Configuring LDAP authentication
Learn how to configure LDAP authentication for Kafka. LDAP is configured by creating a Kubernetes Secret that stores your LDAP truststore, configuring your Kafka resource to include a custom type listener for LDAP, and adding your LDAP server to the allowed list of LDAP URLs in the KafkaNodePool resource.
- An LDAP server is available. The server is accessible from the Kafka Kubernetes environment.
- You have access to a truststore that contains the CA certificate of the LDAP server.
To set up LDAP, create a Secret from the truststore so that the Strimzi Cluster Operator can mount it for the brokers.

    kubectl create secret generic [***SECRET NAME***] \
      --namespace [***NAMESPACE***] \
      --from-file=[***LDAP SERVER TRUSTSTORE FILE***]

Afterward, configure your Kafka and KafkaNodePool resources to include the LDAP configuration.
    #...
    kind: Kafka
    spec:
      kafka:
        listeners:
          - name: ldap
            port: 9094
            type: internal
            tls: false
            authentication:
              type: custom
              sasl: true
              listenerConfig:
                plain.sasl.server.callback.handler.class: org.apache.kafka.common.security.ldap.internals.LdapPlainServerCallbackHandler
                plain.sasl.jaas.config: 'org.apache.kafka.common.security.plain.PlainLoginModule required ssl.truststore.password="[***SSL TRUSTSTORE PASSWORD***]" ssl.truststore.location="/mnt/[***SECRET NAME***]/[***LDAP SERVER TRUSTSTORE FILE***]" ldap_url="ldaps://[***LDAP SERVER URL***]:[***PORT***]" user_dn_template="cn={0},ou=users,dc=ldap-dc,dc=ldap";'
                sasl.enabled.mechanisms: PLAIN
        template:
          pod:
            volumes:
              - name: [***VOLUME NAME***]
                secret:
                  secretName: [***SECRET NAME***]
          kafkaContainer:
            volumeMounts:
              - name: [***VOLUME NAME***]
                mountPath: /mnt/[***SECRET NAME***]
    ---
    #...
    kind: KafkaNodePool
    spec:
      jvmOptions:
        javaSystemProperties:
          - name: com.cloudera.kafka.ldap.allowed.urls
            value: [***LDAP SERVER URL 1***],[***LDAP SERVER URL 2***]
Apply the configuration changes to the Kafka resource and wait for the Strimzi Cluster Operator to reconcile the cluster. Note that the listener above is defined with tls: false, so the SASL PLAIN username and password are sent unencrypted between clients and brokers; only the broker-to-LDAP hop (ldaps://) is protected by the truststore. Enable TLS on the listener if client credentials must be protected in transit.
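As an added pre-apply check that is not part of this page or the product, the following Python parses the plain.sasl.jaas.config string and verifies the properties the listener above depends on: ldaps:// is used, the ldap_url appears in com.cloudera.kafka.ldap.allowed.urls, and the truststore path lies under the Secret mount. The host names, password and mount path are constructed stand-ins for the placeholders, and comparing allowed URLs as full scheme://host:port entries is an assumption about the allow-list format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample values standing in for the [*** ***] placeholders above.
MOUNT_PATH = "/mnt/ldap-truststore"
JAAS_CONFIG = (
    'org.apache.kafka.common.security.plain.PlainLoginModule required '
    'ssl.truststore.password="changeit" '
    f'ssl.truststore.location="{MOUNT_PATH}/ldap-truststore.jks" '
    'ldap_url="ldaps://ldap.example.internal:636" '
    'user_dn_template="cn={0},ou=users,dc=ldap-dc,dc=ldap";'
)
ALLOWED_URLS = "ldaps://ldap.example.internal:636,ldaps://ldap2.example.internal:636"

def parse_jaas_options(jaas: str) -> dict:
    """Return the key="value" options of a JAAS login-module entry."""
    return dict(re.findall(r'([\w.]+)="([^"]*)"', jaas))

def normalize_url(url: str) -> tuple:
    """Compare URLs on scheme, host and port only (assumed matching rule)."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)

def check_ldap_listener(jaas: str, allowed_urls: str, mount_path: str) -> list:
    """Return a list of findings; an empty list means the listener config passes."""
    opts = parse_jaas_options(jaas)
    findings = []
    url = opts.get("ldap_url", "")
    scheme, host, port = normalize_url(url)
    if scheme != "ldaps":
        # The broker forwards the bind credentials to the directory; require TLS there.
        findings.append(f"ldap_url must use ldaps://, got {url!r}")
    allowed = {normalize_url(u) for u in allowed_urls.split(",") if u.strip()}
    if (scheme, host, port) not in allowed:
        findings.append(f"ldap_url {url!r} is not in the allowed list {allowed_urls!r}")
    loc = opts.get("ssl.truststore.location", "")
    if not loc.startswith(mount_path.rstrip("/") + "/"):
        findings.append(f"truststore {loc!r} is outside the Secret mount {mount_path!r}")
    if not opts.get("ssl.truststore.password"):
        findings.append("ssl.truststore.password is empty")
    if "{0}" not in opts.get("user_dn_template", ""):
        findings.append("user_dn_template must contain the {0} username placeholder")
    return findings

if __name__ == "__main__":
    for f in check_ldap_listener(JAAS_CONFIG, ALLOWED_URLS, MOUNT_PATH) or ["OK"]:
        print(f)
```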
