Isha Lamboo created NIFI-14025:
----------------------------------

             Summary: LDAP Authorizer/Login Identity Provider fails when keystore config is empty
                 Key: NIFI-14025
                 URL: https://issues.apache.org/jira/browse/NIFI-14025
             Project: Apache NiFi
          Issue Type: Bug
          Components: Core Framework
    Affects Versions: 2.0.0
         Environment: Red Hat Enterprise Linux 9, Java 21, Microsoft Azure AD LDAP.
            Reporter: Isha Lamboo


When starting NiFi 2.0.0 with migrated settings that include the LDAP authorizer (LDAPS strategy), NiFi failed to start with the error that the PKIX path building failed for the secure LDAP server.

Keystore and truststore were copied from NiFi 1.28.0 and confirmed working in 
that version. All certificates involved validate correctly with openssl verify.

The configuration in question normally has only truststore details, no keystore 
involved. After finding NIFI-13985, I copied the truststore filename, password 
and type to the keystore entries in authorizers.xml. This resulted in NiFi 
starting correctly, but LDAP login failing. Making the same additions to 
login-identity-providers.xml restored LDAP login as well.

Working configuration snippet:
{code:xml}
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">LDAPS</property>
        <property name="Manager DN">redacted_account</property>
        <property name="Manager Password">redacted_password</property>
        <property name="TLS - Keystore">./conf/truststore.jks</property>
        <property name="TLS - Keystore Password">redacted_truststore_password</property>
        <property name="TLS - Keystore Type">jks</property>
        <property name="TLS - Truststore">./conf/truststore.jks</property>
        <property name="TLS - Truststore Password">redacted_truststore_password</property>
        <property name="TLS - Truststore Type">jks</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol">TLSv1.2</property>
        <property name="TLS - Shutdown Gracefully"></property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">30 secs</property>
        <property name="Url">ldap://adds.redacted_domain.nl:636</property>
        <property name="Page Size">50</property>
        <property name="Sync Interval">30 mins</property>
        <!-- more settings redacted -->
    </userGroupProvider>
{code}
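As an added configuration check (not part of the report or of NiFi itself), the script below scans an authorizers.xml or login-identity-providers.xml document for the shape described above: an LDAPS provider with truststore properties set but the keystore properties left blank. It assumes the property names exactly as they appear in the snippet, and treats any element with `<class>` and `<property>` children as a provider block so the same check covers both files; the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Property names exactly as they appear in the report's authorizers.xml snippet.
KEYSTORE_PROPS = ("TLS - Keystore", "TLS - Keystore Password", "TLS - Keystore Type")
TRUSTSTORE_PROPS = ("TLS - Truststore", "TLS - Truststore Password", "TLS - Truststore Type")


def find_empty_keystore_ldaps(xml_text):
    """Return identifiers of LDAPS provider blocks that set a truststore but leave the keystore blank.
    Any element carrying <class> and <property> children is treated as a provider block (assumption),
    so the same check runs over authorizers.xml and login-identity-providers.xml."""
    flagged = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.find("class") is None or elem.find("property") is None:
            continue
        # A property with no text counts as empty; that is the shape that failed to start.
        props = {p.get("name"): (p.text or "").strip() for p in elem.findall("property")}
        if props.get("Authentication Strategy") != "LDAPS":
            continue
        if all(props.get(k) for k in TRUSTSTORE_PROPS) and not all(props.get(k) for k in KEYSTORE_PROPS):
            flagged.append(elem.findtext("identifier", "").strip())
    return flagged


# Constructed sample: the first block has the failing shape, the second applies the report's workaround.
SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <identifier>ldap-ugp-empty-keystore</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password"></property>
    <property name="TLS - Keystore Type"></property>
    <property name="TLS - Truststore">./conf/truststore.jks</property>
    <property name="TLS - Truststore Password">placeholder_password</property>
    <property name="TLS - Truststore Type">jks</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>ldap-ugp-workaround</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
    <property name="TLS - Keystore">./conf/truststore.jks</property>
    <property name="TLS - Keystore Password">placeholder_password</property>
    <property name="TLS - Keystore Type">jks</property>
    <property name="TLS - Truststore">./conf/truststore.jks</property>
    <property name="TLS - Truststore Password">placeholder_password</property>
    <property name="TLS - Truststore Type">jks</property>
  </userGroupProvider>
</authorizers>"""
```

Running `find_empty_keystore_ldaps(SAMPLE_AUTHORIZERS)` returns only the first identifier; point it at the real files to see which providers still need the keystore entries filled in.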
