nifildapsecurityauthentication

Apache NiFi LDAP Authentication Setup Guide (Including Cloudera CFM)

Step-by-step guide to configuring LDAP authentication in NiFi, covering login-identity-providers.xml, authorizers.xml, and Cloudera Manager settings.

Data DynamicsApril 13, 202612 min read

Apache NiFi runs without user authentication by default, but in production environments, authentication must be enabled. One of the most widely used approaches is LDAP (Lightweight Directory Access Protocol) authentication. This post explains NiFi LDAP authentication configuration for both open-source NiFi and Cloudera CFM (Cloudera Flow Management) environments. It references the Cloudera CFM LDAP Authentication documentation and the Apache NiFi Administration Guide.

1. Prerequisites

The following conditions must be met before configuring LDAP authentication.

Item	Description
TLS/SSL enabled	HTTPS must be enabled on NiFi to support authentication
LDAP server	An accessible LDAP server such as OpenLDAP, Active Directory, or 389 Directory Server
Service account	Manager DN and password for searching users on the LDAP server
Certificates	Truststore containing the LDAP server's CA certificate when using LDAPS or START_TLS

Note: NiFi cannot enable authentication without HTTPS. You must configure TLS/SSL before setting up LDAP.

2. How LDAP Authentication Works

NiFi's LDAP authentication consists of two components.

User → NiFi Login Screen → Login Identity Provider (Authentication)
                                    ↓
                              Bind to LDAP server to verify user
                                    ↓
                              Authorizer (Authorization) → Check permissions

Component	Configuration File	Role
Login Identity Provider	`login-identity-providers.xml`	Authenticates by binding username/password against the LDAP server
Authorizer	`authorizers.xml`	Determines which resources an authenticated user can access

3. LDAP Configuration in Open-Source NiFi

3.1 nifi.properties Configuration

First, enable the Login Identity Provider in nifi.properties.

# Enable LDAP Login Identity Provider
nifi.security.user.login.identity.provider=ldap-provider

Configure the LDAP Provider in conf/login-identity-providers.xml. This file is the core of NiFi's LDAP authentication setup.

<loginIdentityProviders>
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>
        <property name="Authentication Strategy">START_TLS</property>
 
        <property name="Manager DN">uid=admin,ou=people,dc=example,dc=com</property>
        <property name="Manager Password">admin-password</property>
 
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
 
        <property name="Url">ldap://ldap.example.com:389</property>
        <property name="User Search Base">ou=people,dc=example,dc=com</property>
        <property name="User Search Filter">uid={0}</property>
 
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
 
        <!-- TLS settings (required for START_TLS or LDAPS) -->
        <property name="TLS - Keystore">/opt/nifi/conf/keystore.jks</property>
        <property name="TLS - Keystore Password">keystore-password</property>
        <property name="TLS - Keystore Type">JKS</property>
        <property name="TLS - Truststore">/opt/nifi/conf/truststore.jks</property>
        <property name="TLS - Truststore Password">truststore-password</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol">TLSv1.2</property>
        <property name="TLS - Shutdown Gracefully">false</property>
    </provider>
</loginIdentityProviders>

3.3 Key Properties Explained

Authentication Strategy

Strategy	Description	LDAP URL Example
ANONYMOUS	Connect to LDAP without authentication. For testing only	`ldap://ldap.example.com:389`
SIMPLE	Bind with Manager DN/Password in plaintext. Should be used with LDAPS	`ldap://ldap.example.com:389`
LDAPS	SSL-encrypted connection (port 636). Secure from the start	`ldaps://ldap.example.com:636`
START_TLS	Plaintext connection upgraded to TLS (port 389)	`ldap://ldap.example.com:389`

Production recommendation: Use LDAPS or START_TLS. SIMPLE transmits passwords in plaintext over the network.

Identity Strategy

Strategy	Description	Example
USE_DN	Uses the full DN from LDAP search result as NiFi user ID	`uid=john,ou=people,dc=example,dc=com`
USE_USERNAME	Uses the login username as-is for NiFi user ID	`john`

Recommendation: USE_USERNAME displays cleaner usernames in the NiFi UI and simplifies authorizers.xml configuration for Initial Admin Identity.

