Configuring LDAP authentication
Learn how to configure LDAP authentication for Kafka. LDAP is configured by creating a Kubernetes secret that stores your LDAP truststore and configuring your Kafka resource to include a listener that has LDAP enabled.
- An LDAP server that is running and reachable from the Kubernetes environment in which Kafka runs.
- A truststore file (`ldap-truststore.jks`) containing the CA certificate of the LDAP server.
To set up LDAP, create a Kubernetes secret from the truststore file. The Strimzi Cluster Operator mounts this secret into the broker pods once a listener references it:

```shell
kubectl create secret -n kafka generic ldap-truststore --from-file=ldap-truststore.jks
```

The secret key takes the name of the file, `ldap-truststore.jks`, and that key name is what the listener configuration refers to.
Afterward, modify the Kafka resource configuration to add a listener with LDAP-backed SASL/PLAIN authentication. Note that this example listener has `tls: false`, so SASL/PLAIN usernames and passwords travel from clients to the brokers unencrypted; the `ldaps://` URL in the JAAS configuration only protects the connection from the brokers to the LDAP server. The `ssl.truststore.location` value is the path at which Strimzi mounts the referenced secret key inside the broker container.
```yaml
#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: ldap
        port: 9094
        type: internal
        tls: false
        authentication:
          type: custom
          sasl: true
          listenerConfig:
            plain.sasl.server.callback.handler.class: org.apache.kafka.common.security.ldap.internals.LdapPlainServerCallbackHandler
            plain.sasl.jaas.config: 'org.apache.kafka.common.security.plain.PlainLoginModule required ssl.truststore.password="<ssl-truststore-password>" ssl.truststore.location="/opt/kafka/custom-authn-secrets/custom-listener-ldap-9094/ldap-truststore/ldap-truststore.jks" ldap_url="ldaps://<ldap-server-url:port>" user_dn_template="cn={0},ou=users,dc=ldap-dc,dc=ldap";'
            sasl.enabled.mechanisms: PLAIN
          secrets:
            - key: ldap-truststore.jks
              secretName: ldap-truststore
```
Apply the configuration changes to the Kafka resource and wait for the Strimzi Cluster Operator to reconcile the cluster.
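The following is an added pre-apply check for the listener shown above; it is example code written for this page, not part of Strimzi or of the Kafka distribution that ships the LDAP callback handler. It takes the listener block as a Python dict (mirroring the YAML, with the password and LDAP host left as the page's placeholders), parses the `key="value"` options out of the JAAS string, derives the expected secret mount path from the `/opt/kafka/custom-authn-secrets/custom-listener-<name>-<port>/<secretName>/<key>` pattern visible in the page's own path, and reports the mistakes that would otherwise only surface as broker start-up or authentication failures: a truststore location that does not match a mounted secret, a non-`ldaps://` URL, a DN template without the `{0}` username placeholder, a listener with `tls: false`, and a truststore password left at its placeholder. The hardened variant and the checks themselves are assumptions of this example.

```python
"""Sanity checks for a Strimzi listener that delegates SASL/PLAIN to LDAP.
Example code for this page; not Strimzi or Kafka code."""
import copy
import re

# Constructed: the listener from the Kafka resource above, as a Python dict.
# Password and LDAP host are the page's placeholders, deliberately unfilled.
LISTENER = {
    "name": "ldap",
    "port": 9094,
    "type": "internal",
    "tls": False,
    "authentication": {
        "type": "custom",
        "sasl": True,
        "listenerConfig": {
            "plain.sasl.server.callback.handler.class":
                "org.apache.kafka.common.security.ldap.internals.LdapPlainServerCallbackHandler",
            "plain.sasl.jaas.config": (
                'org.apache.kafka.common.security.plain.PlainLoginModule required '
                'ssl.truststore.password="<ssl-truststore-password>" '
                'ssl.truststore.location="/opt/kafka/custom-authn-secrets/'
                'custom-listener-ldap-9094/ldap-truststore/ldap-truststore.jks" '
                'ldap_url="ldaps://<ldap-server-url:port>" '
                'user_dn_template="cn={0},ou=users,dc=ldap-dc,dc=ldap";'
            ),
            "sasl.enabled.mechanisms": "PLAIN",
        },
        "secrets": [{"key": "ldap-truststore.jks", "secretName": "ldap-truststore"}],
    },
}

# Constructed: the same listener with TLS enabled and the password filled in,
# so the check can show a clean run (the password value is made up).
HARDENED_LISTENER = copy.deepcopy(LISTENER)
HARDENED_LISTENER["tls"] = True
HARDENED_LISTENER["authentication"]["listenerConfig"]["plain.sasl.jaas.config"] = (
    LISTENER["authentication"]["listenerConfig"]["plain.sasl.jaas.config"]
    .replace("<ssl-truststore-password>", "example-truststore-password")
)

# Matches one key="value" option inside a JAAS configuration line.
JAAS_OPTION = re.compile(r'(\w[\w.]*)="([^"]*)"')


def parse_jaas_options(jaas_config):
    """Return the key="value" options of a JAAS config line as a dict."""
    return dict(JAAS_OPTION.findall(jaas_config))


def expected_mount_path(listener, secret):
    """Path at which Strimzi mounts a custom-authentication secret key, following
    the pattern of the path used on this page (assumption of this example)."""
    return "/opt/kafka/custom-authn-secrets/custom-listener-{}-{}/{}/{}".format(
        listener["name"], listener["port"], secret["secretName"], secret["key"])


def check_listener(listener):
    """Return a list of findings for the listener; an empty list means it passed."""
    findings = []
    auth = listener.get("authentication", {})
    cfg = auth.get("listenerConfig", {})
    opts = parse_jaas_options(cfg.get("plain.sasl.jaas.config", ""))
    mounts = {expected_mount_path(listener, s) for s in auth.get("secrets", [])}

    if auth.get("type") != "custom" or not auth.get("sasl"):
        findings.append("authentication must be type: custom with sasl: true")
    if cfg.get("sasl.enabled.mechanisms") != "PLAIN":
        findings.append("sasl.enabled.mechanisms should be PLAIN for the LDAP handler")
    if opts.get("ssl.truststore.location") not in mounts:
        findings.append("ssl.truststore.location does not match any mounted secret key")
    if not opts.get("ldap_url", "").startswith("ldaps://"):
        findings.append("ldap_url is not ldaps://; LDAP traffic would cross the network in clear")
    if "{0}" not in opts.get("user_dn_template", ""):
        findings.append("user_dn_template lacks the {0} username placeholder")
    if not listener.get("tls"):
        findings.append("listener tls: false; SASL/PLAIN passwords reach the broker unencrypted")
    if opts.get("ssl.truststore.password", "").startswith("<"):
        findings.append("ssl.truststore.password still holds the placeholder")
    return findings


if __name__ == "__main__":
    for label, lst in (("as documented", LISTENER), ("hardened", HARDENED_LISTENER)):
        print(label, "->", check_listener(lst) or ["ok"])
```

Run it against the listener copied from the resource and it reports the two things a reviewer should see before the manifest is applied: the cleartext listener and the unfilled truststore password. The mount-path check is the one worth keeping in a CI step, because a mismatch between `secrets[].key` and `ssl.truststore.location` is silent until the broker fails to open the truststore.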