

Re: SSL/LDAP Configuration

Posted by Jean-Sebastien Vachon <js...@brizodata.com>.
Hi,

I'm having the exact same issue. I tried following this as a guide:

https://www.youtube.com/watch?v=LanpbWR7Gv8

My log says:

==> logs/nifi-user.log <==
2021-09-23 19:53:25,835 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /home/jsvachon/nifi/nifi-1.14.0/./conf/users.xml
2021-09-23 19:53:25,862 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Thu Sep 23 19:53:25 EDT 2021
2021-09-23 19:53:25,930 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Thu Sep 23 19:53:25 EDT 2021
2021-09-23 19:53:37,753 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA) GET https://localhost:8443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2021-09-23 19:53:37,759 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA
2021-09-23 19:53:37,879 INFO [NiFi Web Server-18] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=admin, OU=admin, O=BrizoData, L=Quebec, ST=Quebec, C=CA'. Returning Forbidden response.

I've looked at my authorizers.xml and could not spot anything wrong...
Also, the id of the user referenced by authorizations.xml matches the one in users.xml,
and the identity seems to be consistent across all files...

conf/authorizers.xml:        <property name="Initial User Identity 1">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/authorizers.xml:        <property name="Initial Admin Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/authorizers.xml:        <property name="Initial Admin Identity">CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec</property>
conf/users.xml:        <user identifier="424775ca-62d5-3873-aa21-b58cfeb6d137" identity="CN=admin, O=BrizoData, OU=admin, C=CA, L=Quebec, ST=Quebec"/>

What am I missing?

Thanks

Jean-Sébastien Vachon
Co-Founder & Architect
Brizo Data, Inc.
www.brizodata.com
________________________________
From: White, Daniel <Da...@lgim.com>
Sent: Friday, September 25, 2020 5:35 AM
To: users@nifi.apache.org <us...@nifi.apache.org>
Subject: RE: SSL/LDAP Configuration


Hi,



I’m still hitting this error on login :



Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Contact the system administrator.


Any other ideas?



Thanks

Dan



From: Luther Blisset <el...@outlook.com>
Sent: 25 September 2020 01:14
To: users@nifi.apache.org
Subject: RV: SSL/LDAP Configuration



CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.



Hello Daniel

You must match your login id with the one mapped to the attribute set up on LdapUserGroupProvider as User Identity Attribute; here is an example of it:



<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    ...
    <property name="User Search Base">OU=unit,DC=company,DC=com</property>
    <property name="User Object Class">user</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter">(memberOf=CN=Some Group,OU=unit,DC=company,DC=com)</property>
    <property name="User Identity Attribute">userPrincipalName</property>
    ...





The message "Insufficient Permissions" is because that user doesn't have permissions even for the UI; there is a good article about UserGroupProviders by Pierre: https://pierrevillard.com/2017/12/22/authorizations-with-ldap-synchronization-in-apache-nifi-1-4/



If you are able to log in using LDAP, you will be able to set up the provider with almost the same conf.

Are you using docker? if yes, the entry point script has some workarounds



Regards

________________________________

From: White, Daniel <Da...@lgim.com>
Sent: Thursday, 24 September 2020 08:45 PM
To: Johannes Meixner <jo...@meixner.ch>; users@nifi.apache.org
Subject: RE: SSL/LDAP Configuration



Hi Johannes,

I'm making progress - I'm able to login to the GUI, but I'm getting the following message :

Insufficient Permissions

Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Contact the system administrator.

I can see the following in the nifi-users.log file :

2020-09-25 00:39:45,689 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM
2020-09-25 00:39:45,755 INFO [NiFi Web Server-19] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Returning Forbidden response.

LDAP connection looks good as I can authenticate but authorization looks wrong somewhere.

Any ideas would be welcome.

Thanks
Dan

-----Original Message-----
From: Johannes Meixner <jo...@meixner.ch>
Sent: 24 September 2020 13:53
To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
Subject: Re: SSL/LDAP Configuration

CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.


Hi Daniel,

You define all those in authorizers.xml and use the file-user-group-provider to allow access to non-LDAP resources -- Initial admin users (FileAccessPolicyProvider, in case LDAP goes down) and NiFi hosts (FileUserGroupProvider).

You should find Cloudera docs by just typing in all the class names into Google.


--
Johannes Meixner

web: https://www.meixner.ch/

Meixner GmbH
Switzerland


On 2020-09-24 14:39, White, Daniel wrote:
> Hi Johannes,
>
> Thanks.
>
> So do I need to configure all of those in the authorizers.xml or just the ones that relate to LDAP? I'm only going to be authorizing via LDAP and don't really understand the need for the file-user-group-provider?
>
> Apologies if this is a stupid question but we are new to Nifi.
>
> Are there any worked examples that you know of for these config files?
>
> Thanks
> Dan
>
> -----Original Message-----
> From: Johannes Meixner <jo...@meixner.ch>
> Sent: 24 September 2020 12:35
> To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
> Subject: Re: SSL/LDAP Configuration
>
> CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.
>
>
> Hi Daniel
>
> Your NiFi setup is choking because in line 278 of authorizers.xml you define a file-user-group-provider but never create it (lines 47-54 are commented out).
>
> What you might want to do is look into the CompositeConfigurableUserGroupProvider class with subs file-user-group-provider and ldap-user-group-provider.
>
> So you get something like this:
>
> StandardManagedAuthorizer --> FileAccessPolicyProvider --> CompositeConfigurableUserGroupProvider --> file-user-group-provider / ldap-user-group-provider (all in authorizers.xml).
>
> Hope that helps
>
>
> --
> Johannes Meixner
>
> web: https://www.meixner.ch/
>
> Meixner GmbH
> Switzerland
> On 2020-09-24 13:16, White, Daniel wrote:
>> Welcome anyone else’s view on this or experience/examples used in the setup.
>>
>>
>>
>> *From:* White, Daniel <Da...@lgim.com>
>> *Sent:* 24 September 2020 10:15
>> *To:* users@nifi.apache.org
>> *Subject:* RE: SSL/LDAP Configuration
>>
>>
>>
>> Hi Andy,
>>
>>
>>
>> Still getting issues trying to make LDAP integration work – Is there
>> a reference document which shows worked examples of the configurations?
>>
>>
>>
>> I’ve attached my latest .xml files – Any help is gratefully received.
>>
>>
>>
>> I’m currently getting the following error on startup :
>>
>>
>>
>>
>>
>> Thanks
>>
>> Dan
>>
>>
>>
>> *From:* Andy LoPresto <alopresto.apache@gmail.com>
>> *Sent:* 23 August 2020 01:06
>> *To:* users@nifi.apache.org
>> *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>> CAUTION:This email originated from outside of the organisation. Do
>> not click links or open attachments unless you recognise the sender
>> and know the content is safe.
>>
>>
>>
>> Ok to diagnose, look at the users.xml to see if there is a user
>> matching that DN, and if so, it should have a UUID. Then in the
>> authorizations.xml there should be policies defined in a hierarchical
>> manner associating those users with a right on a specific resource
>> (component/processor). If so, you can copy/paste as many as you want
>> to define them.
>>
>>
>>
>> Again, this is not the ideal situation; most of this should be
>> possible through the UI but I’m not sitting there to diagnose the issue.
>>
>> Andy LoPresto
>>
>> alopresto@apache.org
>> alopresto.apache@gmail.com
>>
>> He/Him
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>     On Aug 22, 2020, at 16:56, White, Daniel <Daniel.White@lgim.com> wrote:
>>
>>     
>>
>>     Hi Andy,
>>
>>
>>
>>     I tried removing users.xml and authorizations.xml but I’m still
>>     getting the same error.
>>
>>
>>
>>     Suspect it’s something to do with authorizers.xml, but I can’t see
>>     any issues with it.
>>
>>
>>
>>     I see this in the nifi-user.log :
>>
>>
>>
>>     <image001.png>
>>
>>     Thanks
>>
>>     Dan
>>
>>
>>
>>     *From:* Andy LoPresto <alopresto.apache@gmail.com>
>>     *Sent:* 23 August 2020 00:12
>>     *To:* users@nifi.apache.org
>>     *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>     CAUTION:This email originated from outside of the organisation. Do
>>     not click links or open attachments unless you recognise the sender
>>     and know the content is safe.
>>
>>
>>
>>     Daniel,
>>
>>
>>
>>     A couple options:
>>
>>
>>
>>     The “easy way” is to shut down NiFi, delete “users.xml” and
>>     “authorizations.xml” in the “conf/“ directory, and then restart
>>     NiFi. Whatever user was specified as the IAI should have enough
>>     permissions to get started now.
>>
>>
>>
>>     Once you can access the main canvas, you’ll want to go into the
>>     global policies dialog (global menu top right > policies) and give
>>     yourself the specific view & modify permissions on the root process
>>     group. I understand this manual effort is less than ideal, but the
>>     stages in which things are defined has mandated this for now.
>>
>>
>>
>>     I think the User Guide does a good job of explaining the theory here
>>     as well as specific component steps (but doesn’t go soup to nuts on
>>     the process), so I’d recommend that as well as the “end” (the last
>>     3-4 steps) of the Walkthrough guide section on securing NiFi.
>>
>>
>>
>>     I’m on my phone so I don’t have all my usual resources available,
>>     but hopefully this guides you in the right direction. If not, please
>>     let me know and tomorrow I can provide more specific instructions.
>>
>>
>>
>>
>>
>>     Andy LoPresto
>>
>>     alopresto@apache.org
>>     alopresto.apache@gmail.com
>>
>>     He/Him
>>     PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D
>> EF69
>>
>>
>>
>>         On Aug 22, 2020, at 16:05, White, Daniel <Daniel.White@lgim.com> wrote:
>>
>>         
>>
>>         Hi Andy,
>>
>>
>>
>>         I’ve now managed to login to Nifi using my AD account but am
>>         getting the following error :
>>
>>
>>
>>         Insufficient Permissions – No applicable policies could be found.
>>
>>
>>
>>         <image001.png>
>>
>>
>>
>>         Any pointers would be gratefully received.
>>
>>
>>
>>         Thanks
>>
>>         Dan
>>
>>
>>
>>         *From:* Andy LoPresto <alopresto@apache.org>
>>         *Sent:* 03 August 2020 03:07
>>         *To:* users@nifi.apache.org
>>         *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>         CAUTION:This email originated from outside of the organisation.
>>         Do not click links or open attachments unless you recognise the
>>         sender and know the content is safe.
>>
>>
>>
>>         Also, your authorizers.xml is not correct — you haven’t
>>         configured (or even uncommented) the LDAP user group provider,
>>         so the specified user group provider is the file users.xml, and
>>         you haven’t configured any initial admins, so no users will be
>>         allowed to log in. Did you follow the steps in the NiFi Admin
>>         Guide [3][4] for configuring this? Authentication and
>>         authorization are decoupled in NiFi, and while you can use LDAP
>>         for both, you’ll have to configure it for each.
>>
>>
>>
>>         Also, your login-identity-providers.xml uses START_TLS as the
>>         authentication strategy but does not specify any properties for
>>         the keystore or truststore, which will be required.
>>
>>
>>
>>         [3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
>>
>>         [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
>>
>>
>>
>>
>>
>>
>>
>>         Andy LoPresto
>>         alopresto@apache.org
>>         alopresto.apache@gmail.com
>>         He/Him
>>
>>         PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B
>> 2F7D
>> EF69
>>
>>
>>
>>
>>             On Aug 2, 2020, at 7:02 PM, Andy LoPresto
>>             <alopresto@apache.org <ma...@apache.org>> wrote:
>>
>>
>>
>>             Hi Daniel,
>>
>>
>>
>>             Did you verify that the provided credentials are correct?
>>             There will be two sets — the “manager” DN and password which
>>             are provided as configuration values in the authorizers.xml
>>             file, and the individual user credentials provided on each
>>             login attempt. The manager credentials allow NiFi to make an
>>             authenticated request to the LDAP service, and the request
>>             itself contains the user’s credentials.
>>
>>
>>
>>             You can verify these credentials by using the ldapsearch
>>             [1][2] tool from one of the machines where NiFi is
>>             installed. This allows you to verify TLS, ports, network
>>             reachability, and the correctness of the credentials
>>             themselves.
>>
>>
>>
>>             Something like:
>>
>>
>>
>>             $ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D "cn=admin,dc=<your_org>,dc=com" -W
>>
>>
>>
>>             That will conduct a general search using the account
>>             provided by -D, and prompt for the password with -W. You can
>>             also switch out the account in -D for the specific user
>>             you’re trying to log in as to verify those credentials.
>>
>>
>>
>>             [1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
>>
>>             [2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
>>
>>
>>
>>             Andy LoPresto
>>             alopresto@apache.org<ma...@apache.org> <ma...@apache.org>
>>             /alopresto.apache@gmail.com<ma...@gmail.com> <ma...@gmail.com>/
>>             He/Him
>>
>>             PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>
>>                 On Aug 2, 2020, at 1:11 PM, White, Daniel
>>                 <Daniel.White@lgim.com <ma...@lgim.com>>
>>                 wrote:
>>
>>
>>
>>                 Confidential
>>
>>
>>
>>                 Hi All,
>>
>>
>>
>>                 Looking for some assistance with setting up SSL/LDAP to
>>                 enable user admin within Nifi.
>>
>>
>>
>>                 I’ve set up and configured my non-prod environment but am
>>                 having issues logging in:
>>
>>
>>
>>                 Unable to validate the supplied credentials. Please
>>                 contact the system administrator
>>
>>
>>
>>                 I’ve followed the config guide and am stuck as to what
>>                 the issue could be.
>>
>>
>>
>>                 The steps I followed :
>>
>>
>>
>>                  1. Generate keys etc using tls-toolkit.sh
>>                  2. Updated nifi.properties to set
>>                     nifi.security.user.login.identity.provider=ldap-provider
>>                  3. Modified login-identity-providers.xml (copy attached)
>>                  4. Modified authorizers.xml (copy attached)
>>
>>
>>
>>                 Nifi starts and I can get to the login page, just unable
>>                 to login (with error shown above).
>>
>>
>>
>>                 Any help would be greatly appreciated.
>>
>>
>>
>>                 Thanks
>>
>>
>>
>>                 Dan White
>>                 Lead Technical Architect
>>                 Legal & General Investment Management
>>                 One Coleman Street, London, EC2R 5AA
>>                 Tel: +44 203 124 4048
>>
>>                 Mob: +44 7980 027 656
>>
>>
>>                 http://www.lgim.com/
>>
>>
>>
>>                 This e-mail (and any attachments) may contain privileged
>>                 and/or confidential information. If you are not the
>>                 intended recipient please do not disclose, copy,
>>                 distribute, disseminate or take any action in reliance
>>                 on it. If you have received this message in error please
>>                 reply and tell us and then delete it. Should you wish to
>>                 communicate with us by e-mail we cannot guarantee the
>>                 security of any data outside our own computer systems.
>>
>>                 Any information contained in this message may be subject
>>                 to applicable terms and conditions and must not be
>>                 construed as giving investment advice within or outside
>>                 the United Kingdom or Republic of Ireland.
>>
>>                 Telephone Conversations may be recorded for your
>>                 protection and to ensure quality of service
>>
>>                 Legal & General Investment Management Limited (no
>>                 2091894), LGIM Real Assets (Operator) Limited (no
>>                 05522016), LGIM (International) Limited (no 7716001)
>>                 Legal & General Unit Trust Managers (no 1009418), GO ETF
>>                 Solutions LLP (OC329482) and LGIM Corporate Director
>>                 Limited (no 7105051) are authorised and regulated by the
>>                 Financial Conduct Authority. All are registered in
>>                 England & Wales with a registered office at One Coleman
>>                 Street, London, EC2R 5AA
>>
>>                 Legal & General Assurance (Pensions Management) Limited
>>                 (no 1006112) is authorised by the Prudential Regulation
>>                 Authority and regulated by the Financial Conduct
>>                 Authority and the Prudential Regulation Authority. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 Legal & General Property Limited (no 2091897) is
>>                 authorised and regulated by the Financial Conduct
>>                 Authority for insurance mediation activities. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 LGIM Managers (Europe) Limited is authorised and
>>                 regulated by the Central Bank of Ireland (C173733). It
>>                 is registered in the Republic of Ireland (no 609677)
>>                 with a registered office at 33/34 Sir John Rogerson's
>>                 Quay, Dublin 2, D02 XK09.
>>
>>                 Legal & General Group PLC, Registered Office One Coleman
>>                 Street, London, EC2R 5AA.
>>
>>                 Registered in England no: 1417162
>>                 ________________________________________________________________________
>>                 **** This email has come from the internet and has been
>>                 scanned for all viruses and potentially offensive
>>                 content by Messagelabs on behalf of Legal & General ****
>>                 <authorizers.xml><login-identity-providers.xml>
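
Added example for this thread (not NiFi project code and not from any of the posters): a small Python pre-flight check for the authorizers.xml chain discussed here, StandardManagedAuthorizer -> FileAccessPolicyProvider -> CompositeConfigurableUserGroupProvider -> file-user-group-provider plus ldap-user-group-provider. It embeds a constructed authorizers.xml (DNs, hosts, truststore path and passwords are placeholders; class and property names are the ones NiFi's Administration Guide documents) and checks two things NiFi itself only reports at startup or at first login: every provider identifier named in a property is actually defined, so a commented-out provider block shows up as a dangling reference instead of a failed start, and the Initial Admin Identity will be returned by some user group provider with exactly that string, so the admin does not authenticate and then hit Insufficient Permissions. The property list is trimmed to what the checks read; copy the rest from the shipped conf/authorizers.xml.

```python
# Added example, not NiFi project code: a pre-flight check for conf/authorizers.xml.
# The embedded file is constructed for this example; DNs, hosts, paths, identifiers and
# passwords are placeholders. Class and property names are the ones NiFi documents.
import re
import xml.etree.ElementTree as ET

SAMPLE_AUTHORIZERS_XML = """\
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">cn=nifi-admin,ou=people,dc=example,dc=com</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
    <property name="Manager DN">cn=nifi-svc,ou=service,dc=example,dc=com</property>
    <property name="Manager Password">REPLACE_ME</property>
    <property name="TLS - Truststore">./conf/truststore.jks</property>
    <property name="TLS - Truststore Password">REPLACE_ME</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Protocol">TLSv1.2</property>
    <property name="Url">ldaps://ldap.example.com:636</property>
    <property name="User Search Base">ou=people,dc=example,dc=com</property>
    <!-- blank: synced identities are full DNs, matching a LdapProvider login with Identity Strategy USE_DN -->
    <property name="User Identity Attribute"></property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>composite-configurable-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
    <property name="User Group Provider 1">ldap-user-group-provider</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">composite-configurable-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">cn=nifi-admin,ou=people,dc=example,dc=com</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>
"""

# Properties whose value must be another element's <identifier>; numbered variants
# such as "User Group Provider 1" are matched with the number stripped.
REFERENCE_PROPERTIES = {"Configurable User Group Provider", "User Group Provider",
                        "Access Policy Provider"}
FILE_UGP = "org.apache.nifi.authorization.FileUserGroupProvider"
LDAP_UGP = "org.apache.nifi.ldap.tenants.LdapUserGroupProvider"


def parse_providers(xml_text):
    """Return {identifier: {"class": ..., "props": {name: value}}} for every element."""
    providers = {}
    for elem in ET.fromstring(xml_text):
        props = {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}
        providers[elem.findtext("identifier")] = {
            "class": (elem.findtext("class") or "").strip(), "props": props}
    return providers


def check_authorizers(xml_text):
    """Return a list of problems; an empty list means the wiring is consistent."""
    providers = parse_providers(xml_text)
    problems = []
    # 1. Dangling references: the named provider block is missing or commented out.
    for ident, prov in providers.items():
        for name, value in prov["props"].items():
            if re.sub(r"\s*\d+$", "", name) in REFERENCE_PROPERTIES and value not in providers:
                problems.append(f"{ident}: '{name}' references undefined provider '{value}'")
    # 2. The Initial Admin Identity must be returned by some user group provider with exactly
    #    this string, otherwise the admin authenticates and then gets "Insufficient Permissions".
    file_users = {v for p in providers.values() if p["class"] == FILE_UGP
                  for n, v in p["props"].items() if n.startswith("Initial User Identity")}
    ldap_attrs = [p["props"].get("User Identity Attribute", "")
                  for p in providers.values() if p["class"] == LDAP_UGP]
    for ident, prov in providers.items():
        admin = prov["props"].get("Initial Admin Identity")
        if admin is None or admin in file_users:
            continue
        if not ldap_attrs:
            problems.append(f"{ident}: admin '{admin}' is neither an Initial User Identity "
                            "nor obtainable from an LDAP user group provider")
        elif "=" in admin and any(ldap_attrs):
            # A set attribute makes LDAP report e.g. "jdoe", which never equals a DN.
            problems.append(f"{ident}: admin '{admin}' is a DN but LDAP reports identities "
                            f"by attribute {[a for a in ldap_attrs if a]}")
    return problems


def without_provider(xml_text, identifier):
    """Simulate commenting out one provider block (what leaves a reference dangling)."""
    root = ET.fromstring(xml_text)
    for elem in list(root):
        if elem.findtext("identifier") == identifier:
            root.remove(elem)
    return ET.tostring(root, encoding="unicode")
```

Read ./conf/authorizers.xml into check_authorizers() before restarting; an empty list means the references resolve. The DN-versus-attribute check is the one that bites LDAP setups: with User Identity Attribute left blank the LdapUserGroupProvider reports users by full DN, which is what a LdapProvider login with Identity Strategy USE_DN produces, while setting it to an attribute such as sAMAccountName or userPrincipalName makes the synced identity a short name that a DN-shaped Initial Admin Identity will never match. If the DN strings differ only in case or spacing between the two providers, the nifi.security.identity.mapping.* properties in nifi.properties are the place to normalise them.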

RE: SSL/LDAP Configuration

Posted by "White, Daniel" <Da...@lgim.com>.
Hi,

I’m still hitting this error on login :

Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Contact the system administrator.

Any other ideas?

Thanks
Dan

From: Luther Blisset <el...@outlook.com>
Sent: 25 September 2020 01:14
To: users@nifi.apache.org
Subject: FW: SSL/LDAP Configuration

CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.

Hello Daniel
You must match your login ID with the one mapped to the attribute set up on LdapUserGroupProvider as User Identity Attribute; here is an example of it:

<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    ...
    <property name="User Search Base">OU=unit,DC=company,DC=com</property>
    <property name="User Object Class">user</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter">(memberOf=CN=Some Group,OU=unit,DC=company,DC=com)</property>
    <property name="User Identity Attribute">userPrincipalName</property>
    ...


The message "Insufficient Permissions" is because that user doesn't have permissions even to the UI. There is a good article about UserGroupProviders by Pierre: https://pierrevillard.com/2017/12/22/authorizations-with-ldap-synchronization-in-apache-nifi-1-4/

If you are able to log in using LDAP, you will be able to set up the provider with almost the same config.
Are you using Docker? If yes, the entry point script has some workarounds.

Regards
________________________________
From: White, Daniel <Da...@lgim.com>>
Sent: Thursday, 24 September 2020 08:45 PM
To: Johannes Meixner <jo...@meixner.ch>>; users@nifi.apache.org<ma...@nifi.apache.org> <us...@nifi.apache.org>>
Subject: RE: SSL/LDAP Configuration

Hi Johannes,

I'm making progress - I'm able to login to the GUI, but I'm getting the following message :

Insufficient Permissions

Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Contact the system administrator.

I can see the following in the nifi-users.log file :

2020-09-25 00:39:45,689 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM
2020-09-25 00:39:45,755 INFO [NiFi Web Server-19] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Returning Forbidden response.

LDAP connection looks good as I can authenticate but authorization looks wrong somewhere.

Any ideas would be welcome.

Thanks
Dan

-----Original Message-----
From: Johannes Meixner <jo...@meixner.ch>>
Sent: 24 September 2020 13:53
To: users@nifi.apache.org<ma...@nifi.apache.org>; White, Daniel <Da...@lgim.com>>
Subject: Re: SSL/LDAP Configuration

CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.


Hi Daniel,

You define all those in authorizers.xml and use the file-user-group-provider to allow access to non-LDAP resources -- Initial admin users (FileAccessPolicyProvider, in case LDAP goes down) and NiFi hosts (FileUserGroupProvider).

You should find Cloudera docs by just typing in all the class names into Google.


--
Johannes Meixner

web: https://www.meixner.ch/

Meixner GmbH
Switzerland


On 2020-09-24 14:39, White, Daniel wrote:
> Hi Johannes,
>
> Thanks.
>
> So do I need to configure all of those in the authorizers.xml or just the ones that relate to LDAP? I'm only going to be authorizing via LDAP and don't really understand the need for the file-user-group-provider?
>
> Apologies if this is a stupid question but we are new to Nifi.
>
> Are there any worked examples that you know of for these config files?
>
> Thanks
> Dan
>
> -----Original Message-----
> From: Johannes Meixner <jo...@meixner.ch>>
> Sent: 24 September 2020 12:35
> To: users@nifi.apache.org<ma...@nifi.apache.org>; White, Daniel <Da...@lgim.com>>
> Subject: Re: SSL/LDAP Configuration
>
> CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.
>
>
> Hi Daniel
>
> Your NiFi setup is choking because in line 278 of authorizers.xml you define a file-user-group-provider but never create it (lines 47-54 are commented out).
>
> What you might want to do is look into the CompositeConfigurableUserGroupProvider class with subs file-user-group-provider and ldap-user-group-provider.
>
> So you get something like this:
>
> StandardManagedAuthorizer --> FileAccessPolicyProvider --> CompositeConfigurableUserGroupProvider --> file-user-group-provider / ldap-user-group-provider (all in authorizers.xml).
>
> Hope that helps
>
>
> --
> Johannes Meixner
>
> web: https://www.meixner.ch/
>
> Meixner GmbH
> Switzerland
> On 2020-09-24 13:16, White, Daniel wrote:
>> Welcome anyone else’s view on this or experience/examples used in the setup.
>>
>>
>>
>> *From:*White, Daniel <Da...@lgim.com>>
>> *Sent:* 24 September 2020 10:15
>> *To:* users@nifi.apache.org<ma...@nifi.apache.org>
>> *Subject:* RE: SSL/LDAP Configuration
>>
>>
>>
>> Hi Andy,
>>
>>
>>
>> Still getting issues trying to make LDAP integration work – Is there
>> a reference document which shows worked examples of the configurations?
>>
>>
>>
>> I’ve attached my latest .xml files – Any help is gratefully received.
>>
>>
>>
>> I’m currently getting the following error on startup :
>>
>>
>>
>>
>>
>> Thanks
>>
>> Dan
>>
>>
>>
>> *From:* Andy LoPresto <alopresto.apache@gmail.com>
>> *Sent:* 23 August 2020 01:06
>> *To:* users@nifi.apache.org<ma...@nifi.apache.org> <ma...@nifi.apache.org>
>> *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>> CAUTION:This email originated from outside of the organisation. Do
>> not click links or open attachments unless you recognise the sender
>> and know the content is safe.
>>
>>
>>
>> Ok to diagnose, look at the users.xml to see if there is a user
>> matching that DN, and if so, it should have a UUID. Then in the
>> authorizations.xml there should be policies defined in a hierarchical
>> manner associating those users with a right on a specific resource
>> (component/processor). If so, you can copy/paste as many as you want
>> to define them.
>>
>>
>>
>> Again, this is not the ideal situation; most of this should be
>> possible through the UI but I’m not sitting there to diagnose the issue.
>>
>> Andy LoPresto
>>
>> alopresto@apache.org<ma...@apache.org> <ma...@apache.org>
>> alopresto.apache@gmail.com<ma...@gmail.com> <ma...@gmail.com>
>>
>> He/Him
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>     On Aug 22, 2020, at 16:56, White, Daniel <Daniel.White@lgim.com> wrote:
>>
>>     
>>
>>     Hi Andy,
>>
>>
>>
>>     I tried removing users.xml and authorizations.xml but I’m still
>>     getting the same error.
>>
>>
>>
>>     Suspect it’s something to do with authorizers.xml, but I can’t see
>>     any issues with it.
>>
>>
>>
>>     I see this in the nifi-user.log :
>>
>>
>>
>>     <image001.png>
>>
>>     Thanks
>>
>>     Dan
>>
>>
>>
>>     *From:* Andy LoPresto <alopresto.apache@gmail.com>
>>     *Sent:* 23 August 2020 00:12
>>     *To:* users@nifi.apache.org<ma...@nifi.apache.org> <ma...@nifi.apache.org>
>>     *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>     CAUTION:This email originated from outside of the organisation. Do
>>     not click links or open attachments unless you recognise the sender
>>     and know the content is safe.
>>
>>
>>
>>     Daniel,
>>
>>
>>
>>     A couple options:
>>
>>
>>
>>     The “easy way” is to shut down NiFi, delete “users.xml” and
>>     “authorizations.xml” in the “conf/“ directory, and then restart
>>     NiFi. Whatever user was specified as the IAI should have enough
>>     permissions to get started now.
>>
>>
>>
>>     Once you can access the main canvas, you’ll want to go into the
>>     global policies dialog (global menu top right > policies) and give
>>     yourself the specific view & modify permissions on the root process
>>     group. I understand this manual effort is less than ideal, but the
>>     stages in which things are defined have mandated this for now.
>>
>>
>>
>>     I think the User Guide does a good job of explaining the theory here
>>     as well as specific component steps (but doesn’t go soup to nuts on
>>     the process), so I’d recommend that as well as the “end” (the last
>>     3-4 steps) of the Walkthrough guide section on securing NiFi.
>>
>>
>>
>>     I’m on my phone so I don’t have all my usual resources available,
>>     but hopefully this guides you in the right direction. If not, please
>>     let me know and tomorrow I can provide more specific instructions.
>>
>>
>>
>>
>>
>>     Andy LoPresto
>>
>>     alopresto@apache.org
>>     alopresto.apache@gmail.com
>>
>>     He/Him
>>     PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>         On Aug 22, 2020, at 16:05, White, Daniel <Daniel.White@lgim.com> wrote:
>>
>>         
>>
>>         Hi Andy,
>>
>>
>>
>>         I’ve now managed to login to Nifi using my AD account but am
>>         getting the following error :
>>
>>
>>
>>         Insufficient Permissions – No applicable policies could be found.
>>
>>
>>
>>         <image001.png>
>>
>>
>>
>>         Any pointers would be gratefully received.
>>
>>
>>
>>         Thanks
>>
>>         Dan
>>
>>
>>
>>         From: Andy LoPresto <alopresto@apache.org>
>>         Sent: 03 August 2020 03:07
>>         To: users@nifi.apache.org
>>         Subject: Re: SSL/LDAP Configuration
>>
>>
>>
>>
>>
>>
>>         Also, your authorizers.xml is not correct — you haven’t
>>         configured (or even uncommented) the LDAP user group provider,
>>         so the specified user group provider is the file users.xml, and
>>         you haven’t configured any initial admins, so no users will be
>>         allowed to log in. Did you follow the steps in the NiFi Admin
>>         Guide [3][4] for configuring this? Authentication and
>>         authorization are decoupled in NiFi, and while you can use LDAP
>>         for both, you’ll have to configure it for each.
>>
>>
>>
>>         Also, your login-identity-providers.xml uses START_TLS as the
>>         authentication strategy but does not specify any properties for
>>         the keystore or truststore, which will be required.
>>
>>
>>
>>         [3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
>>
>>         [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
>>
>>
>>
>>
>>
>>
>>
>>         Andy LoPresto
>>         alopresto@apache.org
>>         alopresto.apache@gmail.com
>>         He/Him
>>
>>         PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>
>>             On Aug 2, 2020, at 7:02 PM, Andy LoPresto <alopresto@apache.org> wrote:
>>
>>
>>
>>             Hi Daniel,
>>
>>
>>
>>             Did you verify that the provided credentials are correct?
>>             There will be two sets — the “manager” DN and password which
>>             are provided as configuration values in the authorizers.xml
>>             file, and the individual user credentials provided on each
>>             login attempt. The manager credentials allow NiFi to make an
>>             authenticated request to the LDAP service, and the request
>>             itself contains the user’s credentials.
>>
>>
>>
>>             You can verify these credentials by using the ldapsearch
>>             [1][2] tool from one of the machines where NiFi is
>>             installed. This allows you to verify TLS, ports, network
>>             reachability, and the correctness of the credentials
>>             themselves.
>>
>>
>>
>>             Something like:
>>
>>
>>
>>             $ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D "cn=admin,dc=<your_org>,dc=com" -W
>>
>>
>>
>>             That will conduct a general search using the account
>>             provided by -D, and prompt for the password with -W. You can
>>             also switch out the account in -D for the specific user
>>             you’re trying to log in as to verify those credentials.
>>
>>
>>
>>             [1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
>>
>>             [2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
>>
>>
>>
>>             Andy LoPresto
>>             alopresto@apache.org
>>             alopresto.apache@gmail.com
>>             He/Him
>>
>>             PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>
>>                 On Aug 2, 2020, at 1:11 PM, White, Daniel <Daniel.White@lgim.com> wrote:
>>
>>
>>
>>                 Confidential
>>
>>
>>
>>                 Hi All,
>>
>>
>>
>>                 Looking for some assistance with setting up SSL/LDAP to
>>                 enable user admin within Nifi.
>>
>>
>>
>>                 I’ve set up and configured my non-prod environment but am
>>                 having issues logging in:
>>
>>
>>
>>                 Unable to validate the supplied credentials. Please
>>                 contact the system administrator
>>
>>
>>
>>                 I’ve followed the config guide and am stuck as to what
>>                 the issue could be.
>>
>>
>>
>>                 The steps I followed :
>>
>>
>>
>>                  1. Generate keys etc using tls-toolkit.sh
>>                  2. Updated nifi.properties to set
>>                     nifi.security.user.login.identity.provider=ldap-provider
>>                  3. Modified login-identity-providers.xml (copy attached)
>>                  4. Modified authorizers.xml (copy attached)
>>
>>
>>
>>                 Nifi starts and I can get to the login page, just unable
>>                 to login (with error shown above).
>>
>>
>>
>>                 Any help will be gratefully received.
>>
>>
>>
>>                 Thanks
>>
>>
>>
>>                 Dan White
>>                 Lead Technical Architect
>>                 Legal & General Investment Management
>>                 One Coleman Street, London, EC2R 5AA
>>                 Tel: +44 203 124 4048
>>                 Mob: +44 7980 027 656
>>
>>
>>                 http://www.lgim.com/
>>
>>
>>
>>                 This e-mail (and any attachments) may contain privileged
>>                 and/or confidential information. If you are not the
>>                 intended recipient please do not disclose, copy,
>>                 distribute, disseminate or take any action in reliance
>>                 on it. If you have received this message in error please
>>                 reply and tell us and then delete it. Should you wish to
>>                 communicate with us by e-mail we cannot guarantee the
>>                 security of any data outside our own computer systems.
>>
>>                 Any information contained in this message may be subject
>>                 to applicable terms and conditions and must not be
>>                 construed as giving investment advice within or outside
>>                 the United Kingdom or Republic of Ireland.
>>
>>                 Telephone Conversations may be recorded for your
>>                 protection and to ensure quality of service
>>
>>                 Legal & General Investment Management Limited (no
>>                 2091894), LGIM Real Assets (Operator) Limited (no
>>                 05522016), LGIM (International) Limited (no 7716001)
>>                 Legal & General Unit Trust Managers (no 1009418), GO ETF
>>                 Solutions LLP (OC329482) and LGIM Corporate Director
>>                 Limited (no 7105051) are authorised and regulated by the
>>                 Financial Conduct Authority. All are registered in
>>                 England & Wales with a registered office at One Coleman
>>                 Street, London, EC2R 5AA
>>
>>                 Legal & General Assurance (Pensions Management) Limited
>>                 (no 1006112) is authorised by the Prudential Regulation
>>                 Authority and regulated by the Financial Conduct
>>                 Authority and the Prudential Regulation Authority. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 Legal & General Property Limited (no 2091897) is
>>                 authorised and regulated by the Financial Conduct
>>                 Authority for insurance mediation activities. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 LGIM Managers (Europe) Limited is authorised and
>>                 regulated by the Central Bank of Ireland (C173733). It
>>                 is registered in the Republic of Ireland (no 609677)
>>                 with a registered office at 33/34 Sir John Rogerson's
>>                 Quay, Dublin 2, D02 XK09.
>>
>>                 Legal & General Group PLC, Registered Office One Coleman
>>                 Street, London, EC2R 5AA.
>>
>>                 Registered in England no: 1417162
>>                 ________________________________________________________________________
>>                 **** This email has come from the internet and has been
>>                 scanned for all viruses and potentially offensive
>>                 content by Messagelabs on behalf of Legal & General ****
>>                 <authorizers.xml><login-identity-providers.xml>
>>
>>
>>
>>
>>
>>
>
>



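The diagnosis Andy gives in the thread above (find the login DN in users.xml, take its UUID, then find the policies in authorizations.xml that reference that UUID) done by script. This is an added example, not code from the thread or from the NiFi project. USERS_XML and AUTHORIZATIONS_XML are constructed samples in the shape NiFi's FileUserGroupProvider and FileAccessPolicyProvider write; the DNs, UUIDs and the root process group id are invented. The near-miss check assumes NiFi compares identity strings exactly, which is why a DN that differs only in case or spacing from the one in users.xml is reported as "Unknown user with identity".

```python
"""Check one login identity against NiFi's users.xml and authorizations.xml.

Added example; not code from the thread or from the NiFi project. USERS_XML
and AUTHORIZATIONS_XML are constructed samples in the shape NiFi's
FileUserGroupProvider and FileAccessPolicyProvider write; the DNs, UUIDs and
root process group id are invented.
"""
import xml.etree.ElementTree as ET

ROOT_PG_ID = "8f1c9d2e-0000-1000-8000-000000000001"      # assumed root process group id
ADMIN_ID = "6b9c2e3d-0000-1000-8000-000000000010"        # invented user/group UUIDs
NODE_ID = "c41aa7f0-0000-1000-8000-000000000020"
ADMINS_GROUP_ID = "2a0f5b11-0000-1000-8000-000000000030"

USERS_XML = f"""<tenants>
    <groups>
        <group identifier="{ADMINS_GROUP_ID}" name="nifi-admins">
            <user identifier="{ADMIN_ID}"/>
        </group>
    </groups>
    <users>
        <user identifier="{ADMIN_ID}" identity="cn=admin1,ou=people,dc=example,dc=com"/>
        <user identifier="{NODE_ID}" identity="CN=nifi-node-1.example.com, OU=NIFI"/>
    </users>
</tenants>"""

AUTHORIZATIONS_XML = f"""<authorizations>
    <policies>
        <policy identifier="p-flow-r" resource="/flow" action="R">
            <user identifier="{ADMIN_ID}"/>
        </policy>
        <policy identifier="p-root-r" resource="/process-groups/{ROOT_PG_ID}" action="R">
            <group identifier="{ADMINS_GROUP_ID}"/>
        </policy>
        <policy identifier="p-root-w" resource="/process-groups/{ROOT_PG_ID}" action="W">
            <group identifier="{ADMINS_GROUP_ID}"/>
        </policy>
        <policy identifier="p-proxy-w" resource="/proxy" action="W">
            <user identifier="{NODE_ID}"/>
        </policy>
    </policies>
</authorizations>"""


def load_tenants(users_xml):
    """Return (identity -> user UUID, group UUID -> set of member user UUIDs)."""
    root = ET.fromstring(users_xml)
    users = {u.get("identity"): u.get("identifier")
             for u in root.find("users").findall("user")}
    groups = {g.get("identifier"): {m.get("identifier") for m in g.findall("user")}
              for g in root.find("groups").findall("group")}
    return users, groups


def effective_policies(identity, users_xml, authorizations_xml):
    """Sorted (resource, action) pairs the identity holds directly or through a
    group, or None when the identity is not in users.xml at all, which NiFi
    reports as "Unknown user with identity '...'"."""
    users, groups = load_tenants(users_xml)
    user_id = users.get(identity)
    if user_id is None:
        return None
    member_of = {gid for gid, members in groups.items() if user_id in members}
    held = set()
    for p in ET.fromstring(authorizations_xml).find("policies").findall("policy"):
        direct = any(u.get("identifier") == user_id for u in p.findall("user"))
        via_group = any(g.get("identifier") in member_of for g in p.findall("group"))
        if direct or via_group:
            held.add((p.get("resource"), p.get("action")))
    return sorted(held)


def can_open_canvas(identity, users_xml, authorizations_xml, root_pg_id=ROOT_PG_ID):
    """Reaching the canvas needs read on /flow and read on the root process group."""
    held = effective_policies(identity, users_xml, authorizations_xml)
    return held is not None and ("/flow", "R") in held \
        and (f"/process-groups/{root_pg_id}", "R") in held


def near_misses(identity, users_xml):
    """Identities in users.xml that differ from the login identity only in case
    or whitespace. NiFi compares the identity string exactly, so these are the
    usual cause of 'Unknown user' right after a successful LDAP bind."""
    users, _ = load_tenants(users_xml)
    fold = lambda s: "".join(s.split()).lower()
    return [i for i in users if i != identity and fold(i) == fold(identity)]


if __name__ == "__main__":
    for who in ("cn=admin1,ou=people,dc=example,dc=com",
                "CN=Admin1,OU=People,DC=example,DC=com"):
        print(who, "->", effective_policies(who, USERS_XML, AUTHORIZATIONS_XML),
              "near misses:", near_misses(who, USERS_XML))
```

Against a real install, read conf/users.xml and conf/authorizations.xml into the two strings and pass the identity exactly as nifi-user.log prints it after "Authentication success for"; the root process group id is the one that already appears in the /process-groups/... resource strings of authorizations.xml. An identity that yields None here has never been written to users.xml, so the fix is on the user group provider side, not in the policies.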
RV: SSL/LDAP Configuration

Posted by Luther Blisset <el...@outlook.com>.
Hello Daniel
You must match your login id with the one mapped to the attribute set up on LdapUserGroupProvider as User Identity Attribute; here is an example of it:

<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    ...
    <property name="User Search Base">OU=unit,DC=company,DC=com</property>
    <property name="User Object Class">user</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter">(memberOf=CN=Some Group,OU=unit,DC=company,DC=com)</property>
    <property name="User Identity Attribute">userPrincipalName</property>
    ...
</userGroupProvider>


The message "Insufficient Permissions" is because that user doesn't have permissions even to the UI. There is a good article about UserGroupProviders by Pierre: https://pierrevillard.com/2017/12/22/authorizations-with-ldap-synchronization-in-apache-nifi-1-4/

If you are able to log in using LDAP, you will be able to set up the provider with almost the same conf.
Are you using Docker? If yes, the entrypoint script has some workarounds.

Regards
________________________________
From: White, Daniel <Da...@lgim.com>
Sent: Thursday, 24 September 2020 08:45 PM
To: Johannes Meixner <jo...@meixner.ch>; users@nifi.apache.org <us...@nifi.apache.org>
Subject: RE: SSL/LDAP Configuration

Hi Johannes,

I'm making progress - I'm able to login to the GUI, but I'm getting the following message :

Insufficient Permissions

Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Contact the system administrator.

I can see the following in the nifi-users.log file :

2020-09-25 00:39:45,689 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM
2020-09-25 00:39:45,755 INFO [NiFi Web Server-19] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Returning Forbidden response.

LDAP connection looks good as I can authenticate but authorization looks wrong somewhere.

Any ideas would be welcome.

Thanks
Dan

-----Original Message-----
From: Johannes Meixner <jo...@meixner.ch>
Sent: 24 September 2020 13:53
To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
Subject: Re: SSL/LDAP Configuration



Hi Daniel,

You define all those in authorizers.xml and use the file-user-group-provider to allow access to non-LDAP resources -- Initial admin users (FileAccessPolicyProvider, in case LDAP goes down) and NiFi hosts (FileUserGroupProvider).

You should find Cloudera docs by just typing in all the class names into Google.


--
Johannes Meixner

web: https://www.meixner.ch/

Meixner GmbH
Switzerland


On 2020-09-24 14:39, White, Daniel wrote:
> Hi Johannes,
>
> Thanks.
>
> So do I need to configure all of those in the authorizers.xml or just the ones that relate to LDAP? I'm only going to be authorizing via LDAP and don't really understand the need for the file-user-group-provider?
>
> Apologies if this is a stupid question but we are new to Nifi.
>
> Are there any worked examples that you know of for these config files?
>
> Thanks
> Dan
>
> -----Original Message-----
> From: Johannes Meixner <jo...@meixner.ch>
> Sent: 24 September 2020 12:35
> To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
> Subject: Re: SSL/LDAP Configuration
>
> CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.
>
>
> Hi Daniel
>
> Your NiFi setup is choking because in line 278 of authorizers.xml you define a file-user-group-provider but never create it (lines 47-54 are commented out).
>
> What you might want to do is look into the CompositeConfigurableUserGroupProvider class with subs file-user-group-provider and ldap-user-group-provider.
>
> So you get something like this:
>
> StandardManagedAuthorizer --> FileAccessPolicyProvider --> CompositeConfigurableUserGroupProvider --> file-user-group-provider / ldap-user-group-provider (all in authorizers.xml).
>
> Hope that helps
>
>
> --
> Johannes Meixner
>
> web: https://www.meixner.ch/
>
> Meixner GmbH
> Switzerland
> On 2020-09-24 13:16, White, Daniel wrote:
>> Welcome anyone else’s view on this or experience/examples used in the setup.
>>
>>
>>
>> *From:* White, Daniel <Da...@lgim.com>
>> *Sent:* 24 September 2020 10:15
>> *To:* users@nifi.apache.org
>> *Subject:* RE: SSL/LDAP Configuration
>>
>>
>>
>> Hi Andy,
>>
>>
>>
>> Still getting issues trying to make LDAP integration work – Is there
>> a reference document which shows worked examples of the configurations?
>>
>>
>>
>> I’ve attached my latest .xml files – Any help is gratefully received.
>>
>>
>>
>> I’m currently getting the following error on startup :
>>
>>
>>
>>
>>
>> Thanks
>>
>> Dan
>>
>>
>>
>> *From:* Andy LoPresto <alopresto.apache@gmail.com
>> <ma...@gmail.com>>
>> *Sent:* 23 August 2020 01:06
>> *To:* users@nifi.apache.org <ma...@nifi.apache.org>
>> *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>> CAUTION: This email originated from outside of the organisation. Do
>> not click links or open attachments unless you recognise the sender
>> and know the content is safe.
>>
>>
>>
>> Ok to diagnose, look at the users.xml to see if there is a user
>> matching that DN, and if so, it should have a UUID. Then in the
>> authorizations.xml there should be policies defined in a hierarchical
>> manner associating those users with a right on a specific resource
>> (component/processor). If so, you can copy/paste as many as you want
>> to define them.
>>
>>
>>
>> Again, this is not the ideal situation; most of this should be
>> possible through the UI but I’m not sitting there to diagnose the issue.
>>
>> Andy LoPresto
>>
>> alopresto@apache.org <ma...@apache.org>
>> alopresto.apache@gmail.com <ma...@gmail.com>
>>
>> He/Him
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>     On Aug 22, 2020, at 16:56, White, Daniel <Daniel.White@lgim.com
>>     <ma...@lgim.com>> wrote:
>>
>>     
>>
>>     Hi Andy,
>>
>>
>>
>>     I tried removing users.xml and authorizations.xml but I’m still
>>     getting the same error.
>>
>>
>>
>>     Suspect it’s something to do with authorizers.xml, but I can’t see
>>     any issues with it.
>>
>>
>>
>>     I see this in the nifi-user.log :
>>
>>
>>
>>     <image001.png>
>>
>>     Thanks
>>
>>     Dan
>>
>>
>>
>>     *From:* Andy LoPresto <alopresto.apache@gmail.com
>>     <ma...@gmail.com>>
>>     *Sent:* 23 August 2020 00:12
>>     *To:* users@nifi.apache.org <ma...@nifi.apache.org>
>>     *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>     CAUTION: This email originated from outside of the organisation. Do
>>     not click links or open attachments unless you recognise the sender
>>     and know the content is safe.
>>
>>
>>
>>     Daniel,
>>
>>
>>
>>     A couple options:
>>
>>
>>
>>     The “easy way” is to shut down NiFi, delete “users.xml” and
>>     “authorizations.xml” in the “conf/“ directory, and then restart
>>     NiFi. Whatever user was specified as the IAI should have enough
>>     permissions to get started now.
>>
>>
>>
>>     Once you can access the main canvas, you’ll want to go into the
>>     global policies dialog (global menu top right > policies) and give
>>     yourself the specific view & modify permissions on the root process
>>     group. I understand this manual effort is less than ideal, but the
>>     stages in which things are defined has mandated this for now.
>>
>>
>>
>>     I think the User Guide does a good job of explaining the theory here
>>     as well as specific component steps (but doesn’t go soup to nuts on
>>     the process), so I’d recommend that as well as the “end” (the last
>>     3-4 steps) of the Walkthrough guide section on securing NiFi.
>>
>>
>>
>>     I’m on my phone so I don’t have all my usual resources available,
>>     but hopefully this guides you in the right direction. If not, please
>>     let me know and tomorrow I can provide more specific instructions.
>>
>>
>>
>>
>>
>>     Andy LoPresto
>>
>>     alopresto@apache.org <ma...@apache.org>
>>     alopresto.apache@gmail.com <ma...@gmail.com>
>>
>>     He/Him
>>     PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>         On Aug 22, 2020, at 16:05, White, Daniel <Daniel.White@lgim.com
>>         <ma...@lgim.com>> wrote:
>>
>>         
>>
>>         Hi Andy,
>>
>>
>>
>>         I’ve now managed to login to Nifi using my AD account but am
>>         getting the following error :
>>
>>
>>
>>         Insufficient Permissions – No applicable policies could be found.
>>
>>
>>
>>         <image001.png>
>>
>>
>>
>>         Any pointers would be gratefully received.
>>
>>
>>
>>         Thanks
>>
>>         Dan
>>
>>
>>
>>         *From:* Andy LoPresto <alopresto@apache.org
>>         <ma...@apache.org>>
>>         *Sent:* 03 August 2020 03:07
>>         *To:* users@nifi.apache.org <ma...@nifi.apache.org>
>>         *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>         CAUTION: This email originated from outside of the organisation.
>>         Do not click links or open attachments unless you recognise the
>>         sender and know the content is safe.
>>
>>
>>
>>         Also, your authorizers.xml is not correct — you haven’t
>>         configured (or even uncommented) the LDAP user group provider,
>>         so the specified user group provider is the file users.xml, and
>>         you haven’t configured any initial admins, so no users will be
>>         allowed to log in. Did you follow the steps in the NiFi Admin
>>         Guide [3][4] for configuring this? Authentication and
>>         authorization are decoupled in NiFi, and while you can use LDAP
>>         for both, you’ll have to configure it for each.
>>
>>
>>
>>         Also, your login-identity-providers.xml uses START_TLS as the
>>         authentication strategy but does not specify any properties for
>>         the keystore or truststore, which will be required.
>>
>>
>>
>>         [3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
>>
>>         [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
>>
>>
>>
>>
>>
>>
>>
>>         Andy LoPresto
>>         alopresto@apache.org <ma...@apache.org>
>>         /alopresto.apache@gmail.com <ma...@gmail.com>/
>>         He/Him
>>
>>         PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>
>>             On Aug 2, 2020, at 7:02 PM, Andy LoPresto
>>             <alopresto@apache.org <ma...@apache.org>> wrote:
>>
>>
>>
>>             Hi Daniel,
>>
>>
>>
>>             Did you verify that the provided credentials are correct?
>>             There will be two sets — the “manager” DN and password which
>>             are provided as configuration values in the authorizers.xml
>>             file, and the individual user credentials provided on each
>>             login attempt. The manager credentials allow NiFi to make an
>>             authenticated request to the LDAP service, and the request
>>             itself contains the user’s credentials.
>>
>>
>>
>>             You can verify these credentials by using the ldapsearch
>>             [1][2] tool from one of the machines where NiFi is
>>             installed. This allows you to verify TLS, ports, network
>>             reachability, and the correctness of the credentials
>>             themselves.
>>
>>
>>
>>             Something like:
>>
>>
>>
>>             $ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D "cn=admin,dc=<your_org>,dc=com" -W
>>
>>
>>
>>             That will conduct a general search using the account
>>             provided by -D, and prompt for the password with -W. You can
>>             also switch out the account in -D for the specific user
>>             you’re trying to log in as to verify those credentials.
>>
>>
>>
>>             [1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
>>
>>             [2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
>>
>>
>>
>>             Andy LoPresto
>>             alopresto@apache.org <ma...@apache.org>
>>             /alopresto.apache@gmail.com <ma...@gmail.com>/
>>             He/Him
>>
>>             PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B
>>             2F7D EF69
>>
>>
>>
>>
>>                 On Aug 2, 2020, at 1:11 PM, White, Daniel
>>                 <Daniel.White@lgim.com <ma...@lgim.com>>
>>                 wrote:
>>
>>
>>
>>                 Confidential
>>
>>
>>
>>                 Hi All,
>>
>>
>>
>>                 Looking for some assistance with setting up SSL/LDAP to
>>                 enable user admin within Nifi.
>>
>>
>>
>>                 I’ve setup and configured my non-prod environment but am
>>                 having issues logging in:
>>
>>
>>
>>                 Unable to validate the supplied credentials. Please
>>                 contact the system administrator
>>
>>
>>
>>                 I’ve followed the config guide and am stuck as to what
>>                 the issue could be.
>>
>>
>>
>>                 The steps I followed :
>>
>>
>>
>>                  1. Generate keys etc using tls-toolkit.sh
>>                  2. Updated nifi.properties to set
>>                     nifi.security.user.login.identity.provider=ldap-provider
>>                  3. Modified login-identity-providers.xml (copy attached)
>>                  4. Modified authorizers.xml (copy attached)
>>
>>
>>
>>                 Nifi starts and I can get to the login page, just unable
>>                 to login (with error shown above).
>>
>>
>>
>>                 Any help will be very grateful.
>>
>>
>>
>>                 Thanks
>>
>>
>>
>>                 *Dan White *
>>                 *Lead Technical Architect**
>>                 *Legal & General Investment Management
>>                 One Coleman Street, London, EC2R 5AA
>>                 Tel: +44 203 124 4048
>>
>>                 Mob: +44 7980 027 656
>>
>>
>>                 http://www.lgim.com/
>>
>>
>>
>>                 This e-mail (and any attachments) may contain privileged
>>                 and/or confidential information. If you are not the
>>                 intended recipient please do not disclose, copy,
>>                 distribute, disseminate or take any action in reliance
>>                 on it. If you have received this message in error please
>>                 reply and tell us and then delete it. Should you wish to
>>                 communicate with us by e-mail we cannot guarantee the
>>                 security of any data outside our own computer systems.
>>
>>                 Any information contained in this message may be subject
>>                 to applicable terms and conditions and must not be
>>                 construed as giving investment advice within or outside
>>                 the United Kingdom or Republic of Ireland.
>>
>>                 Telephone Conversations may be recorded for your
>>                 protection and to ensure quality of service
>>
>>                 Legal & General Investment Management Limited (no
>>                 2091894), LGIM Real Assets (Operator) Limited (no
>>                 05522016), LGIM (International) Limited (no 7716001)
>>                 Legal & General Unit Trust Managers (no 1009418), GO ETF
>>                 Solutions LLP (OC329482) and LGIM Corporate Director
>>                 Limited (no 7105051) are authorised and regulated by the
>>                 Financial Conduct Authority. All are registered in
>>                 England & Wales with a registered office at One Coleman
>>                 Street, London, EC2R 5AA
>>
>>                 Legal & General Assurance (Pensions Management) Limited
>>                 (no 1006112) is authorised by the Prudential Regulation
>>                 Authority and regulated by the Financial Conduct
>>                 Authority and the Prudential Regulation Authority. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 Legal & General Property Limited (no 2091897) is
>>                 authorised and regulated by the Financial Conduct
>>                 Authority for insurance mediation activities. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 LGIM Managers (Europe) Limited is authorised and
>>                 regulated by the Central Bank of Ireland (C173733). It
>>                 is registered in the Republic of Ireland (no 609677)
>>                 with a registered office at 33/34 Sir John Rogerson's
>>                 Quay, Dublin 2, D02 XK09.
>>
>>                 Legal & General Group PLC, Registered Office One Coleman
>>                 Street, London, EC2R 5AA.
>>
>>                 Registered in England no: 1417162
>>                 ________________________________________________________________________
>>                 **** This email has come from the internet and has been
>>                 scanned for all viruses and potentially offensive
>>                 content by Messagelabs on behalf of Legal & General ****
>>                 <authorizers.xml><login-identity-providers.xml>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>



RE: SSL/LDAP Configuration

Posted by "White, Daniel" <Da...@lgim.com>.
Hi Johannes,

I'm making progress - I'm able to login to the GUI, but I'm getting the following message :

Insufficient Permissions

Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Contact the system administrator.

I can see the following in the nifi-users.log file :

2020-09-25 00:39:45,689 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM
2020-09-25 00:39:45,755 INFO [NiFi Web Server-19] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=DW99908,ou=All Users,ou=Resources,dc=INV,dc=ADRoot,dc=LGIM,dc=COM'. Returning Forbidden response.

LDAP connection looks good as I can authenticate but authorization looks wrong somewhere.

Any ideas would be welcome.

Thanks
Dan

-----Original Message-----
From: Johannes Meixner <jo...@meixner.ch>
Sent: 24 September 2020 13:53
To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
Subject: Re: SSL/LDAP Configuration

CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.


Hi Daniel,

You define all those in authorizers.xml and use the file-user-group-provider to allow access to non-LDAP resources -- Initial admin users (FileAccessPolicyProvider, in case LDAP goes down) and NiFi hosts (FileUserGroupProvider).

You should find Cloudera docs by just typing in all the class names into Google.


--
Johannes Meixner

web: https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.meixner.ch%2F&amp;data=02%7C01%7CDaniel.White%40lgim.com%7C0ddfa18dfffc4351eebc08d86088defb%7Cd246baabcc004ed2bc4ef8a46cbc590d%7C0%7C1%7C637365488257001866&amp;sdata=gBAQ0PY3OP0MePtOi229%2Fz1S823LAIudVDo2i%2FB0zUQ%3D&amp;reserved=0

Meixner GmbH
Switzerland


On 2020-09-24 14:39, White, Daniel wrote:
> Hi Johannes,
>
> Thanks.
>
> So do I need to configure all of those in the authorizers.xml or just the ones that relate to LDAP? I'm only going to be authorizing via LDAP and don't really understand the need for the file-user-group-provider?
>
> Apologies if this is a stupid question but we are new to Nifi.
>
> Are there any worked examples that you know of for these config files?
>
> Thanks
> Dan
>
> -----Original Message-----
> From: Johannes Meixner <jo...@meixner.ch>
> Sent: 24 September 2020 12:35
> To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
> Subject: Re: SSL/LDAP Configuration
>
> CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.
>
>
> Hi Daniel
>
> Your NiFi setup is choking because in line 278 of authorizers.xml you define a file-user-group-provider but never create it (lines 47-54 are commented out).
>
> What you might want to do is look into the CompositeConfigurableUserGroupProvider class with subs file-user-group-provider and ldap-user-group-provider.
>
> So you get something like this:
>
> StandardManagedAuthorizer --> FileAccessPolicyProvider --> CompositeConfigurableUserGroupProvider --> file-user-group-provider / ldap-user-group-provider (all in authorizers.xml).
>
> Hope that helps
>
>
> --
> Johannes Meixner
>
> web: https://www.meixner.ch/
>
> Meixner GmbH
> Switzerland
> On 2020-09-24 13:16, White, Daniel wrote:
>> Welcome anyone else’s view on this or experience/examples used in the setup.
>>
>>
>>
>> *From:* White, Daniel <Da...@lgim.com>
>> *Sent:* 24 September 2020 10:15
>> *To:* users@nifi.apache.org
>> *Subject:* RE: SSL/LDAP Configuration
>>
>>
>>
>> Hi Andy,
>>
>>
>>
>> Still getting issues trying to make LDAP integration work – Is there
>> a reference document which shows worked examples of the configurations?
>>
>>
>>
>> I’ve attached my latest .xml files – Any help is gratefully received.
>>
>>
>>
>> I’m currently getting the following error on startup :
>>
>>
>>
>>
>>
>> Thanks
>>
>> Dan
>>
>>
>>
>> *From:* Andy LoPresto <alopresto.apache@gmail.com <ma...@gmail.com>>
>> *Sent:* 23 August 2020 01:06
>> *To:* users@nifi.apache.org <ma...@nifi.apache.org>
>> *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>
>>
>>
>> Ok to diagnose, look at the users.xml to see if there is a user
>> matching that DN, and if so, it should have a UUID. Then in the
>> authorizations.xml there should be policies defined in a hierarchical
>> manner associating those users with a right on a specific resource
>> (component/processor). If so, you can copy/paste as many as you want
>> to define them.
>>
>>
>>
>> Again, this is not the ideal situation; most of this should be
>> possible through the UI but I’m not sitting there to diagnose the issue.
>>
>> Andy LoPresto
>>
>> alopresto@apache.org <ma...@apache.org>
>> alopresto.apache@gmail.com <ma...@gmail.com>
>>
>> He/Him
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>     On Aug 22, 2020, at 16:56, White, Daniel <Daniel.White@lgim.com <ma...@lgim.com>> wrote:
>>
>>     
>>
>>     Hi Andy,
>>
>>
>>
>>     I tried removing users.xml and authorizations.xml but I’m still
>>     getting the same error.
>>
>>
>>
>>     Suspect it’s something to do with authorizers.xml, but I can’t see
>>     any issues with it.
>>
>>
>>
>>     I see this in the nifi-user.log :
>>
>>
>>
>>     <image001.png>
>>
>>     Thanks
>>
>>     Dan
>>
>>
>>
>>     *From:* Andy LoPresto <alopresto.apache@gmail.com <ma...@gmail.com>>
>>     *Sent:* 23 August 2020 00:12
>>     *To:* users@nifi.apache.org <ma...@nifi.apache.org>
>>     *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>
>>
>>
>>     Daniel,
>>
>>
>>
>>     A couple options:
>>
>>
>>
>>     The “easy way” is to shut down NiFi, delete “users.xml” and
>>     “authorizations.xml” in the “conf/“ directory, and then restart
>>     NiFi. Whatever user was specified as the IAI should have enough
>>     permissions to get started now.
>>
>>
>>
>>     Once you can access the main canvas, you’ll want to go into the
>>     global policies dialog (global menu top right > policies) and give
>>     yourself the specific view & modify permissions on the root process
>>     group. I understand this manual effort is less than ideal, but the
>>     stages in which things are defined have mandated this for now.
>>
>>
>>
>>     I think the User Guide does a good job of explaining the theory here
>>     as well as specific component steps (but doesn’t go soup to nuts on
>>     the process), so I’d recommend that as well as the “end” (the last
>>     3-4 steps) of the Walkthrough guide section on securing NiFi.
>>
>>
>>
>>     I’m on my phone so I don’t have all my usual resources available,
>>     but hopefully this guides you in the right direction. If not, please
>>     let me know and tomorrow I can provide more specific instructions.
>>
>>
>>
>>
>>
>>     Andy LoPresto
>>
>>     alopresto@apache.org <ma...@apache.org>
>>     alopresto.apache@gmail.com <ma...@gmail.com>
>>
>>     He/Him
>>     PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>         On Aug 22, 2020, at 16:05, White, Daniel <Daniel.White@lgim.com <ma...@lgim.com>> wrote:
>>
>>         
>>
>>         Hi Andy,
>>
>>
>>
>>         I’ve now managed to log in to NiFi using my AD account but am
>>         getting the following error:
>>
>>
>>
>>         Insufficient Permissions – No applicable policies could be found.
>>
>>
>>
>>         <image001.png>
>>
>>
>>
>>         Any pointers would be gratefully received.
>>
>>
>>
>>         Thanks
>>
>>         Dan
>>
>>
>>
>>         *From:* Andy LoPresto <alopresto@apache.org <ma...@apache.org>>
>>         *Sent:* 03 August 2020 03:07
>>         *To:* users@nifi.apache.org <ma...@nifi.apache.org>
>>         *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>
>>
>>
>>         Also, your authorizers.xml is not correct — you haven’t
>>         configured (or even uncommented) the LDAP user group provider,
>>         so the specified user group provider is the file users.xml, and
>>         you haven’t configured any initial admins, so no users will be
>>         allowed to log in. Did you follow the steps in the NiFi Admin
>>         Guide [3][4] for configuring this? Authentication and
>>         authorization are decoupled in NiFi, and while you can use LDAP
>>         for both, you’ll have to configure it for each.
>>
>>
>>
>>         Also, your login-identity-providers.xml uses START_TLS as the
>>         authentication strategy but does not specify any properties for
>>         the keystore or truststore, which will be required.
>>
>>
>>
>>         [3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
>>
>>         [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
>>
>>
>>
>>
>>
>>
>>
>>         Andy LoPresto
>>         alopresto@apache.org <ma...@apache.org>
>>         /alopresto.apache@gmail.com <ma...@gmail.com>/
>>         He/Him
>>
>>         PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>
>>             On Aug 2, 2020, at 7:02 PM, Andy LoPresto <alopresto@apache.org <ma...@apache.org>> wrote:
>>
>>
>>
>>             Hi Daniel,
>>
>>
>>
>>             Did you verify that the provided credentials are correct?
>>             There will be two sets — the “manager” DN and password which
>>             are provided as configuration values in the authorizers.xml
>>             file, and the individual user credentials provided on each
>>             login attempt. The manager credentials allow NiFi to make an
>>             authenticated request to the LDAP service, and the request
>>             itself contains the user’s credentials.
>>
>>
>>
>>             You can verify these credentials by using the ldapsearch
>>             [1][2] tool from one of the machines where NiFi is
>>             installed. This allows you to verify TLS, ports, network
>>             reachability, and the correctness of the credentials
>>             themselves.
>>
>>
>>
>>             Something like:
>>
>>
>>
>>             $ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D "cn=admin,dc=<your_org>,dc=com" -W
>>
>>
>>
>>             That will conduct a general search using the account
>>             provided by -D, and prompt for the password with -W. You can
>>             also switch out the account in -D for the specific user
>>             you’re trying to log in as to verify those credentials.
>>
>>
>>
>>             [1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
>>
>>             [2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
>>
>>
>>
>>             Andy LoPresto
>>             alopresto@apache.org <ma...@apache.org>
>>             /alopresto.apache@gmail.com <ma...@gmail.com>/
>>             He/Him
>>
>>             PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>
>>                 On Aug 2, 2020, at 1:11 PM, White, Daniel <Daniel.White@lgim.com <ma...@lgim.com>> wrote:
>>
>>
>>
>>                 Hi All,
>>
>>
>>
>>                 Looking for some assistance with setting up SSL/LDAP to
>>                 enable user admin within Nifi.
>>
>>
>>
>>                 I’ve set up and configured my non-prod environment but am
>>                 having an issue logging in:
>>
>>
>>
>>                 Unable to validate the supplied credentials. Please
>>                 contact the system administrator
>>
>>
>>
>>                 I’ve followed the config guide and am stuck as to what
>>                 the issue could be.
>>
>>
>>
>>                 The steps I followed :
>>
>>
>>
>>                  1. Generate keys etc using tls-toolkit.sh
>>                  2. Updated nifi.properties to set
>>                     nifi.security.user.login.identity.provider=ldap-provider
>>                  3. Modified login-identity-providers.xml (copy attached)
>>                  4. Modified authorizers.xml (copy attached)
>>
>>
>>
>>                 Nifi starts and I can get to the login page, just unable
>>                 to login (with error shown above).
>>
>>
>>
>>                 Any help will be very gratefully received.
>>
>>
>>
>>                 Thanks
>>
>>
>>
>>                 *Dan White *
>>                 *Lead Technical Architect**
>>                 *Legal & General Investment Management
>>                 One Coleman Street, London, EC2R 5AA
>>                 Tel: +44 203 124 4048
>>
>>                 Mob: +44 7980 027 656
>>
>>
>>                 http://www.lgim.com/
>>
>>
>>
>>                 This e-mail (and any attachments) may contain privileged
>>                 and/or confidential information. If you are not the
>>                 intended recipient please do not disclose, copy,
>>                 distribute, disseminate or take any action in reliance
>>                 on it. If you have received this message in error please
>>                 reply and tell us and then delete it. Should you wish to
>>                 communicate with us by e-mail we cannot guarantee the
>>                 security of any data outside our own computer systems.
>>
>>                 Any information contained in this message may be subject
>>                 to applicable terms and conditions and must not be
>>                 construed as giving investment advice within or outside
>>                 the United Kingdom or Republic of Ireland.
>>
>>                 Telephone Conversations may be recorded for your
>>                 protection and to ensure quality of service
>>
>>                 Legal & General Investment Management Limited (no
>>                 2091894), LGIM Real Assets (Operator) Limited (no
>>                 05522016), LGIM (International) Limited (no 7716001)
>>                 Legal & General Unit Trust Managers (no 1009418), GO ETF
>>                 Solutions LLP (OC329482) and LGIM Corporate Director
>>                 Limited (no 7105051) are authorised and regulated by the
>>                 Financial Conduct Authority. All are registered in
>>                 England & Wales with a registered office at One Coleman
>>                 Street, London, EC2R 5AA
>>
>>                 Legal & General Assurance (Pensions Management) Limited
>>                 (no 1006112) is authorised by the Prudential Regulation
>>                 Authority and regulated by the Financial Conduct
>>                 Authority and the Prudential Regulation Authority. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 Legal & General Property Limited (no 2091897) is
>>                 authorised and regulated by the Financial Conduct
>>                 Authority for insurance mediation activities. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 LGIM Managers (Europe) Limited is authorised and
>>                 regulated by the Central Bank of Ireland (C173733). It
>>                 is registered in the Republic of Ireland (no 609677)
>>                 with a registered office at 33/34 Sir John Rogerson's
>>                 Quay, Dublin 2, D02 XK09.
>>
>>                 Legal & General Group PLC, Registered Office One Coleman
>>                 Street, London, EC2R 5AA.
>>
>>                 Registered in England no: 1417162
>>                 ________________________________________________________________________
>>                 **** This email has come from the internet and has been
>>                 scanned for all viruses and potentially offensive
>>                 content by Messagelabs on behalf of Legal & General ****
>>                 <authorizers.xml><login-identity-providers.xml>

Re: SSL/LDAP Configuration

Posted by Johannes Meixner <jo...@meixner.ch>.
Hi Daniel,

You define all those in authorizers.xml and use the
file-user-group-provider to allow access to non-LDAP resources --
Initial admin users (FileAccessPolicyProvider, in case LDAP goes down)
and NiFi hosts (FileUserGroupProvider).

You should find Cloudera docs by just typing in all the class names into
Google.


-- 
Johannes Meixner

web: https://www.meixner.ch

Meixner GmbH
Switzerland


On 2020-09-24 14:39, White, Daniel wrote:
> Hi Johannes,
> 
> Thanks.
> 
> So do I need to configure all of those in the authorizers.xml or just the ones that relate to LDAP? I'm only going to be authorizing via LDAP and don't really understand the need for the file-user-group-provider?
> 
> Apologies if this is a stupid question but we are new to Nifi.
> 
> Are there any worked examples that you know of for these config files?
> 
> Thanks
> Dan
> 
> -----Original Message-----
> From: Johannes Meixner <jo...@meixner.ch>
> Sent: 24 September 2020 12:35
> To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
> Subject: Re: SSL/LDAP Configuration
> 
> CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.
> 
> 
> Hi Daniel
> 
> Your NiFi setup is choking because in line 278 of authorizers.xml you define a file-user-group-provider but never create it (lines 47-54 are commented out).
> 
> What you might want to do is look into the CompositeConfigurableUserGroupProvider class with subs file-user-group-provider and ldap-user-group-provider.
> 
> So you get something like this:
> 
> StandardManagedAuthorizer --> FileAccessPolicyProvider --> CompositeConfigurableUserGroupProvider --> file-user-group-provider / ldap-user-group-provider (all in authorizers.xml).
> 
> Hope that helps
> 
> 
> --
> Johannes Meixner
> 
> web: https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.meixner.ch%2F&amp;data=02%7C01%7CDaniel.White%40lgim.com%7C0717aac2d3914b6f48aa08d8607e13ba%7Cd246baabcc004ed2bc4ef8a46cbc590d%7C0%7C1%7C637365441895130494&amp;sdata=YoAhW1w3y9%2Fse9H4W0oIrNRVA5kSuTeu3Yrx23yDMDc%3D&amp;reserved=0
> 
> Meixner GmbH
> Switzerland
> On 2020-09-24 13:16, White, Daniel wrote:
>> Welcome anyone else’s view on this or experience/examples used in the setup.
>>
>>
>>
>> *From:*White, Daniel <Da...@lgim.com>
>> *Sent:* 24 September 2020 10:15
>> *To:* users@nifi.apache.org
>> *Subject:* RE: SSL/LDAP Configuration
>>
>>
>>
>> Hi Andy,
>>
>>
>>
>> Still getting issues trying to make LDAP integration work – Is there a
>> reference document which shows worked examples of the configurations?
>>
>>
>>
>> I’ve attached my latest .xml files – Any help is gratefully received.
>>
>>
>>
>> I’m currently getting the following error on startup :
>>
>>
>>
>>
>>
>> Thanks
>>
>> Dan
>>
>>
>>
>> *From:*Andy LoPresto <alopresto.apache@gmail.com
>> <ma...@gmail.com>>
>> *Sent:* 23 August 2020 01:06
>> *To:* users@nifi.apache.org <ma...@nifi.apache.org>
>> *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>> CAUTION:This email originated from outside of the organisation. Do not
>> click links or open attachments unless you recognise the sender and
>> know the content is safe.
>>
>>
>>
>> Ok to diagnose, look at the users.xml to see if there is a user
>> matching that DN, and if so, it should have a UUID. Then in the
>> authorizations.xml there should be policies defined in a hierarchical
>> manner associating those users with a right on a specific resource
>> (component/processor). If so, you can copy/paste as many as you want
>> to define them.
>>
>>
>>
>> Again, this is not the ideal situation; most of this should be
>> possible through the UI but I’m not sitting there to diagnose the issue.
>>
>> Andy LoPresto
>>
>> alopresto@apache.org <ma...@apache.org>
>> alopresto.apache@gmail.com <ma...@gmail.com>
>>
>> He/Him
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>>
>>
>>     On Aug 22, 2020, at 16:56, White, Daniel <Daniel.White@lgim.com
>>     <ma...@lgim.com>> wrote:
>>
>>     
>>
>>     Hi Andy,
>>
>>
>>
>>     I tried removing users.xml and authorizations.xml but I’m still
>>     getting the same error.
>>
>>
>>
>>     Suspect it’s something to do with authorizers.xml, but I can’t see
>>     any issues with it.
>>
>>
>>
>>     I see this in the nifi-user.log :
>>
>>
>>
>>     <image001.png>
>>
>>     Thanks
>>
>>     Dan
>>
>>
>>
>>     *From:*Andy LoPresto <alopresto.apache@gmail.com
>>     <ma...@gmail.com>>
>>     *Sent:* 23 August 2020 00:12
>>     *To:* users@nifi.apache.org <ma...@nifi.apache.org>
>>     *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>     CAUTION:This email originated from outside of the organisation. Do
>>     not click links or open attachments unless you recognise the sender
>>     and know the content is safe.
>>
>>
>>
>>     Daniel,
>>
>>
>>
>>     A couple options:
>>
>>
>>
>>     The “easy way” is to shut down NiFi, delete “users.xml” and
>>     “authorizations.xml” in the “conf/“ directory, and then restart
>>     NiFi. Whatever user was specified as the IAI should have enough
>>     permissions to get started now.
>>
>>
>>
>>     Once you can access the main canvas, you’ll want to go into the
>>     global policies dialog (global menu top right > policies) and give
>>     yourself the specific view & modify permissions on the root process
>>     group. I understand this manual effort is less than ideal, but the
>>     stages in which things are defined has mandated this for now.
>>
>>
>>
>>     I think the User Guide does a good job of explaining the theory here
>>     as well as specific component steps (but doesn’t go soup to nuts on
>>     the process), so I’d recommend that as well as the “end” (the last
>>     3-4 steps) of the Walkthrough guide section on securing NiFi.
>>
>>
>>
>>     I’m on my phone so I don’t have all my usual resources available,
>>     but hopefully this guides you in the right direction. If not, please
>>     let me know and tomorrow I can provide more specific instructions.
>>
>>
>>
>>
>>
>>     Andy LoPresto
>>
>>     alopresto@apache.org <ma...@apache.org>
>>     alopresto.apache@gmail.com <ma...@gmail.com>
>>
>>     He/Him
>>     PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D
>> EF69
>>
>>
>>
>>         On Aug 22, 2020, at 16:05, White, Daniel <Daniel.White@lgim.com
>>         <ma...@lgim.com>> wrote:
>>
>>         
>>
>>         Hi Andy,
>>
>>
>>
>>         I’ve now managed to login to Nifi using my AD account but am
>>         getting the following error :
>>
>>
>>
>>         Insufficient Permissions – No applicable policies could be found.
>>
>>
>>
>>         <image001.png>
>>
>>
>>
>>         Any pointers would be gratefully received.
>>
>>
>>
>>         Thanks
>>
>>         Dan
>>
>>
>>
>>         *From:*Andy LoPresto <alopresto@apache.org
>>         <ma...@apache.org>>
>>         *Sent:* 03 August 2020 03:07
>>         *To:* users@nifi.apache.org <ma...@nifi.apache.org>
>>         *Subject:* Re: SSL/LDAP Configuration
>>
>>
>>
>>         Also, your authorizers.xml is not correct — you haven’t
>>         configured (or even uncommented) the LDAP user group provider,
>>         so the specified user group provider is the file users.xml, and
>>         you haven’t configured any initial admins, so no users will be
>>         allowed to log in. Did you follow the steps in the NiFi Admin
>>         Guide [3][4] for configuring this? Authentication and
>>         authorization are decoupled in NiFi, and while you can use LDAP
>>         for both, you’ll have to configure it for each.
>>
>>
>>
>>         Also, your login-identity-providers.xml uses START_TLS as the
>>         authentication strategy but does not specify any properties for
>>         the keystore or truststore, which will be required.
>>
>>
>>
>>         [3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
>>
>>         [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider
>>
>>
>>
>>
>>
>>
>>
>>         Andy LoPresto
>>         alopresto@apache.org <ma...@apache.org>
>>         /alopresto.apache@gmail.com <ma...@gmail.com>/
>>         He/Him
>>
>>         PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D
>> EF69
>>
>>
>>
>>
>>             On Aug 2, 2020, at 7:02 PM, Andy LoPresto
>>             <alopresto@apache.org <ma...@apache.org>> wrote:
>>
>>
>>
>>             Hi Daniel,
>>
>>
>>
>>             Did you verify that the provided credentials are correct?
>>             There will be two sets — the “manager” DN and password which
>>             are provided as configuration values in the authorizers.xml
>>             file, and the individual user credentials provided on each
>>             login attempt. The manager credentials allow NiFi to make an
>>             authenticated request to the LDAP service, and the request
>>             itself contains the user’s credentials.
>>
>>
>>
>>             You can verify these credentials by using the ldapsearch
>>             [1][2] tool from one of the machines where NiFi is
>>             installed. This allows you to verify TLS, ports, network
>>             reachability, and the correctness of the credentials
>>             themselves.
>>
>>
>>
>>             Something like:
>>
>>
>>
>>             $ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D "cn=admin,dc=<your_org>,dc=com" -W
>>
>>
>>
>>             That will conduct a general search using the account
>>             provided by -D, and prompt for the password with -W. You can
>>             also switch out the account in -D for the specific user
>>             you’re trying to log in as to verify those credentials.
>>
>>
>>
>>             [1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
>>
>>             [2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
>>
>>
>>
>>             Andy LoPresto
>>             alopresto@apache.org <ma...@apache.org>
>>             /alopresto.apache@gmail.com <ma...@gmail.com>/
>>             He/Him
>>
>>             PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B
>>             2F7D EF69
>>
>>
>>
>>
>>                 On Aug 2, 2020, at 1:11 PM, White, Daniel
>>                 <Daniel.White@lgim.com <ma...@lgim.com>>
>>                 wrote:
>>
>>                 Hi All,
>>
>>
>>
>>                 Looking for some assistance with setting up SSL/LDAP to
>>                 enable user admin within Nifi.
>>
>>
>>
>>                 I’ve set up and configured my non-prod environment but am
>>                 having issues logging in:
>>
>>
>>
>>                 Unable to validate the supplied credentials. Please
>>                 contact the system administrator
>>
>>
>>
>>                 I’ve followed the config guide and am stuck as to what
>>                 the issue could be.
>>
>>
>>
>>                 The steps I followed :
>>
>>
>>
>>                  1. Generate keys etc using tls-toolkit.sh
>>                  2. Updated nifi.properties to set
>>                     nifi.security.user.login.identity.provider=ldap-provider
>>                  3. Modified login-identity-providers.xml (copy attached)
>>                  4. Modified authorizers.xml (copy attached)
>>
>>
>>
>>                 Nifi starts and I can get to the login page, just unable
>>                 to login (with error shown above).
>>
>>
>>
>>                 Any help will be very gratefully received.
>>
>>
>>
>>                 Thanks
>>
>>
>>
>>                 Dan White
>>                 Lead Technical Architect
>>                 Legal & General Investment Management
>>                 One Coleman Street, London, EC2R 5AA
>>                 Tel: +44 203 124 4048
>>
>>                 Mob: +44 7980 027 656
>>
>>                 http://www.lgim.com/
>>
>>
>>
>>                 This e-mail (and any attachments) may contain privileged
>>                 and/or confidential information. If you are not the
>>                 intended recipient please do not disclose, copy,
>>                 distribute, disseminate or take any action in reliance
>>                 on it. If you have received this message in error please
>>                 reply and tell us and then delete it. Should you wish to
>>                 communicate with us by e-mail we cannot guarantee the
>>                 security of any data outside our own computer systems.
>>
>>                 Any information contained in this message may be subject
>>                 to applicable terms and conditions and must not be
>>                 construed as giving investment advice within or outside
>>                 the United Kingdom or Republic of Ireland.
>>
>>                 Telephone Conversations may be recorded for your
>>                 protection and to ensure quality of service
>>
>>                 Legal & General Investment Management Limited (no
>>                 2091894), LGIM Real Assets (Operator) Limited (no
>>                 05522016), LGIM (International) Limited (no 7716001)
>>                 Legal & General Unit Trust Managers (no 1009418), GO ETF
>>                 Solutions LLP (OC329482) and LGIM Corporate Director
>>                 Limited (no 7105051) are authorised and regulated by the
>>                 Financial Conduct Authority. All are registered in
>>                 England & Wales with a registered office at One Coleman
>>                 Street, London, EC2R 5AA
>>
>>                 Legal & General Assurance (Pensions Management) Limited
>>                 (no 1006112) is authorised by the Prudential Regulation
>>                 Authority and regulated by the Financial Conduct
>>                 Authority and the Prudential Regulation Authority. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 Legal & General Property Limited (no 2091897) is
>>                 authorised and regulated by the Financial Conduct
>>                 Authority for insurance mediation activities. It is
>>                 registered in England & Wales with a registered office
>>                 at One Coleman Street, London, EC2R 5AA.
>>
>>                 LGIM Managers (Europe) Limited is authorised and
>>                 regulated by the Central Bank of Ireland (C173733). It
>>                 is registered in the Republic of Ireland (no 609677)
>>                 with a registered office at 33/34 Sir John Rogerson's
>>                 Quay, Dublin 2, D02 XK09.
>>
>>                 Legal & General Group PLC, Registered Office One Coleman
>>                 Street, London, EC2R 5AA.
>>
>>                 Registered in England no: 1417162
>>                 ________________________________________________________________________
>>                 **** This email has come from the internet and has been
>>                 scanned for all viruses and potentially offensive
>>                 content by Messagelabs on behalf of Legal & General ****
>>                 <authorizers.xml><login-identity-providers.xml>
>>


RE: SSL/LDAP Configuration

Posted by "White, Daniel" <Da...@lgim.com>.
Hi Johannes,

Thanks.

So do I need to configure all of those in the authorizers.xml or just the ones that relate to LDAP? I'm only going to be authorizing via LDAP and don't really understand the need for the file-user-group-provider?

Apologies if this is a stupid question but we are new to Nifi.

Are there any worked examples that you know of for these config files?

Thanks
Dan

-----Original Message-----
From: Johannes Meixner <jo...@meixner.ch>
Sent: 24 September 2020 12:35
To: users@nifi.apache.org; White, Daniel <Da...@lgim.com>
Subject: Re: SSL/LDAP Configuration


Hi Daniel

Your NiFi setup is choking because in line 278 of authorizers.xml you define a file-user-group-provider but never create it (lines 47-54 are commented out).

What you might want to do is look into the CompositeConfigurableUserGroupProvider class with subs file-user-group-provider and ldap-user-group-provider.

So you get something like this:

StandardManagedAuthorizer --> FileAccessPolicyProvider --> CompositeConfigurableUserGroupProvider --> file-user-group-provider / ldap-user-group-provider (all in authorizers.xml).

Hope that helps


--
Johannes Meixner

web: https://www.meixner.ch/

Meixner GmbH
Switzerland
On 2020-09-24 13:16, White, Daniel wrote:
> Welcome anyone else’s view on this or experience/examples used in the setup.
>
>
>
> *From:*White, Daniel <Da...@lgim.com>
> *Sent:* 24 September 2020 10:15
> *To:* users@nifi.apache.org
> *Subject:* RE: SSL/LDAP Configuration
>
>
>
> Hi Andy,
>
>
>
> Still getting issues trying to make LDAP integration work – Is there a
> reference document which shows worked examples of the configurations?
>
>
>
> I’ve attached my latest .xml files – Any help is gratefully received.
>
>
>
> I’m currently getting the following error on startup :
>
>
>
>
>
> Thanks
>
> Dan
>
>
>
> *From:*Andy LoPresto <alopresto.apache@gmail.com
> <ma...@gmail.com>>
> *Sent:* 23 August 2020 01:06
> *To:* users@nifi.apache.org <ma...@nifi.apache.org>
> *Subject:* Re: SSL/LDAP Configuration
>
>
>
> CAUTION:This email originated from outside of the organisation. Do not
> click links or open attachments unless you recognise the sender and
> know the content is safe.
>
>
>
> Ok to diagnose, look at the users.xml to see if there is a user
> matching that DN, and if so, it should have a UUID. Then in the
> authorizations.xml there should be policies defined in a hierarchical
> manner associating those users with a right on a specific resource
> (component/processor). If so, you can copy/paste as many as you want
> to define them.
>
>
>
> Again, this is not the ideal situation; most of this should be
> possible through the UI but I’m not sitting there to diagnose the issue.
>
> Andy LoPresto
>
> alopresto@apache.org <ma...@apache.org>
> alopresto.apache@gmail.com <ma...@gmail.com>
>
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
>
>
>     On Aug 22, 2020, at 16:56, White, Daniel <Daniel.White@lgim.com
>     <ma...@lgim.com>> wrote:
>
>     
>
>     Hi Andy,
>
>
>
>     I tried removing users.xml and authorizations.xml but I’m still
>     getting the same error.
>
>
>
>     Suspect it’s something to do with authorizers.xml, but I can’t see
>     any issues with it.
>
>
>
>     I see this in the nifi-user.log :
>
>
>
>     <image001.png>
>
>     Thanks
>
>     Dan
>
>
>
>     *From:*Andy LoPresto <alopresto.apache@gmail.com
>     <ma...@gmail.com>>
>     *Sent:* 23 August 2020 00:12
>     *To:* users@nifi.apache.org <ma...@nifi.apache.org>
>     *Subject:* Re: SSL/LDAP Configuration
>
>
>
>     CAUTION:This email originated from outside of the organisation. Do
>     not click links or open attachments unless you recognise the sender
>     and know the content is safe.
>
>
>
>     Daniel,
>
>
>
>     A couple options:
>
>
>
>     The “easy way” is to shut down NiFi, delete “users.xml” and
>     “authorizations.xml” in the “conf/“ directory, and then restart
>     NiFi. Whatever user was specified as the IAI should have enough
>     permissions to get started now.
>
>
>
>     Once you can access the main canvas, you’ll want to go into the
>     global policies dialog (global menu top right > policies) and give
>     yourself the specific view & modify permissions on the root process
>     group. I understand this manual effort is less than ideal, but the
>     stages in which things are defined has mandated this for now.
>
>
>
>     I think the User Guide does a good job of explaining the theory here
>     as well as specific component steps (but doesn’t go soup to nuts on
>     the process), so I’d recommend that as well as the “end” (the last
>     3-4 steps) of the Walkthrough guide section on securing NiFi.
>
>
>
>     I’m on my phone so I don’t have all my usual resources available,
>     but hopefully this guides you in the right direction. If not, please
>     let me know and tomorrow I can provide more specific instructions.
>
>
>
>
>
>     Andy LoPresto
>
>     alopresto@apache.org <ma...@apache.org>
>     alopresto.apache@gmail.com <ma...@gmail.com>
>
>     He/Him
>     PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D
> EF69
>
>
>
>         On Aug 22, 2020, at 16:05, White, Daniel <Daniel.White@lgim.com
>         <ma...@lgim.com>> wrote:
>
>         
>
>         Hi Andy,
>
>
>
>         I’ve now managed to login to Nifi using my AD account but am
>         getting the following error :
>
>
>
>         Insufficient Permissions – No applicable policies could be found.
>
>
>
>         <image001.png>
>
>
>
>         Any pointers would be gratefully received.
>
>
>
>         Thanks
>
>         Dan
>
>
>
>         *From:*Andy LoPresto <alopresto@apache.org
>         <ma...@apache.org>>
>         *Sent:* 03 August 2020 03:07
>         *To:* users@nifi.apache.org <ma...@nifi.apache.org>
>         *Subject:* Re: SSL/LDAP Configuration
>
>
>
>         CAUTION:This email originated from outside of the organisation.
>         Do not click links or open attachments unless you recognise the
>         sender and know the content is safe.
>
>
>
>         Also, your authorizers.xml is not correct — you haven’t
>         configured (or even uncommented) the LDAP user group provider,
>         so the specified user group provider is the file users.xml, and
>         you haven’t configured any initial admins, so no users will be
>         allowed to log in. Did you follow the steps in the NiFi Admin
>         Guide [3][4] for configuring this? Authentication and
>         authorization are decoupled in NiFi, and while you can use LDAP
>         for both, you’ll have to configure it for each.
>
>
>
>         Also, your login-identity-providers.xml uses START_TLS as the
>         authentication strategy but does not specify any properties for
>         the keystore or truststore, which will be required.
>
>
>
>         [3] https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnifi.apache.org%2Fdocs%2Fnifi-docs%2Fhtml%2Fadministration-guide.html%23ldap_login_identity_provider&amp;data=02%7C01%7CDaniel.White%40lgim.com%7C0717aac2d3914b6f48aa08d8607e13ba%7Cd246baabcc004ed2bc4ef8a46cbc590d%7C0%7C1%7C637365441895130494&amp;sdata=1Jd20hyK%2BaV3AC8ftm7hjGdFnhbHJD2DhUwPp8%2BXrVc%3D&amp;reserved=0
>
> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnif
> i.apache.org%2Fdocs%2Fnifi-docs%2Fhtml%2Fadministration-guide.html%23l
> dap_login_identity_provider&amp;data=02%7C01%7CDaniel.White%40lgim.com
> %7C0717aac2d3914b6f48aa08d8607e13ba%7Cd246baabcc004ed2bc4ef8a46cbc590d
> %7C0%7C1%7C637365441895130494&amp;sdata=1Jd20hyK%2BaV3AC8ftm7hjGdFnhbH
> JD2DhUwPp8%2BXrVc%3D&amp;reserved=0>
>
>         [4] https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnifi.apache.org%2Fdocs%2Fnifi-docs%2Fhtml%2Fadministration-guide.html%23ldapusergroupprovider&amp;data=02%7C01%7CDaniel.White%40lgim.com%7C0717aac2d3914b6f48aa08d8607e13ba%7Cd246baabcc004ed2bc4ef8a46cbc590d%7C0%7C1%7C637365441895130494&amp;sdata=fSs3cI%2Fob2aFJApOHygrWoNMETozYqgKZeJDRTb%2Fo3U%3D&amp;reserved=0
>
> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnif
> i.apache.org%2Fdocs%2Fnifi-docs%2Fhtml%2Fadministration-guide.html%23l
> dapusergroupprovider&amp;data=02%7C01%7CDaniel.White%40lgim.com%7C0717
> aac2d3914b6f48aa08d8607e13ba%7Cd246baabcc004ed2bc4ef8a46cbc590d%7C0%7C
> 1%7C637365441895130494&amp;sdata=fSs3cI%2Fob2aFJApOHygrWoNMETozYqgKZeJ
> DRTb%2Fo3U%3D&amp;reserved=0>
>
>
>
>
>
>
>
>         Andy LoPresto
>         alopresto@apache.org <ma...@apache.org>
>         /alopresto.apache@gmail.com <ma...@gmail.com>/
>         He/Him
>
>         PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D
> EF69
>
>
>
>
>             On Aug 2, 2020, at 7:02 PM, Andy LoPresto
>             <alopresto@apache.org <ma...@apache.org>> wrote:
>
>
>
>             Hi Daniel,
>
>
>
>             Did you verify that the provided credentials are correct?
>             There will be two sets — the “manager” DN and password which
>             are provided as configuration values in the authorizers.xml
>             file, and the individual user credentials provided on each
>             login attempt. The manager credentials allow NiFi to make an
>             authenticated request to the LDAP service, and the request
>             itself contains the user’s credentials.
>
>
>
>             You can verify these credentials by using the ldapsearch
>             [1][2] tool from one of the machines where NiFi is
>             installed. This allows you to verify TLS, ports, network
>             reachability, and the correctness of the credentials
>             themselves.
>
>
>
>             Something like:
>
>
>
>             $ ldapsearch -x -b “dc=<your_org>,dc=com" -H
>             ldap://<ldap_server_url> -D
> "cn=admin,dc=<your_org>,dc=com" -W
>
>
>
>             That will conduct a general search using the account
>             provided by -D, and prompt for the password with -W. You can
>             also switch out the account in -D for the specific user
>             you’re trying to log in as to verify those credentials.
>
>
>
>             [1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
>
>             [2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
>
>
>
>             Andy LoPresto
>             alopresto@apache.org <ma...@apache.org>
>             /alopresto.apache@gmail.com <ma...@gmail.com>/
>             He/Him
>
>             PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B
>             2F7D EF69
>
>
>
>
>                 On Aug 2, 2020, at 1:11 PM, White, Daniel
>                 <Daniel.White@lgim.com <ma...@lgim.com>>
>                 wrote:
>
>
>
>                 Confidential
>
>
>
>                 Hi All,
>
>
>
>                 Looking for some assistance with setting up SSL/LDAP to
>                 enable user admin within Nifi.
>
>
>
>                 I’ve setup and configured my non-prod environment but am
>                 having issue login in :
>
>
>
>                 Unable to validate the supplied credentials. Please
>                 contact the system administrator
>
>
>
>                 I’ve followed the config guide and am stuck as to what
>                 the issue could be.
>
>
>
>                 The steps I followed :
>
>
>
>                  1. Generate keys etc using tls-toolkit.sh
>                  2. Updated nifi.properties to set
>                     nifi.security.user.login.identity.provider=ldap-provider
>                  3. Modified login-identity-providers.xml (copy attached)
>                  4. Modified authorizers.xml (copy attached)
>
>
>
>                 Nifi starts and I can get to the login page, just unable
>                 to login (with error shown above).
>
>
>
>                 Any help will be very grateful.
>
>
>
>                 Thanks
>
>
>
>                 *Dan White *
>                 *Lead Technical Architect**
>                 *Legal & General Investment Management
>                 One Coleman Street, London, EC2R 5AA
>                 Tel: +44 203 124 4048
>
>                 Mob: +44 7980 027 656
>
>                 www.lgim.com
>
>
>
>                 This e-mail (and any attachments) may contain privileged
>                 and/or confidential information. If you are not the
>                 intended recipient please do not disclose, copy,
>                 distribute, disseminate or take any action in reliance
>                 on it. If you have received this message in error please
>                 reply and tell us and then delete it. Should you wish to
>                 communicate with us by e-mail we cannot guarantee the
>                 security of any data outside our own computer systems.
>
>                 Any information contained in this message may be subject
>                 to applicable terms and conditions and must not be
>                 construed as giving investment advice within or outside
>                 the United Kingdom or Republic of Ireland.
>
>                 Telephone Conversations may be recorded for your
>                 protection and to ensure quality of service
>
>                 Legal & General Investment Management Limited (no
>                 2091894), LGIM Real Assets (Operator) Limited (no
>                 05522016), LGIM (International) Limited (no 7716001)
>                 Legal & General Unit Trust Managers (no 1009418), GO ETF
>                 Solutions LLP (OC329482) and LGIM Corporate Director
>                 Limited (no 7105051) are authorised and regulated by the
>                 Financial Conduct Authority. All are registered in
>                 England & Wales with a registered office at One Coleman
>                 Street, London, EC2R 5AA
>
>                 Legal & General Assurance (Pensions Management) Limited
>                 (no 1006112) is authorised by the Prudential Regulation
>                 Authority and regulated by the Financial Conduct
>                 Authority and the Prudential Regulation Authority. It is
>                 registered in England & Wales with a registered office
>                 at One Coleman Street, London, EC2R 5AA.
>
>                 Legal & General Property Limited (no 2091897) is
>                 authorised and regulated by the Financial Conduct
>                 Authority for insurance mediation activities. It is
>                 registered in England & Wales with a registered office
>                 at One Coleman Street, London, EC2R 5AA.
>
>                 LGIM Managers (Europe) Limited is authorised and
>                 regulated by the Central Bank of Ireland (C173733). It
>                 is registered in the Republic of Ireland (no 609677)
>                 with a registered office at 33/34 Sir John Rogerson's
>                 Quay, Dublin 2, D02 XK09.
>
>                 Legal & General Group PLC, Registered Office One Coleman
>                 Street, London, EC2R 5AA.
>
>                 Registered in England no: 1417162
>                 ________________________________________________________________________
>                 **** This email has come from the internet and has been
>                 scanned for all viruses and potentially offensive
>                 content by Messagelabs on behalf of Legal & General ****
>                 <authorizers.xml><login-identity-providers.xml>
>
>
>
>
>
>


Re: SSL/LDAP Configuration

Posted by Johannes Meixner <jo...@meixner.ch>.
Hi Daniel

Your NiFi setup is choking because in line 278 of authorizers.xml you
define a file-user-group-provider but never create it (lines 47-54 are
commented out).

What you might want to do is look into the
CompositeConfigurableUserGroupProvider class with subs
file-user-group-provider and ldap-user-group-provider.

So you get something like this:

StandardManagedAuthorizer --> FileAccessPolicyProvider -->
CompositeConfigurableUserGroupProvider --> file-user-group-provider /
ldap-user-group-provider (all in authorizers.xml).

Hope that helps


-- 
Johannes Meixner

web: https://www.meixner.ch

Meixner GmbH
Switzerland
On 2020-09-24 13:16, White, Daniel wrote:
> Welcome anyone else’s view on this or experience/examples used in the setup.
> 
>  
> 
> *From:*White, Daniel <Da...@lgim.com>
> *Sent:* 24 September 2020 10:15
> *To:* users@nifi.apache.org
> *Subject:* RE: SSL/LDAP Configuration
> 
>  
> 
> Hi Andy,
> 
>  
> 
> Still getting issues trying to make LDAP integration work – Is there a
> reference document which shows worked examples of the configurations?
> 
>  
> 
> I’ve attached my latest .xml files – Any help is gratefully received.
> 
>  
> 
> I’m currently getting the following error on startup :
> 
>  
> 
>  
> 
> Thanks
> 
> Dan

RE: SSL/LDAP Configuration

Posted by "White, Daniel" <Da...@lgim.com>.
Welcome anyone else’s view on this or experience/examples used in the setup.

From: White, Daniel <Da...@lgim.com>
Sent: 24 September 2020 10:15
To: users@nifi.apache.org
Subject: RE: SSL/LDAP Configuration

Hi Andy,

Still getting issues trying to make LDAP integration work – Is there a reference document which shows worked examples of the configurations?

I’ve attached my latest .xml files – Any help is gratefully received.

I’m currently getting the following error on startup :


Thanks
Dan

From: Andy LoPresto <al...@gmail.com>>
Sent: 23 August 2020 01:06
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: Re: SSL/LDAP Configuration

CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.

Ok to diagnose, look at the users.xml to see if there is a user matching that DN, and if so, it should have a UUID. Then in the authorizations.xml there should be policies defined in a hierarchical manner associating those users with a right on a specific resource (component/processor). If so, you can copy/paste as many as you want to define them.

Again, this is not the ideal situation; most of this should be possible through the UI but I’m not sitting there to diagnose the issue.
Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Aug 22, 2020, at 16:56, White, Daniel <Da...@lgim.com> wrote:

Hi Andy,

I tried removing users.xml and authorizations.xml but I’m still getting the same error.

Suspect it’s something to do with authorizers.xml, but I can’t see any issues with it.

I see this in the nifi-user.log :

<image001.png>
Thanks
Dan

From: Andy LoPresto <al...@gmail.com>
Sent: 23 August 2020 00:12
To: users@nifi.apache.org
Subject: Re: SSL/LDAP Configuration

Daniel,

A couple options:

The “easy way” is to shut down NiFi, delete “users.xml” and “authorizations.xml” in the “conf/“ directory, and then restart NiFi. Whatever user was specified as the IAI should have enough permissions to get started now.

Once you can access the main canvas, you’ll want to go into the global policies dialog (global menu top right > policies) and give yourself the specific view & modify permissions on the root process group. I understand this manual effort is less than ideal, but the stages in which things are defined have mandated this for now.

I think the User Guide does a good job of explaining the theory here as well as specific component steps (but doesn’t go soup to nuts on the process), so I’d recommend that as well as the “end” (the last 3-4 steps) of the Walkthrough guide section on securing NiFi.

I’m on my phone so I don’t have all my usual resources available, but hopefully this guides you in the right direction. If not, please let me know and tomorrow I can provide more specific instructions.


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
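As an added worked example (not from this thread or from the NiFi project), here is a minimal users.xml and authorizations.xml for a single LDAP user, showing both the user/UUID/policy structure Andy describes and the view & modify rights on the root process group. The DN, the UUIDs and ROOT_PG_ID are constructed placeholders; the real root group id is the rootGroup id in conf/flow.xml.gz.

```xml
<!-- conf/users.xml: constructed example; the UUIDs and DN are placeholders -->
<tenants>
    <groups/>
    <users>
        <!-- identity = the login identity; identifier = what authorizations.xml references -->
        <user identifier="aaaaaaaa-0000-4000-8000-000000000001"
              identity="cn=nifi-admin,ou=users,dc=example,dc=com"/>
    </users>
</tenants>

<!-- conf/authorizations.xml: one policy per resource + action (R or W), each listing
     user identifiers (not identities). ROOT_PG_ID is the root group id from flow.xml.gz -->
<authorizations>
    <policies>
        <!-- see the canvas at all -->
        <policy identifier="bbbbbbbb-0000-4000-8000-000000000001" resource="/flow" action="R">
            <user identifier="aaaaaaaa-0000-4000-8000-000000000001"/>
        </policy>
        <!-- the root process group view and modify rights otherwise set by hand in the UI -->
        <policy identifier="bbbbbbbb-0000-4000-8000-000000000002"
                resource="/process-groups/ROOT_PG_ID" action="R">
            <user identifier="aaaaaaaa-0000-4000-8000-000000000001"/>
        </policy>
        <policy identifier="bbbbbbbb-0000-4000-8000-000000000003"
                resource="/process-groups/ROOT_PG_ID" action="W">
            <user identifier="aaaaaaaa-0000-4000-8000-000000000001"/>
        </policy>
        <!-- manage users and policies from the UI instead of editing these files -->
        <policy identifier="bbbbbbbb-0000-4000-8000-000000000004" resource="/tenants" action="R">
            <user identifier="aaaaaaaa-0000-4000-8000-000000000001"/>
        </policy>
        <policy identifier="bbbbbbbb-0000-4000-8000-000000000005" resource="/policies" action="R">
            <user identifier="aaaaaaaa-0000-4000-8000-000000000001"/>
        </policy>
        <policy identifier="bbbbbbbb-0000-4000-8000-000000000006" resource="/policies" action="W">
            <user identifier="aaaaaaaa-0000-4000-8000-000000000001"/>
        </policy>
    </policies>
</authorizations>
```

Edit these files only with NiFi stopped; a user whose identity string differs from the login identity in case or spacing matches no policy and gets the "No applicable policies could be found" error.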


On Aug 22, 2020, at 16:05, White, Daniel <Da...@lgim.com> wrote:

Hi Andy,

I’ve now managed to log in to NiFi using my AD account but am getting the following error :

Insufficient Permissions – No applicable policies could be found.

<image001.png>

Any pointers would be gratefully received.

Thanks
Dan

From: Andy LoPresto <al...@apache.org>
Sent: 03 August 2020 03:07
To: users@nifi.apache.org
Subject: Re: SSL/LDAP Configuration

Also, your authorizers.xml is not correct — you haven’t configured (or even uncommented) the LDAP user group provider, so the specified user group provider is the file users.xml, and you haven’t configured any initial admins, so no users will be allowed to log in. Did you follow the steps in the NiFi Admin Guide [3][4] for configuring this? Authentication and authorization are decoupled in NiFi, and while you can use LDAP for both, you’ll have to configure it for each.

Also, your login-identity-providers.xml uses START_TLS as the authentication strategy but does not specify any properties for the keystore or truststore, which will be required.

[3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
[4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider



Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69



On Aug 2, 2020, at 7:02 PM, Andy LoPresto <al...@apache.org> wrote:

Hi Daniel,

Did you verify that the provided credentials are correct? There will be two sets — the “manager” DN and password which are provided as configuration values in the authorizers.xml file, and the individual user credentials provided on each login attempt. The manager credentials allow NiFi to make an authenticated request to the LDAP service, and the request itself contains the user’s credentials.

You can verify these credentials by using the ldapsearch [1][2] tool from one of the machines where NiFi is installed. This allows you to verify TLS, ports, network reachability, and the correctness of the credentials themselves.

Something like:

$ ldapsearch -x -b "dc=<your_org>,dc=com" -H ldap://<ldap_server_url> -D "cn=admin,dc=<your_org>,dc=com" -W

That will conduct a general search using the account provided by -D, and prompt for the password with -W. You can also switch out the account in -D for the specific user you’re trying to log in as to verify those credentials.

[1] https://forums.opensuse.org/showthread.php/401522-performing-ldapsearch-over-tls-ssl-against-active-directory#post1908811
[2] https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69



On Aug 2, 2020, at 1:11 PM, White, Daniel <Da...@lgim.com> wrote:

Confidential

Hi All,

Looking for some assistance with setting up SSL/LDAP to enable user admin within NiFi.

I’ve set up and configured my non-prod environment but am having an issue logging in:

Unable to validate the supplied credentials. Please contact the system administrator

I’ve followed the config guide and am stuck as to what the issue could be.

The steps I followed:

  1.  Generated keys etc. using tls-toolkit.sh
  2.  Updated nifi.properties to set nifi.security.user.login.identity.provider=ldap-provider
  3.  Modified login-identity-providers.xml (copy attached)
  4.  Modified authorizers.xml (copy attached)

NiFi starts and I can get to the login page, I'm just unable to log in (with the error shown above).

Any help would be very gratefully received.

Thanks

Dan White
Lead Technical Architect
Legal & General Investment Management
One Coleman Street, London, EC2R 5AA
Tel: +44 203 124 4048
Mob: +44 7980 027 656
www.lgim.com

This e-mail (and any attachments) may contain privileged and/or confidential information. If you are not the intended recipient please do not disclose, copy, distribute, disseminate or take any action in reliance on it. If you have received this message in error please reply and tell us and then delete it. Should you wish to communicate with us by e-mail we cannot guarantee the security of any data outside our own computer systems.

Any information contained in this message may be subject to applicable terms and conditions and must not be construed as giving investment advice within or outside the United Kingdom or Republic of Ireland.

Telephone Conversations may be recorded for your protection and to ensure quality of service

Legal & General Investment Management Limited (no 2091894), LGIM Real Assets (Operator) Limited (no 05522016), LGIM (International) Limited (no 7716001) Legal & General Unit Trust Managers (no 1009418), GO ETF Solutions LLP (OC329482) and LGIM Corporate Director Limited (no 7105051) are authorised and regulated by the Financial Conduct Authority. All are registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA

Legal & General Assurance (Pensions Management) Limited (no 1006112) is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. It is registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA.

Legal & General Property Limited (no 2091897) is authorised and regulated by the Financial Conduct Authority for insurance mediation activities. It is registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA.

LGIM Managers (Europe) Limited is authorised and regulated by the Central Bank of Ireland (C173733). It is registered in the Republic of Ireland (no 609677) with a registered office at 33/34 Sir John Rogerson's Quay, Dublin 2, D02 XK09.

Legal & General Group PLC, Registered Office One Coleman Street, London, EC2R 5AA.

Registered in England no: 1417162
<authorizers.xml><login-identity-providers.xml>