CDP 7.1.7 Kafka LDAP setup, add multiple LDAP domains

Explorer

Hi Team,

 

We enabled LDAP authentication on the Kafka cluster and added the LDAP DN template below so that it allows all the users from its domain. We are trying to allow users present in another domain as well but couldn't find any templates. Can anyone help to achieve this use-case?

 

Current setup (working): ldap.auth.user.dn.template = {0}@domain1.org.com

Required setup : ldap.auth.user.dn.template = {0}@domain1.org.com + {0}@domain2.org.com

 

We tried adding the other domain with comma & space separated but in vain.

 

CDP 7.1.7, Kafka 2.5

 

Thanks,

Uday


6 REPLIES

Master Collaborator

@Uday483 ,

 

Unfortunately the template option only works for a single domain with LDAP, I'm afraid.

One thing you can test is to set "ldap.auth.user.dn.template = {0}". With this, though, when clients authenticate they would have to specify the qualified user name rather than just the short name (e.g. alice@domain1.org.com, or bob@domain2.org.com). I haven't tested this before, so I'm not 100% sure it will work.

 

Can you use Kerberos authentication instead of LDAP? With Kerberos auth there should be no problems.

 

Cheers,

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.
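To make the single-template behaviour discussed in this reply concrete, here is a small added simulation (example code, not Cloudera's or Kafka's own implementation). It assumes the realm applies the DN template by plain substitution of {0} with the name the client presents and then checks the resulting bind name against the directory; the directory entries, user names and passwords are constructed for the demo, and the multi-template fallback at the end is a hypothetical illustration of what the thread is asking for, not a Kafka feature.

```python
"""Simulate how an LDAP user DN template turns a login name into a bind name.

Added example, not Cloudera's or Kafka's code. Assumption: the template is
applied by substituting {0} with the login name the client presents, and the
result is used as the bind identity for an LDAP simple bind. Real Active
Directory may accept other name forms on bind; that is not modelled here.
"""

# Constructed directory: bind name -> password, covering two domains.
DIRECTORY = {
    "alice@domain1.org.com": "alice-pw",
    "bob@domain2.org.com": "bob-pw",
}


def render_bind_name(template: str, login: str) -> str:
    """Substitute {0} with the login name, as a single-template realm does.

    Note the template is one string: "{0}@a + {0}@b" is not two templates,
    it yields one bogus bind name.
    """
    return template.replace("{0}", login)


def simple_bind(bind_name: str, password: str) -> bool:
    """Stand-in for the LDAP simple bind: success iff name and password match."""
    return DIRECTORY.get(bind_name) == password


def authenticate(template: str, login: str, password: str) -> bool:
    """Authenticate a client login through a single DN template."""
    return simple_bind(render_bind_name(template, login), password)


def authenticate_multi(templates, login: str, password: str) -> bool:
    """Hypothetical fallback over several templates (not a Kafka feature).

    Caveat for anyone building this: the first template that binds wins, so
    a short name that exists in both domains becomes ambiguous and the order
    of the templates decides which account the client ends up as.
    """
    return any(authenticate(t, login, password) for t in templates)


def outcomes(login: str, password: str) -> dict:
    """Summarise which of the configurations from the thread would accept a login."""
    return {
        "domain1 template": authenticate("{0}@domain1.org.com", login, password),
        "plus-concatenated": authenticate(
            "{0}@domain1.org.com + {0}@domain2.org.com", login, password
        ),
        "bare {0}": authenticate("{0}", login, password),
    }


if __name__ == "__main__":
    # Short name from domain1 works only with the domain1 template.
    print("alice:", outcomes("alice", "alice-pw"))
    # Short name from domain2 works with none of the single templates...
    print("bob:", outcomes("bob", "bob-pw"))
    # ...but the fully qualified name works with the bare {0} template.
    print("bob (qualified):", outcomes("bob@domain2.org.com", "bob-pw"))
```

The summary shows why the "+" concatenation cannot work: it produces a single bind name that matches nothing, so both domains fail rather than both succeeding. With the bare {0} template the client has to present the fully qualified name, exactly as the reply suggests.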

Explorer

Hi André,

 

Kerberos is already enabled; we have a few users who don't want to use Kerberos, which is why we are exploring LDAP.

 

Thanks,

Uday

Master Collaborator

Ok. Did you try the LDAP configuration I mentioned above?

 

Cheers

André


Explorer

Hello André,

 

I am observing the error below after updating the LDAP User DN Template to {0}. The fun part is that without mentioning any domain, the previous domain's users are still able to connect, but connectivity for new domain users fails.

 

22/09/02 08:20:02 WARN internals.AdminMetadataManager: [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
Error while executing topic command : org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
22/09/02 08:20:02 ERROR admin.TopicCommand$: java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
at kafka.admin.TopicCommand$AdminClientTopicService.getTopics(TopicCommand.scala:333)
at kafka.admin.TopicCommand$AdminClientTopicService.describeTopic(TopicCommand.scala:288)
at kafka.admin.TopicCommand$.main(TopicCommand.scala:68)
at kafka.admin.TopicCommand.main(TopicCommand.scala)

 

Thanks,

Uday

Master Collaborator

@Uday483 ,

 

The error above happens if you don't specify the domain during authentication, right?

If you do specify the domain, does it work?

 

André

 


Explorer

Hi André,

 

With or without the domain in the configuration, it's taking the default domain.

If we provide multiple domains as well, it's not authenticating the new one.

 

Thanks,

Uday
