CDP 7.1.7 Kafka LDAP setup, add multiple LDAP domains
Labels: Apache Kafka
Created on ‎08-29-2022 04:21 AM - edited ‎08-29-2022 04:23 AM
Hi Team,
We enabled LDAP authentication on the Kafka cluster and added the below LDAP DN template so that it allows all the users from its domain. We are trying to allow users present in the other domain as well but couldn't find any templates. Can anyone help to achieve this use case?
Current setup (working): ldap.auth.user.dn.template = {0}@domain1.org.com
Required setup: ldap.auth.user.dn.template = {0}@domain1.org.com + {0}@domain2.org.com
We tried adding the other domain with comma and space separators, but in vain.
CDP 7.1.7, Kafka 2.5
Thanks,
Uday
Created ‎08-29-2022 04:49 PM
@Uday483 ,
Unfortunately the template option only works for a single domain with LDAP, I'm afraid.
One thing you can test is to set "ldap.auth.user.dn.template = {0}". With this, though, when the clients authenticate they would have to specify the qualified user name rather than just the short name (e.g. alice@domain1.org.com, or bob@domain2.org.com). I haven't tested this before, so I'm not 100% sure it will work.
Can you use Kerberos authentication instead of LDAP? With Kerberos auth there should be no problems.
Cheers,
André
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.
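Added example, not part of the original thread: what the `{0}` test suggested in the reply above looks like on the broker and on two clients, one per domain. It assumes a SASL_SSL listener using the PLAIN mechanism; the file names, password values and truststore path are placeholders.

```properties
# --- Broker side (value suggested in the reply above) ---
# Intended effect: the template expands to exactly the name the client sends,
# so the client must supply the fully qualified user name.
ldap.auth.user.dn.template={0}

# --- client-domain1.properties (constructed example) ---
# PLAIN sends the password to the broker unprotected by SASL itself,
# so the listener is assumed to be TLS-protected (SASL_SSL).
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
ssl.truststore.location=/path/to/truststore.jks
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="alice@domain1.org.com" \
  password="<alice-password>";

# --- client-domain2.properties (constructed example) ---
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
ssl.truststore.location=/path/to/truststore.jks
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="bob@domain2.org.com" \
  password="<bob-password>";
```

Each file is passed to the command-line tools with `--command-config`, which makes it easy to confirm per domain whether the qualified name is what actually reaches the LDAP bind.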
Created ‎09-02-2022 12:50 AM
Hi André,
Kerberos is already enabled; we have a few users who don't want to use Kerberos, which is why we are exploring LDAP.
Thanks,
Uday
Created ‎09-02-2022 03:18 AM
OK. Did you try the LDAP configuration I mentioned above?
Cheers
André
Created on ‎09-02-2022 05:25 AM - edited ‎09-02-2022 05:25 AM
Hello André,
I am observing the below error after updating the LDAP User DN Template to {0}. The fun part is that, without mentioning any domain, the previous domain user is still able to connect, but the new domain user's connectivity fails.
22/09/02 08:20:02 WARN internals.AdminMetadataManager: [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
Error while executing topic command : org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
22/09/02 08:20:02 ERROR admin.TopicCommand$: java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
    at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
    at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
    at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
    at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
    at kafka.admin.TopicCommand$AdminClientTopicService.getTopics(TopicCommand.scala:333)
    at kafka.admin.TopicCommand$AdminClientTopicService.describeTopic(TopicCommand.scala:288)
    at kafka.admin.TopicCommand$.main(TopicCommand.scala:68)
    at kafka.admin.TopicCommand.main(TopicCommand.scala)
Thanks,
Uday
Created ‎09-04-2022 06:15 PM
@Uday483 ,
The error above happens if you don't specify the domain during authentication, right?
If you do specify the domain, does it work?
André
Created ‎09-05-2022 03:19 AM
Hi André,
With or without the domain in the configuration, it's taking the default domain.
If we provide multiple domains also, it's not authenticating the new one.
Thanks,
Uday
