The following sections describe how to configure a primary Kafka cluster to host the MDS:
Configure the LDAP identity provider
The basic LDAP configuration for MDS is described below. This configuration shows the LDAP context used to identify LDAP users and groups to the MDS. Be aware that nested LDAP groups are not supported.
Be prepared to provide the following information, which you will need to specify in your LDAP configuration:
- The host (LDAP server URL, for example, LDAPSERVER.EXAMPLE.COM), port (for example, 389), and any other security mechanisms (such as SSL)
- The full DN (distinguished name) of LDAP users
- If you have a complex LDAP directory tree, consider providing search filters so that MDS can narrow down LDAP search results
Note
After configuring LDAP, but before configuring MDS, it is recommended that you connect to and query your LDAP server to verify your LDAP connection information. Use an LDAP tool to do this (for example, JXplorer).
Note
If you enable LDAP authentication for Kafka clients by adding the LDAP callback handler (not shown in this configuration):
- Specify ldap.user.password.attribute only if your LDAP server does not support simple bind.
- If you define this property and use the handler (io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler), LDAP performs the user search and returns the password to Kafka, and Kafka performs the password check.
- The LDAP server returns the user's hashed password, so Kafka cannot authenticate the user unless the user's properties file also uses the hashed password.
Add the following configuration for your identity provider (LDAP) to your Kafka properties file (/etc/kafka/server.properties). Any content in angle brackets (<>) must be customized for your environment.
############################# Identity Provider Settings (LDAP) #############################
# Search groups for group-based authorization.
ldap.group.name.attribute=<sAMAccountName>
ldap.group.object.class=group
ldap.group.member.attribute=member
ldap.group.member.attribute.pattern=CN=(.*),DC=rbac,DC=confluent,DC=io
ldap.group.search.base=CN=Users,DC=rbac,DC=confluent,DC=io
# Limit the scope of group searches to the subtrees off the base (2 = subtree).
ldap.group.search.scope=2
# Enable filters to limit the search to only those groups needed.
ldap.group.search.filter=(|(CN=<specific group>)(CN=<specific group>))
# Kafka authenticates to the directory service with the bind user.
ldap.java.naming.provider.url=ldap://<hostname>:389
ldap.java.naming.security.authentication=simple
ldap.java.naming.security.credentials=<password>
ldap.java.naming.security.principal=<mds-user-DN>
# Locate users. Make sure that these attributes and object classes match what is in your directory service.
ldap.user.name.attribute=<sAMAccountName>
ldap.user.object.class=user
ldap.user.search.base=<user-search-base-DN>
The following sections provide details about the baseline LDAP configuration
options for user and group-based authorization. For more details about LDAP configuration,
see Configure LDAP Group-Based Authorization for MDS, Configure LDAP Authentication, and Configuring the LDAP Authorizer.
ldap.group.name.attribute
Contains the name of the group in a group entry obtained using an LDAP search. You can specify a regex pattern to extract the group name used in ACLs from this attribute by configuring ldap.group.name.attribute.pattern. The <sAMAccountName> value is specific to Microsoft Active Directory and is the login name used to support clients and servers running various versions of Windows OS. Modify the value if your LDAP configuration differs. The default for this configuration option is cn (common name).
ldap.group.object.class
Specifies the LDAP object class that identifies group entries in the directory service. Specify group to search groups for group-based authorization. Note that group has many applications, but is essentially a list of zero or more digital identities.
ldap.group.member.attribute
The name of the attribute that contains the members of the group in a group entry obtained using an LDAP search. The default is member. You can specify a regular expression (regex) pattern to extract the user principals from this attribute by configuring ldap.group.member.attribute.pattern.
ldap.group.member.attribute.pattern
A Java regular expression pattern that extracts the user principals of group members from the group member entries obtained from the LDAP attribute specified using ldap.group.member.attribute. By default, the full value of the attribute is used.
ldap.group.search.base
This attribute tells LDAP to limit the search base for group-based searches to the values specified. The default is ou=groups.
ldap.group.search.scope
The LDAP search scope for group-based search. The value 2 opens the search to include all the subtrees off the specified base, which is often too vast a space to search and can result in timeouts. When you specify 2, you should also specify ldap.group.search.filter. The default value is 1.
ldap.group.search.filter
The LDAP search filter for group-based search. Enables filters to limit the search to only those groups needed. It is recommended that you list all the groups that will be used for searching. This is typically required because the LDAP trees in large organizations tend to be so large that trying to search them in full results in timeouts. For instance, after you set a scope of 2 in ldap.group.search.scope to search all subtrees, you need to narrow the groups that are included in the search. You can include any number of groups in this search filter.
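The two group settings that most often go wrong in practice are the member pattern and the search filter. The following Python script is an added example (not Confluent code) that dry-runs both offline: it applies the page's ldap.group.member.attribute.pattern to constructed member DNs with full-match semantics (assumed to mirror Java's Matcher.matches()), shows how the greedy CN=(.*) form captures an intermediate OU into the principal, and builds an ldap.group.search.filter value with RFC 4515 escaping so a group name cannot alter the filter. STRICT_MEMBER_PATTERN and the sample DNs are assumptions, not values from the page.

```python
import re

# Pattern exactly as shown in the page's sample configuration.
PAGE_MEMBER_PATTERN = r"CN=(.*),DC=rbac,DC=confluent,DC=io"
# Tighter alternative (assumption, not from the page): the CN must be a single RDN,
# and any intermediate OU components are skipped rather than captured.
STRICT_MEMBER_PATTERN = r"CN=([^,]+),(?:.*,)?DC=rbac,DC=confluent,DC=io"

# Constructed sample member-attribute values; not taken from a real directory.
SAMPLE_GROUP_MEMBERS = [
    "CN=alice,DC=rbac,DC=confluent,DC=io",
    "CN=bob,OU=Engineering,DC=rbac,DC=confluent,DC=io",  # member under a sub-OU
    "CN=carol,DC=other,DC=example,DC=com",              # outside the expected base
]


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a group
    name containing '(' ')' '*' or a backslash cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_group_search_filter(group_names):
    """Build an ldap.group.search.filter value of the page's form:
    (|(CN=group1)(CN=group2)...), one clause per group MDS should load."""
    return "(|%s)" % "".join("(CN=%s)" % ldap_filter_escape(g) for g in group_names)


def extract_member_principals(member_values, pattern):
    """Apply a member-attribute pattern to each value of the group's member attribute.
    Assumes full-match semantics (like Java's Matcher.matches()): capture group 1 is
    the principal; values that do not match are skipped and reported separately."""
    regex = re.compile(pattern)
    principals, skipped = [], []
    for value in member_values:
        match = regex.fullmatch(value)
        if match:
            principals.append(match.group(1))
        else:
            skipped.append(value)
    return principals, skipped


if __name__ == "__main__":
    print(build_group_search_filter(["kafka-admins", "data (prod)"]))
    for pattern in (PAGE_MEMBER_PATTERN, STRICT_MEMBER_PATTERN):
        print(pattern, extract_member_principals(SAMPLE_GROUP_MEMBERS, pattern))
```

With the page's pattern, bob's principal comes out as "bob,OU=Engineering", which no ACL or role binding will match; the stricter pattern yields "bob" and still drops carol, whose DN lies outside the configured base.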
The following sections provide details about the baseline LDAP configuration
options that Kafka uses to authenticate to the directory service with the bind user.
ldap.java.naming.provider.url
This option defines the URL to use for connections to the LDAP server. The default hostname is localhost; the default port is 389. You must specify this option for the MDS configuration.
ldap.java.naming.security.authentication
If password authentication is enabled on your LDAP server, you can configure the user principal and password so that brokers can authenticate with the LDAP server using simple authentication. If you do not want to authenticate with the LDAP server, specify none. The recommended value to get your MDS configuration up and running is simple, which is a plaintext authentication protocol and provides no protection for the bind credentials. For production instances, you should specify a more secure SASL method supported by your LDAP server (such as SASL_GSSAPI).
ldap.java.naming.security.credentials
Specifies the security credentials (password) of the principal performing the LDAP
search.
ldap.java.naming.security.principal
Specifies the security principal, which is the distinguished name of the LDAP
user performing the LDAP search. In this configuration, specify the
MDS user using the DN (LDAP distinguished name, which is a sequence of relative
distinguished names (RDN) connected by commas).
The following sections provide details for the options used to locate users.
Make sure that these attributes and object classes match what is in your directory
service.
ldap.user.name.attribute
This attribute identifies the user principal in a user entry obtained using an LDAP search. You can specify a regex pattern to extract the user principal from this attribute by configuring ldap.user.name.attribute.pattern. The <sAMAccountName> value is specific to Active Directory and is the login name used to support clients and servers running various versions of Windows OS. Modify this configuration if your LDAP configuration differs. The default for this option is cn (common name).
ldap.user.object.class
Specifies the LDAP object class value that defines users in the directory service. Specify user to search for user-based authorization.
ldap.user.search.base
Use to specify the LDAP search base for a user-based search. The default value is ou=users.