LDAP custom users not able to authenticate on control center #247

Open
rohithsinghhcl opened this issue Jun 7, 2023 · 1 comment

@rohithsinghhcl

rohithsinghhcl commented Jun 7, 2023

Hi all!!

I have deployed an LDAP server and integrated it with Kafka using RBAC. When I try to log in on control center with predefined users like Kafka, SR, C3 etc. defined under "dc=ldap,dc=example,dc=com", those are able to log in, but custom users defined under "ou=users,dc=ldap,dc=example,dc=com" get an authentication error (invalid username and password).

Here is the deployment used to deploy Kafka:

apiVersion: platform.confluent.io/v1beta1
kind: Kafka
metadata:
  name: kafka
  namespace: confluent
spec:
  replicas: 3
  image:
    application: confluentinc/cp-server:7.4.0
    init: confluentinc/confluent-init-container:2.6.0
  dataVolumeCapacity: 10Gi
  tls:
    secretRef: tls-group1
  listeners:
    internal:
      authentication:
        type: ldap
        jaasConfig:
          secretRef: credential
      tls:
        enabled: true
    external:
      externalAccess:
        type: nodePort
        nodePort:
          host: kafka.example.com
          nodePortOffset: 30000
      authentication:
        type: ldap
        jaasConfig:
          secretRef: credential
      tls:
        enabled: true
  authorization:
    type: rbac
    superUsers:
    - User:kafka
  services:
    kafkaRest:
      externalAccess:
        type: nodePort
        nodePort:
          host: kafka.example.com
          nodePortOffset: 30100
    mds:
      tls:
        enabled: true
      tokenKeyPair:
        secretRef: mds-token
      externalAccess:
        type: nodePort
        nodePort:
          externalTrafficPolicy: Cluster
          host: kafka.example.com
          nodePortOffset: 30200
      provider:
        type: ldap
        ldap:
          address: ldap://ldap.confluent.svc.cluster.local:389
          authentication:
            type: simple
            simple:
              secretRef: credential
          configurations:
            groupNameAttribute: cn
            groupObjectClass: group
            groupMemberAttribute: member
            groupMemberAttributePattern: CN=(.*),DC=ldap,DC=example,DC=com
            groupSearchBase: dc=ldap,dc=example,dc=com
            userNameAttribute: cn
            userMemberOfAttributePattern: CN=(.*),DC=ldap,DC=example,DC=com
            userObjectClass: organizationalRole
            userSearchBase: dc=ldap,dc=example,dc=com
  dependencies:
    kafkaRest:
      authentication:
        type: bearer
        bearer:
          secretRef: mds-client
    zookeeper:
      endpoint: zookeeper.confluent.svc.cluster.local:2182
      authentication:
        type: digest
        jaasConfig:
          secretRef: credential
      tls:
        enabled: true

As per the above configuration, only objects/users defined with the "organizationalRole" object class at "dc=ldap,dc=example,dc=com" are able to authenticate on control center. I have custom users at "ou=users,dc=ldap,dc=example,dc=com" with object class "inetOrgPerson". I want to change the configuration so that these custom users can also authenticate on control center.

I have tried to change the LDAP configuration in the Kafka deployment file to userSearchBase: ou=users,dc=ldap,dc=example,dc=com & userObjectClass: inetOrgPerson, but with this configuration the Kafka pod didn't come up and showed an authentication failed error.

As far as I can tell, Kafka & MDS both use the same LDAP configuration to authenticate. I tried to keep them separate by providing the configuration below to the Kafka deployment.

identityProvider:
    type: ldap
    ldap:
      address: ldap://ldap.confluent.svc.cluster.local:389
      authentication:
        type: simple
        simple:
          secretRef: credential
      tls:
        enabled: true
      configurations:
        groupNameAttribute: cn
        groupObjectClass: group
        groupMemberAttribute: member
        groupMemberAttributePattern: CN=(.*),DC=ldap,DC=hcloneclick,DC=com
        groupSearchBase: dc=ldap,dc=hcloneclick,dc=com
        userNameAttribute: cn
        userMemberOfAttributePattern: CN=(.*),DC=ldap,DC=hcloneclick,DC=com
        userObjectClass: organizationalRole
        userSearchBase: dc=ldap,dc=hcloneclick,dc=com

but this configuration is ignored because RBAC is enabled. For Kafka authentication, the MDS LDAP configuration is automatically used because of RBAC.

@pkleindl

pkleindl commented Oct 9, 2024

I am not sure if you can use multiple values for "ldap.user.object.class"; my guess would be you have to use something they have in common.
You could limit to both values in an "ldap.user.search.filter".

Another thing worth trying is:
ldap.user.search.scope=2

The LDAP search scope for a user-based search. Valid values are 0 (OBJECT), 1 (ONELEVEL), and 2 (SUBTREE).
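The following is an added example, not code from this issue or from Confluent. It is a simplified, offline model of the user lookup that an `ldap.user.search.base` / `ldap.user.object.class` / `ldap.user.search.scope` configuration performs, run against a constructed directory that mirrors the layout described in the issue (predefined `organizationalRole` users directly under the base DN, custom `inetOrgPerson` users under `ou=users`). It shows why the original search misses the custom users, why pointing the search base at `ou=users` loses the `kafka` user the broker itself authenticates with, and what SUBTREE scope combined with a filter covering both object classes (the two suggestions in the comment above) finds. Real MDS semantics may differ in details; the directory contents, the `find_user` helper and the scenario names are assumptions made for this illustration.

```python
"""Model of an LDAP user search: base DN, scope and objectClass filter.

Added example, not Confluent code. DIRECTORY is a constructed sample; the
evaluator is a simplified stand-in for a real LDAP server, not a client.
"""

# Constructed sample directory keyed by DN. Predefined users sit directly
# under the base DN as organizationalRole; custom users live under ou=users
# as inetOrgPerson, matching the layout described in the issue.
DIRECTORY = {
    "dc=ldap,dc=example,dc=com": {"objectClass": ["dcObject", "organization"]},
    "cn=kafka,dc=ldap,dc=example,dc=com": {"objectClass": ["organizationalRole"], "cn": ["kafka"]},
    "cn=c3,dc=ldap,dc=example,dc=com": {"objectClass": ["organizationalRole"], "cn": ["c3"]},
    "ou=users,dc=ldap,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["users"]},
    "cn=alice,ou=users,dc=ldap,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["alice"], "uid": ["alice"]},
}

# ldap.user.search.scope values as documented: 0 OBJECT, 1 ONELEVEL, 2 SUBTREE.
OBJECT, ONELEVEL, SUBTREE = 0, 1, 2


def split_dn(dn):
    """Split a DN into normalised RDN components (leaf first)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies within base_dn under the given search scope."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False  # not under the base at all
    depth = len(entry) - len(base)  # 0 = the base itself, 1 = direct child, ...
    if scope == OBJECT:
        return depth == 0
    if scope == ONELEVEL:
        return depth == 1
    return True  # SUBTREE: any depth, including the base entry


def search_filter(object_classes):
    """Build the LDAP filter string equivalent to the objectClass test below."""
    if len(object_classes) == 1:
        return f"(objectClass={object_classes[0]})"
    return "(|" + "".join(f"(objectClass={oc})" for oc in object_classes) + ")"


def has_object_class(attrs, object_classes):
    present = {oc.lower() for oc in attrs.get("objectClass", [])}
    return any(oc.lower() in present for oc in object_classes)


def find_user(username, *, base, scope, object_classes, name_attr="cn"):
    """Return the DN of the single entry matching the user search, else None.

    A bind can only proceed if exactly one entry is found, so zero or
    multiple hits both count as a failed lookup here.
    """
    hits = [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope)
            and has_object_class(attrs, object_classes)
            and username in attrs.get(name_attr, [])]
    return hits[0] if len(hits) == 1 else None


# Scenario names are assumptions made for this example.
ORIGINAL = dict(base="dc=ldap,dc=example,dc=com", scope=ONELEVEL,
                object_classes=["organizationalRole"])
ATTEMPTED = dict(base="ou=users,dc=ldap,dc=example,dc=com", scope=ONELEVEL,
                 object_classes=["inetOrgPerson"])
PROPOSED = dict(base="dc=ldap,dc=example,dc=com", scope=SUBTREE,
                object_classes=["organizationalRole", "inetOrgPerson"])


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("attempted", ATTEMPTED), ("proposed", PROPOSED)):
        print(f"{name}: filter={search_filter(cfg['object_classes'])} scope={cfg['scope']}")
        for user in ("kafka", "alice"):
            print(f"  {user:6} -> {find_user(user, **cfg)}")
```

With the original settings only `kafka` resolves; the attempted `ou=users` base resolves `alice` but no longer `kafka`, which is consistent with the broker failing to authenticate after that change; SUBTREE scope with the combined filter resolves both. The filter string `search_filter` prints is the shape one would place in `ldap.user.search.filter`; whether the cluster's user name attribute should remain `cn` or become `uid` for `inetOrgPerson` entries is a separate decision the example leaves as a parameter.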
