question Re: CDP 7.1.7 Kafka LDAP setup, add multiple LDAP domains in Support Questions

CDP 7.1.7 Kafka LDAP setup, add multiple LDAP domains

Uday483 — Mon, 29 Aug 2022 11:23:29 GMT

Hi Team,

We enabled LDAP authentication on Kafka cluster and added below LDAP DN template so that it allows all the users from its domain. We are trying to allow users present in other domain as well but couldn't find any templates. Can any one help to achieve this use-case.

Current setup(working): ldap.auth.user.dn.template = {0}@domain1.org.com

Required setup : ldap.auth.user.dn.template = {0}@domain1.org.com + {0}@domain2.org.com

We tried adding the other domain with comma & space separated but in vain.

CDP 7.1.7, Kafka 2.5

Thanks,

Uday

Re: CDP 7.1.7 Kafka LDAP setup, add multiple LDAP domains

araujo — Mon, 29 Aug 2022 23:49:25 GMT

@Uday483 ,

Unfortunately the template option only works for a single domain with LDAP, I'm afraid.

One thing you can test is to set "ldap.auth.user.dn.template = {0}". With this, though, when the client authenticate they would have to specify the qualified user name rather then just the short name (e.g. alice@domain1.org.com, or bob@domain2.org.com). I haven't tested this before, so I'm not 100% sure it will work.

Can you use Kerberos authentication instead of LDAP? With Kerberos auth there should be no problems.

Cheers,

André

Re: CDP 7.1.7 Kafka LDAP setup, add multiple LDAP domains

Uday483 — Fri, 02 Sep 2022 07:50:00 GMT

Hi André,

Kerberos is already enabled, we have few users who don't want to use Kerberos which is why we are exploring LDAP.

Thanks,

Uday

Re: CDP 7.1.7 Kafka LDAP setup, add multiple LDAP domains

araujo — Fri, 02 Sep 2022 10:18:21 GMT

Ok. Did you try the ldap configuration I mentioned above?

Cheers

André

Re: CDP 7.1.7 Kafka LDAP setup, add multiple LDAP domains

Uday483 — Fri, 02 Sep 2022 12:25:53 GMT

Hello André,

I am observing below error after updating LDAP User DN Template to {0}. Fun part is without mentioning any domain, previous domain user is still able to connect but new domain user connectivity fails.

22/09/02 08:20:02 WARN internals.AdminMetadataManager: [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
Error while executing topic command : org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
22/09/02 08:20:02 ERROR admin.TopicCommand$: java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
at kafka.admin.TopicCommand$AdminClientTopicService.getTopics(TopicCommand.scala:333)
at kafka.admin.TopicCommand$AdminClientTopicService.describeTopic(TopicCommand.scala:288)
at kafka.admin.TopicCommand$.main(TopicCommand.scala:68)
at kafka.admin.TopicCommand.main(TopicCommand.scala)

Thanks,

Uday

Re: CDP 7.1.7 Kafka LDAP setup, add multiple LDAP domains

araujo — Mon, 05 Sep 2022 01:15:48 GMT

@Uday483 ,

The error above happens if you don't specify the domain during authentication, right?

If you do specify the domain, does it work?

André

Re: CDP 7.1.7 Kafka LDAP setup, add multiple LDAP domains

Uday483 — Mon, 05 Sep 2022 10:19:10 GMT

Hi André,

With or without domain in the configuration, its taking default domain.

If we provide multiple domains also its not authenticating new one.

Thanks,

Uday