[https://issues.apache.org/jira/browse/NIFI-14025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17899440#comment-17899440]
Isha Lamboo commented on NIFI-14025:
------------------------------------
I tried to find the error in the source and think I have found it. Line 859
below only executes if the keystore is not null. It should be outside that
conditional block.
The same applies to line 273 in LdapProvider.java for the LoginIdentityProvider.
File:
nifi-2.0.0\nifi-framework-bundle\nifi-framework-extensions\nifi-ldap-iaa-providers-bundle\nifi-ldap-iaa-providers\src\main\java\org\apache\nifi\ldap\tenants\LdapUserGroupProvider.java
{code:java}
840: SSLContext sslContext = null;
841: try {
842:     final KeyStore trustStore = getTrustStore(configurationContext);
843:     if (trustStore == null) {
844:         logger.debug("Truststore not configured");
845:     } else {
846:         final StandardSslContextBuilder sslContextBuilder = new StandardSslContextBuilder();
847:         sslContextBuilder.protocol(rawProtocol);
848:         sslContextBuilder.trustStore(trustStore);
849:
850:         final KeyStore keyStore = getKeyStore(configurationContext);
851:         if (keyStore == null) {
852:             logger.debug("Keystore not configured");
853:         } else {
854:             final String keyStorePassword = configurationContext.getProperty(ProviderProperty.KEYSTORE_PASSWORD.getProperty()).getValue();
855:             final char[] keyPassword = keyStorePassword.toCharArray();
856:
857:             sslContextBuilder.keyStore(keyStore);
858:             sslContextBuilder.keyPassword(keyPassword);
859:             sslContext = sslContextBuilder.build();   // <-- highlighted in the comment: only reached when a keystore is configured
860:         }
861:     }
{code}
> LDAP Authorizer/Login Identity Provider fails when keystore config is empty
> ---------------------------------------------------------------------------
>
> Key: NIFI-14025
> URL: https://issues.apache.org/jira/browse/NIFI-14025
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 2.0.0
> Environment: Red Hat Enterprise Linux 9, Java 21, Microsoft Azure AD LDAP.
> Reporter: Isha Lamboo
> Assignee: David Handermann
> Priority: Major
>
> When starting NiFi 2.0.0 with migrated settings that include the LDAP
> authorizer (LDAPS strategy), NiFi failed to start with the error that the
> PKIX path building failed for the secure LDAP server.
> Keystore and truststore were copied from NiFi 1.28.0 and confirmed working in
> that version. All certificates involved validate correctly with openssl
> verify.
> The configuration in question normally has only truststore details, no
> keystore involved. After finding NIFI-13985, I copied the truststore
> filename, password and type to the keystore entries in authorizers.xml. This
> resulted in NiFi starting correctly, but LDAP login failing. Making the same
> additions to login-identity-providers.xml restored LDAP login as well.
> Working configuration snippet:
> {code:java}
> <userGroupProvider>
> <identifier>ldap-user-group-provider</identifier>
> <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
> <property name="Authentication Strategy">LDAPS</property>
> <property name="Manager DN">redacted_account</property>
> <property name="Manager Password">redacted_password</property>
> <property name="TLS - Keystore">./conf/truststore.jks</property>
> <property name="TLS - Keystore Password">redacted_truststore_password</property>
> <property name="TLS - Keystore Type">jks</property>
> <property name="TLS - Truststore">./conf/truststore.jks</property>
> <property name="TLS - Truststore Password">redacted_truststore_password</property>
> <property name="TLS - Truststore Type">jks</property>
> <property name="TLS - Client Auth">NONE</property>
> <property name="TLS - Protocol">TLSv1.2</property>
> <property name="TLS - Shutdown Gracefully"></property>
> <property name="Referral Strategy">FOLLOW</property>
> <property name="Connect Timeout">10 secs</property>
> <property name="Read Timeout">30 secs</property>
> <property name="Url">ldap://adds.redacted_domain.nl:636</property>
> <property name="Page Size">50</property>
> <property name="Sync Interval">30 mins</property>
> <!-- more settings redacted -->
> </userGroupProvider>
> {code}
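The control flow the comment proposes, written out as an added example that is not NiFi's code: plain JSSE stands in for StandardSslContextBuilder, and the class, method and argument names are assumed. It shows the context being built as soon as a truststore is present, with a keystore only adding client key managers.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added illustration, not NiFi's code: the build step must not depend on the keystore.
public final class LdapSslContextFactory {
    // Returns null only when no truststore is configured. A truststore-only
    // configuration (the usual LDAPS case) still yields an SSLContext; a keystore,
    // when present, only adds client key managers for mutual TLS.
    public static SSLContext build(final String protocol, final KeyStore trustStore,
                                   final KeyStore keyStore, final char[] keyPassword) throws Exception {
        if (trustStore == null) {
            return null; // nothing to validate the LDAP server certificate against
        }
        final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        KeyManagerFactory kmf = null;
        if (keyStore != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyPassword);
        }
        // Built unconditionally once a truststore exists. In the quoted NiFi code the
        // equivalent build() call sits inside the keystore branch, so a truststore-only
        // configuration leaves sslContext null, which is the defect the comment describes.
        final SSLContext context = SSLContext.getInstance(protocol);
        context.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context;
    }

    // Loads a store from disk; an empty path means "not configured", as with NiFi's optional properties.
    static KeyStore load(final String path, final String type, final char[] password) throws Exception {
        if (path == null || path.isBlank()) {
            return null;
        }
        final KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // Usage: java LdapSslContextFactory ./conf/truststore.jks <password>  (truststore only, no keystore)
    public static void main(final String[] args) throws Exception {
        final SSLContext ctx = build("TLSv1.2", load(args[0], "JKS", args[1].toCharArray()), null, null);
        System.out.println(ctx == null ? "no SSLContext" : "SSLContext built: " + ctx.getProtocol());
    }
}
```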