Score:1

Kubernetes Nifi cluster LDAP configuration

Pro

We are using cetic/helm for our NiFi cluster. We have configured LDAP credentials as below:

ldap:
  enabled: true
  host: "ldaps://ldaphost.net"
  searchBase: "ou=People,o=ABC" # CN=Users,DC=ldap,DC=example,DC=be
  admin: "cn=Keycloak_business_managed_Acc,ou=SystemUsers,ou=Accounts,o=ABC"
  pass: changeme
  searchFilter: (objectClass=abcEDPerson, inetorgperson, organizationalPerson, person, top, dspswuser, posixAccount, shadowAccount)
  userIdentityAttribute: uid
  authStrategy: SIMPLE # How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
  identityStrategy: USE_USERNAME
  authExpiration: 12 hours
  userSearchScope: SUBTREE # Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
  groupSearchScope: SUBTREE # Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.

However, we always get "invalid user credentials" when we try to log in with our individual login accounts from the NiFi UI.

The same thing works through ldapsearch:

root@bh-gsn-57-asca-dev-01:~# ldapsearch -h ldaphost.net -D "cn=Keycloak_business_managed_Acc,ou=SystemUsers,ou=Accounts,o=ABC" -w "changeme" -b "ou=people,o=abc" uid=myuserid
# extended LDIF
#
# LDAPv3
# base <ou=people,o=abc> with scope subtree
# filter: uid=myuserid
# requesting: ALL
#

# 62XXXXXX, Internal, People, ABC
dn: employeeNumber=62XXXXXX,ou=Internal,ou=People,o=ABC
displayName: Prabir Choudhury (ABC-D)

Kindly advise on what I am doing wrong.

I understand from the documentation that Manager DN (admin)/password is basically the DN and password of the manager that is used to bind to the LDAP server to search for users. Therefore, we are providing the BIND DN in place of admin and the BIND PASSWORD in place of pass.

You are using ldaps in the config, but ldap in the working ldapsearch example. Could you try ldaps in your ldapsearch query and post the results?
Score:0

It seems your host and searchFilter settings are wrong. In order to replicate the ldapsearch command, you would need the following configuration:

auth:

  # ...

  ldap:
    enabled: true
    host: "ldap://ldaphost.net:389"
    searchBase: "ou=People,o=ABC"
    admin: "cn=Keycloak_business_managed_Acc,ou=SystemUsers,ou=Accounts,o=ABC"
    pass: changeme
    searchFilter: (uid={0})
    userIdentityAttribute: uid
    authStrategy: SIMPLE
    identityStrategy: USE_USERNAME
    authExpiration: 12 hours
    userSearchScope: SUBTREE
    groupSearchScope: SUBTREE

However, at the time of writing, this won't work because the config files login-identity-providers-ldap.xml and authorizers.xml have hard-coded values, notably the search filter:

<property name="User Search Filter">(cn={0})</property>

which should be:

<property name="User Search Filter">{{.Values.auth.ldap.searchFilter}}</property>

There are 2 pull requests addressing the issue (#260 and #280). I guess you can try to fix this manually for now until they are merged, either as described above, or by setting the proper values directly in the LDAP login identity provider config, just like you would do without Helm.

See https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider
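The answer's point, that the provider substitutes the typed login name for the `{0}` placeholder and that a filter without `{0}` (or one naming `cn` when users log in with `uid`) can never find the user, shown as an added offline example. This is not NiFi's or the cetic/helm chart's code; it assumes NiFi-style `{0}` substitution and RFC 4515 escaping of the spliced-in value, and the directory entry is constructed from the ldapsearch output above (its `cn` value is invented, since the page never shows one).

```python
"""Offline model of an LDAP user search filter (added example, not NiFi or chart code).

Assumptions, labelled as such: the login identity provider replaces the `{0}`
placeholder in "User Search Filter" with the typed username (how the `(uid={0})`
filter on this page works), and the value is escaped per RFC 4515 before the
filter is sent. The entry below is constructed from the page's ldapsearch output.
"""
import re

# Constructed entry modelled on the page's ldapsearch result. LDAP attribute
# names are case-insensitive, so comparisons below use casefold().
SAMPLE_ENTRY = {
    "dn": ["employeeNumber=62XXXXXX,ou=Internal,ou=People,o=ABC"],
    "uid": ["myuserid"],
    "cn": ["Prabir Choudhury"],  # constructed: the page never shows cn
    "displayName": ["Prabir Choudhury (ABC-D)"],
    "objectClass": ["abcEDPerson", "inetorgperson", "organizationalPerson",
                    "person", "top", "dspswuser", "posixAccount", "shadowAccount"],
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: backslash, '*', '(', ')' and NUL become \\xx."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    """Reverse RFC 4515 \\xx escapes when comparing against stored values."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_user_filter(template: str, username: str) -> str:
    """What the provider sends: every {0} replaced by the escaped username."""
    return template.replace("{0}", escape_filter_value(username))


def parse_simple_filter(filter_text: str):
    """Accept exactly one equality assertion "(attr=value)"; anything else
    (AND/OR/NOT, nested parentheses, missing parentheses) returns None."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9.;-]*)=([^()]*)\)", filter_text)
    return (m.group(1), m.group(2)) if m else None


def entry_matches(entry: dict, rendered_filter: str) -> bool:
    """Evaluate a rendered single-assertion filter against one entry."""
    parsed = parse_simple_filter(rendered_filter)
    if parsed is None:
        return False
    attr, raw_value = parsed
    wanted = _unescape(raw_value).casefold()
    for name, values in entry.items():
        if name.casefold() == attr.casefold():
            return any(v.casefold() == wanted for v in values)
    return False


def diagnose(template: str, username: str, entry: dict = SAMPLE_ENTRY) -> dict:
    """Summarise why a given search filter does or does not find the user."""
    rendered = render_user_filter(template, username)
    return {
        "rendered": rendered,
        "uses_username": "{0}" in template,
        "single_assertion": parse_simple_filter(rendered) is not None,
        "found": entry_matches(entry, rendered),
    }


if __name__ == "__main__":
    user = "myuserid"
    cases = [
        ("question's filter", "(objectClass=abcEDPerson, inetorgperson, organizationalPerson, "
                              "person, top, dspswuser, posixAccount, shadowAccount)"),
        ("chart's hard-coded filter", "(cn={0})"),
        ("answer's filter", "(uid={0})"),
    ]
    for label, template in cases:
        print(label, diagnose(template, user))
```

Running it shows the three outcomes side by side: the question's filter is syntactically one assertion whose value is the literal comma-separated string (which no entry's objectClass equals) and it never uses the username at all; the chart's `(cn={0})` is well-formed but looks up the wrong attribute for a `uid` login; only `(uid={0})` finds the entry. The escaping step is what keeps a username containing parentheses or `*` from changing the shape of the filter.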
