Cloudera Docs

LDAP authentication

After you install NiFi or NiFi Registry, you can enable LDAP authentication.

In a kerberized environment, enabling the LDAP Login Identity Provider takes precedence over the Kerberos Login Identity Provider.

Set the following required LDAP parameters for NiFi:
LDAP Parameters for NiFi Sample Value
Enable TLS/SSL for NiFi Node Checked
LDAP Enabled Checked
Login Identity Provider: Default LDAP Provider Class org.apache.nifi.ldap.LdapProvider
Initial Admin Identity admin
Login Identity Provider ID ldap-provider
LDAP Authentication Strategy SIMPLE, LDAPS, or START_TLS
LDAP Manager DN uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
LDAP Manager Password admin-password
LDAP URL ldap://<ldap-hostname>:33389
LDAP User Search Base ou=people,dc=hadoop,dc=apache,dc=org
Login Identity Provider: Default LDAP User Search Filter uid={0}
Login Identity Provider: Default LDAP Identity Strategy USE_USERNAME
Login Identity Provider: Default LDAP TLS - Keystore /<path to>/keystore.jks
Login Identity Provider: Default LDAP TLS - Keystore Password Default LDAP TLS - Keystore Password
Login Identity Provider: Default LDAP TLS - Keystore Type JKS or PKCS12
Login Identity Provider: Default LDAP TLS - Truststore /<path to>/truststore.jks
Login Identity Provider: Default LDAP TLS - Truststore Password Default LDAP TLS - Truststore Password
Login Identity Provider: Default LDAP TLS - Truststore Type JKS or PKCS12
TLS - Client Auth Client authentication policy when connecting to LDAP using LDAPS or START_TLS.

Possible values are REQUIRED, WANT, and NONE.
TLS - Protocol Protocol to use when connecting to LDAP using LDAPS or START_TLS.

For example, TLS, TLSv1.1, TLSv1.2, etc.
TLS - Shutdown Gracefully Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.
Set the following required LDAP parameters for NiFi Registry:
LDAP Parameter for NiFi Registry Sample Value
Enable TLS/SSL for NiFi Registry Checked
LDAP Enabled Checked
Identity Provider: Default LDAP Provider Class org.apache.nifi.registry.security.ldap.LdapIdentityProvider
Initial Admin Identity admin
Identity Provider Identifier ldap-provider
LDAP Authentication Strategy SIMPLE, LDAPS, or START_TLS
LDAP Manager DN uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
LDAP Manager Password admin-password
LDAP URL ldap://<ldap-hostname>:33389
LDAP User Search Base ou=people,dc=hadoop,dc=apache,dc=org
Identity Provider: Default LDAP User Search Filter uid={0}
Identity Provider: Default LDAP Identity Strategy USE_USERNAME
Client Authentication Required Unchecked
Identity Provider: Default LDAP TLS - Keystore /<path to>/keystore.jks
Identity Provider: Default LDAP TLS - Keystore Password Default LDAP TLS - Keystore Password
Identity Provider: Default LDAP TLS - Keystore Type JKS or PKCS12
Identity Provider: Default LDAP TLS - Truststore /<path to>/truststore.jks
Identity Provider: Default LDAP TLS - Truststore Password Default LDAP TLS - Truststore Password
Identity Provider: Default LDAP TLS - Truststore Type JKS or PKCS12
TLS - Client Auth Client authentication policy when connecting to LDAP using LDAPS or START_TLS.

Possible values are REQUIRED, WANT, and NONE.
TLS - Protocol Protocol to use when connecting to LDAP using LDAPS or START_TLS.

For example, TLS, TLSv1.1, TLSv1.2, etc.
TLS - Shutdown Gracefully Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.