Important: You are viewing documentation for an older version of Confluent Platform.
Configuring the LDAP Authorizer
Configuration Overview
The broker configuration (e.g. in the server.properties file) must set authorizer.class.name to io.confluent.kafka.security.ldap.authorizer.LdapAuthorizer to enable LDAP group-based authorization:
authorizer.class.name=io.confluent.kafka.security.ldap.authorizer.LdapAuthorizer
authorizer.class.name
Fully qualified class name of the Apache Kafka® broker authorizer implementation class that implements the kafka.security.auth.Authorizer interface.
- Type: class
- Default: “”
- Importance: low
The following configuration options of SimpleAclAuthorizer are also processed by the LDAP Authorizer.
super.users
Semicolon-separated list of principals of super users or super groups who are allowed access to all of the resources for all of the actions for all of the hosts. If a resource has no ACLs associated with it, then only super users can access the resource. For an example of how to set this, see Configure Brokers.
- Type: string
- Default: “”
- Importance: medium
allow.everyone.if.no.acl.found
Boolean flag that indicates if everyone is allowed access to a resource if no ACL is found for the user principal or any of the groups that the user belongs to.
- Type: boolean
- Default: false
- Importance: medium
Additional configuration options for the LDAP Authorizer described below are prefixed with ldap.authorizer. These options should be configured to match the settings on your LDAP server to enable the LDAP Authorizer to obtain the mapping of user principals to groups from your LDAP server.
Configuring LDAP Context
All broker configuration options starting with ldap.authorizer.java.naming. and ldap.authorizer.com.sun.jndi. will be stripped of the ldap.authorizer. prefix and used in the creation of the LDAP context used to make connections to the LDAP server. ldap.authorizer.java.naming.provider.url must be configured with the URL of your LDAP server. For example:
ldap.authorizer.java.naming.provider.url=ldap://somehost:389
Configuring GSSAPI for LDAP
GSSAPI may be used to authenticate the LDAP Authorizer with your LDAP server if Kerberos is enabled on your LDAP server. The JAAS configuration for GSSAPI may be configured using the config option ldap.authorizer.sasl.jaas.config. For example:
ldap.authorizer.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
keyTab="/tmp/keytabs/ldap.keytab" \
principal="ldap@EXAMPLE.COM" \
storeKey="true" \
useKeyTab="true";
If ldap.authorizer.sasl.jaas.config is not configured, the default JAAS configuration of the broker will be used. The default JAAS configuration (e.g. configured using the system property java.security.auth.login.config) is loaded from the login context KafkaServer, which is used as the broker's login context using a single shared login. This should be used for LDAP only if the principal in this context can be used to search LDAP.
Configuring SSL for LDAP
You can enable SSL for the connections from the LDAP Authorizer to your LDAP server by setting ldap.authorizer.java.naming.security.protocol=SSL. All the SSL configuration options of Kafka clients are supported and must be prefixed with ldap.authorizer. For example:
ldap.authorizer.java.naming.security.protocol=SSL
ldap.authorizer.ssl.truststore.location=/path/to/truststore.jks
ldap.authorizer.ssl.truststore.password=truststore-secret
Using Persistent LDAP Search
By default, the mapping of users to groups obtained from LDAP is refreshed periodically with a refresh interval that can be configured using ldap.authorizer.refresh.interval.ms. If your LDAP server supports persistent search, the refresh interval may be set to zero to initiate a persistent LDAP search in the LDAP Authorizer. LDAP updates are processed as soon as notifications are received, enabling any changes to be used for authorization immediately. Note that persistent search requires a connection to be kept open between each broker and the LDAP server and may add load to your LDAP server.
ldap.authorizer.refresh.interval.ms=0
LDAP Authorizer Configuration Options
Confluent License
ldap.authorizer.license
Confluent issues a license key to each subscriber. The license key is a short snippet of text that you can copy and paste. Without the license key, you can use Confluent security plugins for a 30-day trial period. If you are a subscriber and don’t have a license key, please contact Confluent Support at support@confluent.io.
- Type: string
- Default: “”
- Importance: high
LDAP Search Configuration
ldap.authorizer.refresh.interval.ms
LDAP group cache refresh interval in milliseconds. If set to zero, persistent LDAP search is used.
- Type: int
- Default: 60000
- Importance: medium
ldap.authorizer.search.page.size
Page size for LDAP search if persistent search is disabled (refresh interval is greater than zero). Paging is disabled by default.
- Type: int
- Default: 0
- Importance: medium
ldap.authorizer.search.mode
LDAP search mode that indicates if user to group mapping is retrieved by searching for group or user entries. Valid values are USERS and GROUPS.
- Type: string
- Default: GROUPS
- Valid Values: [GROUPS, USERS]
- Importance: medium
LDAP search by groups
ldap.authorizer.group.search.base
LDAP search base for group-based search.
- Type: string
- Default: ou=groups
- Importance: high
ldap.authorizer.group.search.filter
LDAP search filter for group-based search.
- Type: string
- Default: “”
- Importance: medium
ldap.authorizer.group.search.scope
LDAP search scope for group-based search. Valid values are 0 (OBJECT), 1 (ONELEVEL) and 2 (SUBTREE).
- Type: int
- Default: 1
- Importance: medium
ldap.authorizer.group.object.class
LDAP object class for groups.
- Type: string
- Default: groupOfNames
- Importance: medium
ldap.authorizer.group.name.attribute
Name of the attribute that contains the name of the group in a group entry obtained using an LDAP search. A regex pattern may be specified to extract the group name used in ACLs from this attribute by configuring ldap.authorizer.group.name.attribute.pattern.
- Type: string
- Default: cn
- Importance: high
ldap.authorizer.group.name.attribute.pattern
Java regular expression pattern used to extract the group name used in ACLs from the name of the group obtained from the LDAP attribute specified using ldap.authorizer.group.name.attribute. By default the full value of the attribute is used.
- Type: string
- Default: “”
- Importance: low
ldap.authorizer.group.member.attribute
Name of the attribute that contains the members of the group in a group entry obtained using an LDAP search. A regex pattern may be specified to extract the user principals from this attribute by configuring ldap.authorizer.group.member.attribute.pattern.
- Type: string
- Default: member
- Importance: high
ldap.authorizer.group.member.attribute.pattern
Java regular expression pattern used to extract the user principals of group members from group member entries obtained from the LDAP attribute specified using ldap.authorizer.group.member.attribute. By default the full value of the attribute is used.
- Type: string
- Default: “”
- Importance: medium
ldap.authorizer.user.dn.name.pattern
Java regular expression pattern used to extract the user name from the distinguished name of the user when a user is renamed. This is used only when persistent search is enabled. By default ldap.authorizer.user.name.attribute is extracted from the DN.
- Type: string
- Default: “”
- Importance: low
LDAP search by users
ldap.authorizer.user.search.base
LDAP search base for user-based search.
- Type: string
- Default: ou=users
- Importance: medium
ldap.authorizer.user.search.filter
LDAP search filter for user-based search.
- Type: string
- Default: “”
- Importance: medium
ldap.authorizer.user.search.scope
LDAP search scope for user-based search. Valid values are 0 (OBJECT), 1 (ONELEVEL) and 2 (SUBTREE).
- Type: int
- Default: 1
- Importance: medium
ldap.authorizer.user.object.class
LDAP object class for users.
- Type: string
- Default: person
- Importance: medium
ldap.authorizer.user.name.attribute
Name of the attribute that contains the user principal in a user entry obtained using an LDAP search. A regex pattern may be specified to extract the user principal from this attribute by configuring ldap.authorizer.user.name.attribute.pattern.
- Type: string
- Default: uid
- Importance: medium
ldap.authorizer.user.name.attribute.pattern
Java regular expression pattern used to extract the user principal from the name of the user obtained from the LDAP attribute specified using ldap.authorizer.user.name.attribute. By default the full value of the attribute is used.
- Type: string
- Default: “”
- Importance: medium
ldap.authorizer.user.memberof.attribute
Name of the attribute that contains the groups in a user entry obtained using an LDAP search. A regex pattern may be specified to extract the group names used in ACLs from this attribute by configuring ldap.authorizer.user.memberof.attribute.pattern.
- Type: string
- Default: memberof
- Importance: medium
ldap.authorizer.user.memberof.attribute.pattern
Java regular expression pattern used to extract the names of groups from user entries obtained from the LDAP attribute specified using ldap.authorizer.user.memberof.attribute. By default the full value of the attribute is used.
- Type: string
- Default: “”
- Importance: medium
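To show how the search mode and the attribute-pattern options above turn directory entries into the user-to-group mapping that ACLs are checked against, here is an added Python model; it is not code from the Confluent plugin. The directory entries and the pattern values are constructed for illustration, Python's re stands in for Java regular expressions, and the model assumes a pattern is applied as a full match with its first capturing group taken as the extracted name (values that do not match are dropped).

```python
import re
from collections import defaultdict

# Constructed sample directory entries (not from any real LDAP server).
GROUP_ENTRIES = [
    {"cn": "kafka-admins", "member": ["uid=alice,ou=users,dc=example,dc=com"]},
    {"cn": "kafka-readers", "member": ["uid=carol,ou=users,dc=example,dc=com",
                                      "cn=svc-etl,ou=services,dc=example,dc=com"]},
]
USER_ENTRIES = [
    {"uid": "alice", "memberof": ["cn=kafka-admins,ou=groups,dc=example,dc=com"]},
    {"uid": "carol", "memberof": ["cn=kafka-readers,ou=groups,dc=example,dc=com"]},
]
# Hypothetical broker settings, shown with the ldap.authorizer. prefix dropped.
CFG = {
    "group.name.attribute": "cn", "group.name.attribute.pattern": "",
    "group.member.attribute": "member",
    "group.member.attribute.pattern": r"uid=(.*),ou=users,dc=example,dc=com",
    "user.name.attribute": "uid", "user.name.attribute.pattern": "",
    "user.memberof.attribute": "memberof",
    "user.memberof.attribute.pattern": r"cn=(.*),ou=groups,dc=example,dc=com",
}


def extract(value, pattern):
    """Empty pattern: the full attribute value is used. Otherwise the first
    capturing group of a full match (assumed semantics); no match -> None."""
    if not pattern:
        return value
    m = re.fullmatch(pattern, value)
    return m.group(1) if m else None


def groups_by_user(mode, entries, cfg=CFG):
    """Build the user -> sorted groups mapping for search mode GROUPS or USERS."""
    mapping = defaultdict(set)
    if mode == "GROUPS":  # one entry per group, its members listed inside
        for e in entries:
            g = extract(e[cfg["group.name.attribute"]], cfg["group.name.attribute.pattern"])
            for member in e[cfg["group.member.attribute"]]:
                u = extract(member, cfg["group.member.attribute.pattern"])
                if g and u:
                    mapping[u].add(g)
    elif mode == "USERS":  # one entry per user, its groups listed inside
        for e in entries:
            u = extract(e[cfg["user.name.attribute"]], cfg["user.name.attribute.pattern"])
            for dn in e[cfg["user.memberof.attribute"]]:
                g = extract(dn, cfg["user.memberof.attribute.pattern"])
                if g and u:
                    mapping[u].add(g)
    else:
        raise ValueError("ldap.authorizer.search.mode must be GROUPS or USERS")
    return {u: sorted(gs) for u, gs in mapping.items()}
```

Note that the service account under ou=services never appears in the mapping because its DN does not match the member pattern: a pattern that is too narrow silently loses members, and those principals then get no group-based access at all.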
Error Handling Configuration
ldap.authorizer.retry.backoff.ms
Initial retry backoff in milliseconds. Exponential backoff is used if ldap.authorizer.retry.backoff.max.ms is set to a higher value.
- Type: int
- Default: 100
- Importance: medium
ldap.authorizer.retry.backoff.max.ms
Maximum retry backoff in milliseconds. Exponential backoff is used if ldap.authorizer.retry.backoff.ms is set to a lower value.
- Type: int
- Default: 1000
- Importance: medium
ldap.authorizer.retry.timeout.ms
Timeout for LDAP search retries after which the LDAP Authorizer is marked as failed. All requests are denied access if a successful cache refresh cannot be performed within this time.
- Type: long
- Default: 3600000
- Importance: medium
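An added Python model (not the plugin's code) of the retry behaviour the three options above describe: the delay grows from ldap.authorizer.retry.backoff.ms up to ldap.authorizer.retry.backoff.max.ms, and once ldap.authorizer.retry.timeout.ms has passed without a successful refresh the authorizer is marked failed and every request is denied. Doubling on each failure is an assumption; the page only says the backoff is exponential.

```python
class RefreshState:
    """Models the LDAP cache refresh retry policy. Constructed model, not the
    plugin's implementation; the doubling factor is an assumption."""

    def __init__(self, backoff_ms=100, backoff_max_ms=1000, timeout_ms=3600000):
        self.backoff_ms = backoff_ms            # ldap.authorizer.retry.backoff.ms
        self.backoff_max_ms = backoff_max_ms    # ldap.authorizer.retry.backoff.max.ms
        self.timeout_ms = timeout_ms            # ldap.authorizer.retry.timeout.ms
        self.failed_since_ms = None             # start of the current failure streak
        self.attempts = 0

    def on_failure(self, now_ms):
        """Record a failed refresh and return how long to wait before retrying."""
        if self.failed_since_ms is None:
            self.failed_since_ms = now_ms
        delay = min(self.backoff_ms * 2 ** self.attempts, self.backoff_max_ms)
        self.attempts += 1
        return delay

    def on_success(self):
        """A successful refresh clears the failure streak and resets the backoff."""
        self.failed_since_ms = None
        self.attempts = 0

    def is_failed(self, now_ms):
        """True once retries have gone on for retry.timeout.ms without success."""
        return (self.failed_since_ms is not None
                and now_ms - self.failed_since_ms >= self.timeout_ms)


def authorize(state, now_ms, cached_decision):
    """Fail closed: a failed authorizer denies every request, whatever the
    (possibly stale) group cache would have decided."""
    return False if state.is_failed(now_ms) else cached_decision


def backoff_schedule(backoff_ms, backoff_max_ms, failures):
    """Delays produced by a run of consecutive refresh failures."""
    state = RefreshState(backoff_ms, backoff_max_ms)
    return [state.on_failure(i) for i in range(failures)]


if __name__ == "__main__":
    print(backoff_schedule(100, 1000, 6))  # [100, 200, 400, 800, 1000, 1000]
```

The practical consequence is that ldap.authorizer.retry.timeout.ms bounds how long brokers keep authorizing from a stale cache during an LDAP outage before they start denying everything.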
SSL Configuration for LDAP connection
ldap.authorizer.ssl.protocol
The SSL protocol used to generate the SSLContext. Default setting is TLS, which is fine for most cases. Allowed values in recent JVMs are TLS, TLSv1.1 and TLSv1.2. SSL, SSLv2 and SSLv3 may be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities.
- Type: string
- Default: TLS
- Importance: medium
ldap.authorizer.ssl.provider
The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.
- Type: string
- Default: null
- Importance: medium
ldap.authorizer.ssl.enabled.protocols
The list of protocols enabled for SSL connections.
- Type: list
- Default: TLSv1.2,TLSv1.1,TLSv1
- Importance: medium
ldap.authorizer.ssl.keystore.type
The file format of the key store file. This is optional for the client.
- Type: string
- Default: JKS
- Importance: medium
ldap.authorizer.ssl.truststore.type
The file format of the trust store file.
- Type: string
- Default: JKS
- Importance: medium
ldap.authorizer.ssl.key.password
The password of the private key in the key store file. This is optional for the client.
- Type: password
- Default: null
- Importance: high
ldap.authorizer.ssl.keystore.location
The location of the key store file. This is optional for the client and can be used for two-way authentication of the client.
- Type: string
- Default: null
- Importance: high
ldap.authorizer.ssl.keystore.password
The store password for the key store file. This is optional for the client and only needed if ssl.keystore.location is configured.
- Type: password
- Default: null
- Importance: high
ldap.authorizer.ssl.truststore.location
The location of the trust store file.
- Type: string
- Default: null
- Importance: high
ldap.authorizer.ssl.truststore.password
The password for the trust store file. If a password is not set, access to the truststore is still available, but integrity checking is disabled.
- Type: password
- Default: null
- Importance: high
ldap.authorizer.ssl.cipher.suites
A list of cipher suites. This is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol. By default all the available cipher suites are supported.
- Type: list
- Default: null
- Importance: low
ldap.authorizer.ssl.endpoint.identification.algorithm
The endpoint identification algorithm used to validate the server hostname against the server certificate.
- Type: string
- Default: https
- Importance: low
ldap.authorizer.ssl.keymanager.algorithm
The algorithm used by key manager factory for SSL connections. Default value is the key manager factory algorithm configured for the Java Virtual Machine.
- Type: string
- Default: SunX509
- Importance: low
ldap.authorizer.ssl.secure.random.implementation
The SecureRandom PRNG implementation to use for SSL cryptography operations.
- Type: string
- Default: null
- Importance: low
ldap.authorizer.ssl.trustmanager.algorithm
The algorithm used by trust manager factory for SSL connections. Default value is the trust manager factory algorithm configured for the Java Virtual Machine.
- Type: string
- Default: PKIX
- Importance: low
SASL Configuration for LDAP connection
ldap.authorizer.sasl.jaas.config
JAAS login context parameters for SASL connections in the format used by JAAS configuration files. The JAAS configuration file format is described in http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html. The format for the value is:
loginModuleClass controlFlag (optionName=optionValue)*;
- Type: password
- Default: null
- Importance: medium
ldap.authorizer.sasl.kerberos.service.name
The Kerberos principal name that the LDAP service runs as. The value is ldap in all standard LDAP deployments.
- Type: string
- Default: null
- Importance: medium
ldap.authorizer.sasl.login.callback.handler.class
The fully qualified name of a SASL login callback handler class that implements the AuthenticateCallbackHandler interface.
- Type: class
- Default: null
- Importance: medium
ldap.authorizer.sasl.login.class
The fully qualified name of a class that implements the Login interface.
- Type: class
- Default: null
- Importance: medium
ldap.authorizer.sasl.kerberos.kinit.cmd
Kerberos kinit command path.
- Type: string
- Default: /usr/bin/kinit
- Importance: low
ldap.authorizer.sasl.kerberos.min.time.before.relogin
Login thread sleep time between refresh attempts.
- Type: long
- Default: 60000
- Importance: low
ldap.authorizer.sasl.kerberos.ticket.renew.jitter
Percentage of random jitter added to the renewal time.
- Type: double
- Default: 0.05
- Importance: low
ldap.authorizer.sasl.kerberos.ticket.renew.window.factor
Login thread will sleep until the specified window factor of time from last refresh to ticket’s expiry has been reached, at which time it will try to renew the ticket.
- Type: double
- Default: 0.8
- Importance: low