
Configuring Client Authentication with LDAP

You can use Active Directory (AD) and/or LDAP to configure client authentication across all of your Kafka clusters that use SASL/PLAIN. The SASL/PLAIN binding to LDAP requires the password provided by the client. Note that you cannot bind SASL/SCRAM to LDAP because with SCRAM the client never sends its password, so the broker has no credential to present to LDAP.
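The difference in the paragraph above is visible at the message level. The following added example (not Confluent's code) builds the SASL/PLAIN initial client response from RFC 4616 and a SASL/SCRAM-SHA-256 client proof from RFC 5802/7677 for the same credentials, and shows what a broker-side handler can recover from each: the cleartext password in the PLAIN case, only a derived key in the SCRAM case. The salt, iteration count and auth message are constructed for the illustration.

```python
"""Why SASL/PLAIN can be bound to LDAP while SASL/SCRAM cannot.

Added example, not Confluent's code. It builds the SASL/PLAIN initial
client response (RFC 4616) and a SASL/SCRAM-SHA-256 client proof
(RFC 5802 / RFC 7677) for the same credentials, then shows what a
broker-side callback handler can recover from each message.
"""
import hashlib
import hmac


def plain_initial_response(username: str, password: str) -> bytes:
    """RFC 4616 message: [authzid] NUL authcid NUL passwd. The password
    travels verbatim, so the broker can forward it to an LDAP simple bind."""
    return b"\0" + username.encode() + b"\0" + password.encode()


def plain_server_extracts(message: bytes):
    """What an LDAP authenticate callback handler has to work with: a
    username it can search for and the cleartext password it can bind with."""
    _authzid, username, password = message.split(b"\0", 2)
    return username.decode(), password.decode()


def _client_key(password: str, salt: bytes, iterations: int) -> bytes:
    # SaltedPassword = PBKDF2(password, salt, i); ClientKey = HMAC(SaltedPassword, "Client Key")
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.new(salted, b"Client Key", hashlib.sha256).digest()


def scram_stored_key(password: str, salt: bytes, iterations: int = 4096) -> bytes:
    """What a SCRAM verifier must already hold: StoredKey = H(ClientKey).
    It is derived from the password once, with a salt chosen by the verifier,
    and lives in the broker's own credential store, not in LDAP."""
    return hashlib.sha256(_client_key(password, salt, iterations)).digest()


def scram_client_proof(password: str, salt: bytes, iterations: int,
                       auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    The password itself never leaves the client."""
    client_key = _client_key(password, salt, iterations)
    stored_key = hashlib.sha256(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def scram_server_verifies(stored_key: bytes, auth_message: bytes, proof: bytes) -> bool:
    """The verifier recovers ClientKey from the proof and checks H(ClientKey)
    against StoredKey. It obtains a key, never the password, so there is
    nothing it could hand to an LDAP bind."""
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)


if __name__ == "__main__":
    # Constructed values for the demonstration.
    salt = b"constructed-salt"
    auth_message = b"n=client,r=cnonce,r=cnoncesnonce,s=Y29uc3RydWN0ZWQ=,i=4096,c=biws,r=cnoncesnonce"

    print("PLAIN gives the broker:", plain_server_extracts(plain_initial_response("client", "client-secret")))
    stored = scram_stored_key("client-secret", salt)
    proof = scram_client_proof("client-secret", salt, 4096, auth_message)
    print("SCRAM verifies with StoredKey only:", scram_server_verifies(stored, auth_message, proof))
    print("SCRAM proof bytes contain no password:", proof.hex())
```

Running the block shows that the PLAIN handler receives the literal password (which is why the callback handler can perform an LDAP bind with it), while the SCRAM verifier succeeds using only a stored key that must have been created by the broker's own credential store beforehand.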

You must set up an LDAP server (for example, AD) before starting up the Kafka cluster. The configuration that follows is based on the assumption that you have an LDAP server at the URL LDAPSERVER.EXAMPLE.COM:3268 that is accessible using DNS lookup from the host where the broker runs. The configuration expects a Kerberos-enabled LDAP server (although Kerberos is not required; you can perform a simple bind if your LDAP server supports it), and the LDAP Authorizer configuration uses GSSAPI for authentication. These security settings must match your LDAP server configuration.

If your LDAP server authenticates clients using Kerberos, a keytab file is required for the LDAP authorizer, and the keytab file and principal should be updated in the authorizer JAAS configuration option ldap.sasl.jaas.config.

To configure LDAP, refer to Configure LDAP Group-Based Authorization for MDS.

To configure client authentication with AD/LDAP:

  1. Start the LDAP server.

  2. Add the user name and password to LDAP:

    dn: uid=client,ou=people,dc=planetexpress,dc=com
    userPassword: client-secret
    
  3. Enable LDAP authentication for Kafka clients by adding the LDAP callback handler to server.properties in the broker.

    Add the SASL configuration:

    listener.name.sasl_plaintext.sasl.enabled.mechanisms=PLAIN
    listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required;
    
    listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
    

    If you want to use LDAP authentication for inter-broker communication, then you must include the broker’s user name and password in your SASL configuration.

    Add the LDAP configuration:

    ldap.java.naming.provider.url=ldap://openldap:389
    # Authenticate to LDAP
    ldap.java.naming.security.principal=CN=admin,DC=planetexpress,DC=com
    ldap.java.naming.security.credentials=GoodNewsEveryone
    ldap.java.naming.security.authentication=simple
    # Locate users
    ldap.user.search.base=ou=people,dc=planetexpress,dc=com
    ldap.user.name.attribute=uid
    ldap.user.object.class=user
    ldap.user.password.attribute=userPassword
    
  4. Restart the Kafka broker.

    /bin/kafka-server-start etc/kafka/server.properties
    
  5. Specify the client configuration in producer.properties and consumer.properties:

    sasl.mechanism=PLAIN
    security.protocol=SASL_PLAINTEXT
    sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule \
      required username="client" password="client-secret";
    

    It’s recommended that you encrypt the password in your client configuration using Secrets. The following example shows an encrypted client configuration:

    sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule \
      required username="client" password=${securepass:/secretsDemo/server.properties:server.properties/sasl.jaas.config/=org.apache.kafka.common.security.plain.PlainLoginModule /password};
    

    Note

    Credentials are sent in PLAIN text, so be sure to use TLS with LDAP.
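The note above applies to two hops: the client-to-broker SASL/PLAIN exchange and the broker-to-LDAP bind. The following added example (not Confluent's code) is an offline lint for the broker and client settings from steps 3 and 5. It parses Java .properties text, including backslash line continuations, and flags the settings that leave credentials exposed: PLAIN on a listener mapped to SASL_PLAINTEXT, an ldap:// bind URL, and a literal bind or client password rather than a Secrets reference. The sample property files are constructed here; the keys are the ones used on this page, and the listener name LDAPAUTH, the ldaps:// port and the secrets path in the hardened broker sample are placeholders.

```python
"""Lint Kafka broker and client properties for exposed LDAP credentials.

Added example, not Confluent's code. Parses .properties text (comments,
'=' or ':' separators, backslash continuations) and reports findings as
short codes. Sample inputs below are constructed for the demonstration.
"""
import re
from typing import Dict, List

SECRET_REF = re.compile(r"\$\{securepass:[^}]*\}")
PASSWORD_IN_JAAS = re.compile(r'password=("[^"]*"|\$\{securepass:[^}]*\})')


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: joins '\\'-continued lines,
    skips comments, splits on the first '=' or ':'."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):            # continuation: glue the next line on
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _listener_protocols(props: Dict[str, str]) -> Dict[str, str]:
    """listener.security.protocol.map as NAME -> PROTOCOL (upper-cased)."""
    out = {}
    for entry in props.get("listener.security.protocol.map", "").split(","):
        name, _, proto = entry.partition(":")
        if name.strip():
            out[name.strip().upper()] = proto.strip().upper()
    return out


def audit_broker(props: Dict[str, str]) -> List[str]:
    findings = []
    if props.get("ldap.java.naming.provider.url", "").startswith("ldap://"):
        findings.append("LDAP_NO_TLS")             # bind password crosses the wire in clear
    cred = props.get("ldap.java.naming.security.credentials", "")
    if cred and not SECRET_REF.search(cred):
        findings.append("LDAP_BIND_PASSWORD_PLAINTEXT")
    protocols = _listener_protocols(props)
    for key, value in props.items():
        m = re.match(r"listener\.name\.([^.]+)\.sasl\.enabled\.mechanisms", key)
        if not m or "PLAIN" not in value.upper():
            continue
        name = m.group(1)
        # Without a map entry, Kafka treats the listener name as the protocol.
        if protocols.get(name.upper(), name.upper()) == "SASL_PLAINTEXT":
            findings.append(f"PLAIN_ON_SASL_PLAINTEXT:{name}")
        if f"listener.name.{name}.plain.sasl.server.callback.handler.class" not in props:
            findings.append(f"PLAIN_WITHOUT_LDAP_HANDLER:{name}")
    return findings


def audit_client(props: Dict[str, str]) -> List[str]:
    findings = []
    if (props.get("sasl.mechanism", "").upper() == "PLAIN"
            and props.get("security.protocol", "").upper() == "SASL_PLAINTEXT"):
        findings.append("PLAIN_OVER_PLAINTEXT")
    m = PASSWORD_IN_JAAS.search(props.get("sasl.jaas.config", ""))
    if m and m.group(1).startswith('"'):
        findings.append("CLIENT_PASSWORD_PLAINTEXT")
    return findings


# Constructed samples. The first pair mirrors the settings on this page.
BROKER_AS_ON_PAGE = r"""
listener.name.sasl_plaintext.sasl.enabled.mechanisms=PLAIN
listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required;
listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
ldap.java.naming.provider.url=ldap://openldap:389
# Authenticate to LDAP
ldap.java.naming.security.principal=CN=admin,DC=planetexpress,DC=com
ldap.java.naming.security.credentials=GoodNewsEveryone
ldap.java.naming.security.authentication=simple
"""

BROKER_HARDENED = r"""
listener.security.protocol.map=LDAPAUTH:SASL_SSL
listener.name.ldapauth.sasl.enabled.mechanisms=PLAIN
listener.name.ldapauth.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required;
listener.name.ldapauth.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
ldap.java.naming.provider.url=ldaps://openldap:636
ldap.java.naming.security.principal=CN=admin,DC=planetexpress,DC=com
ldap.java.naming.security.credentials=${securepass:/path/to/secrets:server.properties/ldap.java.naming.security.credentials}
ldap.java.naming.security.authentication=simple
"""

CLIENT_AS_ON_PAGE = r"""
sasl.mechanism=PLAIN
security.protocol=SASL_PLAINTEXT
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule \
  required username="client" password="client-secret";
"""

CLIENT_HARDENED = r"""
sasl.mechanism=PLAIN
security.protocol=SASL_SSL
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule \
  required username="client" password=${securepass:/secretsDemo/server.properties:server.properties/sasl.jaas.config/=org.apache.kafka.common.security.plain.PlainLoginModule /password};
"""

if __name__ == "__main__":
    for label, text, fn in (("broker (page)", BROKER_AS_ON_PAGE, audit_broker),
                            ("broker (hardened)", BROKER_HARDENED, audit_broker),
                            ("client (page)", CLIENT_AS_ON_PAGE, audit_client),
                            ("client (hardened)", CLIENT_HARDENED, audit_client)):
        print(f"{label}: {fn(parse_properties(text)) or 'no findings'}")
```

The hardened broker sample moves the listener to SASL_SSL through listener.security.protocol.map, binds to LDAP over ldaps://, and reads the bind password from a Secrets reference; the hardened client sample does the same for the client hop with the encrypted sasl.jaas.config shown above.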