Configuring LDAP authentication

Learn how to configure LDAP authentication for Kafka. LDAP is configured by creating a Kubernetes secret that stores your LDAP truststore and configuring your Kafka resource to include a listener that has LDAP enabled.

Ensure that you have the following:
  • An LDAP server running that is accessible from the Kafka Kubernetes environment.
  • A truststore file (ldap-truststore.jks) that contains the CA certificate of the LDAP server.
To set up LDAP, create a secret from the truststore file in Kubernetes. The Strimzi Cluster Operator mounts this secret into the broker pods.
kubectl create secret -n kafka generic ldap-truststore --from-file=ldap-truststore.jks

Next, edit the Kafka resource so that it includes a listener with LDAP authentication enabled. Replace the placeholder values (the truststore password and the LDAP server URL and port) with your own.

#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: ldap
        port: 9094
        type: internal
        tls: false
        authentication:
          type: custom
          sasl: true
          listenerConfig:
            plain.sasl.server.callback.handler.class: org.apache.kafka.common.security.ldap.internals.LdapPlainServerCallbackHandler
            plain.sasl.jaas.config: 'org.apache.kafka.common.security.plain.PlainLoginModule required ssl.truststore.password="<ssl-truststore-password>" ssl.truststore.location="/opt/kafka/custom-authn-secrets/custom-listener-ldap-9094/ldap-truststore/ldap-truststore.jks" ldap_url="ldaps://<ldap-server-url:port>" user_dn_template="cn={0},ou=users,dc=ldap-dc,dc=ldap";'
            sasl.enabled.mechanisms: PLAIN
          secrets:
            - key: ldap-truststore.jks
              secretName: ldap-truststore

Apply the configuration changes to the Kafka resource and wait for the Strimzi Cluster Operator to reconcile the cluster.
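As an added sanity check (example code, not part of this page or of Strimzi), the following Python snippet validates a listener entry like the one above: the ssl.truststore.location in the JAAS config must match the path where Strimzi mounts the listed secret (/opt/kafka/custom-authn-secrets/custom-listener-<name>-<port>/<secretName>/<key>), ldap_url must use ldaps://, and it flags placeholders that were never replaced and tls: false, since SASL PLAIN sends the client password in the clear on a non-TLS listener. The sample listener is constructed from the page's YAML; the check function, its messages and the make_listener helper are assumptions of this example.

```python
import re

# Mount path the page shows for a custom-listener secret (Strimzi convention):
# /opt/kafka/custom-authn-secrets/custom-listener-<name>-<port>/<secretName>/<key>
MOUNT_ROOT = "/opt/kafka/custom-authn-secrets"
JAAS_OPTION = re.compile(r'(\S+?)="([^"]*)"')

def jaas_options(jaas_config):
    """Split 'Module required k="v" k2="v2";' into a {k: v} dict."""
    return dict(JAAS_OPTION.findall(jaas_config))

def check_ldap_listener(listener):
    """Return a list of findings for one Kafka listener entry (empty means OK)."""
    findings = []
    auth = listener.get("authentication", {})
    opts = jaas_options(auth.get("listenerConfig", {}).get("plain.sasl.jaas.config", ""))
    # The truststore must sit where Strimzi mounts one of the listener's secrets
    mounted = {f"{MOUNT_ROOT}/custom-listener-{listener['name']}-{listener['port']}"
               f"/{s['secretName']}/{s['key']}" for s in auth.get("secrets", [])}
    if opts.get("ssl.truststore.location") not in mounted:
        findings.append("ssl.truststore.location does not match a mounted secret path")
    if not opts.get("ldap_url", "").startswith("ldaps://"):
        findings.append("ldap_url is not ldaps://; broker-to-LDAP binds would be unencrypted")
    if not listener.get("tls", False):
        findings.append("tls: false with SASL PLAIN; client passwords cross the wire in cleartext")
    for key, value in opts.items():
        if "<" in value and ">" in value:
            findings.append(f"{key} still holds a placeholder value")
    return findings

def make_listener(tls, truststore_password, ldap_url):
    """Build the page's LDAP listener entry (constructed sample: name ldap, port 9094)."""
    jaas = ("org.apache.kafka.common.security.plain.PlainLoginModule required "
            f'ssl.truststore.password="{truststore_password}" '
            'ssl.truststore.location="/opt/kafka/custom-authn-secrets/'
            'custom-listener-ldap-9094/ldap-truststore/ldap-truststore.jks" '
            f'ldap_url="{ldap_url}" user_dn_template="cn={{0}},ou=users,dc=ldap-dc,dc=ldap";')
    return {"name": "ldap", "port": 9094, "type": "internal", "tls": tls,
            "authentication": {"type": "custom", "sasl": True,
                               "listenerConfig": {"plain.sasl.jaas.config": jaas,
                                                  "sasl.enabled.mechanisms": "PLAIN"},
                               "secrets": [{"key": "ldap-truststore.jks",
                                            "secretName": "ldap-truststore"}]}}

# The page's configuration as written, placeholders and all
PAGE_LISTENER = make_listener(False, "<ssl-truststore-password>", "ldaps://<ldap-server-url:port>")
```

Running check_ldap_listener(PAGE_LISTENER) reports three findings (the non-TLS listener and the two unreplaced placeholders); a listener built with tls True, a real password and a real ldaps:// URL reports none.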