
NiFi 1.25 error when trying to connect to LDAP service: ClassCastException: LdapProvider


I'm trying to add LDAP (not LDAPS) authentication in NiFi 1.25.0 in Windows so that users can log in using their network IDs, but I can't get past this error:

"FactoryBean threw exception on object creation; nested exception is java.lang.ClassCastException: class org.apache.nifi.ldap.LdapProvider"

After a reboot, it takes a couple of minutes to get an error. Between reboots, it takes about 15 seconds. The service never starts.

NiFi runs fine with the default "single-user-authorizer" setup.

When I launch NiFi, no LDAP protocol requests come from my machine, so I'm assuming the code never makes it to the point where it tries to connect. "ClassCastException" sounds like a code error, but I'm assuming my configuration (below) has a problem.

The error log entries include:

ni-fi-bootstrap.log

ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiConfiguration': BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is java.lang.ClassCastException: class org.apache.nifi.ldap.LdapProvider
ERROR [NiFi logging handler] org.apache.nifi.StdErr Shutting down...
INFO [main] org.apache.nifi.bootstrap.RunNiFi NiFi never started. Will not restart NiFi

2024-04-30 09:08:29,954 ERROR [main] o.s.web.context.ContextLoader Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'niFiWebApiConfiguration': BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is java.lang.ClassCastException: class org.apache.nifi.ldap.LdapProvider
...
Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is java.lang.ClassCastException: class org.apache.nifi.ldap.LdapProvider
...
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is java.lang.ClassCastException: class org.apache.nifi.ldap.LdapProvider
...
Caused by: java.lang.ClassCastException: class org.apache.nifi.ldap.LdapProvider

(Apologies about the formatting. I've been fighting with the editor all morning.)

Config settings are below. Our LDAP server is not using SSL/TLS, so there are no config values for Keystore, Truststore, etc.

NiFi.properties:
nifi.security.user.authorizer=ldap-provider
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=ldap-provider

authorizers.xml:

<authorizer>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
</authorizer>

login-identity-providers.xml:

<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">SIMPLE</property>

    <property name="Manager DN">CN=ourLdapUser,CN=Users,DC=ourDomain,DC=local</property>
    <property name="Manager Password">########</property>

    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password"></property>
    <property name="TLS - Keystore Type"></property>
    <property name="TLS - Truststore"></property>
    <property name="TLS - Truststore Password"></property>
    <property name="TLS - Truststore Type"></property>
    <property name="TLS - Client Auth"></property>
    <property name="TLS - Protocol"></property>
    <property name="TLS - Shutdown Gracefully"></property>

    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>

    <property name="Url">ldap://[ip address]:389</property>
    <property name="User Search Base">CN=Users,DC=ourDomain,DC=local</property>
    <property name="User Search Filter">sAMAccountName={0}</property><!-- also tried uid={0} -->

    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>

I've tried other config settings for the LDAP authorizer that I found on the web, but the ClassCastException error for LdapProvider always halts execution. I added a set of configs for "ldap-user-group-provider" which requires "composite-configurable-user-group-provider," "file-access-policy-provider" and "managed-authorizer," but there was no difference.

I made sure I can access the LDAP server from my machine, and I've allowed Java "domain" and "private" access through Windows firewall.

I've tried the same settings on Windows 10 and Windows 11.

I attached a debugger from Visual Studio 2019 Pro to the NiFi port, but it basically stopped execution.

I found the source code for class LdapIdentityProvider, which is where the ldap-provider values from login-identity-providers.xml are read. There's supposed to be an INFO message when the "Identity Strategy" property is not set, but it didn't come through. (I enabled INFO logging with this line in logback.xml: <logger name="org.apache.nifi" level="INFO" />, and I get other INFO entries.) Again, I don't think execution is getting that far.


Solution

  • I was able to resolve this, but I'm not positive what fixed it. I believe it was a combination of changes.

    In nifi.properties: nifi.security.user.authorizer=managed-authorizer

    In authorizers.xml: I removed the ldap-provider authorizer, which I had apparently added to try to get past an earlier error saying it wasn't defined. I also enabled the managed-authorizer definition and configured the file-access-policy-provider with our Initial Admin Identity.
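
An added example, not part of the original post or of NiFi itself: a small pre-start check for the three files discussed above. org.apache.nifi.ldap.LdapProvider is a login identity provider, so it belongs in login-identity-providers.xml and cannot serve as an authorizer class; the check flags that mismatch, a missing Initial Admin Identity, and a SIMPLE bind over plain ldap://. The function names and the inline sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def props(text):
    """Parse key=value lines from nifi.properties, skipping comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def prop(elem, name):
    """Value of <property name="..."> under elem, or '' when absent/empty."""
    return next((p.text or "" for p in elem.iter("property")
                 if p.get("name") == name), "").strip()

def lint(nifi_properties, authorizers_xml, login_providers_xml):
    findings, conf = [], props(nifi_properties)
    auth = ET.fromstring(authorizers_xml)
    login = ET.fromstring(login_providers_xml)
    # Classes declared as login identity providers are not Authorizer classes.
    login_classes = {p.findtext("class") for p in login.iter("provider")}
    wanted = conf.get("nifi.security.user.authorizer", "")
    chosen = next((a for a in auth.iter("authorizer")
                   if a.findtext("identifier") == wanted), None)
    if chosen is None:
        findings.append(f"authorizer '{wanted}' is not defined in authorizers.xml")
    elif chosen.findtext("class") in login_classes:
        findings.append(f"authorizer '{wanted}' uses a login identity provider class")
    else:
        app = prop(chosen, "Access Policy Provider")
        policy = next((p for p in auth.iter("accessPolicyProvider")
                       if p.findtext("identifier") == app), None)
        if app and (policy is None or not prop(policy, "Initial Admin Identity")):
            findings.append(f"access policy provider '{app}' is missing or has no Initial Admin Identity")
    for p in login.iter("provider"):
        if (prop(p, "Url").lower().startswith("ldap://")
                and prop(p, "Authentication Strategy") == "SIMPLE"):
            findings.append("SIMPLE bind over ldap:// sends passwords in cleartext")
    return findings

# Constructed inputs mirroring the question's configuration.
LOGIN = """<loginIdentityProviders><provider>
  <identifier>ldap-provider</identifier><class>org.apache.nifi.ldap.LdapProvider</class>
  <property name="Authentication Strategy">SIMPLE</property>
  <property name="Url">ldap://[ip address]:389</property>
</provider></loginIdentityProviders>"""
BROKEN = """<authorizers><authorizer>
  <identifier>ldap-provider</identifier><class>org.apache.nifi.ldap.LdapProvider</class>
</authorizer></authorizers>"""
if __name__ == "__main__":
    print(lint("nifi.security.user.authorizer=ldap-provider", BROKEN, LOGIN))
```

Run against the question's files, this reports the authorizer/login-provider class mix-up and the cleartext bind; with managed-authorizer selected and an Initial Admin Identity set, only the cleartext finding remains.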