Configuring Control Center with LDAP authentication

Control Center provides HTTP Basic Authentication via JAAS.

The following tutorial describes the steps necessary to enable HTTP Basic Authentication backed by LDAP. This includes but is not limited to the Active Directory (AD) LDAP implementation.

Escaping special characters

Important

Escape any restricted LDAP characters. For best results, avoid characters that require escaping. Follow Best Practices for LDAP Naming Attributes.

Character   Description
,           Comma [1]
\           Backslash
#           Pound (hash)
+           Plus sign
=           Equals sign
<           Less than
>           Greater than
;           Semi-colon
"           Double quote
(space)     Spaces [2]

[1] Requires escaping with a double backslash or \5c. See RFC 2254.
[2] Leading or trailing spaces must be escaped. Embedded spaces are not escaped.

Configure Control Center JAAS

  1. Create a JAAS configuration file with the following content and save as control-center-jaas.conf.

    c3 {
      org.eclipse.jetty.jaas.spi.LdapLoginModule required
    
      useLdaps="false"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      hostname="ad.confluent.io"
      port="389"
      bindDn="cn=admin,dc=confluent,dc=io"
      bindPassword="password"
      authenticationMethod="simple"
      forceBindingLogin="true"
      userBaseDn="ou=People,dc=confluent,dc=io"
      userRdnAttribute="sAMAccountName"
      userIdAttribute="sAMAccountName"
      userPasswordAttribute="userPassword"
      userObjectClass="user"
      roleBaseDn="ou=Groups,DC=confluent,DC=org"
      roleNameAttribute="cn"
      roleMemberAttribute="member"
      roleObjectClass="group";
    };
    

    Important

    If the bindDn, userBaseDn, or roleBaseDn contains special characters, escape them with a backslash. The comma character is designated by the LDAP filter specification as a reserved separator character for CN and OU. Any CN or OU that contains a comma (,) must be escaped with a double backslash in the LDAP JAAS configuration file. For example, the CN "administrator, firstclass" is escaped as follows: "CN=administrator\\, firstclass,OU=users,DC=confluent,DC=io". For further discussion about LDAP filtering and escaping, refer to this Stack Overflow article.
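    The escaping rules from the table above and from this note, worked through in code. This is an added example, not code from the Control Center documentation or from Jetty; the function names (escape_dn_value, build_dn, for_jaas_config, escape_filter_value) and the sample DN values are my own. It applies the RFC 4514 backslash escaping for DN values, doubles the backslashes for the JAAS configuration file as the note requires, and, because footnote [1] points at RFC 2254, also shows the hex escaping used inside LDAP search filters (the form the module uses when forceBindingLogin is false and the username is looked up by a search).

    ```python
    """Escaping helpers for LDAP DN values (RFC 4514), LDAP search filter values
    (RFC 2254 / RFC 4515) and the doubled-backslash form expected inside
    control-center-jaas.conf.

    Added example; not part of the Control Center or Jetty code base.
    All sample values are constructed for illustration.
    """

    # Characters the table above lists as requiring a backslash inside a DN value.
    DN_SPECIAL = set(',\\#+=<>;"')

    # RFC 2254 / RFC 4515: characters that must be hex-escaped inside a filter value.
    FILTER_SPECIAL = {'*': r'\2a', '(': r'\28', ')': r'\29', '\\': r'\5c', '\x00': r'\00'}


    def escape_dn_value(value: str) -> str:
        """Escape one attribute value so it can be embedded in a DN.

        Every character in DN_SPECIAL gets a leading backslash. Spaces are escaped
        only when leading or trailing; embedded spaces stay as they are (footnote [2]).
        """
        if not value:
            return value
        parts = ['\\' + ch if ch in DN_SPECIAL else ch for ch in value]
        if parts[0] == ' ':
            parts[0] = '\\ '
        if parts[-1] == ' ':
            parts[-1] = '\\ '
        return ''.join(parts)


    def build_dn(rdns) -> str:
        """Join (attribute, value) pairs into a DN string, escaping each value.

        build_dn([('CN', 'administrator, firstclass'), ('OU', 'users'),
                  ('DC', 'confluent'), ('DC', 'io')])
        gives the LDAP form  CN=administrator\\, firstclass,OU=users,DC=confluent,DC=io
        """
        return ','.join(f'{attr}={escape_dn_value(val)}' for attr, val in rdns)


    def for_jaas_config(dn: str) -> str:
        """Double every backslash so the DN survives the JAAS config file parser.

        The note above shows that a comma written as "\\," in LDAP must appear as
        "\\\\," inside control-center-jaas.conf.
        """
        return dn.replace('\\', '\\\\')


    def escape_filter_value(value: str) -> str:
        """Hex-escape a value for use inside an LDAP search filter (RFC 2254 / 4515).

        Use this on any externally supplied value (such as a submitted username)
        that you interpolate into a filter yourself, so the value cannot change
        the structure of the filter.
        """
        return ''.join(FILTER_SPECIAL.get(ch, ch) for ch in value)


    if __name__ == '__main__':
        dn = build_dn([('CN', 'administrator, firstclass'), ('OU', 'users'),
                       ('DC', 'confluent'), ('DC', 'io')])
        print('LDAP DN:     ', dn)
        print('JAAS file:   ', for_jaas_config(dn))
        print('filter value:', escape_filter_value('O(r*)'))
    ```

    The JAAS file form is only for the string literals inside control-center-jaas.conf; when you type the same DN into an LDAP client or ldapsearch, use the single-backslash form returned by build_dn.
    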

  2. Add these configuration options to the Control Center configuration file (control-center.properties).

    # The name of the configuration block in the JAAS configuration
    confluent.controlcenter.rest.authentication.realm=c3
    # HTTP authentication type
    confluent.controlcenter.rest.authentication.method=BASIC
    # To enable restricted access, add this line
    confluent.controlcenter.auth.restricted.roles=RestrictedGroupName
    # Add roles defined in the JAAS config file here
    confluent.controlcenter.rest.authentication.roles=c3users,RestrictedGroupName
    

Be aware that Control Center allows restricted access, as shown above by the confluent.controlcenter.auth.restricted.roles line: members of a restricted role can view but not edit or create anything in the UI. For more information about Control Center configuration, see Control Center Configuration Reference.
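A pre-flight check that reads the two files produced in steps 1 and 2 and verifies that they agree with each other, as an added example (not Confluent's or Jetty's code). It parses the Jetty JAAS block syntax shown above (realm name, module class, flag, then key="value" options ending in a semicolon) and the Java properties keys from step 2, then checks that the realm named in control-center.properties exists in the JAAS file, that every restricted role is also an allowed role, that useLdaps is on, that userBaseDn and roleBaseDn share a directory suffix, and that a bindDn is present when forceBindingLogin is false. The function names and the check list are my own; the embedded sample inputs are constructed copies of the snippets in this section, and on them the check reports two findings: plain ldap:// transport, and the different dc= suffixes of the sample userBaseDn (dc=io) and roleBaseDn (dc=org), which is worth confirming against your own directory layout.

```python
"""Cross-check control-center-jaas.conf against control-center.properties.

Added example; not part of Confluent Control Center or Jetty.
Both sample inputs below are constructed from the snippets in this section.
"""
import re

JAAS_SAMPLE = '''
c3 {
  org.eclipse.jetty.jaas.spi.LdapLoginModule required

  useLdaps="false"
  hostname="ad.confluent.io"
  port="389"
  bindDn="cn=admin,dc=confluent,dc=io"
  bindPassword="password"
  forceBindingLogin="true"
  userBaseDn="ou=People,dc=confluent,dc=io"
  roleBaseDn="ou=Groups,DC=confluent,DC=org"
  roleNameAttribute="cn"
  roleObjectClass="group";
};
'''

PROPS_SAMPLE = '''
# The name of the configuration block in the JAAS configuration
confluent.controlcenter.rest.authentication.realm=c3
confluent.controlcenter.rest.authentication.method=BASIC
confluent.controlcenter.auth.restricted.roles=RestrictedGroupName
confluent.controlcenter.rest.authentication.roles=c3users,RestrictedGroupName
'''

# realm { <module> <flag> key="value" ... ; };
_BLOCK = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.DOTALL)
# key="value", allowing backslash escapes inside the quotes
_OPTION = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_jaas(text):
    """Return {realm: {'module': ..., 'flag': ..., 'options': {...}}}."""
    realms = {}
    for name, body in _BLOCK.findall(text):
        header, _, rest = body.strip().partition('\n')
        tokens = header.split()
        realms[name] = {
            'module': tokens[0],
            'flag': tokens[1] if len(tokens) > 1 else '',
            'options': dict(_OPTION.findall(rest)),
        }
    return realms


def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', '!')):
            continue
        key, sep, value = line.partition('=')
        if sep:
            props[key.strip()] = value.strip()
    return props


def _suffix(dn):
    """Lower-cased dc= components of a DN, e.g. 'dc=confluent,dc=io'; splits on unescaped commas."""
    parts = [p.strip().lower() for p in re.split(r'(?<!\\),', dn)]
    return ','.join(p for p in parts if p.startswith('dc='))


def _roles(props, key):
    return set(filter(None, props.get(key, '').split(',')))


def check_config(jaas_text, props_text):
    """Return a list of problem strings; an empty list means the two files are consistent."""
    problems = []
    realms = parse_jaas(jaas_text)
    props = parse_properties(props_text)

    realm = props.get('confluent.controlcenter.rest.authentication.realm')
    if realm not in realms:
        problems.append(f'realm {realm!r} from control-center.properties has no block in the JAAS file')
        return problems
    opts = realms[realm]['options']

    if props.get('confluent.controlcenter.rest.authentication.method') != 'BASIC':
        problems.append('rest.authentication.method is not BASIC; this setup relies on HTTP Basic')

    # A restricted role that is not also an allowed role can never log in.
    allowed = _roles(props, 'confluent.controlcenter.rest.authentication.roles')
    for role in sorted(_roles(props, 'confluent.controlcenter.auth.restricted.roles') - allowed):
        problems.append(f'restricted role {role!r} is not listed in rest.authentication.roles')

    # With useLdaps="false" the bind password crosses the network unencrypted.
    if opts.get('useLdaps', 'false').lower() != 'true':
        problems.append('useLdaps is false: bind credentials are sent over plain ldap://')

    # User and role subtrees normally live under the same directory suffix.
    user_suffix, role_suffix = _suffix(opts.get('userBaseDn', '')), _suffix(opts.get('roleBaseDn', ''))
    if user_suffix and role_suffix and user_suffix != role_suffix:
        problems.append(f'userBaseDn suffix {user_suffix} differs from roleBaseDn suffix {role_suffix}')

    # When the user is not bound directly, the manager account does the lookup and needs a DN.
    if opts.get('forceBindingLogin', 'false').lower() != 'true' and not opts.get('bindDn'):
        problems.append('forceBindingLogin is false but no bindDn is configured')
    return problems


if __name__ == '__main__':
    for problem in check_config(JAAS_SAMPLE, PROPS_SAMPLE):
        print('-', problem)
```

Run it against your real files by replacing the two sample strings with the file contents; an empty result means the realm name, role lists and directory suffixes line up before you start Control Center.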

Start Control Center

You must pass a few system properties to the JVM when Control Center starts. To do so, export the CONTROL_CENTER_OPTS environment variable as shown below.

Note

Replace /path/to with the actual filepath.

CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/control-center-jaas.conf" \
control-center-start /path/to/control-center.properties

Configure LdapLoginModule

The LdapLoginModule accepts the following options.

debug
    Indicate whether to turn on debug output.

contextFactory
    Specify the LDAP context factory class; for example, com.sun.jndi.ldap.LdapCtxFactory.

providerUrl
    Specify the LDAP URL for the server; for example, ldap://server:389 or ldaps://server:636.

bindDn
    Optional. If not using binding authentication, set this to the root DN that should bind; for example, cn=administrator,dc=confluent,dc=io. See Escaping special characters.

bindPassword
    Specify the password for bindDn. See Escaping special characters.

authenticationMethod
    Specify the authentication method; for example, simple.

forceBindingLogin
    Indicate whether to bind as the user that is authenticating (true); otherwise, bind as the manager and perform a search to verify the user password (false).

forceBindingLoginUseRootContextForRoles
    Indicate whether role membership searches are performed in the root context. If set to true and forceBindingLogin is true, role membership searches are performed in the root context rather than in the bound user context.

userBaseDn
    Specify the base DN to search for users; for example, ou=People,dc=cops,dc=confluent,dc=io. See Escaping special characters.

userRdnAttribute
    Specify the attribute name for the username, used when searching for user role membership by DN. The default value is uid.

userIdAttribute
    Specify the attribute name used to identify a user by username. The default value is cn.

userPasswordAttribute
    Specify the attribute name for the user password. The default value is userPassword.

userObjectClass
    Specify the object class for users. The default value is inetOrgPerson.

roleBaseDn
    Specify the base DN for the role membership search; for example, ou=Groups,dc=cops,dc=confluent,dc=io. See Escaping special characters.

roleNameAttribute
    Specify the attribute name for the role name. The default value is roleName.

roleMemberAttribute
    Specify the attribute name of a role that contains a user's DN. The default value is uniqueMember.

roleUsernameMemberAttribute
    Specify the attribute name of a role that contains a user's username. If set, this overrides the roleMemberAttribute behavior.

roleObjectClass
    Specify the object class for roles. The default value is groupOfUniqueNames.

rolePrefix
    Specify the prefix string to remove from role names before returning them to the application; for example, confluent_.

cacheDurationMillis
    Specify the duration, in milliseconds, for which authorization results are cached. The default value is 0, which disables caching.

reportStatistics
    Indicate whether to write cache statistics to the log.