I have deployed an LDAP server and integrated it with Kafka using RBAC. When I try to log in to Control Center with the predefined users like Kafka, SR, C3, etc. defined under "dc=ldap,dc=example,dc=com", those are able to log in, but with custom users defined under "ou=users,dc=ldap,dc=example,dc=com" I get an authentication error (invalid username and password).
Here is the deployment used to deploy Kafka:
apiVersion: platform.confluent.io/v1beta1
kind: Kafka
metadata:
  name: kafka
  namespace: confluent
spec:
  replicas: 3
  image:
    application: confluentinc/cp-server:7.4.0
    init: confluentinc/confluent-init-container:2.6.0
  dataVolumeCapacity: 10Gi
  tls:
    secretRef: tls-group1
  listeners:
    internal:
      authentication:
        type: ldap
        jaasConfig:
          secretRef: credential
      tls:
        enabled: true
    external:
      externalAccess:
        type: nodePort
        nodePort:
          host: kafka.example.com
          nodePortOffset: 30000
      authentication:
        type: ldap
        jaasConfig:
          secretRef: credential
      tls:
        enabled: true
  authorization:
    type: rbac
    superUsers:
    - User:kafka
  services:
    kafkaRest:
      externalAccess:
        type: nodePort
        nodePort:
          host: kafka.example.com
          nodePortOffset: 30100
    mds:
      tls:
        enabled: true
      tokenKeyPair:
        secretRef: mds-token
      externalAccess:
        type: nodePort
        nodePort:
          externalTrafficPolicy: Cluster
          host: kafka.example.com
          nodePortOffset: 30200
      provider:
        type: ldap
        ldap:
          address: ldap://ldap.confluent.svc.cluster.local:389
          authentication:
            type: simple
            simple:
              secretRef: credential
          configurations:
            groupNameAttribute: cn
            groupObjectClass: group
            groupMemberAttribute: member
            groupMemberAttributePattern: CN=(.*),DC=ldap,DC=example,DC=com
            groupSearchBase: dc=ldap,dc=example,dc=com
            userNameAttribute: cn
            userMemberOfAttributePattern: CN=(.*),DC=ldap,DC=example,DC=com
            userObjectClass: organizationalRole
            userSearchBase: dc=ldap,dc=example,dc=com
  dependencies:
    kafkaRest:
      authentication:
        type: bearer
        bearer:
          secretRef: mds-client
    zookeeper:
      endpoint: zookeeper.confluent.svc.cluster.local:2182
      authentication:
        type: digest
        jaasConfig:
          secretRef: credential
      tls:
        enabled: true
As per the above configuration, only objects/users defined with the "organizationalRole" object class under "dc=ldap,dc=example,dc=com" are able to authenticate on Control Center. I have custom users under "ou=users,dc=ldap,dc=example,dc=com" with object class "inetOrgPerson". I want to change the configuration so that these custom users can also authenticate on Control Center.
I have tried to change the LDAP configuration in the Kafka deployment file to userSearchBase: ou=users,dc=ldap,dc=example,dc=com and userObjectClass: inetOrgPerson, but with that configuration the Kafka pod didn't come up and showed an authentication failed error.
As I understand it, Kafka and MDS both use the same LDAP configuration to authenticate. I tried to keep them separate by providing the configuration below in the Kafka deployment.
identityProvider:
  type: ldap
  ldap:
    address: ldap://ldap.confluent.svc.cluster.local:389
    authentication:
      type: simple
      simple:
        secretRef: credential
    tls:
      enabled: true
    configurations:
      groupNameAttribute: cn
      groupObjectClass: group
      groupMemberAttribute: member
      groupMemberAttributePattern: CN=(.*),DC=ldap,DC=hcloneclick,DC=com
      groupSearchBase: dc=ldap,dc=hcloneclick,dc=com
      userNameAttribute: cn
      userMemberOfAttributePattern: CN=(.*),DC=ldap,DC=hcloneclick,DC=com
      userObjectClass: organizationalRole
      userSearchBase: dc=ldap,dc=hcloneclick,dc=com
But this configuration is ignored because RBAC is enabled. For Kafka authentication, the MDS LDAP configuration is automatically used because of RBAC.
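Added example, not part of the question and not Confluent's code: a stand-alone Python check of how the regex patterns in the posted `configurations` block behave against DNs shaped like the two kinds of users the question describes (predefined users directly under `dc=ldap,dc=example,dc=com`, custom users one OU deeper under `ou=users`). It only exercises regex and DN-suffix semantics; it does not claim to reproduce how MDS searches or matches. The sample DNs and the stricter `STRICT_USER_PATTERN` are constructed for illustration, and whether MDS matches case-insensitively or searches subtree scope is unknown from the post, so both are labelled as assumptions in the code.

```python
import re

# Regex patterns copied verbatim from the posted Kafka CR
# (spec.services.mds.provider.ldap.configurations). Both are identical in the post.
USER_MEMBER_OF_PATTERN = r"CN=(.*),DC=ldap,DC=example,DC=com"
GROUP_MEMBER_PATTERN = r"CN=(.*),DC=ldap,DC=example,DC=com"

# A tighter alternative for users under ou=users: the capture group excludes
# commas, so it can never swallow an intermediate RDN such as "OU=users".
# Illustration only; not taken from the post or from Confluent documentation.
STRICT_USER_PATTERN = r"CN=([^,]+),OU=users,DC=ldap,DC=example,DC=com"


def extract_name(pattern, dn, ignore_case=False):
    """Apply a *MemberOfAttributePattern-style regex to a full DN string.

    Returns the first capture group when the whole DN matches, else None.
    ignore_case=False is plain regex semantics; whether MDS compares DNs
    case-insensitively is NOT known from the post, so both modes are offered.
    """
    flags = re.IGNORECASE if ignore_case else 0
    m = re.fullmatch(pattern, dn, flags)
    return m.group(1) if m else None


def dn_in_base(dn, base):
    """True if dn is the search base itself or lies somewhere beneath it.

    Models a subtree search (base plus all descendants) with case-insensitive
    DN comparison. That MDS uses subtree scope is an assumption, not a fact
    stated in the post.
    """
    dn_l, base_l = dn.lower(), base.lower()
    return dn_l == base_l or dn_l.endswith("," + base_l)


def classify(dn, pattern=USER_MEMBER_OF_PATTERN, base="dc=ldap,dc=example,dc=com"):
    """Summarise how one DN fares against a search base and a name pattern."""
    return {
        "dn": dn,
        "in_search_base": dn_in_base(dn, base),
        "name_case_sensitive": extract_name(pattern, dn),
        "name_case_insensitive": extract_name(pattern, dn, ignore_case=True),
    }


# Constructed sample DNs shaped like the two kinds of entries described in the post.
SAMPLE_DNS = [
    "CN=kafka,DC=ldap,DC=example,DC=com",           # predefined user, directly under the base
    "CN=alice,OU=users,DC=ldap,DC=example,DC=com",  # custom user, one OU deeper
    "cn=bob,ou=users,dc=ldap,dc=example,dc=com",    # same shape, lower-case attribute types
]

if __name__ == "__main__":
    for sample in SAMPLE_DNS:
        print(classify(sample))
    # The greedy pattern yields "alice,OU=users"; the strict one yields "alice".
    print(extract_name(USER_MEMBER_OF_PATTERN, SAMPLE_DNS[1]))
    print(extract_name(STRICT_USER_PATTERN, SAMPLE_DNS[1]))
```

The point for an RBAC deployment is that a pattern with a greedy `(.*)` capture still matches a DN under `ou=users`, but the name it extracts is `alice,OU=users` rather than `alice`, and a pattern written in upper case does not match a lower-case DN unless the matcher ignores case. Either mismatch means the identity MDS derives from the directory is not the one the role bindings were written for, which surfaces as an authentication or authorization failure rather than as a config error.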