Apache NiFi / NIFI-8228

Microsoft Active Directory LDAP integration bug


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.12.1
    • Fix Version/s: 1.12.1
    • Component/s: Security

    Description

      Hi

      When trying to integrate both authentication and authorization of NiFi with Microsoft Active Directory via LDAP, we have seen that NiFi is unable to relate a valid authentication done via ldap-provider (org.apache.nifi.ldap.LdapProvider) to an authorization (user-to-group relationship) done via ldap-user-group-provider (org.apache.nifi.ldap.tenants.LdapUserGroupProvider).


      As we have seen in the NiFi logs (with DEBUG enabled) and in TCPDUMP captures, the issue seems to be related to the ldap-provider authentication. In summary:

      1.- ldap-provider binds to the LDAP service with the "Manager DN" credentials.

      2.- The LDAP server (Microsoft Active Directory) responds with a successful bind.

      3.- ldap-provider searches for the user trying to log in (using sAMAccountName attribute)

      4.- The LDAP server (Microsoft Active Directory) responds with the information of the relevant user. In this information, the attribute "distinguishedName" is provided as "CN=John,OU=Users,OU=domain,OU=internal".

      5.- ldap-provider binds to the LDAP service with the logged-in user's credentials, but using the distinguishedName "cn=John,ou=Users,ou=domain,ou=internal", with lowercase LDAP prefixes.

      6.- The LDAP server (Microsoft Active Directory) responds with a successful bind, as the LDAP prefixes are accepted in uppercase or lowercase.

      7.- ldap-user-group-provider looks up "cn=John,ou=Users,ou=domain,ou=internal", the authenticated user, against "CN=John,OU=Users,OU=domain,OU=internal", the user that was found during the LDAP authorization sync. The difference in the LDAP prefixes means that "cn=John,ou=Users,ou=domain,ou=internal" does not belong to any authorized group, and the user is therefore rejected.


      The solution would be for ldap-provider to perform the bind to the Active Directory LDAP server using the same distinguishedName string as it received from the LDAP server, without changing it to lowercase.


      Our configuration

      NiFi login-identity-providers.xml:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <loginIdentityProviders>
          <!-- https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldap_login_identity_provider -->
          <provider>
              <identifier>ldap-provider</identifier>
              <class>org.apache.nifi.ldap.LdapProvider</class>
              <property name="Authentication Strategy">SIMPLE</property>
              <property name="Manager DN">CN=Nifi,OU=Special Accounts,DC=domain,DC=internal</property>
              <property name="Manager Password">*****************</property>
              <property name="Referral Strategy">FOLLOW</property>
              <property name="Connect Timeout">10 secs</property>
              <property name="Read Timeout">10 secs</property>
              <property name="Url">ldap://adserver.domain.internal:389</property>
              <property name="User Search Base">OU=Users,DC=domain,DC=internal</property>
              <property name="User Search Filter">sAMAccountName={0}</property>
              <property name="Identity Strategy">USE_DN</property>
              <property name="Authentication Expiration">12 hours</property>
          </provider>
      </loginIdentityProviders>
      

      NiFi authorizers.xml:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <authorizers>
      <!-- https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#ldapusergroupprovider -->
          <userGroupProvider>
              <identifier>file-user-group-provider</identifier>
              <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
              <property name="Users File">./conf/users.xml</property>
              <property name="Legacy Authorized Users File"></property>
              <property name="Initial User Identity Node1">CN=nifi_admin, OU=nifi</property>
          </userGroupProvider>
      
          <userGroupProvider>
              <identifier>ldap-user-group-provider</identifier>
              <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
              <property name="Authentication Strategy">SIMPLE</property>        
              <property name="Manager DN">CN=Nifi,OU=Special Accounts,DC=domain,DC=internal</property>
              <property name="Manager Password">*****************</property>        
              <property name="Referral Strategy">FOLLOW</property>
              <property name="Connect Timeout">10 secs</property>
              <property name="Read Timeout">10 secs</property>        
              <property name="Url">ldap://adserver.domain.internal:389</property>
              <property name="Page Size"></property>
              <property name="Sync Interval">10 mins</property>
              <property name="Group Membership - Enforce Case Sensitivity">false</property>
              <property name="User Search Base">OU=Users,DC=domain,DC=internal</property>
              <property name="User Object Class">user</property>
              <property name="User Search Scope">SUBTREE</property>
              <property name="User Search Filter">(memberOf=CN=GG_NIFI_Allowed_Users,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal)</property>
              <property name="User Identity Attribute">distinguishedName</property>
              <property name="User Group Name Attribute">memberOf</property>
              <property name="User Group Name Attribute - Referenced Group Attribute">distinguishedName</property>
              <property name="Group Search Base">OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal</property>
              <property name="Group Object Class">group</property>
              <property name="Group Search Scope">ONE_LEVEL</property>
              <property name="Group Search Filter"></property>
              <property name="Group Name Attribute"></property>
      <!--        <property name="Group Member Attribute">member</property>
              <property name="Group Member Attribute - Referenced User Attribute">distinguishedName</property>-->
          
           </userGroupProvider>   
      
           <userGroupProvider>
              <identifier>composite-user-group-provider</identifier>
              <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
              <property name="User Group Provider 1">ldap-user-group-provider</property>
              <property name="User Group Provider 2">file-user-group-provider</property>
          </userGroupProvider>    
      
          <accessPolicyProvider>
              <identifier>file-access-policy-provider</identifier>
              <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
              <property name="User Group Provider">composite-user-group-provider</property>
              <property name="Authorizations File">./conf/authorizations.xml</property>
              <property name="Initial Admin Identity">CN=nifi_admin, OU=nifi</property>
              <property name="Legacy Authorized Users File"></property>
              <property name="Node Identity 1"></property>
              <property name="Node Group"></property>
          </accessPolicyProvider>
      
          <authorizer>
              <identifier>managed-authorizer</identifier>
              <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
              <property name="Access Policy Provider">file-access-policy-provider</property>
          </authorizer>
      
      </authorizers>
      

      Extract of NiFi nifi-app.log:


      2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider -------------------------------------
      2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider Loaded the following users from LDAP:
      2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[e4e7bd27-cad9-37c1-af53-a5fb7898de66], identity[CN=Peter,OU=Development,OU=Users,DC=domain,DC=internal]
      2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[1f8d8309-31d9-3831-a3c0-2a9909500d7f], identity[CN=Frank,OU=Development,OU=Users,DC=domain,DC=internal]
      2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[7c635418-5897-32a9-8e5b-5a7d9594b7f9], identity[CN=John,OU=Users,DC=domain,DC=internal]
      2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider --------------------------------------
      2021-02-16 06:44:45,813 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider Loaded the following groups from LDAP:
      2021-02-16 06:44:45,814 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[f26c7633-396e-3bdd-83b3-1e395606346d], name[CN=GG_NIFI_Admins,OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal], users[7c635418-5897-32a9-8e5b-5a7d9594b7f9]
      2021-02-16 06:44:45,814 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider  - identifier[39854ab9-993e-3523-8c52-193e7e1fdb89], name[CN=GG_NIFI_Users,OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,OU=Groups,DC=domain,DC=internal], users[1f8d8309-31d9-3831-a3c0-2a9909500d7f, e4e7bd27-cad9-37c1-af53-a5fb7898de66]
      2021-02-16 06:44:45,814 DEBUG [ (ldap-user-group-provider) - background sync thread] o.a.n.ldap.tenants.LdapUserGroupProvider --------------------------------------

      Extract of NiFi nifi-user.log:


      2021-02-15 14:07:59,252 INFO [NiFi Web Server-170] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi.domain.internal:9443/nifi-api/flow/current-user (source ip: X.Y.Z.W)
      2021-02-15 14:07:59,260 INFO [NiFi Web Server-170] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=John,ou=Users,ou=domain,ou=internal
      2021-02-15 14:07:59,301 INFO [NiFi Web Server-170] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=John,ou=Users,ou=domain,ou=internal], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=John,ou=Users,ou=domain,ou=internal'. Returning Forbidden response.
      
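      To make the mismatch in steps 5 to 7 concrete, the following Python is an added example (editor's code, not NiFi's and not the reporter's). The DNs and the group table are constructed from the values in the log extracts above. It shows that the two spellings are one directory entry under RFC 4514 rules (attribute types are case-insensitive, and Active Directory also matches DN values case-insensitively, which is why the bind in step 6 succeeds), that an exact-string membership lookup nevertheless returns no groups for the lowercase spelling, and two ways of reconciling the two sides: a structural DN comparison, and a canonicalising identity mapping modelled on the pattern / value / transform (NONE, LOWER, UPPER) identity-mapping properties described in the NiFi administration guide. The regexes in `apply_identity_mapping` are illustrative, and Python's `\1` group syntax stands in for the `$1` NiFi uses.

```python
import re

# Constructed sample data, taken from the DNs in the report's log extracts.
SERVER_DN = "CN=John,OU=Users,OU=domain,OU=internal"   # distinguishedName as AD returns it
BIND_DN = "cn=John,ou=Users,ou=domain,ou=internal"     # identity NiFi logged after the bind

ADMINS = ("CN=GG_NIFI_Admins,OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,"
          "OU=Groups,DC=domain,DC=internal")
USERS = ("CN=GG_NIFI_Users,OU=NIFI_App_Groups,OU=Nifi,OU=Admin Rights,"
         "OU=Groups,DC=domain,DC=internal")

# Group -> member DNs, as a user group provider would hold them after a sync (constructed).
GROUPS = {
    ADMINS: {SERVER_DN},
    USERS: {"CN=Peter,OU=Development,OU=Users,DC=domain,DC=internal",
            "CN=Frank,OU=Development,OU=Users,DC=domain,DC=internal"},
}


def parse_dn(dn):
    """Split a DN into (type, value) pairs.

    Handles backslash-escaped commas inside values (RFC 4514) but not the
    full escaping grammar; enough for the DNs in this report.
    """
    rdns = re.split(r"(?<!\\),", dn)
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def normalize_dn(dn, case_insensitive_values=True):
    """Canonical string for a DN.

    Attribute types are always case-insensitive (RFC 4514), so they are
    upper-cased. Active Directory also compares DN values case-insensitively,
    so values are lower-cased unless the caller asks for value case to count.
    """
    parts = []
    for attr_type, value in parse_dn(dn):
        if case_insensitive_values:
            value = value.lower()
        parts.append(f"{attr_type.upper()}={value}")
    return ",".join(parts)


def dn_equal(a, b, case_insensitive_values=True):
    """True if a and b name the same entry under the normalisation above."""
    return (normalize_dn(a, case_insensitive_values)
            == normalize_dn(b, case_insensitive_values))


def groups_exact(identity):
    """Exact-string membership lookup: the behaviour the report describes failing."""
    return sorted(g for g, members in GROUPS.items() if identity in members)


def groups_normalized(identity):
    """Membership lookup that compares DNs structurally rather than as strings."""
    return sorted(g for g, members in GROUPS.items()
                  if any(dn_equal(identity, m) for m in members))


def apply_identity_mapping(identity, pattern, value, transform="NONE"):
    """Model of a NiFi identity mapping (pattern, value, transform).

    Assumption: the same mapping is applied to the identity from the login
    provider and to the identities loaded by the user group provider, so both
    sides end up with one canonical string. Identities that do not match the
    pattern pass through unchanged, as they do in NiFi.
    """
    match = re.fullmatch(pattern, identity)
    if not match:
        return identity
    mapped = match.expand(value)
    return {"NONE": mapped, "LOWER": mapped.lower(), "UPPER": mapped.upper()}[transform]


if __name__ == "__main__":
    print("exact lookup, server spelling:", groups_exact(SERVER_DN))
    print("exact lookup, bind spelling:  ", groups_exact(BIND_DN))
    print("normalised lookup, bind spelling:", groups_normalized(BIND_DN))
    print("mapped (LOWER):", apply_identity_mapping(BIND_DN, r"(.*)", r"\1", "LOWER"))
```

      Whichever route is taken (binding with the DN exactly as the directory returned it, comparing DNs structurally, or lower-casing every identity through a mapping), the point is that the login provider and the user group provider must produce the same string for the same entry; the "Group Membership - Enforce Case Sensitivity" setting in the configuration above only governs group-name matching and does not reconcile the user identity itself.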

      People

        Assignee: Unassigned
        Reporter: Rafael Micó (rmicmir)