.. _kafka_ldap_authorizer:

|ldap-auth-long|
=====================

|commercial|

|ldap-auth-long| enables group-based authorization using the principal type
``Group`` as well as user-principal-based authorization using the principal
type ``User``. If a ``Deny`` rule matches the user principal or any of the
groups that the user belongs to, access is denied. Otherwise, access is
allowed if an ``Allow`` rule matches the user principal or any of the groups
that the user belongs to. If no ACL matches the user or any of the user's
groups, access is denied by default; the configuration option
``allow.everyone.if.no.acl.found`` can be set to ``true`` to allow access in
that case.

Super users or super groups with access to all resources can be configured
using the configuration option ``super.users``. This may contain user
principals as well as group principals, separated by semicolons. For example:

.. codewithvars:: bash

   super.users=User:kafkaBroker;Group:admin

Kerberos users with LDAP servers that provide Kerberos authentication as well
as group management can use the same LDAP server (e.g. Active Directory or
Apache Directory Server) for both authentication and group-based
authorization. Brokers using other security protocols or SASL mechanisms may
also use LDAP group-based authorization without using the LDAP server for
authentication.

.. toctree::

   quickstart
   configuration
   ../rbac/configure-mds/ldap-auth-mds
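The following is an added example, written for this page and not part of the LDAP authorizer's own code, that models the decision order described above: ``super.users`` bypass first, then any matching ``Deny`` on the user or one of the user's groups, then a matching ``Allow``, and finally the ``allow.everyone.if.no.acl.found`` fallback. The group table (standing in for an LDAP lookup), the ACL list, and the user names ``alice``, ``bob``, ``carol`` and ``dave`` are constructed for the demonstration; only the ``super.users`` value is taken from the page.

```python
# Added example: a small model of the ACL decision rules described on this
# page. Illustrative code, not the LDAP authorizer implementation. The group
# table, ACLs and user names are constructed; the evaluation order
# (super.users bypass, Deny before Allow, then the
# allow.everyone.if.no.acl.found fallback) follows the text of the page.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Acl:
    principal: str   # "User:<name>" or "Group:<name>"
    permission: str  # "Allow" or "Deny"
    operation: str   # e.g. "Read", "Write", or "All"
    resource: str    # e.g. "Topic:orders"


# Constructed group membership, standing in for the groups the authorizer
# would look up in LDAP for each authenticated user.
LDAP_GROUPS: Dict[str, Set[str]] = {
    "alice": {"developers"},
    "bob": {"developers", "contractors"},
    "carol": {"admin"},
}


def parse_super_users(value: str) -> Set[str]:
    """Parse a super.users value such as 'User:kafkaBroker;Group:admin'."""
    return {p.strip() for p in value.split(";") if p.strip()}


def principals_for(user: str) -> Set[str]:
    """Every principal an ACL can match for this user: the User principal
    plus one Group principal per LDAP group the user belongs to."""
    return {f"User:{user}"} | {f"Group:{g}" for g in LDAP_GROUPS.get(user, set())}


def authorize(user: str, operation: str, resource: str, acls: List[Acl],
              super_users: Set[str],
              allow_everyone_if_no_acl_found: bool = False) -> bool:
    """Return True if the request is permitted under the rules on this page."""
    principals = principals_for(user)

    # super.users may list user or group principals; either grants everything.
    if principals & super_users:
        return True

    matching = [a for a in acls
                if a.principal in principals
                and a.resource == resource
                and a.operation in (operation, "All")]

    # A Deny on the user or any of the user's groups wins over any Allow.
    if any(a.permission == "Deny" for a in matching):
        return False
    if any(a.permission == "Allow" for a in matching):
        return True

    # Nothing matched: denied unless allow.everyone.if.no.acl.found=true.
    return allow_everyone_if_no_acl_found


# Constructed ACL set for the demonstration.
ACLS = [
    Acl("Group:developers", "Allow", "Read", "Topic:orders"),
    Acl("Group:contractors", "Deny", "All", "Topic:orders"),
    Acl("User:alice", "Allow", "Write", "Topic:orders"),
]
SUPER_USERS = parse_super_users("User:kafkaBroker;Group:admin")


def demo() -> Dict[str, bool]:
    """Evaluate a few requests; keys name the case, values are the decisions."""
    return {
        "alice_read": authorize("alice", "Read", "Topic:orders", ACLS, SUPER_USERS),
        "alice_write": authorize("alice", "Write", "Topic:orders", ACLS, SUPER_USERS),
        # bob is a developer, but his contractors group carries a Deny.
        "bob_read_denied_by_group": authorize("bob", "Read", "Topic:orders", ACLS, SUPER_USERS),
        # carol is in Group:admin, which is listed in super.users.
        "carol_super_group": authorize("carol", "Delete", "Topic:orders", ACLS, SUPER_USERS),
        "broker_super_user": authorize("kafkaBroker", "Describe", "Cluster:kafka-cluster", ACLS, SUPER_USERS),
        # dave has no groups and no ACLs: the fallback flag decides.
        "dave_no_acl_default": authorize("dave", "Read", "Topic:orders", ACLS, SUPER_USERS),
        "dave_no_acl_allow_everyone": authorize("dave", "Read", "Topic:orders", ACLS, SUPER_USERS, True),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {'ALLOW' if decision else 'DENY'}")
```

The ``bob`` case is the one to keep in mind when assigning group ACLs: a ``Deny`` on any one of a user's groups blocks the request even though another group of the same user holds a matching ``Allow``, so a broad deny on a catch-all group silently overrides narrower grants. The ``dave`` cases show why ``allow.everyone.if.no.acl.found`` should stay at its default of ``false`` outside development clusters.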