Referral Strategy

Strategy	Description
FOLLOW	Automatically follow LDAP referrals (recommended for Active Directory)
IGNORE	Ignore LDAP referrals
THROW	Throw an exception when LDAP referrals occur

User Search Filter

{0} is replaced with the login ID entered by the user.

LDAP Server	Common Filter	Description
OpenLDAP	`uid={0}`	Search by uid attribute
Active Directory	`sAMAccountName={0}`	Search by SAM account name
Active Directory (UPN)	`userPrincipalName={0}`	Search by UPN

3.4 authorizers.xml Configuration

After authentication, configure authorizers.xml for authorization. The Initial Admin Identity designates the first administrator among LDAP-authenticated users.

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">admin</property>
    </userGroupProvider>
 
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">admin</property>
        <property name="Node Identity 1">CN=nifi-node1.example.com, OU=NiFi</property>
    </accessPolicyProvider>
 
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

Important: The Initial Admin Identity value must match the Identity Strategy in login-identity-providers.xml. With USE_USERNAME it should be admin; with USE_DN it should be uid=admin,ou=people,dc=example,dc=com.

3.5 LDAP User Group Provider (Optional)

To automatically sync users and groups from the LDAP server, configure the LdapUserGroupProvider.

<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
 
    <property name="Manager DN">uid=admin,ou=people,dc=example,dc=com</property>
    <property name="Manager Password">admin-password</property>
 
    <property name="Url">ldap://ldap.example.com:389</property>
 
    <property name="User Search Base">ou=people,dc=example,dc=com</property>
    <property name="User Object Class">person</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter">(objectClass=person)</property>
    <property name="User Identity Attribute">uid</property>
 
    <property name="Group Search Base">ou=groups,dc=example,dc=com</property>
    <property name="Group Object Class">groupOfNames</property>
    <property name="Group Search Scope">ONE_LEVEL</property>
    <property name="Group Search Filter">(objectClass=groupOfNames)</property>
    <property name="Group Name Attribute">cn</property>
    <property name="Group Member Attribute">member</property>
    <property name="Group Member Attribute - Referenced Member Identity">dn</property>
 
    <property name="Sync Interval">30 mins</property>
    <property name="Page Size">500</property>
    <property name="Group Membership - Enforce Case Sensitivity">false</property>
 
    <!-- TLS settings (for START_TLS or LDAPS) -->
    <property name="TLS - Keystore">/opt/nifi/conf/keystore.jks</property>
    <property name="TLS - Keystore Password">keystore-password</property>
    <property name="TLS - Keystore Type">JKS</property>
    <property name="TLS - Truststore">/opt/nifi/conf/truststore.jks</property>
    <property name="TLS - Truststore Password">truststore-password</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth">NONE</property>
    <property name="TLS - Protocol">TLSv1.2</property>
</userGroupProvider>

Key LdapUserGroupProvider properties:

Property	Description
`User Search Base`	LDAP base DN for user searches
`User Object Class`	User object class (e.g., `person`, `inetOrgPerson`)
`User Identity Attribute`	LDAP attribute to use as NiFi user ID (e.g., `uid`, `sAMAccountName`)
`Group Search Base`	LDAP base DN for group searches
`Group Object Class`	Group object class (e.g., `groupOfNames`, `group`)
`Group Name Attribute`	LDAP attribute for group names (e.g., `cn`)
`Group Member Attribute`	Attribute representing group membership (e.g., `member`, `memberUid`)
`Sync Interval`	How often to sync users/groups from LDAP (e.g., `30 mins`)
`Page Size`	LDAP search page size (essential for large directories)

4. LDAP Configuration in Cloudera CFM

In environments managed through Cloudera Manager (CM), settings are configured via the CM UI instead of editing XML files directly.

4.1 NiFi LDAP Settings (Cloudera Manager)

Navigate to the NiFi service's Configuration tab in CM and set the following properties.

