Configure LDAP Authentication
You can configure all REST services in Confluent Platform to authenticate
against LDAP using the centralized authentication service provided by the Metadata
Service (MDS). MDS performs basic username/password authentication for REST services
by authenticating against the LDAP server configured on the brokers in the MDS cluster.
You must configure, on all brokers in the MDS cluster, the LDAP credentials that MDS
uses to authenticate on behalf of the login user. Because these brokers can sit
behind a firewall, this architecture removes the need for LDAP access from
user-facing components outside the firewall: only the MDS brokers need a network
path to the directory.
Many of the LDAP authentication configuration options in MDS are the same as
those used by the LDAP Authorizer; however, when used in the context of MDS,
you must use the prefix ldap. rather than ldap.authorizer. for these attributes.
The following configuration attributes (described in detail in
Configuring the LDAP Authorizer) are also used for authentication:
ldap.user.search.base
ldap.user.object.class
ldap.user.search.filter
ldap.user.search.scope
ldap.user.name.attribute
ldap.user.name.attribute.pattern
LDAP search filters do not use regular expressions. They support substring
searches, in which * stands for any sequence of characters (RFC 4515 substring
assertions, not shell-style wildcards and not regular expressions), and the
filter is evaluated by the LDAP server, not by Confluent Platform. Examples of
valid substring LDAP search filters are (uid=abc*) and (mail=john@*.com).
When specifying memberOf and distinguishedName, you must specify the full
DN (distinguished name) of the objects. For details about how to specify
the full DN in LDAP search filters when using Active Directory, refer
to Active Directory: LDAP Syntax Filters.
You can also use the LDAP attributes that configure authorization to create the
LDAP context for authentication.
Be aware that nested LDAP groups are not supported: a user is only matched to
groups that list the user directly.
Important
The user ID specified in group role bindings is case-sensitive and must match
the case in the AD record. Likewise, when logging in as a super user, the login
ID is case-sensitive and must match the case of the user ID in the role bindings.
For more details, see Configuring the LDAP Authorizer.
This configuration includes standard Java naming service provider options as
well as JNDI options prefixed with ldap. (see LDAP Naming Service Provider for the
Java Naming and Directory Interface (JNDI)).
LDAP Authentication Using Simple Bind
The recommended authentication method for LDAP performs a simple bind
using the password provided by the user. It requires the following:
- LDAP credentials, configured on the brokers in the MDS cluster, for performing
the LDAP search that acquires the DN of the login user. For brokers using LDAP
group-based authorization, the same credentials used by the Authorizer can also
be used during authentication. This credential must be able to read the entries
of all users connecting to Confluent services.
- LDAP simple bind, using the login user's DN and password, enabled for all users
connecting to Confluent services.
MDS binds with its own LDAP credential and performs a search to acquire the
user's DN. After the DN is known, the broker performs a simple LDAP bind using that
DN and the login password. Authentication succeeds if and only if the bind succeeds,
so the user's password is never compared by MDS itself; the LDAP server checks it.
If LDAP credentials are not configured for the brokers in the MDS cluster,
an anonymous search is used to determine the user's DN. This option may be
useful during development and testing, but it is not secure for production use,
because it relies on the directory exposing user entries to unauthenticated
clients. Therefore, you must disable anonymous search on the LDAP server and
configure LDAP credentials on the brokers when connecting to production LDAP servers.
LDAP Authentication Using Password Search
If simple bind using username/password is disabled on your LDAP server for users
of Confluent Platform, you can configure password search instead by setting
ldap.user.password.attribute (required for this mode). The brokers in the MDS
cluster must then be configured with credentials that are permitted to read the
password attribute (typically a hashed value) of the LDAP users who log in.
ldap.user.password.attribute
The name of the attribute in a user entry that holds the user's password, which
MDS retrieves using an LDAP search for simple username/password authentication.
By default, authentication is performed using a simple bind with the provided
credentials. Set this attribute only in deployments where simple binding is
disabled for some users.
- Type: string
- Default: “”
- Importance: low
The MDS broker uses its LDAP credentials to perform an LDAP search that retrieves
the stored password of the login user. If the stored password is hashed, the same
hashing is applied to the password supplied at login, and the two values are
compared; if they match, authentication succeeds. The password encryption
methods supported out of the box are MD5 and CRYPT. Note that this mode requires
the MDS credential to read every login user's password attribute, and that MD5
and traditional CRYPT are weak hashes, so prefer simple bind wherever the LDAP
server permits it.
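The following is an added example, not Confluent code, showing both flows described above (simple bind and password search) against an in-memory stand-in for an LDAP server. The directory entries, the service-account credential and the policy that refuses simple bind for one user are all constructed sample data. The ldap.user.* keys are the ones this page lists; the ldap.java.naming.security.principal and ldap.java.naming.security.credentials keys used for the MDS credential are an assumption that follows the page's ldap. prefix rule for JNDI options.

```python
"""Added example: MDS-style search-then-bind and password-search authentication
against an in-memory stand-in for an LDAP server. Not Confluent code."""
import base64
import hashlib
import hmac


def md5_scheme(password):
    """Encode a password in RFC 2307 {MD5} form: base64 of the raw MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


# Constructed sample directory: DN -> attributes. The MDS service account lives
# outside the user search base, so it can never log in as a Confluent user.
DIRECTORY = {
    "cn=mds-svc,ou=services,dc=example,dc=com": {
        "objectClass": ["simpleSecurityObject"], "cn": ["mds-svc"],
        "userPassword": ["svc-secret"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["alice"],
        "userPassword": [md5_scheme("alice-pw")]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["bob"],
        "userPassword": [md5_scheme("bob-pw")]},
}
# Constructed server policy: simple bind is refused for bob, the situation in
# which the page says to fall back to password search.
BIND_DISABLED = {"uid=bob,ou=people,dc=example,dc=com"}

# Assumed MDS settings: the ldap.user.* keys are from the page; the
# ldap.java.naming.* credential keys are an assumption of this example.
CONFIG = {
    "ldap.java.naming.security.principal": "cn=mds-svc,ou=services,dc=example,dc=com",
    "ldap.java.naming.security.credentials": "svc-secret",
    "ldap.user.search.base": "ou=people,dc=example,dc=com",
    "ldap.user.object.class": "person",
    "ldap.user.name.attribute": "uid",
    "ldap.user.password.attribute": "userPassword",
}


def verify_rfc2307(stored, supplied):
    """Compare a login password with a userPassword value using the stored value's scheme."""
    if stored.startswith("{MD5}"):
        expected = stored[len("{MD5}"):]
        actual = base64.b64encode(hashlib.md5(supplied.encode()).digest()).decode()
    elif stored.startswith("{CRYPT}"):
        import crypt  # stdlib on Python <= 3.12; the stored value carries the salt
        expected = stored[len("{CRYPT}"):]
        actual = crypt.crypt(supplied, expected)
    elif stored.startswith("{"):
        raise ValueError("unsupported password scheme: " + stored.split("}")[0] + "}")
    else:
        expected, actual = stored, supplied  # cleartext userPassword
    # Constant-time comparison so a mismatch leaks nothing about a shared prefix.
    return hmac.compare_digest(expected.encode(), actual.encode())


def ldap_bind(dn, password):
    """Simple bind: the server checks the password against the entry's own userPassword."""
    entry = DIRECTORY.get(dn)
    if entry is None or dn in BIND_DISABLED:
        return False
    return verify_rfc2307(entry["userPassword"][0], password)


def ldap_search(session, config, username, anonymous_allowed=False):
    """Return (dn, entry) for the user whose name attribute equals username, or None.
    session is the bound DN, or None for an anonymous search, which the server
    accepts only when anonymous_allowed (a server-side setting modelled here)."""
    if session is None and not anonymous_allowed:
        return None
    for dn, entry in DIRECTORY.items():
        if (dn.endswith(config["ldap.user.search.base"])
                and config["ldap.user.object.class"] in entry["objectClass"]
                and username in entry.get(config["ldap.user.name.attribute"], [])):
            return dn, entry
    return None


def service_session(config):
    """Bind with the MDS credential if configured; otherwise return an anonymous session."""
    principal = config.get("ldap.java.naming.security.principal")
    if principal is None:
        return None
    if not ldap_bind(principal, config["ldap.java.naming.security.credentials"]):
        raise RuntimeError("MDS LDAP credential was rejected; cannot look up users")
    return principal


def authenticate_simple_bind(config, username, password, anonymous_allowed=False):
    """Recommended mode: search for the user's DN, then bind as that DN."""
    found = ldap_search(service_session(config), config, username, anonymous_allowed)
    if found is None:
        return False
    dn, _ = found
    return ldap_bind(dn, password)


def authenticate_password_search(config, username, password):
    """Fallback mode: read the password attribute and compare it locally."""
    session = service_session(config)
    if session is None:
        raise RuntimeError("password search needs a credential that can read the password attribute")
    found = ldap_search(session, config, username)
    if found is None:
        return False
    _, entry = found
    stored = entry.get(config["ldap.user.password.attribute"])
    return bool(stored) and verify_rfc2307(stored[0], password)
```

Two points the page makes are visible in the results: the service account cannot log in as a user because it lies outside ldap.user.search.base, and bob, for whom the server refuses simple bind, authenticates only through password search, which in turn works only when MDS has a credential (an anonymous session cannot read the password attribute, so the function refuses rather than silently failing open).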