Reputation: 159
I have spent a whole day trying to figure out this odd issue. I have my NiFi instance stood up on a Linux server. I configured ldap-provider in login-identity-providers.xml as below:
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN"></property>
<property name="Manager Password"></property>
<property name="TLS - Keystore">/Data/ssl/server_keystore.jks</property>
<property name="TLS - Keystore Password">changeit</property>
<property name="TLS - Keystore Type">JKS</property>
<property name="TLS - Truststore">/Data/ssl/server_truststore.jks</property>
<property name="TLS - Truststore Password">changeit</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol">TLSv1.2</property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://myserver.hostname:636</property>
<property name="User Search Base">ou=people,dc=xxx,dc=net</property>
<property name="User Search Filter">cn={0}</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
When I start NiFi, I get a login page first. However, I keep getting
2016-07-28 00:17:43,527 ERROR [NiFi Web Server-64] org.apache.nifi.ldap.LdapProvider myserver.hostname:636; nested exception is javax.naming.CommunicationException: myserver.hostname:636; [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
I then tried adding a JVM argument in bootstrap.conf:
java.arg.15=-Djavax.net.ssl.trustStore=/Data/ssl/server_truststore.jks
It worked perfectly fine.
I also tried SSLPoke.class with the same truststore JVM argument, and it also worked fine:
java -Djavax.net.ssl.trustStore=/Data/ssl/server_truststore.jks SSLPoke myserver.hostname 636
"Successfully connected"
Now my question is: why does my configuration in NiFi's login-identity-providers.xml not work?
Upvotes: 2
Views: 1922
Reputation: 754
@davy_wei,
while Matt's comment is correct, if you are for some reason restricted from using LDAP to your LDAP/AD server (e.g. firewall rules), one option is to use stunnel or socat to tunnel between the protected LDAP and NiFi's LDAP client.
A sample stunnel config would look like:
...
[ldap2ldaps]
accept = 127.0.0.1:whatever_port_you_want
client = yes
connect = your.real.ldaps.fqdn.or.ip:636
...
Remember this is the basic config. You may want to fine-tune your stunnel to match your security requirements (e.g. restrict it to particular ciphers, TLS versions, etc.).
Upvotes: 2
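The fragment above leaves out the part that actually matters for security: without certificate verification, stunnel accepts any certificate the far end presents, which silently reintroduces the exposure that the PKIX error was protecting against. Below is a fuller stunnel client configuration for the same ldap-to-ldaps bridge, written here as an added example (it is not from the original answer or the stunnel project). The loopback port, PID/log paths, the CA file name and the cipher list are assumptions; the option names are those of stunnel 5.x.

```ini
; Added example, not from the original answer. Run stunnel on the same host
; as NiFi: the NiFi -> stunnel leg is plaintext and must never leave the box.
foreground = no
pid = /var/run/stunnel-ldap.pid
setuid = stunnel
setgid = stunnel
output = /var/log/stunnel-ldap.log

[ldap2ldaps]
; NiFi connects here in plaintext, so bind only on loopback (port is an assumption).
accept = 127.0.0.1:1389
client = yes
connect = myserver.hostname:636

; Verify the directory server's certificate chain against the CA that issued
; it, and check that the certificate name matches the host we meant to reach.
; Without these two settings stunnel accepts any certificate at all.
CAfile = /Data/ssl/ldap-ca.pem
verifyChain = yes
checkHost = myserver.hostname

; Pin the protocol and a modern cipher set instead of relying on defaults.
; (sslVersion is the 5.x spelling; newer releases prefer sslVersionMin/Max.)
sslVersion = TLSv1.2
ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
```

On the NiFi side, change only the provider's `Url` to `ldap://127.0.0.1:1389` and keep `Authentication Strategy` at `SIMPLE`; the `TLS - *` properties in the provider are unused in this arrangement, because the TLS session is stunnel's, not NiFi's. The PEM CA file can be exported from the truststore the question already has with `keytool -exportcert -rfc -keystore /Data/ssl/server_truststore.jks -alias <ca-alias> -file /Data/ssl/ldap-ca.pem` (the alias is whatever name the CA entry was imported under). A quick check that verification is really on is to point `connect` at a host whose certificate is not signed by that CA: the tunnel should refuse to complete and log a verification error, rather than pass the bind through.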
Reputation: 1134
Unfortunately, NiFi does not support LDAPS currently. There is a JIRA [1] to build this capability. SIMPLE (plaintext) or START_TLS are the only valid options. Further, the SSL context configuration options are only considered when the Authentication Strategy is START_TLS.
[1] https://issues.apache.org/jira/browse/NIFI-2325
Upvotes: 3
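Since this answer says the `TLS - *` properties are only honoured under `START_TLS`, the natural fix without an external tunnel is to keep the per-provider truststore and switch the strategy. The following is the asker's provider block rewritten for that mode, given here as an added example (not from the original answer or the NiFi project). It assumes the directory accepts STARTTLS on port 389 and that the CA which issued the directory server's certificate is present in `/Data/ssl/server_truststore.jks`.

```xml
<!-- Added example, not from the original answer: the asker's provider block
     rewritten for START_TLS, the mode in which NiFi applies the "TLS - *"
     properties. Assumes STARTTLS is enabled on 389 and the issuing CA is in
     the truststore below. -->
<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
    <property name="Manager DN"></property>
    <property name="Manager Password"></property>
    <property name="TLS - Keystore">/Data/ssl/server_keystore.jks</property>
    <property name="TLS - Keystore Password">changeit</property>
    <property name="TLS - Keystore Type">JKS</property>
    <property name="TLS - Truststore">/Data/ssl/server_truststore.jks</property>
    <property name="TLS - Truststore Password">changeit</property>
    <property name="TLS - Truststore Type">JKS</property>
    <!-- NONE/WANT/REQUIRED; NONE unless the directory demands a client certificate -->
    <property name="TLS - Client Auth">NONE</property>
    <property name="TLS - Protocol">TLSv1.2</property>
    <property name="TLS - Shutdown Gracefully">true</property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <!-- plain ldap:// on 389: the client issues STARTTLS and upgrades the
         connection before it sends the bind, so the password is never in clear -->
    <property name="Url">ldap://myserver.hostname:389</property>
    <property name="User Search Base">ou=people,dc=xxx,dc=net</property>
    <property name="User Search Filter">cn={0}</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>
```

Two things to check after the change. First, the same `PKIX path building failed` error will reappear at the STARTTLS step if the truststore does not contain the server's issuing CA; the `-Djavax.net.ssl.trustStore` workaround from the question hid that by replacing the JVM-wide truststore for every outbound TLS connection NiFi makes, which is a much blunter instrument than the per-provider setting. Second, `START_TLS` does not protect a server that also still answers unencrypted binds on 389; if the directory can be made to refuse binds before the TLS upgrade (for example, via an LDAP security-strength policy on the server), do that, so a misconfigured client cannot fall back to plaintext.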