Configuring LDAP authentication

Learn how to configure an LDAP server for user authentication in your NiFi or NiFi Registry cluster.

CFM Operator can configure NiFi to connect to an LDAP server for user authentication.

Prerequisites:

  • Full LDAP URL, i.e. ldap://[***LDAP SERVER URL***]:[***LDAP PORT***]

  • Desired authentication strategy

  • Authentication credentials and key/trust stores if using LDAPS.

  • User search filters

For LDAP servers protected with any authentication, a Secret must be created containing the correct authentication credentials and TLS resources (if applicable). The Secret must contain the following data fields:

  • managerPassword

  • keystore (if TLS is configured)

  • keystorePassword (if TLS is configured)

  • truststore (if TLS is configured)

  • truststorePassword (if TLS is configured)

Create the Secret using the kubectl CLI utility:

kubectl create secret generic my-ldap-creds \
    --from-literal=managerPassword=myMan@gerPassw0rd \
    --from-file=keystore=/path/to/keystore \
    --from-literal=keystorePassword=myKeystorePassword \
    --from-file=truststore=/path/to/truststore \
    --from-literal=truststorePassword=myTruststorePassword

The following example shows a connection to an LDAP server that requires simple (username and password) authentication, with TLS enabled. The secretName references the Secret created above.

spec:
  security:
    initialAdminIdentity: mynifiadmin
    ldap:
      authenticationStrategy: SIMPLE
      managerDN: "cn=admin,dc=example,dc=org"
      secretName: my-ldap-creds
      referralStrategy: FOLLOW
      connectTimeout: 3 secs
      readTimeout: 10 secs
      url: ldap://my-ldap-url:389
      userSearchBase: "dc=example,dc=org"
      userSearchFilter: "(uid={0})"
      identityStrategy: USE_USERNAME
      authenticationExpiration: 12 hours
      tls:
        keystoreType: jks
        truststoreType: jks
        clientAuth: NONE
        protocol: TLSv1.2
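As an added preflight check (not part of CFM Operator or this guide), the following Python function compares a spec.security.ldap mapping with the Secrets present in the namespace and reports the mismatches that silently break LDAP login: a secretName that matches no Secret, a Secret missing the data fields listed above, a malformed url, or a SIMPLE strategy without a managerDN. The dict shapes and sample values are constructed; treating TLS as configured when a tls block is present or the URL scheme is ldaps:// is an assumption.

```python
import re
from typing import Dict, List

# Data fields the credentials Secret must carry (the list above).
BASE_FIELDS = ("managerPassword",)
TLS_FIELDS = ("keystore", "keystorePassword", "truststore", "truststorePassword")
URL_RE = re.compile(r"^ldaps?://[^/\s:]+:\d{1,5}$")


def validate_ldap_config(ldap: Dict, secrets: Dict[str, Dict[str, str]]) -> List[str]:
    """Check a spec.security.ldap mapping against the namespace's Secrets
    (name -> data fields). Returns a list of problems; empty means consistent."""
    problems: List[str] = []
    url = ldap.get("url", "")
    if not URL_RE.match(url):
        problems.append(f"url {url!r} is not of the form ldap[s]://host:port")
    # Assumption: TLS counts as configured when a tls block is present or the
    # URL scheme is ldaps://; then the four TLS Secret fields become required.
    tls_configured = "tls" in ldap or url.startswith("ldaps://")
    required = list(BASE_FIELDS) + (list(TLS_FIELDS) if tls_configured else [])
    name = ldap.get("secretName")
    secret = secrets.get(name)
    if secret is None:
        problems.append(f"secretName {name!r} matches no Secret in the namespace")
        return problems  # cannot check data fields without the Secret
    for field in required:
        if not secret.get(field):
            problems.append(f"Secret {name!r} is missing data field {field!r}")
    if ldap.get("authenticationStrategy") == "SIMPLE" and not ldap.get("managerDN"):
        problems.append("authenticationStrategy SIMPLE requires managerDN")
    return problems


# Constructed sample input mirroring the examples on this page.
SAMPLE_SECRETS = {"my-ldap-creds": {
    "managerPassword": "myMan@gerPassw0rd", "keystore": "<jks bytes>",
    "keystorePassword": "myKeystorePassword", "truststore": "<jks bytes>",
    "truststorePassword": "myTruststorePassword"}}
GOOD_LDAP = {
    "authenticationStrategy": "SIMPLE", "managerDN": "cn=admin,dc=example,dc=org",
    "secretName": "my-ldap-creds", "url": "ldap://my-ldap-url:389",
    "tls": {"keystoreType": "jks", "truststoreType": "jks", "protocol": "TLSv1.2"}}
# Same spec but naming a Secret that was never created.
BAD_LDAP = {**GOOD_LDAP, "secretName": "my-openldap-creds"}
```

Run it before applying the CR, with the secrets dict populated from what `kubectl get secret -o yaml` reports for the target namespace.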

By default, CFM Operator does not deploy a UserGroupProvider backed by the LDAP target. NiFi then only queries the LDAP server to authenticate logins and does not pull down any users or groups, so the NiFi administrator has to create each user manually before access policies can be assigned.

The following example shows configuring user synchronization with the LDAP server:

spec:
  security:
    ldap:
      sync:
        interval: 30 min
        userObjectClass: inetOrgPerson
        userSearchScope: SUBTREE
        userIdentityAttribute: cn
        userGroupNameAttribute: ou
        userGroupNameReferencedGroupAttribute: ou
        groupSearchBase: "dc=example,dc=org"
        groupObjectClass: organizationalUnit
        groupSearchScope: OBJECT
        groupNameAttribute: ou