Support Questions

Find answers, ask questions, and share your expertise

CDP 7.1.7 Kafka LDAP setup, add multiple LDAP domains

avatar
Explorer

Hi Team,

 

We enabled LDAP authentication on Kafka cluster and added below LDAP DN template so that it allows all the users from its domain. We are trying to allow users present in other domain as well but couldn't find any templates. Can any one help to achieve this use-case.

 

Current setup(working): ldap.auth.user.dn.template = {0}@domain1.org.com

Required setup : ldap.auth.user.dn.template = {0}@domain1.org.com + {0}@domain2.org.com

 

We tried adding the other domain with comma & space separated but in vain.

 

CDP 7.1.7, Kafka 2.5

 

Thanks,

Uday

1 ACCEPTED SOLUTION

avatar
Super Guru

@Uday483 ,

 

The error above happens if you don't specify the domain during authentication, right?

If you do specify the domain, does it work?

 

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

View solution in original post

6 REPLIES 6

avatar
Super Guru

@Uday483 ,

 

Unfortunately the template option only works for a single domain with LDAP, I'm afraid.

One thing you can test is to set "ldap.auth.user.dn.template = {0}". With this, though, when the client authenticate they would have to specify the qualified user name rather then just the short name (e.g. alice@domain1.org.com, or bob@domain2.org.com). I haven't tested this before, so I'm not 100% sure it will work.

 

Can you use Kerberos authentication instead of LDAP? With Kerberos auth there should be no problems.

 

Cheers,

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Explorer

Hi André,

 

Kerberos is already enabled, we have few users who don't want to use Kerberos which is why we are exploring LDAP.

 

Thanks,

Uday

avatar
Super Guru

Ok. Did you try the ldap configuration I mentioned above?

 

Cheers

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Explorer

Hello André,

 

I am observing below error after updating LDAP User DN Template to {0}. Fun part is without mentioning any domain, previous domain user is still able to connect but new domain user connectivity fails.

 

22/09/02 08:20:02 WARN internals.AdminMetadataManager: [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
Error while executing topic command : org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
22/09/02 08:20:02 ERROR admin.TopicCommand$: java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
at kafka.admin.TopicCommand$AdminClientTopicService.getTopics(TopicCommand.scala:333)
at kafka.admin.TopicCommand$AdminClientTopicService.describeTopic(TopicCommand.scala:288)
at kafka.admin.TopicCommand$.main(TopicCommand.scala:68)
at kafka.admin.TopicCommand.main(TopicCommand.scala)

 

Thanks,

Uday

avatar
Super Guru

@Uday483 ,

 

The error above happens if you don't specify the domain during authentication, right?

If you do specify the domain, does it work?

 

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Explorer

Hi André,

 

With or without domain in the configuration, its taking default domain. 

If we provide multiple domains also its not authenticating new one.

 

Thanks,

Uday