Configuring LDAP authentication
Learn how to configure an LDAP server for user authentication in your NiFi or NiFi Registry cluster.
Cloudera Flow Management - Kubernetes Operator can configure NiFi to connect to an LDAP server for user authentication.
Prerequisites:
- Full LDAP URL, for example ldap://[***LDAP SERVER URL***]:[***LDAP PORT***]
- Desired authentication strategy
- Authentication credentials, and key/trust stores if using LDAPS
- User search filters
For LDAP servers protected with any authentication, a Secret must be created containing the correct authentication credentials and TLS resources (if applicable). The Secret must contain the following data fields:
- managerPassword
- keystore (if TLS is configured)
- keystorePassword (if TLS is configured)
- truststore (if TLS is configured)
- truststorePassword (if TLS is configured)
Create the Secret using the kubectl CLI utility (the --from-file values are paths to the keystore and truststore files on the machine where you run kubectl):
kubectl create secret generic my-ldap-creds \
--from-literal=managerPassword=myMan@gerPassw0rd \
--from-file=keystore=/path/to/keystore \
--from-literal=keystorePassword=myKeystorePassword \
--from-file=truststore=/path/to/truststore \
--from-literal=truststorePassword=myTruststorePassword
The following example shows a connection to an LDAP server that requires simple bind authentication (authenticationStrategy: SIMPLE) over TLS. The secretName must match the name of the Secret created above.
spec:
  security:
    initialAdminIdentity: mynifiadmin
    ldap:
      authenticationStrategy: SIMPLE
      managerDN: "cn=admin,dc=example,dc=org"
      secretName: my-ldap-creds
      referralStrategy: FOLLOW
      connectTimeout: 3 secs
      readTimeout: 10 secs
      url: ldap://my-ldap-url:389
      userSearchBase: "dc=example,dc=org"
      userSearchFilter: "(uid={0})"
      identityStrategy: USE_USERNAME
      authenticationExpiration: 12 hours
      tls:
        keystoreType: jks
        truststoreType: jks
        clientAuth: NONE
        protocol: TLSv1.2
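A common misconfiguration with this setup is a spec whose secretName does not match the Secret actually created, or a Secret that lacks one of the TLS data fields when a tls block is present. The following Python helper is an added example, not part of Cloudera Flow Management - Kubernetes Operator or its documentation: it takes the ldap portion of the spec and a Secret in the JSON shape `kubectl get secret <name> -o json` returns, and reports every missing or empty data field. The function names, the sample Secret contents and the rule "TLS resources are required when the URL uses ldaps:// or a tls block is present" are assumptions made for this example.

```python
"""Check that the Secret referenced by spec.security.ldap carries every data
field the LDAP configuration needs. Hypothetical helper written for this page;
it is not part of the operator."""
import base64

# Data fields the page lists as mandatory, and those needed only with TLS.
REQUIRED_ALWAYS = ("managerPassword",)
REQUIRED_WITH_TLS = ("keystore", "keystorePassword", "truststore", "truststorePassword")


def required_secret_keys(ldap_spec):
    """Return the Secret data keys this ldap spec needs.

    Assumption for this example: TLS resources are required when the URL is
    ldaps:// or when the spec contains a tls block (as in the example above).
    """
    url = str(ldap_spec.get("url", ""))
    uses_tls = url.lower().startswith("ldaps://") or "tls" in ldap_spec
    keys = list(REQUIRED_ALWAYS)
    if uses_tls:
        keys.extend(REQUIRED_WITH_TLS)
    return keys


def check_ldap_secret(ldap_spec, secrets):
    """Return a list of problems; an empty list means spec and Secret agree.

    `secrets` maps Secret name -> the object kubectl prints with -o json
    ({"metadata": {"name": ...}, "data": {key: base64-encoded value}}).
    """
    problems = []
    name = ldap_spec.get("secretName")
    if not name:
        problems.append("spec.security.ldap.secretName is not set")
        return problems
    secret = secrets.get(name)
    if secret is None:
        problems.append(f"Secret '{name}' does not exist in the namespace")
        return problems
    data = secret.get("data", {})
    for key in required_secret_keys(ldap_spec):
        if key not in data:
            problems.append(f"Secret '{name}' is missing data field '{key}'")
        elif not base64.b64decode(data[key]):
            problems.append(f"Secret '{name}' data field '{key}' is empty")
    # NiFi substitutes the login name for {0}; a filter without it can never match.
    if "{0}" not in str(ldap_spec.get("userSearchFilter", "")):
        problems.append("userSearchFilter must contain the {0} username placeholder")
    return problems


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed sample: the ldap block from the example spec above.
LDAP_SPEC = {
    "authenticationStrategy": "SIMPLE",
    "managerDN": "cn=admin,dc=example,dc=org",
    "secretName": "my-ldap-creds",
    "url": "ldap://my-ldap-url:389",
    "userSearchBase": "dc=example,dc=org",
    "userSearchFilter": "(uid={0})",
    "tls": {"keystoreType": "jks", "truststoreType": "jks", "protocol": "TLSv1.2"},
}

# Constructed sample: what `kubectl get secret my-ldap-creds -o json` might return
# after the kubectl create command above (placeholder bytes stand in for the stores).
SECRETS = {
    "my-ldap-creds": {
        "metadata": {"name": "my-ldap-creds"},
        "data": {
            "managerPassword": _b64(b"myMan@gerPassw0rd"),
            "keystore": _b64(b"\x00placeholder-jks-bytes"),
            "keystorePassword": _b64(b"myKeystorePassword"),
            "truststore": _b64(b"\x00placeholder-jks-bytes"),
            "truststorePassword": _b64(b"myTruststorePassword"),
        },
    }
}

if __name__ == "__main__":
    for problem in check_ldap_secret(LDAP_SPEC, SECRETS) or ["OK: Secret matches the ldap spec"]:
        print(problem)
```

Run the check before applying the NiFi spec; a spec that points at a Secret name that was never created (for example my-openldap-creds when the Secret is my-ldap-creds) is reported immediately instead of surfacing later as a failed LDAP bind.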
By default, Cloudera Flow Management - Kubernetes Operator does not deploy a UserGroupProvider backed by the LDAP server. NiFi then only queries the LDAP server to authenticate logins and does not pull down any users or groups, so the NiFi administrator must create each user manually before access policies can be assigned.
The following example shows configuring user synchronization with the LDAP server:
spec:
  security:
    ldap:
      sync:
        interval: 30 min
        userObjectClass: inetOrgPerson
        userSearchScope: SUBTREE
        userIdentityAttribute: cn
        userGroupNameAttribute: ou
        userGroupNameReferencedGroupAttribute: ou
        groupSearchBase: "dc=example,dc=org"
        groupObjectClass: organizationalUnit
        groupSearchScope: OBJECT
        groupNameAttribute: ou