Configure LDAP Authentication

You can configure all REST services in the Confluent Platform to authenticate against LDAP using the centralized authentication service provided by the Metadata Service (MDS). MDS performs basic username/password authentication for REST services by authenticating with the LDAP server configured on brokers in the MDS cluster. You must configure LDAP credentials that perform authentication on behalf of the login user on all brokers in the MDS cluster. Because these brokers can be behind a firewall, this architecture enables you to avoid the requirement to have LDAP access from user-facing components outside the firewall.

Many of the LDAP authentication configuration options in MDS are the same as those used by the LDAP Authorizer; however, when used in the context of MDS, you must use the prefix ldap. rather than ldap.authorizer. for these attributes. The following configuration attributes (described in detail in Configuring the LDAP Authorizer) are also used for authentication:

  • ldap.user.object.class

You can also use LDAP attributes used to configure authorization to create LDAP context for authentication. For more details, see Configuring the LDAP Authorizer. This configuration includes standard Java naming service provider options as well as JNDI options prefixed with ldap. (see LDAP Naming Service Provider for the Java Naming and Directory Interface (JNDI)).


The LDAP authorizer plugin is included in the Confluent Platform commercial component confluent-server package. To use LDAP authorizer, you must install or migrate to Confluent Server. The LDAP authorizer is not supported with confluent-kafka or Apache Kafka®. Refer to Migrate to Confluent Server for installation instructions.

LDAP Authentication Using Simple Bind

The recommended authentication method for LDAP performs a simple bind using the password provided by the user. The following privileges are required to do so:

  • You must configure LDAP credentials for performing LDAP searches to acquire the DN of the login user on brokers in the MDS cluster. For brokers using LDAP group-based authorization, the same credentials used by the Authorizer can also be used during authentication. This credential must be able to access all users connecting to Confluent services.
  • You must enable LDAP Simple bind using a login user’s DN and password for all users connecting to Confluent services.

MDS authenticates using its LDAP credential to perform a search to acquire a user’s DN. After the DN is known, the broker performs a simple LDAP bind using the DN and login password. Authentication succeeds if the bind succeeds.

If LDAP credentials are not configured for brokers in the MDS cluster, then an anonymous search is used to determine a user’s DN. This authentication option may prove useful during development and testing, but is not secure for production use. Therefore, you must disable anonymous search and configure LDAP credentials on the broker when connecting to production-level LDAP servers.