Configuring LDAP authentication

Learn how to configure LDAP authentication for Kafka. LDAP is configured by creating a Kubernetes secret that stores your LDAP truststore and configuring your Kafka resource to include a listener that has LDAP enabled.

Ensure that you have the following:
  • An LDAP server that is running and reachable from the Kubernetes cluster that hosts Kafka. Expose it over LDAPS: the broker binds to the directory with the user's password, so a plain ldap:// URL would send that password across the network in cleartext.
  • A truststore file (ldap-truststore.jks) that contains the CA certificate of the LDAP server, so that the brokers can verify the directory's TLS certificate.
To set up LDAP, create a Kubernetes secret from the truststore. The Strimzi Cluster Operator mounts the secret into the broker pods.
kubectl create secret -n kafka generic ldap-truststore --from-file=ldap-truststore.jks

Afterwards, add a listener with custom SASL authentication to the Kafka resource. Each secret listed under secrets is mounted into the brokers at /opt/kafka/custom-authn-secrets/custom-listener-<listener-name>-<port>/<secretName>/, and ssl.truststore.location in the JAAS configuration must point to the truststore file inside that directory. Note that the truststore password is stored in the Kafka resource in cleartext, so restrict who can read the resource. The example below uses tls: false for brevity; because SASL/PLAIN transmits the client's password unencrypted, a production listener should set tls: true so that the client-to-broker hop is protected as well.

#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: ldap
        port: 9094
        type: internal
        tls: false
        authentication:
          type: custom
          sasl: true
          listenerConfig:
            plain.sasl.server.callback.handler.class: org.apache.kafka.common.security.ldap.internals.LdapPlainServerCallbackHandler
            plain.sasl.jaas.config: 'org.apache.kafka.common.security.plain.PlainLoginModule required ssl.truststore.password="<ssl-truststore-password>" ssl.truststore.location="/opt/kafka/custom-authn-secrets/custom-listener-ldap-9094/ldap-truststore/ldap-truststore.jks" ldap_url="ldaps://<ldap-server-url:port>" user_dn_template="cn={0},ou=users,dc=ldap-dc,dc=ldap";'
            sasl.enabled.mechanisms: PLAIN
          secrets:
            - key: ldap-truststore.jks
              secretName: ldap-truststore

Apply the configuration changes to the Kafka resource and wait for the Strimzi Cluster Operator to reconcile the cluster.

Configuring allowed URLs for LDAP authentication

You can restrict which LDAP URLs Kafka is allowed to connect to by setting the com.cloudera.kafka.ldap.allowed.urls Java system property. Setting this property to a comma-separated list of trusted LDAP servers gives you stricter control over the directories the brokers can contact, and prevents a modified listener configuration from redirecting password binds to an arbitrary server.

Configure the property in your KafkaNodePool resource using spec.jvmOptions.javaSystemProperties, and set it on every node pool that runs brokers. If the property is unset or empty, Kafka can connect to any LDAP URL. When it is configured, only the listed URLs are allowed, so include the same URL that you use for ldap_url in the listener's JAAS configuration.
#...
kind: KafkaNodePool
spec:
  jvmOptions:
    javaSystemProperties:
      - name: com.cloudera.kafka.ldap.allowed.urls
        value: ldaps://ldap-example-1.com:636,ldaps://ldap-example-2.com:636
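The following pre-apply check ties the two procedures above together. It is an added example, not code from the page or from the product: it parses the listener's plain.sasl.jaas.config the way the options appear on this page, then flags the weak settings a reviewer would look for (a listener without TLS, a non-LDAPS directory URL, a truststore path that does not match where the secret is mounted, and an allowlist that is empty or that does not contain the configured ldap_url). The listener and allowlist values are constructed to mirror the examples on this page; the mount-path convention /opt/kafka/custom-authn-secrets/custom-listener-<name>-<port>/<secretName>/<key> is taken from the page, and exact string matching between ldap_url and the allowlist is an assumption.

```python
"""Lint a Strimzi/Kafka custom LDAP listener before applying it.

Added example, not product code. The sample listener below is constructed
to mirror the documented configuration; exact-match comparison of ldap_url
against com.cloudera.kafka.ldap.allowed.urls is assumed.
"""
import copy
import re
from urllib.parse import urlparse

# Directory under which Strimzi mounts secrets listed in authentication.secrets
MOUNT_ROOT = "/opt/kafka/custom-authn-secrets"


def parse_jaas_options(jaas_config: str) -> dict:
    """Extract key="value" options from a JAAS login-module line."""
    return dict(re.findall(r'(\S+?)="([^"]*)"', jaas_config))


def check_ldap_listener(listener: dict, allowed_urls: str = "") -> list:
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []
    name, port = listener["name"], listener["port"]
    auth = listener["authentication"]
    opts = parse_jaas_options(auth["listenerConfig"].get("plain.sasl.jaas.config", ""))

    # SASL/PLAIN sends the client's password as-is; only TLS on the listener protects it.
    if not listener.get("tls", False):
        findings.append(f"listener {name}: tls is false, SASL/PLAIN passwords cross the network in cleartext")

    # The broker re-sends that password to the directory in a simple bind, so the
    # broker-to-LDAP hop must be LDAPS as well.
    ldap_url = opts.get("ldap_url", "")
    if urlparse(ldap_url).scheme != "ldaps":
        findings.append(f"listener {name}: ldap_url {ldap_url!r} is not ldaps://")

    # ssl.truststore.location must point at a file inside the listener's secret mount.
    expected_dir = f"{MOUNT_ROOT}/custom-listener-{name}-{port}"
    secret_paths = {f"{expected_dir}/{s['secretName']}/{s['key']}" for s in auth.get("secrets", [])}
    location = opts.get("ssl.truststore.location", "")
    if location not in secret_paths:
        findings.append(f"listener {name}: truststore {location!r} is not one of the mounted secrets {sorted(secret_paths)}")

    # Allowlist: must be set, must hold LDAP URLs, and must include the URL in use.
    allowed = [u.strip() for u in allowed_urls.split(",") if u.strip()]
    if not allowed:
        findings.append("com.cloudera.kafka.ldap.allowed.urls is unset: brokers may contact any LDAP URL")
    else:
        bad = [u for u in allowed if urlparse(u).scheme not in ("ldap", "ldaps")]
        if bad:
            findings.append(f"allowed.urls contains non-LDAP URLs: {bad}")
        if ldap_url not in allowed:  # exact match assumed
            findings.append(f"ldap_url {ldap_url!r} is not in allowed.urls {allowed}")
    return findings


# Constructed sample mirroring the page: listener without TLS, allowlist with HTTP URLs.
WEAK_LISTENER = {
    "name": "ldap", "port": 9094, "type": "internal", "tls": False,
    "authentication": {
        "type": "custom", "sasl": True,
        "listenerConfig": {
            "plain.sasl.server.callback.handler.class":
                "org.apache.kafka.common.security.ldap.internals.LdapPlainServerCallbackHandler",
            "plain.sasl.jaas.config": (
                'org.apache.kafka.common.security.plain.PlainLoginModule required '
                'ssl.truststore.password="changeit" '
                'ssl.truststore.location="/opt/kafka/custom-authn-secrets/custom-listener-ldap-9094/ldap-truststore/ldap-truststore.jks" '
                'ldap_url="ldaps://ldap.example.internal:636" '
                'user_dn_template="cn={0},ou=users,dc=example,dc=internal";'
            ),
            "sasl.enabled.mechanisms": "PLAIN",
        },
        "secrets": [{"key": "ldap-truststore.jks", "secretName": "ldap-truststore"}],
    },
}
WEAK_ALLOWED = "http://www.ldap-example-1.com,https://www.ldap-example-2.com"

# Hardened variant: TLS on the listener and an allowlist that names the ldaps URL in use.
HARDENED_LISTENER = copy.deepcopy(WEAK_LISTENER)
HARDENED_LISTENER["tls"] = True
HARDENED_ALLOWED = "ldaps://ldap.example.internal:636"

if __name__ == "__main__":
    for label, listener, allowed in (("weak", WEAK_LISTENER, WEAK_ALLOWED),
                                     ("hardened", HARDENED_LISTENER, HARDENED_ALLOWED)):
        print(label, check_ldap_listener(listener, allowed) or "OK")
```

Run it against the listener and node-pool values from your own Kafka and KafkaNodePool resources before applying them; the weak sample reports three findings (no TLS, non-LDAP allowlist entries, ldap_url missing from the allowlist) and the hardened sample reports none.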