CM Property Name	Example Value	Description
Enable TLS/SSL for NiFi Node	Checked	Enable HTTPS (required prerequisite)
LDAP Enabled	Checked	Activate LDAP authentication
Login Identity Provider: Default LDAP Provider Class	`org.apache.nifi.ldap.LdapProvider`	LDAP Provider class
Login Identity Provider ID	`ldap-provider`	Provider identifier
Initial Admin Identity	`admin`	Initial administrator user
LDAP Authentication Strategy	`START_TLS`	Authentication strategy
LDAP Manager DN	`uid=admin,ou=people,dc=example,dc=com`	LDAP service account DN
LDAP Manager Password	(password)	Service account password
LDAP URL	`ldap://ldap.example.com:389`	LDAP server URL
LDAP User Search Base	`ou=people,dc=example,dc=com`	User search base DN
Login Identity Provider: Default LDAP User Search Filter	`uid={0}`	User search filter
Login Identity Provider: Default LDAP Identity Strategy	`USE_USERNAME`	Identity strategy

TLS Properties (When Using LDAPS or START_TLS)

CM Property Name	Example Value
Login Identity Provider: Default LDAP TLS - Keystore	`/opt/nifi/conf/keystore.jks`
Login Identity Provider: Default LDAP TLS - Keystore Password	(password)
Login Identity Provider: Default LDAP TLS - Keystore Type	`JKS`
Login Identity Provider: Default LDAP TLS - Truststore	`/opt/nifi/conf/truststore.jks`
Login Identity Provider: Default LDAP TLS - Truststore Password	(password)
Login Identity Provider: Default LDAP TLS - Truststore Type	`JKS`
TLS - Client Auth	`NONE`
TLS - Protocol	`TLSv1.2`
TLS - Shutdown Gracefully	`false`

4.2 NiFi Registry LDAP Settings (Cloudera Manager)

NiFi Registry requires its own LDAP configuration. Properties are nearly identical to NiFi but use a different class name.

CM Property Name	Value
Identity Provider: Default LDAP Provider Class	`org.apache.nifi.registry.security.ldap.LdapIdentityProvider`
Identity Provider Identifier	`ldap-provider`

All other settings (LDAP URL, Manager DN, Search Base, TLS) are configured identically to NiFi.

4.3 Resetting Initial Admin Identity

If Initial Admin Identity was configured incorrectly in CM, execute Actions > Reset File-based Authorizer Users and Policies on the service. This regenerates users.xml and authorizations.xml, archiving previous versions.

5. Active Directory Configuration Example

When using Active Directory (AD), certain settings differ from standard OpenLDAP configurations.

<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">LDAPS</property>
 
    <property name="Manager DN">CN=svc-nifi,OU=ServiceAccounts,DC=corp,DC=example,DC=com</property>
    <property name="Manager Password">service-account-password</property>
 
    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>
 
    <property name="Url">ldaps://ad.corp.example.com:636</property>
    <property name="User Search Base">OU=Users,DC=corp,DC=example,DC=com</property>
    <property name="User Search Filter">sAMAccountName={0}</property>
 
    <property name="Identity Strategy">USE_USERNAME</property>
    <property name="Authentication Expiration">12 hours</property>
 
    <property name="TLS - Keystore">/opt/nifi/conf/keystore.jks</property>
    <property name="TLS - Keystore Password">keystore-password</property>
    <property name="TLS - Keystore Type">JKS</property>
    <property name="TLS - Truststore">/opt/nifi/conf/truststore.jks</property>
    <property name="TLS - Truststore Password">truststore-password</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth">NONE</property>
    <property name="TLS - Protocol">TLSv1.2</property>
    <property name="TLS - Shutdown Gracefully">false</property>
</provider>

Key differences between Active Directory and OpenLDAP:

Item	OpenLDAP	Active Directory
User Search Filter	`uid={0}`	`sAMAccountName={0}`
Manager DN Format	`uid=admin,ou=people,dc=...`	`CN=svc-nifi,OU=ServiceAccounts,DC=...`
Default Port (SSL)	636	636
Default Port (Plaintext)	389	389
Referral Strategy	`IGNORE` possible	`FOLLOW` recommended (cross-domain referrals)
Group Object Class	`groupOfNames`	`group`
Member Attribute	`member`	`member`

6. Cluster Environment Considerations

Additional considerations when configuring LDAP authentication in a NiFi cluster.

6.1 Configuration Consistency Across Nodes

login-identity-providers.xml and authorizers.xml must be identical across all cluster nodes. Inconsistent configurations between nodes cause authentication behavior mismatches and unexpected errors.

