Problem with connecting Nifi and Nifi registry via LDAP (anonymous user)


I have a NiFi instance and a NiFi Registry. Both use LDAP for authentication.

The problem is the "anonymous" user, and I can't get rid of it.


NiFi logs when I try to add version control to a process group in NiFi:


NiFi does not show any bucket.

If I add the anonymous user to NiFi Registry, the buckets appear, but that is not the behavior I want.

I have also tried adding the DC of my NiFi cert to LDAP; it didn't help either.

Configurations below:

authorizers

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<authorizers>

  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1"/>
  </userGroupProvider>

  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">CN=nifi-admin,OU=Service,OU=Users,OU=###,DC=###,DC=###</property>
    <property name="Manager Password">#####<PASSWORD>###</property>
    <property name="TLS - Keystore"/>
    <property name="TLS - Keystore Password"/>
    <property name="TLS - Keystore Type"/>
    <property name="TLS - Truststore"/>
    <property name="TLS - Truststore Password"/>
    <property name="TLS - Truststore Type"/>
    <property name="TLS - Client Auth"/>
    <property name="TLS - Protocol"/>
    <property name="TLS - Shutdown Gracefully"/>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">####ldap://<address>:<port>####</property>
    <property name="Page Size"/>
    <property name="Sync Interval">30 mins</property>
    <property name="Group Membership - Enforce Case Sensitivity">false</property>
    <property name="User Search Base">DC=#,DC=#</property>
    <property name="User Object Class">user</property>
    <property name="User Search Scope">SUBTREE</property>
    <property name="User Search Filter">(|(memberOf=CN=NiFi-Admins,OU=NiFi,OU=Ordinary,OU=Groups,OU=#,DC=#,DC=#)(memberOf=CN=NiFi-Developers,OU=NiFi,OU=Ordinary,OU=Groups,OU=#,DC=#,DC=#))</property>
    <property name="User Identity Attribute">cn</property>
    <property name="User Group Name Attribute"/>
    <property name="User Group Name Attribute - Referenced Group Attribute"/>
    <property name="Group Search Base">OU=NiFi,OU=Ordinary,OU=Groups,OU=#,DC=#,DC=#</property>
    <property name="Group Object Class">group</property>
    <property name="Group Search Scope">SUBTREE</property>
    <property name="Group Search Filter"/>
    <property name="Group Name Attribute">cn</property>
    <property name="Group Member Attribute">member</property>
    <property name="Group Member Attribute - Referenced User Attribute"/>
  </userGroupProvider>

  <userGroupProvider>
    <identifier>composite-configurable-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.CompositeConfigurableUserGroupProvider</class>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
    <property name="User Group Provider 1">ldap-user-group-provider</property>
  </userGroupProvider>

  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">composite-configurable-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">nifi-admin</property>
    <property name="NiFi Group Name">NIFI-Admins</property>
    <!--<property name="NiFi Identity 1"></property>-->
  </accessPolicyProvider>

  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>

</authorizers>

identityProviders

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<identityProviders>

  <provider>
    <identifier>ldap-identity-provider</identifier>
    <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN">CN=nifi-admin,OU=Service,OU=Users,OU=#,DC=#,DC=#</property>
    <property name="Manager Password">#####<PASSWORD>###</property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">####ldap://<address>:<port>####</property>
    <property name="User Search Base">DC=#,DC=#</property>
    <property name="User Search Filter">(sAMAccountName={0})</property>
    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
  </provider>

</identityProviders>
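The settings that decide whether the Registry can identify a connecting NiFi node live in the `FileUserGroupProvider` ("Initial User Identity N") and `FileAccessPolicyProvider` ("NiFi Identity N", "NiFi Group Name") sections of authorizers.xml. The script below is an added example, not code from the question or from the NiFi project: it parses an authorizers.xml with the same provider/property layout as the one posted above and reports what it finds about those settings, so the configuration can be reviewed before falling back to granting the anonymous user read access. The embedded document is a constructed, trimmed copy of the posted file with placeholder DNs (`DC=example,DC=org`), and the group-name cross-check is purely textual (it compares the access-policy group name against `CN=` values found in the LDAP provider's own properties); it does not query LDAP and does not claim to know which setting is wrong.

```python
"""Lint a NiFi Registry authorizers.xml for the settings that decide which
identities the Registry will treat as a known NiFi node.

Added example, not part of the original question or of NiFi itself. The
sample document is a constructed, trimmed copy of the posted configuration
with placeholder DNs; the group-name check is a textual heuristic only.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the posted authorizers.xml (placeholder DNs, not real ones).
SAMPLE_AUTHORIZERS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1"/>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
    <property name="User Search Filter">(|(memberOf=CN=NiFi-Admins,OU=NiFi,OU=Groups,DC=example,DC=org)(memberOf=CN=NiFi-Developers,OU=NiFi,OU=Groups,DC=example,DC=org))</property>
    <property name="Group Search Base">OU=NiFi,OU=Groups,DC=example,DC=org</property>
    <property name="Group Name Attribute">cn</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">composite-configurable-user-group-provider</property>
    <property name="Initial Admin Identity">nifi-admin</property>
    <property name="NiFi Group Name">NIFI-Admins</property>
    <!--<property name="NiFi Identity 1"></property>-->
  </accessPolicyProvider>
</authorizers>
"""


def _props(elem):
    """Return {property name: text} for one provider element (empty/self-closing -> '')."""
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}


def lint_authorizers(xml_text):
    """Return a list of human-readable findings about NiFi-node identity settings."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    findings = []
    ldap_group_cns = set()

    for ugp in root.findall("userGroupProvider"):
        props = _props(ugp)
        cls = (ugp.findtext("class") or "").strip()
        ident = (ugp.findtext("identifier") or "").strip()
        if cls.endswith("FileUserGroupProvider"):
            initial = [v for k, v in props.items() if k.startswith("Initial User Identity") and v]
            if not initial:
                findings.append(f"{ident}: no Initial User Identity set; the file provider "
                                "starts with no users of its own")
        # Collect every CN= referenced in the provider's filters/bases so the
        # access-policy group name can be checked for an exact textual match.
        for value in props.values():
            ldap_group_cns.update(re.findall(r"CN=([^,)]+)", value))

    for app in root.findall("accessPolicyProvider"):
        props = _props(app)
        ident = (app.findtext("identifier") or "").strip()
        nifi_ids = [v for k, v in props.items() if k.startswith("NiFi Identity") and v]
        group = props.get("NiFi Group Name", "")
        if not nifi_ids and not group:
            findings.append(f"{ident}: neither NiFi Identity N nor NiFi Group Name is set; "
                            "no NiFi node identity is granted proxy rights")
        elif not nifi_ids:
            findings.append(f"{ident}: no NiFi Identity N entries (absent or commented out); "
                            "node identities must come from NiFi Group Name")
        if group and group not in ldap_group_cns:
            same_ci = [g for g in ldap_group_cns if g.lower() == group.lower()]
            if same_ci:
                findings.append(f"{ident}: NiFi Group Name '{group}' differs only in case from "
                                f"LDAP group '{same_ci[0]}'; confirm the exact group name")
            else:
                findings.append(f"{ident}: NiFi Group Name '{group}' is not referenced by any "
                                "user group provider property; confirm it resolves")
    return findings


if __name__ == "__main__":
    for line in lint_authorizers(SAMPLE_AUTHORIZERS):
        print("-", line)
```

Run against the constructed sample it reports three items: the file provider has no initial user, the access-policy provider has no `NiFi Identity N` entries, and the `NiFi Group Name` value matches an LDAP group only when case is ignored. Each is something to confirm against the real directory and the Registry's `users.xml`, not a verdict on the posted setup.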

There are 0 answers