nifi-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kevin Doran <>
Subject Re: LDAP provider not recognizing the u/p combination
Date Fri, 16 Feb 2018 13:55:07 GMT


Glad to hear you got this working and thanks for the information. Perhaps this is an area
that could be improved so that it is easier to configure or troubleshoot, or better documented.
That’s something worth taking a look at. Good tip on Apache Directory Studio, I agree that
being able to easily browse the directory helps when configuring LDAP integration in a new




From: Mike Thomsen <>
Reply-To: <>
Date: Friday, February 16, 2018 at 07:49
To: <>
Subject: Re: LDAP provider not recognizing the u/p combination




The issue was that I forgot that there is also a separate configuration file for looking up
the users (config-something-providers.xml). After a little tweaking to that, u/p works fine


Apache Directory Studio worked really well for the debugging. I would strongly recommend it
to new users in the documentation as a tool for connecting to LDAP and poking around to verify
the LDAP settings against the live schema.




On Tue, Feb 13, 2018 at 11:33 AM, Kevin Doran <> wrote:

Hi Mike,


I don’t know enough about Active Directory and LDAP in general to answer your question off
the type of my help, but I’m familiar with how the NiFi LDAP client is configured using
the fields you’ve mentioned, so I may be able to help you figure it out.


I think you’re on the right track, but you may need to use the User Identity Attribute as


It would be helpful for me if I could try to reproduce the environment you are working in.
As I don’t know the details of the Active Directory structure, would you be able to provide
an example snippet of the directory in LDIF format [1] [2]? Please scrub any sensitive information
(actual names or password hashes) before sending, I just need a better sense of the structure
of the directory, not the value of fields themselves.


If that’s not possible for you, just let me know and I can try to follow up without those
details as soon as I get a chance to dig into the specifics of AD a bit more.








From: Mike Thomsen <>
Reply-To: <>
Date: Tuesday, February 13, 2018 at 11:18
To: <>
Subject: LDAP provider not recognizing the u/p combination


We're using AD, and I have verified that we can actually pull the users and groups by logging
in as the initial admin and checking the users. It shows the users and the LDAP groups we
assigned. Looks fine there.


When a user goes to login with their domain account, it says invalid username and password.


So if their domain account is like this:




I expect them to be able to put "john.smith" in the username field.


These are the search settings:


Search Filter: (CN={0})

Identity Strategy: USE_USERNAME


Based on the documentation, I would expect that that would take the username and password,
put the username into the CN attribute of the search filter and filter on the search base
(exact copy of the one that is working in the user/group search configuration).


Any suggestions on what might be wrong and/or how to debug this?






View raw message