LDAP Authentication
After you install NiFi or NiFi Registry, you can enable LDAP authentication.
In a kerberized environment, enabling the LDAP Login Identity Provider takes precedence over the Kerberos Login Identity Provider.
Set the following required LDAP parameters for NiFi:
| LDAP Parameters for NiFi | Sample Value |
|---|---|
| Enable TLS/SSL for NiFi Node | Checked |
| LDAP Enabled | Checked |
| Login Identity Provider: Default LDAP Provider Class | org.apache.nifi.ldap.LdapProvider |
| Initial Admin Identity | admin |
| Login Identity Provider ID | ldap-provider |
| LDAP Authentication Strategy | SIMPLE, LDAPS, or START_TLS |
| LDAP Manager DN | uid=admin,ou=people,dc=hadoop,dc=apache,dc=org |
| LDAP Manager Password | admin-password |
| LDAP URL | ldap://<ldap-hostname>:33389 |
| LDAP User Search Base | ou=people,dc=hadoop,dc=apache,dc=org |
| Login Identity Provider: Default LDAP User Search Filter | uid={0} |
| Login Identity Provider: Default LDAP Identity Strategy | USE_USERNAME |
| Login Identity Provider: Default LDAP TLS - Keystore | /<path to>/keystore.jks |
| Login Identity Provider: Default LDAP TLS - Keystore Password | Default LDAP TLS - Keystore Password |
| Login Identity Provider: Default LDAP TLS - Keystore Type | JKS or PKCS12 |
| Login Identity Provider: Default LDAP TLS - Truststore | /<path to>/truststore.jks |
| Login Identity Provider: Default LDAP TLS - Truststore Password | Default LDAP TLS - Truststore Password |
| Login Identity Provider: Default LDAP TLS - Truststore Type | JKS or PKCS12 |
| TLS - Client Auth | Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
Possible values are |
| TLS - Protocol | Protocol to use when connecting to LDAP using LDAPS or START_TLS. For example,
|
| TLS - Shutdown Gracefully | Specifies whether the TLS should be shut down gracefully before the target context is
closed. Defaults to false. |
Set the following required LDAP parameters for NiFi Registry:
| LDAP Parameter for NiFi Registry | Sample Value |
|---|---|
| Enable TLS/SSL for NiFi Registry | Checked |
| LDAP Enabled | Checked |
| Identity Provider: Default LDAP Provider Class | org.apache.nifi.registry.security.ldap.LdapIdentityProvider |
| Initial Admin Identity | admin |
| Identity Provider Identifier | ldap-provider |
| LDAP Authentication Strategy | SIMPLE, LDAPS, or START_TLS |
| LDAP Manager DN | uid=admin,ou=people,dc=hadoop,dc=apache,dc=org |
| LDAP Manager Password | admin-password |
| LDAP URL | ldap://<ldap-hostname>:33389 |
| LDAP User Search Base | ou=people,dc=hadoop,dc=apache,dc=org |
| Identity Provider: Default LDAP User Search Filter | uid={0} |
| Identity Provider: Default LDAP Identity Strategy | USE_USERNAME |
| Client Authentication Required | Unchecked |
| Identity Provider: Default LDAP TLS - Keystore | /<path to>/keystore.jks |
| Identity Provider: Default LDAP TLS - Keystore Password | Default LDAP TLS - Keystore Password |
| Identity Provider: Default LDAP TLS - Keystore Type | JKS or PKCS12 |
| Identity Provider: Default LDAP TLS - Truststore | /<path to>/truststore.jks |
| Identity Provider: Default LDAP TLS - Truststore Password | Default LDAP TLS - Truststore Password |
| Identity Provider: Default LDAP TLS - Truststore Type | JKS or PKCS12 |
| TLS - Client Auth | Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
Possible values are |
| TLS - Protocol | Protocol to use when connecting to LDAP using LDAPS or START_TLS. For example,
|
| TLS - Shutdown Gracefully | Specifies whether the TLS should be shut down gracefully before the target context is
closed. Defaults to false. |
