LDAP configuration reference

Confluent license

confluent.license

Confluent issues a license key to each subscriber. The license key is a short snippet of text that you can copy and paste. Without the license key, you can use Confluent security plugins for a 30-day trial period. If you are a subscriber and don’t have a license key, contact Confluent Support at support@confluent.io.

  • Type: string
  • Default: “”
  • Importance: high

Enable LDAP group authorization

ldap.group.authorization.enable

This flag allows for explicitly enabling or disabling the group authorization. One use case could be that the user wants LDAP authentication to function but does not require group authorization.

  • Type: boolean
  • Default: true
  • Valid Values: [true, false]
  • Importance: low

LDAP search configuration

ldap.principal.mapping

LDAP principal mapping mode dictates the mechanism used to determine the LDAP user principal name for downstream authorization purposes.

  • Type: string
  • Default: default
  • Valid Values: [default, ldap]
  • Importance: medium

Mapping mode options:

  • default - Use the case-sensitive authentication username supplied by the user/caller as the user principal for authorization. This is the default value.

  • ldap - Use the case-sensitive user principal name from the LDAP server as the user principal for authorization. Note that even though the user principal name lookup is case-insensitive, the case from the LDAP records is used rather than the case used in the original authenticated username.

    Example: If a user principal in LDAP is all-caps “BOB”, the user can sign in with “bob” and during LDAP authentication, the lookup finds “BOB” and sets “BOB” as the user principal for authorization purposes.

Important

When the mapping mode is set to ldap, the user principal value specified in the Kafka cluster role bindings must match the case of the user principal name used in the LDAP records; otherwise, authorization fails.

ldap.refresh.interval.ms

LDAP group cache refresh interval in milliseconds. If set to zero, then persistent LDAP search is used.

  • Type: int
  • Default: 60000
  • Importance: medium

ldap.search.page.size

Page size for LDAP search if persistent search is disabled (in other words, when the refresh interval is greater than zero). Paging is disabled by default.

  • Type: int
  • Default: 0
  • Importance: medium

ldap.search.mode

LDAP search mode that indicates if the user-to-group mapping is retrieved by searching for group or user entries. Valid values are USERS and GROUPS.

  • Type: string
  • Default: GROUPS
  • Valid Values: [GROUPS, USERS]
  • Importance: medium

LDAP search by groups

ldap.group.search.base

LDAP search base for group-based search.

  • Type: string
  • Default: ou=groups
  • Importance: high

ldap.group.search.filter

LDAP search filter for group-based search.

  • Type: string
  • Default: “”
  • Importance: medium

ldap.group.search.scope

LDAP search scope for group-based search. Valid values are 0 (OBJECT), 1 (ONELEVEL) and 2 (SUBTREE).

  • Type: int
  • Default: 1
  • Importance: medium

ldap.group.object.class

LDAP object class for groups.

  • Type: string
  • Default: groupOfNames
  • Importance: medium

ldap.group.name.attribute

Name of attribute that contains the name of the group in a group entry obtained using an LDAP search. A regex pattern may be specified to extract the group name used in ACLs from this attribute by configuring ldap.group.name.attribute.pattern.

  • Type: string
  • Default: cn
  • Importance: high

ldap.group.name.attribute.pattern

A Java regular expression pattern that extracts the group name used in ACLs from the name of the group obtained from the LDAP attribute specified using ldap.group.name.attribute. By default the full value of the attribute is used.

  • Type: string
  • Default: “”
  • Importance: low

ldap.group.member.attribute

The name of the attribute that contains the members of the group in a group entry obtained using an LDAP search. A regex pattern may be specified to extract the user principals from this attribute by configuring ldap.group.member.attribute.pattern.

  • Type: string
  • Default: member
  • Importance: high

ldap.group.member.attribute.pattern

A Java regular expression pattern that extracts the user principals of group members from group member entries obtained from the LDAP attribute specified using ldap.group.member.attribute. By default the full value of the attribute is used.

  • Type: string
  • Default: “”
  • Importance: medium
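
To make the group-based search mapping and the case rule of ldap.principal.mapping concrete, here is an added Python model of the mapping step; it is not the plugin's code. The group entries, the regex values and the function names are assumptions, chosen so the patterns are valid both as Java regex (what the plugin expects) and as Python regex.

```python
import re

# Constructed sample group entries from a GROUPS-mode search
# (ldap.group.name.attribute=cn, ldap.group.member.attribute=member).
SAMPLE_GROUP_ENTRIES = [
    {"cn": ["Kafka-Admins"],
     "member": ["uid=BOB,ou=users,dc=example,dc=com",
                "uid=alice,ou=users,dc=example,dc=com"]},
    {"cn": ["Developers"],
     "member": ["uid=alice,ou=users,dc=example,dc=com",
                "cn=svc-metrics,ou=services,dc=example,dc=com"]},
]
# Assumed ldap.group.member.attribute.pattern (Java regex syntax, also
# valid in Python) and ldap.group.name.attribute.pattern ("" = whole value).
MEMBER_ATTRIBUTE_PATTERN = r"uid=(.*?),.*"
GROUP_NAME_ATTRIBUTE_PATTERN = ""

def extract(pattern, value):
    """Match the whole value against pattern; return group 1 or None."""
    if not pattern:
        return value  # default: full attribute value is used
    m = re.fullmatch(pattern, value)
    return m.group(1) if m else None

def build_user_groups(entries):
    """Map user principal -> set of group names used in ACLs."""
    mapping = {}
    for entry in entries:
        group = extract(GROUP_NAME_ATTRIBUTE_PATTERN, entry["cn"][0])
        for member in entry["member"]:
            principal = extract(MEMBER_ATTRIBUTE_PATTERN, member)
            if principal is None:
                continue  # e.g. a cn= DN: no user principal to extract
            mapping.setdefault(principal, set()).add(group)
    return mapping

def resolve_principal(login_name, user_groups, mapping_mode="default"):
    """default: name exactly as authenticated; ldap: case from the LDAP record."""
    if mapping_mode == "default":
        return login_name
    for principal in user_groups:            # lookup is case-insensitive,
        if principal.lower() == login_name.lower():
            return principal                 # but the LDAP record's case wins
    return None

def role_binding_matches(binding_principal, principal):
    """Role bindings compare the principal string case-sensitively."""
    return binding_principal == f"User:{principal}"
```

A member value that does not match ldap.group.member.attribute.pattern yields no principal, so such members silently get no group membership; review the pattern against every DN shape in the directory.
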
ldap.group.dn.name.pattern

A Java regular expression pattern that extracts the group name from the distinguished name (DN) of the group when a group is renamed. This is used only when persistent search is enabled. By default the ldap.group.name.attribute is extracted from the DN.

  • Type: string
  • Default: “”
  • Importance: low

ldap.user.dn.name.pattern

A Java regular expression pattern used to extract the user name from the distinguished name (DN) of the user when a user is renamed. This is used only when persistent search is enabled. By default ldap.user.name.attribute is extracted from the DN.

  • Type: string
  • Default: “”
  • Importance: low

LDAP search by users

ldap.user.search.base

The LDAP search base for a user-based search.

  • Type: string
  • Default: ou=users
  • Importance: medium

ldap.user.search.filter

The LDAP search filter for a user-based search.

  • Type: string
  • Default: “”
  • Importance: medium

ldap.user.search.scope

The LDAP search scope for a user-based search. Valid values are 0 (OBJECT), 1 (ONELEVEL), and 2 (SUBTREE).

  • Type: int
  • Default: 1
  • Importance: medium

ldap.user.object.class

The LDAP object class for users.

  • Type: string
  • Default: person
  • Importance: medium

ldap.user.name.attribute

Name of attribute that contains the user principal in a user entry obtained using an LDAP search. A regex pattern may be specified to extract the user principal from this attribute by configuring ldap.user.name.attribute.pattern.

  • Type: string
  • Default: uid
  • Importance: medium

ldap.user.name.attribute.pattern

A Java regular expression pattern used to extract the user principal from the name of the user obtained from the LDAP attribute specified using ldap.user.name.attribute. By default the full value of the attribute is used.

  • Type: string
  • Default: “”
  • Importance: medium

ldap.user.memberof.attribute

The name of the attribute that contains the groups in a user entry obtained using an LDAP search. A regex pattern may be specified to extract the group names used in ACLs from this attribute by configuring ldap.user.memberof.attribute.pattern.

  • Type: string
  • Default: memberof
  • Importance: medium

ldap.user.memberof.attribute.pattern

A Java regular expression pattern used to extract the names of groups from user entries obtained from the LDAP attribute specified using ldap.user.memberof.attribute. By default the full value of the attribute is used.

  • Type: string
  • Default: “”
  • Importance: medium

Error handling configuration

ldap.retry.max.count

Maximum number of retries for LDAP search.

  • Type: int
  • Default: 3
  • Importance: medium

ldap.retry.backoff.ms

Initial retry backoff in milliseconds. Exponential backoff is used if ldap.retry.backoff.max.ms is set to a higher value.

  • Type: int
  • Default: 100
  • Importance: medium

ldap.retry.backoff.max.ms

Maximum retry backoff in milliseconds. Exponential backoff is used if ldap.retry.backoff.ms is set to a lower value.

  • Type: int
  • Default: 1000
  • Importance: medium

ldap.retry.timeout.ms

Timeout for LDAP search retries after which the Confluent Server Authorizer is marked as failed. All requests are denied access if a successful cache refresh cannot be performed within this time.

  • Type: long
  • Default: 86400000
  • Importance: medium

TLS configuration for LDAP connection

ldap.ssl.protocol

The TLS protocol used to generate the SSLContext. The default is TLSv1.3 when running with Java 11 or newer, TLSv1.2 otherwise. This value should be fine for most use cases. Allowed values in recent JVMs are TLSv1.2 and TLSv1.3. TLS, TLSv1.1, SSL, SSLv2 and SSLv3 might be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities. With the default value for this configuration and ssl.enabled.protocols, clients downgrade to TLSv1.2 if the server does not support TLSv1.3. If this configuration is set to TLSv1.2, clients do not use TLSv1.3, even if it is one of the values in ssl.enabled.protocols and the server only supports TLSv1.3.

  • Type: string
  • Default: TLSv1.3
  • Importance: medium

ldap.ssl.provider

The name of the security provider used for TLS connections. The default value is the default security provider of the JVM.

  • Type: string
  • Default: null
  • Importance: medium

ldap.ssl.enabled.protocols

The comma-separated list of protocols enabled for TLS connections. The default value is TLSv1.2,TLSv1.3 when running with Java 11 or later, TLSv1.2 otherwise. With the default value for Java 11 (TLSv1.2,TLSv1.3), Kafka clients and brokers prefer TLSv1.3 if both support it, and fall back to TLSv1.2 otherwise (assuming both support at least TLSv1.2).

  • Type: list
  • Default: TLSv1.2,TLSv1.3
  • Importance: medium

ldap.ssl.keystore.type

The file format of the key store file. This attribute is optional for the client.

  • Type: string
  • Default: JKS
  • Importance: medium

ldap.ssl.truststore.type

The file format of the trust store file.

  • Type: string
  • Default: JKS
  • Importance: medium

ldap.ssl.key.password

The password of the private key in the key store file. This attribute is optional for the client.

  • Type: password
  • Default: null
  • Importance: high

ldap.ssl.keystore.location

The location of the key store file. This attribute is optional for the client and can be used for two-way client authentication.

  • Type: string
  • Default: null
  • Importance: high

ldap.ssl.keystore.password

The store password for the key store file. This attribute is optional for the client and is only needed if ssl.keystore.location is configured.

  • Type: password
  • Default: null
  • Importance: high

ldap.ssl.truststore.location

The location of the trust store file.

  • Type: string
  • Default: null
  • Importance: high

ldap.ssl.truststore.password

The password for the trust store file. If a password is not set, then access to the truststore is still available, but integrity checking is disabled.

  • Type: password
  • Default: null
  • Importance: high

ldap.ssl.cipher.suites

A list of cipher suites. This is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS. By default all the available cipher suites are supported.

  • Type: list
  • Default: null
  • Importance: low

ldap.ssl.keymanager.algorithm

The algorithm used by the key manager factory for TLS connections. The default value is the key manager factory algorithm configured for the Java Virtual Machine.

  • Type: string
  • Default: SunX509
  • Importance: low

ldap.ssl.secure.random.implementation

The SecureRandom PRNG implementation to use for TLS cryptography operations.

  • Type: string
  • Default: null
  • Importance: low

ldap.ssl.trustmanager.algorithm

The algorithm used by trust manager factory for TLS connections. The default value is the trust manager factory algorithm configured for the Java Virtual Machine.

  • Type: string
  • Default: PKIX
  • Importance: low

SASL configuration for LDAP connection

ldap.sasl.mechanism

The SASL mechanism used for LDAP connections. The default value is DIGEST-MD5.

  • Type: string
  • Default: DIGEST-MD5
  • Importance: medium

ldap.sasl.realm

The realm used for DIGEST-MD5 authentication.

  • Type: string
  • Default: null
  • Importance: medium

ldap.sasl.qop

The quality of protection used for DIGEST-MD5 authentication. This is a comma-separated list of values that can be any of auth, auth-int, or auth-conf.

  • Type: string
  • Default: auth
  • Importance: medium

ldap.sasl.server.callback.handler.class

The fully qualified name of a SASL server callback handler class that implements the AuthenticateCallbackHandler interface.

  • Type: class
  • Default

ldap.sasl.jaas.config

JAAS login context parameters for SASL connections in the format used by JAAS configuration files. JAAS configuration file format is described in the JAAS Login Configuration File documentation. The format for the value is: loginModuleClass controlFlag (optionName=optionValue)*;.

  • Type: password
  • Default: null
  • Importance: medium

ldap.sasl.login.callback.handler.class

The fully qualified name of a SASL login callback handler class that implements the AuthenticateCallbackHandler interface.

  • Type: class
  • Default: null
  • Importance: medium

ldap.sasl.login.class

The fully qualified name of a class that implements the Login interface.

  • Type: class
  • Default: null
  • Importance: medium

ldap.sasl.kerberos.kinit.cmd

The Kerberos kinit command path.

  • Type: string
  • Default: /usr/bin/kinit
  • Importance: low

ldap.sasl.kerberos.min.time.before.relogin

The login thread sleep time between refresh attempts.

  • Type: long
  • Default: 60000
  • Importance: low

ldap.sasl.kerberos.ticket.renew.jitter

Percentage of random jitter added to the renewal time.

  • Type: double
  • Default: 0.05
  • Importance: low

ldap.sasl.kerberos.ticket.renew.window.factor

The duration that the login thread will sleep until the specified window factor of time from last refresh to ticket’s expiry has been reached, at which time it will try to renew the ticket.

  • Type: double
  • Default: 0.8
  • Importance: low