Posted to issues@nifi.apache.org by "Rafael Micó (Jira)" <ji...@apache.org> on 2021/02/16 09:38:00 UTC

[jira] [Created] (NIFI-8228) Microsoft Active Directory LDAP integration bug

Rafael Micó created NIFI-8228:
---------------------------------

             Summary: Microsoft Active Directory LDAP integration bug
                 Key: NIFI-8228
                 URL: https://issues.apache.org/jira/browse/NIFI-8228
             Project: Apache NiFi
          Issue Type: Bug
          Components: Security
    Affects Versions: 1.12.1
            Reporter: Rafael Micó
             Fix For: 1.12.1


Hi

When trying to integrate both Authentication and Authorization of NiFi with Microsoft Active Directory via LDAP, we have seen that NiFi is unable to relate a valid Authentication done via ldap-provider (org.apache.nifi.ldap.LdapProvider) with an Authorization (user to group relationship) done via ldap-user-group-provider (org.apache.nifi.ldap.tenants.LdapUserGroupProvider).

As we have seen in the NiFi logs (enabling DEBUG mode) and on TCPDUMP dumps, the issue seems to be related to the ldap-provider authentication. Summarizing:

1.- ldap-provider binds to the LDAP service with the "Manager DN" credentials.

2.- LDAP server (Microsoft Active Directory) responds with a successful bind

3.- ldap-provider searches for the user trying to log in (using sAMAccountName attribute)

4.- LDAP server (Microsoft Active Directory) responds with the information of the relevant user. In this information, the attribute "distinguishedName" is provided like "CN=John,OU=Users,OU=domain,OU=internal"

5.- ldap-provider binds to the LDAP service with the logged-in user's credentials but using the distinguishedName "cn=John,ou=Users,ou=domain,ou=internal", with lowercase LDAP prefixes

6.- LDAP server (Microsoft Active Directory) responds with a successful bind, as the LDAP prefixes are accepted in uppercase or lowercase

7.- ldap-user-group-provider searches for "CN=John,OU=Users,OU=domain,OU=internal", the authenticated user, against "CN=John,OU=Users,OU=domain,OU=internal", the user that has been found in the LDAP authorization. The difference in the LDAP prefixes causes the "CN=John,OU=Users,OU=domain,OU=internal" not to belong to any authorized group, thereafter rejecting the user.

Our configuration:

NiFi login-identity-providers.xml:

{code:xml}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<loginIdentityProviders>
    <!-- https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider -->
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">CN=Nifi,OU=Special Accounts,DC=domain,DC=internal</property>
        <property name="Manager Password">*****************</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap://adserver.domain.internal:389</property>
        <property name="User Search Base">OU=Users,DC=domain,DC=internal</property>
        <property name="User Search Filter">sAMAccountName={0}</property>
        <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>
{code}

NiFi authorizers.xml:

{code:xml}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <!-- https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider -->
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity Node1">CN=nifi_admin, OU=nifi</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">CN=Nifi,OU=Special Accounts,DC=domain,DC=internal</property>
        <property name="Manager Password">*****************</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap://adserver.domain.internal:389</property>
        <property name="Page Size"></property>
        <property name="Sync Interval">10 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>
        <property name="User Search Base">OU=Users,DC=domain,DC=internal</property>
        <property name="User Object Class">user</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">(memberOf=CN=GG_NIFI_Allowed_Users,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal)</property>
        <property name="User Identity Attribute">distinguishedName</property>
        <property name="User Group Name Attribute">memberOf</property>
        <property name="User Group Name Attribute - Referenced Group Attribute">distinguishedName</property>
        <property name="Group Search Base">OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute"></property>
        <!--
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute">distinguishedName</property>
        -->
    </userGroupProvider>
    <userGroupProvider>
        <identifier>composite-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
        <property name="User Group Provider 2">file-user-group-provider</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=nifi_admin, OU=nifi</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
{code}
Extract of NiFi nifi-app.log:

{noformat}
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider -------------------------------------
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider Loaded the following users from LDAP:
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[e4e7bd27-cad9-37c1-af53-a5fb7898de66], identity[CN=Peter,OU=Development,OU=Users,DC=domain,DC=internal]
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[1f8d8309-31d9-3831-a3c0-2a9909500d7f], identity[CN=Frank,OU=Development,OU=Users,DC=domain,DC=internal]
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[7c635418-5897-32a9-8e5b-5a7d9594b7f9], identity[CN=John,OU=Users,DC=domain,DC=internal]
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider --------------------------------------
2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider Loaded the following groups from LDAP:
2021-02-16 06:44:45,814 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[f26c7633-396e-3bdd-83b3-1e395606346d], name[CN=GG_NIFI_Admins,OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal], users[7c635418-5897-32a9-8e5b-5a7d9594b7f9]
2021-02-16 06:44:45,814 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[39854ab9-993e-3523-8c52-193e7e1fdb89], name[CN=GG_NIFI_Users,OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal], users[1f8d8309-31d9-3831-a3c0-2a9909500d7f, e4e7bd27-cad9-37c1-af53-a5fb7898de66]
2021-02-16 06:44:45,814 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider --------------------------------------
{noformat}
Extract of NiFi nifi-user.log:

{noformat}
2021-02-15 14:07:59,252 INFO [NiFi Web Server-170] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi.domain.internal:9443/nifi-api/flow/current-user (source ip: X.Y.Z.W)
2021-02-15 14:07:59,260 INFO [NiFi Web Server-170] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=John,ou=Users,ou=domain,ou=internal
2021-02-15 14:07:59,301 INFO [NiFi Web Server-170] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=John,ou=Users,ou=domain,ou=internal], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=John,ou=Users,ou=domain,ou=internal'. Returning Forbidden response.
{noformat}


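Step 7 of the report comes down to comparing two DNs that differ only in the case of their attribute types ("cn"/"ou" versus "CN"/"OU"). The following is an added example, not NiFi's code; normalize_dn and same_identity are hypothetical helpers. It shows why a plain string comparison of the two DNs quoted in the issue fails, and how a comparison that follows RFC 4514 (attribute types are case-insensitive, values are compared as given) matches them while still telling different entries apart.

```python
import re

# RFC 4514: an unescaped ',' separates RDNs and an unescaped '+' separates the
# attribute/value pairs of a multi-valued RDN; escaped ones are part of a value.
_RDN_SPLIT = re.compile(r"(?<!\\),")
_AVA_SPLIT = re.compile(r"(?<!\\)\+")


def normalize_dn(dn: str, case_sensitive_values: bool = True) -> str:
    """Canonical string form of a DN.

    Attribute types (CN, OU, DC, ...) are case-insensitive by definition, so
    they are lower-cased; whitespace around components is dropped; attribute
    values keep their case unless case_sensitive_values is False.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        avas = []
        for ava in _AVA_SPLIT.split(rdn):
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr, value = ava.split("=", 1)
            value = value.strip()
            if not case_sensitive_values:
                value = value.lower()
            avas.append(f"{attr.strip().lower()}={value}")
        # The order of pairs inside a multi-valued RDN is not significant.
        rdns.append("+".join(sorted(avas)))
    return ",".join(rdns)


def same_identity(a: str, b: str, case_sensitive_values: bool = True) -> bool:
    """True when a and b name the same LDAP entry under the rules above."""
    return normalize_dn(a, case_sensitive_values) == normalize_dn(b, case_sensitive_values)


# Constructed from the issue text: the DN the login provider bound with (step 5)
# and the DN the user-group provider received for the same account (step 4).
AUTHENTICATED_DN = "cn=John,ou=Users,ou=domain,ou=internal"
LOADED_DN = "CN=John,OU=Users,OU=domain,OU=internal"

if __name__ == "__main__":
    # Exact string comparison reproduces the reported mismatch; the
    # normalized comparison recognises both strings as the same user.
    print("exact string match:", AUTHENTICATED_DN == LOADED_DN)
    print("normalized match:  ", same_identity(AUTHENTICATED_DN, LOADED_DN))
```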

--
This message was sent by Atlassian Jira
(v8.3.4#803005)