6.2 Node Identity Configuration

Each cluster node must be registered as a Node Identity in authorizers.xml.

<property name="Node Identity 1">CN=nifi-node1.example.com, OU=NiFi</property>
<property name="Node Identity 2">CN=nifi-node2.example.com, OU=NiFi</property>
<property name="Node Identity 3">CN=nifi-node3.example.com, OU=NiFi</property>

6.3 LDAP Server Availability

If the LDAP server goes down, users cannot log into NiFi. In production environments, LDAP server redundancy is recommended. You can specify multiple space-separated LDAP URLs in the Url property.

<property name="Url">ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636</property>

7. Troubleshooting

Symptom	Cause	Solution
Login page not displayed	HTTPS not enabled	Enable HTTPS in `nifi.properties`
"Login credentials were not verified"	LDAP server connection failure	Check LDAP URL, Manager DN/Password
Login succeeds but no permissions	Initial Admin Identity mismatch	Correct value to match Identity Strategy
"Connect timeout" error	LDAP server network issue	Check firewall, ports (389/636)
"PKIX path building failed"	TLS certificate trust issue	Add LDAP server's CA certificate to truststore
Referral-related errors	AD referrals not handled	Change Referral Strategy to `FOLLOW`

7.2 Log Inspection

# Check LDAP-related messages in NiFi logs
grep -i "ldap\|login\|identity\|auth" /opt/nifi/logs/nifi-app.log | tail -50
 
# Check certificate-related errors
grep -i "ssl\|tls\|certificate\|pkix" /opt/nifi/logs/nifi-app.log | tail -30

7.3 LDAP Connection Testing

Test LDAP connectivity before restarting NiFi.

# Test connection with ldapsearch (OpenLDAP)
ldapsearch -x -H ldap://ldap.example.com:389 \
    -D "uid=admin,ou=people,dc=example,dc=com" \
    -w admin-password \
    -b "ou=people,dc=example,dc=com" \
    "uid=testuser"
 
# Test connection with ldapsearch (Active Directory, LDAPS)
ldapsearch -x -H ldaps://ad.corp.example.com:636 \
    -D "CN=svc-nifi,OU=ServiceAccounts,DC=corp,DC=example,DC=com" \
    -w service-account-password \
    -b "OU=Users,DC=corp,DC=example,DC=com" \
    "sAMAccountName=testuser"

8. Configuration Checklist

Step	Check Item
1	Is HTTPS (TLS/SSL) enabled on NiFi?
2	Is the LDAP server accessible over the network? (port 389 or 636)
3	Can you bind to the LDAP server with the Manager DN? (test with `ldapsearch`)
4	Can users be found with the User Search Filter?
5	Is the LdapProvider correctly configured in `login-identity-providers.xml`?
6	Is `nifi.security.user.login.identity.provider=ldap-provider` set in `nifi.properties`?
7	Does Initial Admin Identity in `authorizers.xml` match the Identity Strategy?
8	When using LDAPS/START_TLS, does the truststore contain the LDAP server's CA certificate?
9	In a cluster environment, are configuration files identical across all nodes?
10	After restarting NiFi, are there no LDAP-related errors in the logs?

9. Summary

Item	Details
Required prerequisite	HTTPS enabled
Core configuration files	`login-identity-providers.xml`, `authorizers.xml`, `nifi.properties`
Recommended Authentication Strategy	LDAPS or START_TLS
Recommended Identity Strategy	USE_USERNAME (cleaner user IDs)
AD User Search Filter	`sAMAccountName={0}`
OpenLDAP User Search Filter	`uid={0}`
LDAP server redundancy	Specify multiple space-separated URLs in the Url property
Cluster environment	Configuration files must be identical across all nodes
CM environment (Cloudera)	Configure via CM UI, no direct XML editing needed
Reset Initial Admin Identity	CM > Actions > Reset File-based Authorizer

LDAP authentication is the most fundamental step in NiFi security. The configuration itself isn't complex, but errors frequently occur from Identity Strategy and Initial Admin Identity mismatches, or TLS certificate issues. Test LDAP connectivity with ldapsearch before making changes, and always check NiFi logs after configuration.

If you need assistance with NiFi LDAP authentication setup, feel free to reach out.

— Data Dynamics Engineering Team