.. _client-auth-with-ldap:

Configuring Client Authentication with LDAP
-------------------------------------------

You can use Active Directory (AD) and/or LDAP to configure client authentication across all of your |ak| clusters that use SASL/PLAIN. SASL/PLAIN works with LDAP because the client sends its password to the broker, and the broker can then verify that password against the directory. You cannot bind SASL/SCRAM to LDAP: a SCRAM client never sends its password, only a proof derived from it, so the broker has no credential it could present to the LDAP server.

You must set up an LDAP server (for example, AD) before starting up the |ak| cluster. The configuration that follows assumes an LDAP server that is reachable by DNS lookup from the host where the broker runs, for example at ``LDAPSERVER.EXAMPLE.COM:3268``; the properties below use ``ldap://openldap:389``. Substitute your own server URL.

The broker's LDAP security settings must match your LDAP server configuration. The example below authenticates to LDAP with a simple bind (``ldap.java.naming.security.authentication=simple``) using a service account DN and password. If your LDAP server authenticates clients using Kerberos, the |ldap-auth| configuration uses ``GSSAPI`` instead; a keytab file is then required for the LDAP authorizer, and the keytab file and principal must be set in the authorizer JAAS configuration option ``ldap.sasl.jaas.config``. To configure LDAP, refer to :ref:`ldap-auth-config`.

To configure client authentication with AD/LDAP:

#. Start the LDAP server.

#. Add the user name and password to LDAP:

   ::

      dn: uid=client,ou=people,dc=planetexpress,dc=com
      userPassword: client-secret

#. Enable LDAP authentication for |ak| clients by adding the LDAP callback handler to ``server.properties`` in the broker.
   Add the SASL configuration:

   ::

      listener.name.sasl_plaintext.sasl.enabled.mechanisms=PLAIN
      listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required;
      listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler

   If you want to use LDAP authentication for inter-broker communication, you must also include the broker's own user name and password (the ``username`` and ``password`` options of the ``PlainLoginModule``) in this SASL JAAS configuration, and that broker account must exist in LDAP.

   Add the LDAP configuration:

   ::

      ldap.java.naming.provider.url=ldap://openldap:389
      # Authenticate to LDAP
      ldap.java.naming.security.principal=CN=admin,DC=planetexpress,DC=com
      ldap.java.naming.security.credentials=GoodNewsEveryone
      ldap.java.naming.security.authentication=simple
      # Locate users
      ldap.user.search.base=ou=people,dc=planetexpress,dc=com
      ldap.user.name.attribute=uid
      ldap.user.object.class=user
      ldap.user.password.attribute=userPassword

   The ``ldap.user.*`` values must match your directory schema: ``user`` is the AD object class for accounts, while OpenLDAP directories commonly use ``inetOrgPerson``. The bind password in ``ldap.java.naming.security.credentials`` is a plaintext secret in ``server.properties``; restrict the file's permissions and consider protecting it with :ref:`secrets`, as shown for the client password below.

#. Restart the |ak| broker.

   ::

      bin/kafka-server-start etc/kafka/server.properties

#. Specify the client configuration in ``producer.properties`` and ``consumer.properties``:

   ::

      sasl.mechanism=PLAIN
      security.protocol=SASL_PLAINTEXT
      sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";

   It is recommended that you encrypt the password in your client configuration using :ref:`secrets`. The following example shows an encrypted client configuration:

   ::

      sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password=${securepass:/secretsDemo/server.properties:server.properties/sasl.jaas.config/=org.apache.kafka.common.security.plain.PlainLoginModule /password};

.. note:: SASL/PLAIN sends the client password to the broker in cleartext, and a simple bind sends the service account password to the LDAP server in cleartext. Protect both hops with TLS: use a ``SASL_SSL`` listener (with ``security.protocol=SASL_SSL`` in the clients) between clients and brokers, and an ``ldaps://`` URL in ``ldap.java.naming.provider.url`` between the broker and the LDAP server.
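The following added example models the broker-side check that the ``ldap.user.*`` settings in the procedure above describe: search under ``ldap.user.search.base`` for an object of ``ldap.user.object.class`` whose ``ldap.user.name.attribute`` equals the SASL user name, require exactly one match, then verify the password. It is not Confluent's ``LdapAuthenticateCallbackHandler`` and does not talk to a real server; the directory entries (the ``uid=client`` entry from step 2 plus a constructed ``uid=broker`` account) are embedded so it runs offline. It also shows the caveat a practitioner should check in any such handler: the user name must be RFC 4515-escaped before it is placed in the search filter, otherwise a name such as ``cl*`` matches a different account.

```python
"""Added example (not Confluent's LdapAuthenticateCallbackHandler): a model of the
broker-side check that the ldap.user.* settings describe, run against a
constructed in-memory directory so it works offline."""
import hmac
import re

# The ldap.user.* fragment from server.properties (bind settings omitted).
LDAP_PROPERTIES = """
ldap.user.search.base=ou=people,dc=planetexpress,dc=com
ldap.user.name.attribute=uid
ldap.user.object.class=user
ldap.user.password.attribute=userPassword
"""

# Constructed directory standing in for the LDAP server: the entry added in
# step 2 plus a second, constructed account, keyed by DN.
DIRECTORY = {
    "uid=client,ou=people,dc=planetexpress,dc=com": {
        "objectClass": ["user"], "uid": ["client"], "userPassword": ["client-secret"]},
    "uid=broker,ou=people,dc=planetexpress,dc=com": {
        "objectClass": ["user"], "uid": ["broker"], "userPassword": ["broker-secret"]},
}

# The only filter shape this model emits: (&(objectClass=X)(attr=value)).
FILTER_RE = re.compile(r"^\(&\(objectClass=([^()]*)\)\(([^=()]+)=([^()]*)\)\)$")


def parse_properties(text):
    """Parse a Java-style key=value fragment, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def escape_filter_value(value):
    """RFC 4515 escaping: *, (, ), backslash and NUL become \\xx so a user name
    cannot change the meaning of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def user_search_filter(props, username, escape=True):
    """Filter sent to find the SASL user; escape=False shows the unsafe form."""
    value = escape_filter_value(username) if escape else username
    return "(&(objectClass=%s)(%s=%s))" % (
        props["ldap.user.object.class"], props["ldap.user.name.attribute"], value)


def _value_regex(assertion):
    """LDAP assertion value -> regex: bare '*' is a wildcard, \\xx a literal char."""
    regex, literal, i = "", "", 0
    while i < len(assertion):
        if assertion[i] == "\\" and i + 2 < len(assertion):
            literal += chr(int(assertion[i + 1:i + 3], 16))
            i += 3
        elif assertion[i] == "*":
            regex += re.escape(literal) + ".*"
            literal, i = "", i + 1
        else:
            literal += assertion[i]
            i += 1
    return re.compile("^" + regex + re.escape(literal) + "$")


def search(props, ldap_filter):
    """Return the DNs under ldap.user.search.base that match the filter."""
    match = FILTER_RE.match(ldap_filter)
    if not match:
        raise ValueError("malformed filter: " + ldap_filter)
    object_class, attr, value = match.groups()
    value_re = _value_regex(value)
    base = props["ldap.user.search.base"]
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base)
            and object_class in entry.get("objectClass", [])
            and any(value_re.match(v) for v in entry.get(attr, []))]


def authenticate(username, password, escape=True):
    """SASL/PLAIN callback: look the user up, require exactly one match, then
    verify the password. Returns the matched DN, or None to reject."""
    props = parse_properties(LDAP_PROPERTIES)
    try:
        hits = search(props, user_search_filter(props, username, escape))
    except ValueError:          # an injected ')' produced an unparseable filter
        return None
    if len(hits) != 1:          # unknown user, or an ambiguous wildcard match
        return None
    stored = DIRECTORY[hits[0]].get(props["ldap.user.password.attribute"], [])
    # The real handler verifies against the LDAP server; here a constant-time compare.
    ok = any(hmac.compare_digest(password.encode(), s.encode()) for s in stored)
    return hits[0] if ok else None


if __name__ == "__main__":
    print(authenticate("client", "client-secret"))             # the client DN
    print(authenticate("cl*", "client-secret"))                # None: '*' is escaped
    print(authenticate("cl*", "client-secret", escape=False))  # the client DN: wildcard leak
```

Run the module directly to see the three cases. The rejection of ambiguous results (more than one entry matching) matters in its own right: with an unescaped ``*`` the filter matches every account, and a handler that simply took the first result would verify the supplied password against an account the caller never named.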
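The introduction states that SASL/SCRAM cannot be bound to LDAP because the client never sends its password. The following added example (an illustration, not Kafka's or Confluent's SCRAM code) walks through the SCRAM-SHA-256 arithmetic from RFC 5802/7677 to show why: the client's final message carries only a proof, and the server can check that proof only if it holds the salted ``StoredKey`` for the user, which a directory ``userPassword`` attribute or a simple-bind attempt cannot provide. The salt, nonces and user name are constructed and fixed so the run is deterministic.

```python
"""Added example (illustration, not Kafka's SCRAM implementation): SCRAM-SHA-256
arithmetic from RFC 5802/7677, showing that the server needs StoredKey, not a
password, to verify a login. Salt and nonces are fixed so the run is deterministic."""
import base64
import hashlib
import hmac

HASH = "sha256"
ITERATIONS = 4096
SALT = b"constructed-salt"  # constructed; real brokers use a random per-user salt


def _keys(password):
    """SaltedPassword -> ClientKey, StoredKey, ServerKey (RFC 5802 section 3)."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), SALT, ITERATIONS)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return client_key, stored_key, server_key


def scram_credential(password):
    """What a SCRAM server must store per user. Kafka keeps this in its own
    metadata (ZooKeeper or KRaft), not in an LDAP userPassword attribute."""
    _, stored_key, server_key = _keys(password)
    return {"stored_key": stored_key, "server_key": server_key}


def _auth_message(username, c_nonce, s_nonce):
    """AuthMessage = client-first-bare , server-first , client-final-without-proof."""
    client_first_bare = "n=%s,r=%s" % (username, c_nonce)
    server_first = "r=%s%s,s=%s,i=%d" % (
        c_nonce, s_nonce, base64.b64encode(SALT).decode(), ITERATIONS)
    client_final_bare = "c=biws,r=%s%s" % (c_nonce, s_nonce)
    return ",".join([client_first_bare, server_first, client_final_bare]).encode()


def client_final(password, username, c_nonce, s_nonce):
    """Client side: the only password-derived value that crosses the wire is
    ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = _keys(password)
    signature = hmac.new(stored_key, _auth_message(username, c_nonce, s_nonce), HASH).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, signature))
    return "c=biws,r=%s%s,p=%s" % (c_nonce, s_nonce, base64.b64encode(proof).decode())


def server_verify(cred, username, c_nonce, s_nonce, client_final_message):
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Without StoredKey there is nothing to check the proof against."""
    proof = base64.b64decode(client_final_message.rsplit(",p=", 1)[1])
    signature = hmac.new(cred["stored_key"], _auth_message(username, c_nonce, s_nonce), HASH).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), cred["stored_key"])


if __name__ == "__main__":
    cred = scram_credential("client-secret")
    msg = client_final("client-secret", "client", "cnonce", "snonce")
    print("client-secret" in msg)                                  # False: password never sent
    print(server_verify(cred, "client", "cnonce", "snonce", msg))  # True
```

The contrast with the SASL/PLAIN path above is the point: PLAIN hands the broker the password itself, which it can forward to LDAP in a bind; SCRAM hands the broker a one-time proof that is only checkable with ``StoredKey``, so the credential store has to be SCRAM-aware.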