Learn how to configure LDAP authentication for Kafka brokers.
You can enable Kafka to use LDAP credentials for client-to-broker authentication. You configure the brokers by setting the required properties in Cloudera Manager.
In Cloudera Manager, select the Kafka service.
Go to Configuration.
Enable LDAP authentication: find the SASL/PLAIN Authentication property and click the radio button next to LDAP. Do this for all required Kafka services.
Configure the LDAP URL: find the LDAP URL property and add your LDAP server URL. For example:
ldap://cloudera.example.com:636
Find and configure the LDAP User DN Template property.
The property specifies a template that Kafka uses to translate short names into Distinguished Names (DNs). The template you need to specify depends on your LDAP service and the schema of the DNs it accepts. The following list collects a number of common examples.
If your DNs include the short name in the uid component, for example:
uid=jsmith,ou=users,dc=mycompany,dc=com
you can use a template similar to the following:
uid={0},ou=users,dc=mycompany,dc=com
If your LDAP service accepts usernames in the form of:
jsmith@mycompany.com
you can use the following template:
{0}@mycompany.com
If your LDAP service accepts usernames that do not have a domain, for example:
jsmith
you can use the following template:
{0}
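The following is an added example, not Cloudera or Kafka code, showing what the {0} substitution in the three templates above produces for a short name, and why a value that is substituted into a DN-shaped template (uid={0},...) should be escaped per RFC 4514 so that characters such as commas in a username cannot change the structure of the resulting DN. The rule that decides whether a template is a DN (an "=" appears before the placeholder) is this example's own heuristic, not something defined by the Kafka property.

```python
"""Expand an LDAP User DN Template for a short username.

Added illustration, not Cloudera or Kafka code. Demonstrates {0}
substitution for the template forms shown on the page and applies
RFC 4514 escaping when the result is a Distinguished Name.
"""
import re

# Characters that must be escaped inside a DN attribute value (RFC 4514, section 2.4).
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a string so it can be embedded as one attribute value in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing spaces are significant
            out.append("\\ ")
        elif ord(ch) < 0x20:                # control characters as \XX hex pairs
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_template(template: str, short_name: str) -> str:
    """Replace {0} in the template with the short name.

    Heuristic (this example's own, not Kafka's): if an '=' occurs before the
    placeholder the template is a DN, so the name is DN-escaped; otherwise
    (bare {0} or {0}@domain) the name is passed through verbatim because it
    is sent as a username, not embedded in a DN.
    """
    if "{0}" not in template:
        raise ValueError("template has no {0} placeholder")
    is_dn = "=" in template.split("{0}", 1)[0]
    value = escape_dn_value(short_name) if is_dn else short_name
    return template.replace("{0}", value)


def count_rdns(dn: str) -> int:
    """Count the RDNs in a DN by splitting on commas that are not backslash-escaped."""
    return len(re.split(r"(?<!\\),", dn))


if __name__ == "__main__":
    # The three template forms from the page, applied to the page's sample user.
    for tmpl in ("uid={0},ou=users,dc=mycompany,dc=com", "{0}@mycompany.com", "{0}"):
        print(f"{tmpl!r:45} -> {expand_template(tmpl, 'jsmith')!r}")
    # A constructed name containing a comma stays a single RDN value once escaped.
    dn = expand_template("uid={0},ou=users,dc=mycompany,dc=com", "smith, j")
    print(dn, "->", count_rdns(dn), "RDNs")
```

Run the module directly to see the expansions; count_rdns is there to confirm that an escaped value still yields the four RDNs the template defines, whereas an unescaped comma would add one.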
Optional: Configure the allow list of LDAP URLs.
You can restrict which LDAP URLs Kafka is allowed to connect to by configuring the com.cloudera.kafka.ldap.allowed.urls Java option. By specifying a trusted list of LDAP servers, you have stricter control over the LDAP servers Kafka can access.
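As an added illustration of what an LDAP URL allow list enforces (this is not Cloudera's or Kafka's implementation of the option), the following code normalizes LDAP URLs to scheme, host and port, fills in the scheme's default port (389 for ldap, 636 for ldaps) when a URL omits it, and accepts a configured URL only if it matches an allowed server exactly. The comma-separated allow-list format and the optional require_tls policy are this example's own assumptions; the page does not describe the option's value format.

```python
"""Check a configured LDAP URL against an allow list of trusted LDAP servers.

Added illustration, not Cloudera or Kafka code. Assumes the allow list is a
comma-separated list of LDAP URLs; the real value format of the
com.cloudera.kafka.ldap.allowed.urls option is not described on the page.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Default ports for the two LDAP URL schemes (RFC 4516 / LDAPS convention).
_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def normalize_ldap_url(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port), lower-cased, with the default port applied.

    Raises ValueError for anything that is not a well-formed ldap/ldaps URL,
    so that a malformed entry never silently matches.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL scheme: {url!r}")
    if not parts.hostname:
        raise ValueError(f"LDAP URL has no host: {url!r}")
    port = parts.port if parts.port is not None else _DEFAULT_PORTS[scheme]
    return scheme, parts.hostname.lower(), port


def parse_allow_list(value: str) -> set[tuple[str, str, int]]:
    """Parse the (assumed) comma-separated allow list into normalized entries."""
    return {normalize_ldap_url(u) for u in value.split(",") if u.strip()}


def is_allowed(url: str, allow_list: set[tuple[str, str, int]], require_tls: bool = False) -> bool:
    """True only if url names an allowed server (same scheme, host and port).

    With require_tls, plain ldap:// URLs are rejected even when listed: under
    SASL/PLAIN the broker relays the client's password to the LDAP server, so
    that hop should be TLS-protected.
    """
    try:
        entry = normalize_ldap_url(url)
    except ValueError:
        return False
    if require_tls and entry[0] != "ldaps":
        return False
    return entry in allow_list


if __name__ == "__main__":
    # Constructed allow list: two hypothetical directory servers.
    allowed = parse_allow_list("ldaps://ldap1.example.com, ldaps://ldap2.example.com:636")
    for candidate in ("ldaps://LDAP1.example.com:636",   # matches after normalization
                      "ldaps://ldap1.example.com:389",   # wrong port
                      "ldap://ldap1.example.com",        # wrong scheme
                      "ldaps://other.example.com",       # host not listed
                      "not a url"):                      # malformed
        print(f"{candidate!r:35} allowed={is_allowed(candidate, allowed)}")
```

Matching is on the normalized (scheme, host, port) tuple rather than on the raw string, so an entry written without a port still matches a configured URL that spells the default port out, and a host written in a different letter case still matches; anything the parser rejects is treated as not allowed.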
Find the Additional Broker Java Options property.
Add the com.cloudera.kafka.ldap.allowed.urls Java option. For
example: