
Configuring LDAP authentication

Learn how to configure LDAP authentication for Kafka. LDAP is configured by creating a Kubernetes secret that stores your LDAP truststore and adding a listener to your Kafka resource whose SASL/PLAIN authentication is validated against the LDAP server.

Ensure that you have the following:
  • An LDAP server running that is accessible from the Kafka Kubernetes environment.
  • A truststore file (ldap-truststore.jks) that contains the CA certificate of the LDAP server, so that the brokers can verify the server when connecting over ldaps.
To set up LDAP, create a secret from the truststore in Kubernetes. The Strimzi Cluster Operator mounts this secret into the broker pods:
kubectl create secret -n kafka generic ldap-truststore --from-file=ldap-truststore.jks

Afterward, modify the Kafka resource configuration to include the LDAP configuration.

#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: ldap
        port: 9094
        type: internal
        tls: false
        authentication:
          type: custom
          sasl: true
          listenerConfig:
            plain.sasl.server.callback.handler.class: org.apache.kafka.common.security.ldap.internals.LdapPlainServerCallbackHandler
            plain.sasl.jaas.config: 'org.apache.kafka.common.security.plain.PlainLoginModule required ssl.truststore.password="<ssl-truststore-password>" ssl.truststore.location="/opt/kafka/custom-authn-secrets/custom-listener-ldap-9094/ldap-truststore/ldap-truststore.jks" ldap_url="ldaps://<ldap-server-url:port>" user_dn_template="cn={0},ou=users,dc=ldap-dc,dc=ldap";'
            sasl.enabled.mechanisms: PLAIN
          secrets:
            - key: ldap-truststore.jks
              secretName: ldap-truststore

Apply the configuration changes to the Kafka resource and wait for the Strimzi Cluster Operator to reconcile the cluster. Note two properties of this listener: the broker-to-LDAP connection is protected by the ldaps URL and the truststore, but with tls: false the SASL/PLAIN credentials that clients present to the broker travel in clear text, so set tls: true on the listener if clients reach it over a network you do not fully trust; and the truststore password in plain.sasl.jaas.config is stored in clear in the Kafka resource, so restrict who can read Kafka resources in that namespace.
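Before applying the resource it is worth checking that the ssl.truststore.location inside the JAAS string actually matches where the operator will mount the secret, because the path is derived from the listener name, port, secret name and key, and a mismatch (for example ldap.truststore.jks versus ldap-truststore.jks) only surfaces as a broker start-up failure. The following script is an added example and not part of the page, of IBM Event Streams or of Strimzi; it reproduces the listener above as a constructed Python dict so it runs without a YAML library, and it assumes the mount convention the page's own path shows: /opt/kafka/custom-authn-secrets/custom-listener-<name>-<port>/<secretName>/<key>.

```python
"""Lint the LDAP listener block of a Kafka resource before applying it.

Added example, not IBM or Strimzi tooling. Assumption: custom-auth secrets are
mounted at /opt/kafka/custom-authn-secrets/custom-listener-<name>-<port>/<secretName>/<key>,
which is the layout the page's example path follows.
"""
import copy
import shlex

CUSTOM_AUTHN_ROOT = "/opt/kafka/custom-authn-secrets"

# Constructed copy of the listener from the Kafka resource on the page.
LDAP_LISTENER = {
    "name": "ldap",
    "port": 9094,
    "type": "internal",
    "tls": False,
    "authentication": {
        "type": "custom",
        "sasl": True,
        "listenerConfig": {
            "plain.sasl.server.callback.handler.class":
                "org.apache.kafka.common.security.ldap.internals.LdapPlainServerCallbackHandler",
            "plain.sasl.jaas.config":
                'org.apache.kafka.common.security.plain.PlainLoginModule required '
                'ssl.truststore.password="<ssl-truststore-password>" '
                'ssl.truststore.location="/opt/kafka/custom-authn-secrets/'
                'custom-listener-ldap-9094/ldap-truststore/ldap-truststore.jks" '
                'ldap_url="ldaps://<ldap-server-url:port>" '
                'user_dn_template="cn={0},ou=users,dc=ldap-dc,dc=ldap";',
            "sasl.enabled.mechanisms": "PLAIN",
        },
        "secrets": [{"key": "ldap-truststore.jks", "secretName": "ldap-truststore"}],
    },
}


def mount_paths(listener):
    """Paths at which the listener's secrets appear inside the broker pod (assumed convention)."""
    prefix = f"{CUSTOM_AUTHN_ROOT}/custom-listener-{listener['name']}-{listener['port']}"
    return {f"{prefix}/{s['secretName']}/{s['key']}"
            for s in listener["authentication"]["secrets"]}


def parse_jaas(jaas):
    """Split a JAAS config string into (login module, control flag, {option: value})."""
    tokens = shlex.split(jaas.strip().rstrip(";"))  # shlex unquotes key="value" tokens
    module, flag, *opts = tokens
    options = dict(tok.split("=", 1) for tok in opts)
    return module, flag, options


def lint_listener(listener):
    """Return a list of findings; an empty list means the listener passes all checks."""
    findings = []
    cfg = listener["authentication"]["listenerConfig"]
    _, _, opts = parse_jaas(cfg["plain.sasl.jaas.config"])
    mounted = mount_paths(listener)
    location = opts.get("ssl.truststore.location", "")
    if location not in mounted:
        findings.append(f"truststore location {location!r} is not a mounted secret path "
                        f"{sorted(mounted)}; the broker will not find the truststore")
    if not opts.get("ldap_url", "").startswith("ldaps://"):
        findings.append("ldap_url is not ldaps://; the bind to LDAP would be in clear text")
    if not listener["tls"] and cfg.get("sasl.enabled.mechanisms") == "PLAIN":
        findings.append("SASL/PLAIN on a listener with tls: false sends client passwords "
                        "to the broker in clear text")
    return findings


def with_changes(listener, *, tls=None, secret_key=None):
    """Deep copy of the listener with optional edits, used to show what the lint catches."""
    out = copy.deepcopy(listener)
    if tls is not None:
        out["tls"] = tls
    if secret_key is not None:
        out["authentication"]["secrets"][0]["key"] = secret_key
    return out


if __name__ == "__main__":
    for label, lst in [("as on the page", LDAP_LISTENER),
                       ("tls: true", with_changes(LDAP_LISTENER, tls=True)),
                       ("key typo", with_changes(LDAP_LISTENER, secret_key="ldap.truststore.jks"))]:
        print(f"{label}: {lint_listener(lst) or 'OK'}")
```

Run as-is, the page's own listener yields a single finding, the clear-text SASL/PLAIN warning; switching tls to true clears it, and the key typo produces the mount-path mismatch that would otherwise only be seen in the broker log.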
