LDAP Login Identity Provider Configuration

Cloudera Manager exposes the default LDAP login identity provider properties for configuration. Use the following tables to set up the default LDAP login provider for CFM services.

Table 1. NiFi configuration properties from the nifi.properties.xml file

| Property Name | Description | Default Value |
| --- | --- | --- |
| nifi.security.user.login.identity.provider | Indicates the type of login identity provider. | Enter: ldap-provider |

Table 2. NiFi configuration properties from the login-identity-providers.xml file

| Property Name | Description | Possible Values |
| --- | --- | --- |
| xml.loginIdentityProviders.provider.ldap-provider.class | Default LDAP Provider Class | org.apache.nifi.ldap.LdapProvider |
| xml.loginIdentityProviders.provider.ldap-provider.property.Identity Strategy | Strategy to identify users. If this property is missing, the default is USE_DN, to retain backward compatibility. USE_DN uses the full DN of the user entry if possible. USE_USERNAME uses the username the user logged in with. | USE_DN (default), USE_USERNAME |
| xml.loginIdentityProviders.provider.ldap-provider.property.Authentication Strategy | How the connection to the LDAP server is authenticated. | ANONYMOUS, SIMPLE, LDAPS, START_TLS (default) |
| xml.loginIdentityProviders.provider.ldap-provider.property.Manager DN | The DN of the manager that is used to bind to the LDAP server to search for users. | |
| xml.loginIdentityProviders.provider.ldap-provider.property.Manager Password | The password of the manager that is used to bind to the LDAP server to search for users. | |
| xml.loginIdentityProviders.provider.ldap-provider.property.TLS - Keystore | Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. | |
| xml.loginIdentityProviders.provider.ldap-provider.property.TLS - Keystore Password | Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. | |
| xml.loginIdentityProviders.provider.ldap-provider.property.TLS - Keystore Type | Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. | Examples: JKS, PKCS12 |
| xml.loginIdentityProviders.provider.ldap-provider.property.TLS - Truststore | Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. | |
| xml.loginIdentityProviders.provider.ldap-provider.property.TLS - Truststore Password | Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. | |
| xml.loginIdentityProviders.provider.ldap-provider.property.TLS - Truststore Type | Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. | Examples: JKS, PKCS12 |
| xml.loginIdentityProviders.provider.ldap-provider.property.TLS - Client Auth | Client authentication policy when connecting to LDAP using LDAPS or START_TLS. | REQUIRED, WANT, NONE |
| xml.loginIdentityProviders.provider.ldap-provider.property.TLS - Protocol | Protocol to use when connecting to LDAP using LDAPS or START_TLS. | Examples: TLS, TLSv1.1, TLSv1.2 |
| xml.loginIdentityProviders.provider.ldap-provider.property.TLS - Shutdown Gracefully | Specifies whether the TLS connection should be shut down gracefully before the target context is closed. | TRUE, FALSE (default) |
| xml.loginIdentityProviders.provider.ldap-provider.property.Referral Strategy | Strategy for handling referrals. | FOLLOW (default), IGNORE, THROW |
| xml.loginIdentityProviders.provider.ldap-provider.property.Connect Timeout | Duration of the connect timeout. | Example: 10 secs (default) |
| xml.loginIdentityProviders.provider.ldap-provider.property.Read Timeout | Duration of the read timeout. | Example: 10 secs (default) |
| xml.loginIdentityProviders.provider.ldap-provider.property.Url | Space-separated list of URLs of the LDAP servers (ldap://<hostname>:<port>). | Example: ldap://localhost:389 |
| xml.loginIdentityProviders.provider.ldap-provider.property.User Search Base | Base DN for searching for users. | Example: CN=Users,DC=example,DC=com |
| xml.loginIdentityProviders.provider.ldap-provider.property.User Search Filter | Filter for searching for users against the User Search Base. The user-specified name is inserted into '{0}'. | Example: sAMAccountName={0} |
| xml.loginIdentityProviders.provider.ldap-provider.property.Authentication Expiration | How long a user's authentication remains valid. If the user never logs out, they are required to log back in after this duration. | Example: 12 hours (default) |

You can add any properties that are not available by default in Cloudera Manager to the login-identity-providers.xml file using the NiFi Node Advanced Configuration Snippet (Safety Valve) for staging/login-identity-providers.xml.

Table 3. NiFi Registry configuration properties from the nifi.properties.xml file

| Property Name | Description | Default Value |
| --- | --- | --- |
| nifi.registry.security.identity.provider | Indicates the type of login identity provider. | Enter: ldap-provider |

Table 4. NiFi Registry configuration properties from the identity-providers.xml file

| Property Name | Description | Possible Values |
| --- | --- | --- |
| xml.identityProviders.provider.ldap-provider.class | Default LDAP Provider Class | org.apache.nifi.registry.security.ldap.LdapIdentityProvider |
| xml.identityProviders.provider.ldap-provider.property.Identity Strategy | Strategy to identify users. If this property is missing, the default is USE_DN, to retain backward compatibility. USE_DN uses the full DN of the user entry if possible. USE_USERNAME uses the username the user logged in with. | USE_DN (default), USE_USERNAME |
| xml.identityProviders.provider.ldap-provider.property.Authentication Strategy | How the connection to the LDAP server is authenticated. | ANONYMOUS, SIMPLE, LDAPS, START_TLS (default) |
| xml.identityProviders.provider.ldap-provider.property.Manager DN | The DN of the manager that is used to bind to the LDAP server to search for users. | |
| xml.identityProviders.provider.ldap-provider.property.Manager Password | The password of the manager that is used to bind to the LDAP server to search for users. | |
| xml.identityProviders.provider.ldap-provider.property.Connect Timeout | Duration of the connect timeout. | Example: 10 secs (default) |
| xml.identityProviders.provider.ldap-provider.property.Read Timeout | Duration of the read timeout. | Example: 10 secs (default) |
| xml.identityProviders.provider.ldap-provider.property.Url | Space-separated list of URLs of the LDAP servers (ldap://<hostname>:<port>). | Example: ldap://localhost:389 |
| xml.identityProviders.provider.ldap-provider.property.User Search Base | Base DN for searching for users. | Example: CN=Users,DC=example,DC=com |
| xml.identityProviders.provider.ldap-provider.property.User Search Filter | Filter for searching for users against the User Search Base. The user-specified name is inserted into '{0}'. | Example: sAMAccountName={0} |
| xml.identityProviders.provider.ldap-provider.property.Authentication Expiration | How long a user's authentication remains valid. If the user never logs out, they are required to log back in after this duration. | Example: 12 hours (default) |
| xml.identityProviders.provider.ldap-provider.property.Referral Strategy | Strategy for handling referrals. | FOLLOW (default), IGNORE, THROW |

You can add any properties that are not available by default in Cloudera Manager to the identity-providers.xml file using the NiFi Registry Advanced Configuration Snippet (Safety Valve) for staging/identity-providers.xml.
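The following Python script is an added example, not Cloudera's or Apache NiFi's code. It shows the provider layout that the property names in Table 2 and Table 4 describe (each xml....property.<Name> key is assumed to correspond to a <property name="Name"> element under the provider whose <identifier> matches the ldap-provider value entered in Table 1 or Table 3), and it lints that provider for the settings from the tables that affect security: a non-TLS authentication strategy over ldap://, an LDAPS strategy pointed at ldap:// URLs, a TLS - Protocol older than TLSv1.2, a TLS strategy with no TLS - Truststore, empty manager bind credentials, and a User Search Filter without the '{0}' placeholder. The sample XML, DNs, host names, file paths and placeholder passwords are constructed; the root element and provider class for NiFi Registry's identity-providers.xml are taken from Table 4.

```python
"""Lint the LDAP provider in a NiFi login-identity-providers.xml or a NiFi
Registry identity-providers.xml for weak settings. Added example, not
Cloudera's or Apache NiFi's code; all sample values are constructed."""
import xml.etree.ElementTree as ET

# Root element -> provider class, per Table 2 (NiFi) and Table 4 (NiFi Registry).
EXPECTED_CLASS = {
    "loginIdentityProviders": "org.apache.nifi.ldap.LdapProvider",
    "identityProviders": "org.apache.nifi.registry.security.ldap.LdapIdentityProvider",
}
TLS_STRATEGIES = {"LDAPS", "START_TLS"}
ACCEPTED_TLS_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed NiFi sample. Each Cloudera Manager key of the form
# xml.loginIdentityProviders.provider.ldap-provider.property.<Name>
# is assumed to map to the <property name="<Name>"> element below.
HARDENED_NIFI_XML = """<loginIdentityProviders>
  <provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
    <property name="Manager DN">CN=nifi-svc,CN=Users,DC=example,DC=com</property>
    <property name="Manager Password">REPLACE_WITH_BIND_PASSWORD</property>
    <property name="TLS - Truststore">/var/lib/nifi/conf/truststore.jks</property>
    <property name="TLS - Truststore Password">REPLACE_WITH_TRUSTSTORE_PASSWORD</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth">NONE</property>
    <property name="TLS - Protocol">TLSv1.2</property>
    <property name="TLS - Shutdown Gracefully">false</property>
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
    <property name="Url">ldap://ldap.example.com:389</property>
    <property name="User Search Base">CN=Users,DC=example,DC=com</property>
    <property name="User Search Filter">sAMAccountName={0}</property>
    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
  </provider>
</loginIdentityProviders>
"""

# Constructed weak variant: LDAPS strategy against a plain ldap:// URL, an old
# TLS version, no truststore, an empty bind password and a filter without {0}.
WEAK_NIFI_XML = """<loginIdentityProviders>
  <provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
    <property name="Manager DN">CN=nifi-svc,CN=Users,DC=example,DC=com</property>
    <property name="Manager Password"></property>
    <property name="TLS - Protocol">TLSv1.1</property>
    <property name="Url">ldap://ldap.example.com:389</property>
    <property name="User Search Base">CN=Users,DC=example,DC=com</property>
    <property name="User Search Filter">sAMAccountName=</property>
  </provider>
</loginIdentityProviders>
"""


def load_provider(xml_text, identifier="ldap-provider"):
    """Return (root tag, class name, {property name: value}) for the <provider>
    whose <identifier> equals the value entered for the identity provider
    property in Table 1 or Table 3."""
    root = ET.fromstring(xml_text)
    for provider in root.findall("provider"):
        if provider.findtext("identifier", "").strip() == identifier:
            props = {p.get("name"): (p.text or "").strip()
                     for p in provider.findall("property")}
            return root.tag, provider.findtext("class", "").strip(), props
    raise ValueError(f"no <provider> with identifier {identifier!r}")


def lint_ldap_provider(xml_text, identifier="ldap-provider"):
    """Return a list of (code, message) findings; an empty list means clean."""
    root_tag, class_name, props = load_provider(xml_text, identifier)
    findings = []
    expected = EXPECTED_CLASS.get(root_tag)
    if expected is None:
        findings.append(("UNKNOWN_ROOT", f"unexpected root element <{root_tag}>"))
    elif class_name != expected:
        findings.append(("CLASS_MISMATCH", f"<{root_tag}> expects {expected}, found {class_name or '(none)'}"))

    strategy = props.get("Authentication Strategy") or "START_TLS"  # default per the tables
    plain_urls = [u for u in props.get("Url", "").split() if u.lower().startswith("ldap://")]
    if strategy in TLS_STRATEGIES:
        if strategy == "LDAPS" and plain_urls:
            findings.append(("URL_SCHEME", "LDAPS strategy with ldap:// URL(s): " + " ".join(plain_urls)))
        protocol = props.get("TLS - Protocol", "")
        if protocol not in ACCEPTED_TLS_PROTOCOLS:
            findings.append(("TLS_PROTOCOL", f"TLS - Protocol is {protocol or '(unset)'}; pin TLSv1.2 or TLSv1.3"))
        if not props.get("TLS - Truststore"):
            findings.append(("NO_TRUSTSTORE", "no TLS - Truststore configured for a TLS authentication strategy"))
    elif plain_urls:
        findings.append(("PLAINTEXT", f"{strategy} over ldap://: passwords presented at login cross the network without TLS"))

    if strategy != "ANONYMOUS" and not (props.get("Manager DN") and props.get("Manager Password")):
        findings.append(("MANAGER_CREDS", "Manager DN or Manager Password is empty for a non-anonymous strategy"))
    if "{0}" not in props.get("User Search Filter", ""):
        findings.append(("FILTER_PLACEHOLDER", "User Search Filter lacks the {0} placeholder for the login name"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("hardened", HARDENED_NIFI_XML), ("weak", WEAK_NIFI_XML)):
        print(f"{label}: {lint_ldap_provider(xml_text) or 'no findings'}")
```

Point the script at the staged file from the Safety Valve (load_provider takes the XML text) after any change to the Authentication Strategy, Url or TLS properties; the hardened sample produces no findings, the weak sample reports the URL scheme, TLS protocol, missing truststore, empty manager password and missing '{0}' placeholder in that order.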