diff --git a/CHANGELOG.md b/CHANGELOG.md
index f7315c5156..be0a3caf94 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
### Added
+- [PR #391](https://github.com/konpyutaika/nifikop/pull/391) - **[Operator/NifiUserGroup]** Added settings missing for secure LDAP connections in login_identity_providers.xml
+
- [PR #381](https://github.com/konpyutaika/nifikop/pull/381) - **[Operator/NifiUserGroup]** Added ability to set `NifiUserGroup.Spec.Identity` when users need to override the default naming convention.
### Changed
diff --git a/api/v1/nificluster_types.go b/api/v1/nificluster_types.go
index 45aaf31458..b29dbe29e9 100644
--- a/api/v1/nificluster_types.go
+++ b/api/v1/nificluster_types.go
@@ -576,11 +576,34 @@ type LdapConfiguration struct {
ManagerDn string `json:"managerDn,omitempty"`
// The password of the manager that is used to bind to the LDAP server to search for users.
ManagerPassword string `json:"managerPassword,omitempty"`
+ // Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
+ // The TLS Keystore settings are optional and only used if your LDAP/AD server needs mutual TLS.
+ TLSKeystore string `json:"tlsKeystore,omitempty"`
+ // Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
+ TLSKeystorePassword string `json:"tlsKeystorePassword,omitempty"`
+ // Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).
+ TLSKeystoretype string `json:"tlsKeystoreType,omitempty"`
+ // Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
+ // The Truststore should contain the valid CA that your LDAPS/AD server is in to allow NiFi to trust it
+ TLSTruststore string `json:"tlsTruststore,omitempty"`
+ // Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
+ TLSTruststorePassword string `json:"tlsTruststorePassword,omitempty"`
+ // Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12).
+ TLSTruststoreType string `json:"tlsTruststoreType,omitempty"`
+ // Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE.
+ ClientAuth string `json:"clientAuth,omitempty"`
+ // Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2, etc).
+ Protocol string `json:"protocol,omitempty"`
+ // Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.
+ ShutdownGracefully string `json:"shutdownGracefully,omitempty"`
+ // Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
+ ReferralStrategy string `json:"referralStrategy,omitempty"`
// Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
// The default functionality if this property is missing is USE_DN in order to retain backward compatibility.
// USE_DN will use the full DN of the user entry if possible.
// USE_USERNAME will use the username the user logged in with.
IdentityStrategy string `json:"identityStrategy,omitempty"`
+
}
// NifiClusterTaskSpec specifies the configuration of the nifi cluster Tasks.
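Review bot: The field at L25 is declared as `TLSKeystoretype`, while the template in pkg/resources/templates/config/login_identity_providers.go dereferences `.LdapConfiguration.TLSKeystoreType`; text/template reports a missing struct field as an execution error, so login_identity_providers.xml would fail to render for every LDAP-enabled cluster until the two agree — rename the field to `TLSKeystoreType string` (json tag `tlsKeystoreType`). ClientAuth, Protocol, ShutdownGracefully and ReferralStrategy are free-form strings although their comments list a closed set of values; if this API package already uses controller-gen markers, `// +kubebuilder:validation:Enum=REQUIRED;WANT;NONE` on ClientAuth (and the equivalents on ReferralStrategy, with ShutdownGracefully as a bool or a `true;false` enum) would reject typos at admission rather than at NiFi startup. The Protocol comment cites TLSv1.1 as an example value; a reader will want it to steer toward TLSv1.2 or later, e.g. `// Protocol to use when connecting to LDAP using LDAPS or START_TLS (e.g. TLSv1.2, TLSv1.3; avoid TLS versions below 1.2).` TLSKeystorePassword and TLSTruststorePassword follow the existing ManagerPassword pattern of a plaintext string in the cluster spec that is written into the rendered XML; that pattern predates this change, but the new comments should say so, e.g. `// NOTE: stored in clear in the NifiCluster object and rendered into login_identity_providers.xml.`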
diff --git a/config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml b/config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml
index 3ac14a4724..f0f5a9ffa0 100644
--- a/config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml
+++ b/config/crd/bases/nifi.konpyutaika.com_nificlusters.yaml
@@ -759,6 +759,26 @@ spec:
type: string
managerPassword:
type: string
+ tlsKeystore:
+ type: string
+ tlsKeytorePassword:
+ type: string
+ tlsKeytoreType:
+ type: string
+ tlsTruststore:
+ type: string
+ tlsTruststorePassword:
+ type: string
+ tlsTruststoreType:
+ type: string
+ clientAuth:
+ type: string
+ protocol:
+ type: string
+ shutdownGracefully:
+ type: string
+ referralStrategy:
+ type: string
searchBase:
type: string
searchFilter:
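Review bot: The schema keys at L59 and L61 are spelled `tlsKeytorePassword` and `tlsKeytoreType`, but the json tags in api/v1/nificluster_types.go are `tlsKeystorePassword` and `tlsKeystoreType`; with a structural v1 CRD unknown fields are pruned at admission, so a user who sets `tlsKeystorePassword` in the spec will have it silently dropped and the keystore will never be unlockable. The absence of `description:` entries on the new keys suggests this file was edited by hand rather than regenerated from the Go types with controller-gen, which would have produced matching keys; the helm and docs/tutorials copies of the CRD carry the same typo and should be regenerated together. All ten new keys are `type: string`, including `shutdownGracefully`, so the schema cannot reject an invalid value — an `enum:` list for `clientAuth` and `referralStrategy` would be cheap if the corresponding markers are added to the types.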
diff --git a/docs/tutorials/secured_nifi_cluster_on_gcp/kubernetes/nifikop/nifi.orange.com_nificlusters_crd.yaml b/docs/tutorials/secured_nifi_cluster_on_gcp/kubernetes/nifikop/nifi.orange.com_nificlusters_crd.yaml
index ad3dc034e9..01a35c12ed 100644
--- a/docs/tutorials/secured_nifi_cluster_on_gcp/kubernetes/nifikop/nifi.orange.com_nificlusters_crd.yaml
+++ b/docs/tutorials/secured_nifi_cluster_on_gcp/kubernetes/nifikop/nifi.orange.com_nificlusters_crd.yaml
@@ -1116,6 +1116,26 @@ spec:
type: string
identityStrategy:
type: string
+ tlsKeystore:
+ type: string
+ tlsKeytorePassword:
+ type: string
+ tlsKeytoreType:
+ type: string
+ tlsTruststore:
+ type: string
+ tlsTruststorePassword:
+ type: string
+ tlsTruststoreType:
+ type: string
+ clientAuth:
+ type: string
+ protocol:
+ type: string
+ shutdownGracefully:
+ type: string
+ referralStrategy:
+ type: string
type: object
listenersConfig:
description: listenerConfig specifies nifi's listener specifig configs
diff --git a/helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml b/helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml
index 3ac14a4724..f0f5a9ffa0 100644
--- a/helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml
+++ b/helm/nifikop/crds/nifi.konpyutaika.com_nificlusters.yaml
@@ -759,6 +759,26 @@ spec:
type: string
managerPassword:
type: string
+ tlsKeystore:
+ type: string
+ tlsKeytorePassword:
+ type: string
+ tlsKeytoreType:
+ type: string
+ tlsTruststore:
+ type: string
+ tlsTruststorePassword:
+ type: string
+ tlsTruststoreType:
+ type: string
+ clientAuth:
+ type: string
+ protocol:
+ type: string
+ shutdownGracefully:
+ type: string
+ referralStrategy:
+ type: string
searchBase:
type: string
searchFilter:
diff --git a/pkg/resources/templates/config/login_identity_providers.go b/pkg/resources/templates/config/login_identity_providers.go
index 08d1012952..a096737ff6 100644
--- a/pkg/resources/templates/config/login_identity_providers.go
+++ b/pkg/resources/templates/config/login_identity_providers.go
@@ -73,17 +73,17 @@ var LoginIdentityProvidersTemplate = `{{or .LdapConfiguration.AuthenticationStrategy "START_TLS"}}
{{.LdapConfiguration.ManagerDn}}
{{.LdapConfiguration.ManagerPassword}}
-
-
-
-
-
-
-
-
-
+ {{.LdapConfiguration.TLSKeystore}}
+ {{.LdapConfiguration.TLSKeystorePassword}}
+ {{.LdapConfiguration.TLSKeystoreType}}
+ {{.LdapConfiguration.TLSTruststore}}
+ {{.LdapConfiguration.TLSTruststorePassword}}
+ {{.LdapConfiguration.TLSTruststoreType}}
+ {{.LdapConfiguration.ClientAuth}}
+ {{.LdapConfiguration.Protocol}}
+ {{.LdapConfiguration.ShutdownGracefully}}
- FOLLOW
+ {{or .LdapConfiguration.ReferralStrategy "FOLLOW"}}
10 secs
10 secs
{{.LdapConfiguration.Url}}
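Review bot: The new property values at L158–L166 are interpolated into the XML as raw `{{.Field}}` text, so a keystore or truststore password containing `&`, `<` or `"` yields a malformed login_identity_providers.xml and NiFi will not start; `{{html .LdapConfiguration.TLSKeystorePassword}}` (text/template's built-in `html` function escapes the XML-significant characters) or an xml-escaping func registered in the template FuncMap would close this, and `ManagerPassword` on the preceding context line has the same pre-existing exposure. L160 references `.LdapConfiguration.TLSKeystoreType`, which does not match the field declared as `TLSKeystoretype` in the api/v1 hunk; text/template treats a missing struct field as an execution error, so one of the two spellings must change before this template renders at all. Every new value except referralStrategy is emitted unconditionally, so an unset field produces an empty property; that is presumably acceptable for the optional keystore settings, but worth confirming for `protocol` when the strategy falls back to `START_TLS` as on the first line of this hunk. The surrounding element tags appear stripped from this rendering of the hunk, so the review is based on the value expressions only.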
diff --git a/site/docs/5_references/1_nifi_cluster/1_nifi_cluster.md b/site/docs/5_references/1_nifi_cluster/1_nifi_cluster.md
index e3a6a99ec7..a468f150b7 100644
--- a/site/docs/5_references/1_nifi_cluster/1_nifi_cluster.md
+++ b/site/docs/5_references/1_nifi_cluster/1_nifi_cluster.md
@@ -188,12 +188,26 @@ spec:
## LdapConfiguration
-| Field | Type | Description | Required | Default |
-| ------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------- |
-| enabled | boolean | if set to true, we will enable ldap usage into nifi.properties configuration. | No | false |
-| url | string | space-separated list of URLs of the LDAP servers (i.e. ldap://$\{hostname}:$\{port}). | No | "" |
-| searchBase | string | base DN for searching for users (i.e. CN=Users,DC=example,DC=com). | No | "" |
-| searchFilter | string | Filter for searching for users against the 'User Search Base'. (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'. | No | "" |
+| Field | Type | Description | Required | Default |
+| ----------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------- |
+| enabled | boolean | if set to true, we will enable ldap usage into nifi.properties configuration. | No | false |
+| url | string | space-separated list of URLs of the LDAP servers (i.e. ldap://$\{hostname}:$\{port}). | No | "" |
+| searchBase | string | base DN for searching for users (i.e. CN=Users,DC=example,DC=com). | No | "" |
+| searchFilter | string | Filter for searching for users against the 'User Search Base'. (i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'. | No | "" |
+| authenticationStrategy | string | How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS. | No | START_TLS |
+| managerDn | string | The DN of the manager that is used to bind to the LDAP server to search for users. | No | "" |
+| managerPassword | string | The password of the manager that is used to bind to the LDAP server to search for users. | No | "" |
+| tlsKeystore | string | Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. Not required for LDAPS. Only used for mutual TLS | No | "" |
+| tlsKeystorePassword | string | Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS. | No | "" |
+| tlsKeystoreType | string | Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12). | No | "" |
+| tlsTruststore | string | Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. Required for LDAPS | No | "" |
+| tlsTruststorePassword | string | Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS. | No | "" |
+| tlsTruststoreType | string | Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. JKS or PKCS12). | No | "" |
+| clientAuth | string | Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are REQUIRED, WANT, NONE. | No | "" |
+| protocol | string | Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS, TLSv1.1, TLSv1.2, etc). | No | "" |
+| shutdownGracefully | string | Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false. | No | "" |
+| referralStrategy | string | Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW. | No | FOLLOW |
+| identityStrategy | string | Strategy to identify users. Possible values are USE_DN and USE_USERNAME. | No | USE_DN |
## SingleUserConfiguration