Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.
Solved Go to solution

CDP 7.1.7 Kafka LDAP setup, add multiple LDAP domains

Labels:
Uday483
Explorer

Created on ‎08-29-2022 04:21 AM - edited ‎08-29-2022 04:23 AM

Hi Team,

 

We enabled LDAP authentication on Kafka cluster and added below LDAP DN template so that it allows all the users from its domain. We are trying to allow users present in other domain as well but couldn't find any templates. Can any one help to achieve this use-case.

 

Current setup(working): ldap.auth.user.dn.template = {0}@domain1.org.com

Required setup : ldap.auth.user.dn.template = {0}@domain1.org.com + {0}@domain2.org.com

 

We tried adding the other domain with comma & space separated but in vain.

 

CDP 7.1.7, Kafka 2.5

 

Thanks,

Uday

1,534 Views
0 Kudos
1 ACCEPTED SOLUTION

araujo
Master Collaborator

Created ‎09-04-2022 06:15 PM

@Uday483 ,

 

The error above happens if you don't specify the domain during authentication, right?

If you do specify the domain, does it work?

 

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

View solution in original post

1,423 Views
0 Kudos
6 REPLIES 6

araujo
Master Collaborator

Created ‎08-29-2022 04:49 PM

@Uday483 ,

 

Unfortunately the template option only works for a single domain with LDAP, I'm afraid.

One thing you can test is to set "ldap.auth.user.dn.template = {0}". With this, though, when the client authenticate they would have to specify the qualified user name rather then just the short name (e.g. alice@domain1.org.com, or bob@domain2.org.com). I haven't tested this before, so I'm not 100% sure it will work.

 

Can you use Kerberos authentication instead of LDAP? With Kerberos auth there should be no problems.

 

Cheers,

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.
1,511 Views
0 Kudos

Uday483
Explorer

Created ‎09-02-2022 12:50 AM

Hi André,

 

Kerberos is already enabled, we have few users who don't want to use Kerberos which is why we are exploring LDAP.

 

Thanks,

Uday

1,481 Views
0 Kudos

araujo
Master Collaborator

Created ‎09-02-2022 03:18 AM

Ok. Did you try the ldap configuration I mentioned above?

 

Cheers

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.
1,466 Views
0 Kudos

Uday483
Explorer

Created on ‎09-02-2022 05:25 AM - edited ‎09-02-2022 05:25 AM

Hello André,

 

I am observing below error after updating LDAP User DN Template to {0}. Fun part is without mentioning any domain, previous domain user is still able to connect but new domain user connectivity fails.

 

22/09/02 08:20:02 WARN internals.AdminMetadataManager: [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
Error while executing topic command : org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
22/09/02 08:20:02 ERROR admin.TopicCommand$: java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
at kafka.admin.TopicCommand$AdminClientTopicService.getTopics(TopicCommand.scala:333)
at kafka.admin.TopicCommand$AdminClientTopicService.describeTopic(TopicCommand.scala:288)
at kafka.admin.TopicCommand$.main(TopicCommand.scala:68)
at kafka.admin.TopicCommand.main(TopicCommand.scala)

 

Thanks,

Uday

1,449 Views
0 Kudos

araujo
Master Collaborator

Created ‎09-04-2022 06:15 PM

@Uday483 ,

 

The error above happens if you don't specify the domain during authentication, right?

If you do specify the domain, does it work?

 

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.
1,424 Views
0 Kudos

Uday483
Explorer

Created ‎09-05-2022 03:19 AM

Hi André,

 

With or without domain in the configuration, its taking default domain. 

If we provide multiple domains also its not authenticating new one.

 

Thanks,

Uday

1,407 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
What's New @ Cloudera
Cloudera Operational Database (COD) UI supports creating a smaller cluster using a predefined Data Lake template
What's New @ Cloudera
Cloudera Operational Database (COD) supports scaling up the clusters vertically
Product Announcements
CDP Public Cloud: April 2023 Release Summary
What's New @ Cloudera
Cloudera Machine Learning launches "Add Data" feature to simplify data ingestion
What's New @ Cloudera
Simplify Data Access with Custom Connection Support in CML
View More Announcements