Configure LDAP authentication for Kafka brokers

Learn how to configure LDAP authentication for Kafka brokers.

You can enable Kafka to use LDAP credentials for client-to-broker authentication. The brokers accept a username and password over SASL/PLAIN and validate them against the LDAP server by binding with the user's DN. Because SASL/PLAIN carries the password in the clear inside the SASL exchange, expose it only on TLS-protected (SASL_SSL) listeners, and point the brokers at an ldaps:// URL so the bind to the directory is encrypted as well. Broker configuration is done by setting the required properties in Cloudera Manager.

  1. In Cloudera Manager, select the Kafka service.
  2. Go to Configuration.
  3. Enable LDAP authentication.
    1. Find the SASL/PLAIN Authentication property.
    2. Click the radio button next to LDAP. Do this for all required Kafka services.
  4. Configure the LDAP URL:
    1. Find the LDAP URL property.
    2. Add your LDAP server URL. Use the ldaps:// scheme (port 636 by default) so that the credentials the broker forwards in the LDAP bind are not sent in plaintext.
      For example:
      ldaps://cloudera.example.com:636
  5. Find and configure the LDAP User DN Template property.
    The property specifies a template that Kafka uses to translate short names into Distinguished Names (DNs). The {0} placeholder is replaced with the username presented by the client. The template you need depends on your LDAP service and the form of the DNs or usernames it accepts for a bind. The following list collects a number of common examples.
    • If your DNs include the short name in the uid component, for example:
      uid=jsmith,ou=users,dc=mycompany,dc=com
      You can use a template similar to the following:
      uid={0},ou=users,dc=mycompany,dc=com
    • If your LDAP service accepts usernames in the form of:
      jsmith@mycompany.com
      You can use the following template:
      {0}@mycompany.com
    • If your LDAP service accepts usernames that do not have a domain, for example:
      jsmith
      You can use the following template:
      {0}
  6. Optional: Configure the allow list of LDAP URLs.
    You can restrict which LDAP URLs Kafka is allowed to connect to by configuring the com.cloudera.kafka.ldap.allowed.urls Java option. By specifying a trusted list of LDAP servers, you have stricter control over the LDAP servers Kafka can access. The entries are LDAP URLs (ldap:// or ldaps://), and the URL you set in the LDAP URL property must be one of them.
    1. Find the Additional Broker Java Options property.
    2. Add the com.cloudera.kafka.ldap.allowed.urls Java option as a comma-separated list. For example:
      -Dcom.cloudera.kafka.ldap.allowed.urls=ldaps://ldap-example-1.com:636,ldaps://ldap-example-2.com:636
  7. Click the Save Changes button.
  8. Restart the Kafka service.
LDAP authentication is now configured for the brokers.
Next, configure clients to use LDAP authentication.
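As an added worked example (not Cloudera's code and not taken from this page), the following Python reproduces the two transformations the broker configuration above relies on, so the values can be sanity-checked before the restart in step 8: expansion of the LDAP User DN Template against a short name, and matching of the LDAP URL against the com.cloudera.kafka.ldap.allowed.urls list. The RFC 4514 escaping of the short name, the scheme/host/port matching rule and the lint_broker_ldap_config helper are this example's own assumptions; how the broker itself escapes and matches is not described on this page. All sample values are constructed.

```python
from urllib.parse import urlsplit

# RFC 4514 section 2.4: characters that must be escaped in a DN attribute value.
# '=' is optional per the RFC; escaping it is harmless and closes another injection path.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a short name so it cannot add or alter RDNs when substituted into a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:                  # control characters as \XX hex pairs
            out.append('\\%02X' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def expand_user_dn(template: str, short_name: str) -> str:
    """Apply an LDAP User DN Template (the three shapes shown on this page) to a short name.
    Assumption of this example: the broker substitutes the SASL/PLAIN username for {0}."""
    if '{0}' not in template:
        raise ValueError('template has no {0} placeholder')
    if '\x00' in short_name or '\r' in short_name or '\n' in short_name:
        raise ValueError('control characters in user name')
    if '=' in template:                       # uid={0},ou=users,... : a real DN, escape the value
        value = escape_dn_value(short_name)
    elif '@' in template:                     # {0}@mycompany.com : UPN form, name must be bare
        if '@' in short_name:
            raise ValueError('user name already carries a domain')
        value = short_name
    else:                                     # {0} : passed through unchanged
        value = short_name
    return template.replace('{0}', value)


def parse_ldap_url(url: str) -> tuple:
    """Normalise an LDAP URL to (scheme, host, port); anything but ldap/ldaps is rejected."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ('ldap', 'ldaps') or not parts.hostname:
        raise ValueError('not an LDAP URL: %r' % url)
    port = parts.port if parts.port is not None else (636 if parts.scheme == 'ldaps' else 389)
    return parts.scheme, parts.hostname.lower(), port


def url_allowed(ldap_url: str, allowed_urls: str) -> bool:
    """True if ldap_url matches an entry of the comma-separated allow list
    (the value given to -Dcom.cloudera.kafka.ldap.allowed.urls). Matching on
    scheme, host and port is this example's assumption."""
    target = parse_ldap_url(ldap_url)
    return any(parse_ldap_url(u) == target for u in allowed_urls.split(',') if u.strip())


def lint_broker_ldap_config(ldap_url: str, template: str, allowed_urls: str = '') -> list:
    """Return the problems a reviewer would flag before restarting the Kafka service."""
    findings = []
    try:
        scheme, _, _ = parse_ldap_url(ldap_url)
        if scheme == 'ldap':
            findings.append('LDAP URL uses plaintext ldap://; the broker sends the user '
                            'password to the directory in the bind, use ldaps://')
        if allowed_urls and not url_allowed(ldap_url, allowed_urls):
            findings.append('LDAP URL is not in com.cloudera.kafka.ldap.allowed.urls, '
                            'so Kafka is not allowed to connect to it')
    except ValueError as exc:
        findings.append(str(exc))
    if '{0}' not in template:
        findings.append('LDAP User DN Template has no {0} placeholder')
    return findings


if __name__ == '__main__':
    # Constructed sample values, not from a real deployment.
    dn_template = 'uid={0},ou=users,dc=mycompany,dc=com'
    print(expand_user_dn(dn_template, 'jsmith'))
    print(expand_user_dn(dn_template, 'jsmith,ou=admins'))   # injection attempt, escaped
    for finding in lint_broker_ldap_config('ldap://cloudera.example.com:389', dn_template,
                                           'ldaps://cloudera.example.com:636'):
        print('-', finding)
```

Run it with the values you intend to enter in Cloudera Manager; an empty list from lint_broker_ldap_config means the URL is LDAPS, is covered by the allow list, and the template has a placeholder to substitute. The second expand_user_dn call shows why escaping matters: a username containing a comma would otherwise splice an extra RDN into the bind DN.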