Im trying to bring up a nifi-2.0.0 instance using LDAP auth.
Using config that works for nifi 1.28.1
Im getting errors for the SSL communication to the LDAP server.
The root of the problem is
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
I'll attach more detailed logs.
But as far as I can tell, it simply isnt using the ldap truststore
provided in login-identity-providers.xml. I might try combining things
into one truststore rather than using a separate
truststore for the ldap cacert.
Ive tried to debug the problem with setting
"-Djavax.net.debug=ssl,trustmanager"
It shows the server loading the main truststore specified in
nifi.properties.
But nothing about the ldap truststrore. But that might be because
authentication module isnt using the standard routines that
javax.net.debug effect.
I tried comparing it to the logs I get from a nifi 1.28.1 instance. But
that doesnt log anything at all. So must be using different code.
--
Robert Cohen
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!--
This file lists the login identity providers to use when running securely. In order
to use a specific provider it must be configured here and it's identifier
must be specified in the nifi.properties file.
-->
<loginIdentityProviders>
<!--
Identity Provider for users logging in with username/password against an LDAP server.
'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
'Manager Password' - The password of the manager that is used to bind to the LDAP server to
search for users.
'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
using LDAPS or START_TLS.
'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
LDAPS or START_TLS (i.e. JKS or PKCS12).
'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
LDAP using LDAPS or START_TLS.
'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
LDAPS or START_TLS (i.e. JKS or PKCS12).
'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
Possible values are REQUIRED, WANT, NONE.
'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
TLSv1.1, TLSv1.2, etc).
'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
before the target context is closed. Defaults to false.
'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
'User Search Base' - Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).
'User Search Filter' - Filter for searching for users against the 'User Search Base'.
(i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.
'Identity Strategy' - Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
The default functionality if this property is missing is USE_DN in order to retain
backward compatibility. USE_DN will use the full DN of the user entry if possible.
USE_USERNAME will use the username the user logged in with.
'Authentication Expiration' - The duration of how long the user authentication is valid
for. If the user never logs out, they will be required to log back in following
this duration.
-->
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">LDAPS</property>
<property name="Manager DN"/>
<property name="Manager Password"/>
<property name="TLS - Keystore"/>
<property name="TLS - Keystore Password"/>
<property name="TLS - Keystore Type"/>
<property name="TLS - Truststore">/opt/nifi/nifi-current/conf/ldap-truststore.jks</property>
<property name="TLS - Truststore Password">****</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">NONE</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully"/>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldaps://ldap.nci.org.au</property>
<property name="User Search Base">ou=People,dc=apac,dc=edu,dc=au</property>
<property name="User Search Filter">uid={0}</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
<!--
Identity Provider for users logging in with username/password against a Kerberos KDC server.
'Default Realm' - Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG).
'Authentication Expiration' - The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.
-->
<!-- To enable the kerberos-provider remove 2 lines. This is 1 of 2.
<provider>
<identifier>kerberos-provider</identifier>
<class>org.apache.nifi.kerberos.KerberosProvider</class>
<property name="Default Realm">NIFI.APACHE.ORG</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
To enable the kerberos-provider remove 2 lines. This is 2 of 2. -->
</loginIdentityProviders>
2024-12-03 14:31:16,166 INFO [NiFi Web Server-117]
org.apache.nifi.web.api.AccessResource Logout Request
[25f6a218-e24c-4d30-b8fb-6858eedeac48] Identity [rhc900] started
2024-12-03 14:31:16,230 INFO [NiFi Web Server-126]
org.apache.nifi.web.api.AccessResource Logout Request
[25f6a218-e24c-4d30-b8fb-6858eedeac48] Completed [rhc900]
2024-12-03 14:31:19,733 ERROR [NiFi Web Server-37]
o.a.n.w.a.c.AdministrationExceptionMapper
org.apache.nifi.admin.service.AdministrationException: Unable to validate the
supplied credentials. Please contact the system administrator.. Returning
Internal Server Error response.
org.apache.nifi.admin.service.AdministrationException: Unable to validate the
supplied credentials. Please contact the system administrator.
at
org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:146)
at
java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
at java.base/java.lang.reflect.Method.invoke(Method.java:580)
at
org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
at
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146)
at
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189)
at
org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
at
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:93)
at
org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478)
at
org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400)
at
org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
at
org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:274)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
at
org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:266)
at
org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:253)
at
org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:696)
at
org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:397)
at
org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:349)
at
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
at
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:312)
at
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
at
org.eclipse.jetty.ee10.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1379)
at
org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:736)
at
org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1614)
at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:219)
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278)
at
org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at
org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
at
org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:44)
at
org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:208)
at
org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
at
org.eclipse.jetty.ee10.servlets.DoSFilter.doFilterChain(DoSFilter.java:462)
at
org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:317)
at
org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:282)
at
org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at
org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
at
org.eclipse.jetty.ee10.servlets.DoSFilter.doFilterChain(DoSFilter.java:462)
at
org.apache.nifi.web.server.filter.DataTransferExcludedDoSFilter.doFilterChain(DataTransferExcludedDoSFilter.java:51)
at
org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:317)
at
org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:282)
at
org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at
org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
at
org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
at
org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at
org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at
org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
at
org.apache.nifi.web.server.log.RequestAuthenticationFilter.doFilterInternal(RequestAuthenticationFilter.java:59)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at
org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at
org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
at
org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1547)
at
org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:824)
at
org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:436)
at
org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:464)
at
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:575)
at
org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:717)
at
org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1060)
at
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:181)
at
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:181)
at org.eclipse.jetty.server.Server.handle(Server.java:182)
at
org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:662)
at
org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConnection.java:414)
at
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:322)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
at org.eclipse.jetty.io.ssl.SslConnection$1.run(SslConnection.java:136)
at
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:979)
at
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1209)
at
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1164)
at java.base/java.lang.Thread.run(Thread.java:1575)
Caused by: org.apache.nifi.authentication.exception.IdentityAccessException:
Unable to validate the supplied credentials. Please contact the system
administrator.
at org.apache.nifi.ldap.LdapProvider.authenticate(LdapProvider.java:378)
at
org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean$1.authenticate(LoginIdentityProviderFactoryBean.java:281)
at
org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:135)
... 75 common frames omitted
Caused by:
org.springframework.security.authentication.InternalAuthenticationServiceException:
ldap.nci.org.au:636
at
org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:190)
at
org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:79)
at org.apache.nifi.ldap.LdapProvider.authenticate(LdapProvider.java:349)
... 77 common frames omitted
Caused by: org.springframework.ldap.CommunicationException: ldap.nci.org.au:636
at
org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:107)
at
org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:362)
at
org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:172)
at
org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:789)
at
org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:260)
at
org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:100)
at
org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:86)
at
org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:174)
... 79 common frames omitted
Caused by: javax.naming.CommunicationException: ldap.nci.org.au:636
at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:256)
at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:144)
at
java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1656)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2859)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:351)
at
java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)
at
java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
at
java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)
at
java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at
java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at
java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:520)
at
java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
at
java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at
org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:44)
at
org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:350)
... 85 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path
building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383)
at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:651)
at
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
at
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
at
java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
at
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
at
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)
at
java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:206)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at
java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1507)
at
java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1422)
at
java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at
java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
at
java.naming/com.sun.jndi.ldap.Connection.initialSSLHandshake(Connection.java:375)
at
java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:293)
at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:235)
... 100 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at
java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
at
java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
at
java.base/sun.security.validator.Validator.validate(Validator.java:256)
at
java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:230)
at
java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:635)
... 114 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at
java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
at
java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
at
java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at
java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
... 119 common frames omitted
