Posted to issues@nifi.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/12/02 05:49:58 UTC
[jira] [Commented] (NIFI-2325) Add support for LDAPS in authentication provider
[ https://issues.apache.org/jira/browse/NIFI-2325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15714157#comment-15714157 ]
ASF GitHub Bot commented on NIFI-2325:
--------------------------------------
Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/1275
I set up a Docker container running OpenLDAP with certificates I generated using the NiFI TLS toolkit. If I configure `TLS_VERIFY_CLIENT=never` on OpenLDAP and `<property name="TLS - Client Auth">NONE</property>` in `login-identity-providers.xml`, the LDAP login provider works fine.
[Screenshot: Successful user authentication via LDAPS]
However, if I switch to `TLS_VERIFY_CLIENT=demand` and `<property name="TLS - Client Auth">REQUIRED</property>`, I get an "Unable to validate the supplied credentials" error on login and the `logs/nifi-bootstrap.log` fills with TLS negotiation output including the lines below:
```
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** CertificateVerify
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut Signature Algorithm SHA256withRSA
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Handshake, length = 264
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** Finished
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut verify_data: { 12, 201, 103, 33, 205, 116, 165, 164, 117, 65, 44, 206 }
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut ***
2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Handshake, length = 96
2016-12-01 21:19:12,956 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, READ: TLSv1.2 Change Cipher Spec, length = 1
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, READ: TLSv1.2 Handshake, length = 96
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut *** Finished
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut verify_data: { 67, 162, 103, 118, 253, 199, 182, 215, 157, 89, 207, 22 }
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut ***
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut %% Cached client session: [Session-346, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, setSoTimeout(0) called
2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 112
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, received EOFException: ignored
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called closeInternal(false)
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, SEND TLSv1.2 ALERT: warning, description = close_notify
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, WRITE: TLSv1.2 Alert, length = 80
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called closeSocket(false)
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called close()
2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called closeInternal(true)
2016-12-01 21:19:12,970 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 250
2016-12-01 21:19:12,970 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 7
```
I want to continue investigating this tomorrow because I can produce odd results even using the `ldapsearch` tool locally (OpenLDAP configured with client verify `never`):
```
### Trying on port 389 (no TLS)
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto
🔓 4s @ 21:41:04 $ ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -p 389 -v
ldap_initialize( ldap://localhost:389 )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.org
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example
# admin, example.org
dn: cn=admin,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9NWsyemxnYmc3dk1wR2RqVERRQkJCVVlIQ0tQYm04aUo=
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
### Trying on port 636 (LDAPS)
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto
🔓 23s @ 21:41:28 $ ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -p 636 -v
ldap_initialize( ldap://localhost:636 )
ldap_result: Can't contact LDAP server (-1)
### Trying to force TLS (-Z is actually for START_TLS)
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto
🔓 6s @ 21:42:54 $ ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -p 636 -v -Z
ldap_initialize( ldap://localhost:636 )
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
### Verifying that a successful TLS session is negotiated on port 636
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto
🔓 3s @ 21:42:57 $ openssl s_client -connect localhost:636 -debug -state -CAfile cacert.crt -cert ldaps.pem -key ldaps.key
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7f87c1dc3a00 [0x7f87c2811600] (308 bytes => 308 (0x134))
0000 - 16 03 01 01 2f 01 00 01-2b 03 03 09 b3 3c a2 de ..../...+....<..
...
---
SSL handshake has read 2195 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4B35F1...5641E8
Session-ID-ctx:
Master-Key: DBCB82...996654
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1480657473
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Q
DONE
write to 0x7f87c1dc3a00 [0x7f87c281b203] (31 bytes => 31 (0x1F))
0000 - 15 03 03 00 1a 0b 43 b5-33 0f 65 b2 0a 9d 80 e5 ......C.3.e.....
0010 - ef e5 54 12 a9 e5 a9 da-1f d5 87 31 5f 5c d7 ..T........1_\.
SSL3 alert write:warning:close notify
### Verifying that a TLS session is not negotiated over port 389
hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto
🔓 102s @ 21:44:40 $ openssl s_client -connect localhost:389 -debug -state -CAfile cacert.crt -cert ldaps.pem -key ldaps.key
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7f9808700450 [0x7f9809001c00] (308 bytes => 308 (0x134))
0000 - 16 03 01 01 2f 01 00 01-2b 03 03 98 11 20 40 b6 ..../...+.... @.
...
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1480657486
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
```
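The two `openssl s_client` runs above show why the verify code alone is a poor success signal: port 389 also reports `Verify return code: 0 (ok)` even though the handshake read 0 bytes and no cipher was negotiated. The following is an added example (not code from the comment or from the NiFi project) that classifies such output and, as a live equivalent of the `-CAfile/-cert/-key` probe, performs an implicit-TLS handshake with Python's `ssl` module; host names, paths and the sample strings are constructed. Note that `ldapsearch -h host -p 636` builds an `ldap://` URI (as the `ldap_initialize( ldap://localhost:636 )` line shows), so an LDAPS probe needs `-H ldaps://host:636`, while `-Z`/`-ZZ` is StartTLS on the plaintext port.

```python
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the key lines of the two openssl s_client runs on the page.
SAMPLE_LDAPS_636 = """SSL handshake has read 2195 bytes and written 434 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""
SAMPLE_PLAIN_389 = """SSL handshake has read 0 bytes and written 308 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

@dataclass
class TlsProbe:
    negotiated: bool          # a real TLS session was established
    protocol: Optional[str]   # e.g. "TLSv1.2"; None when nothing was negotiated
    cipher: Optional[str]     # e.g. "ECDHE-RSA-AES256-GCM-SHA384"
    bytes_read: int           # handshake bytes from the peer; -1 = not measured

def classify_s_client(output: str) -> TlsProbe:
    # "Verify return code: 0 (ok)" is printed even when no handshake happened
    # (port 389 above), so success is judged by bytes read and a real cipher.
    m = re.search(r"SSL handshake has read (\d+) bytes", output)
    bytes_read = int(m.group(1)) if m else 0
    cm = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    cipher = cm.group(1) if cm and cm.group(1) not in ("0000", "(NONE)") else None
    pm = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    ok = bytes_read > 0 and cipher is not None
    return TlsProbe(ok, pm.group(1) if ok and pm else None, cipher, bytes_read)

def probe_ldaps(host: str, port: int, cafile: str, certfile: Optional[str] = None,
                keyfile: Optional[str] = None, timeout: float = 5.0) -> TlsProbe:
    # Live equivalent of `openssl s_client -CAfile ... -cert ... -key ...` against
    # an LDAPS port: implicit TLS from the first byte, client cert sent if given.
    ctx = ssl.create_default_context(cafile=cafile)   # verifies the server chain
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)         # for TLS_VERIFY_CLIENT=demand
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return TlsProbe(True, tls.version(), tls.cipher()[0], -1)
```

`probe_ldaps` raises `ssl.SSLError` if the chain or client certificate is rejected and `ConnectionError`/`socket.timeout` if the port is not speaking TLS at all, which separates the "Can't contact LDAP server" case from a certificate problem.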
> Add support for LDAPS in authentication provider
> ------------------------------------------------
>
> Key: NIFI-2325
> URL: https://issues.apache.org/jira/browse/NIFI-2325
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 1.0.0
> Reporter: Joseph Witt
> Assignee: Matt Gilman
> Fix For: 1.2.0
>
>
> [~mcgilman] [~alopresto] please add thoughts if you have them.
> I propose we add support for LDAPS despite StartTLS being the now preferred approach. This offers more flexibility for use with many of the long standing LDAP environments out there.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)