MDS configuration


Ashwin Kollambalath

Jun 26, 2020, 6:55:05 PM
to Confluent Platform
Hi All,

Any help is appreciated.

We are trying to set up RBAC with Confluent 5.5. The first step is to set up MDS. I would like to see if there is more documentation available for the MDS setup. I have followed what is available on the Confluent site.
The connection to LDAP is working, but I can see the below in the logs.

ERROR Ignoring member in LDAP GROUPS groupname that doesn't match pattern: CN=cnName,OU=Tier1,OU=account,OU=names,DC=us,DC=ad,DC=test,DC=com (io.confluent.security.auth.provider.ldap.LdapGroupManager) 


Also, when I try "confluent login" with an ID which is configured as a super.user, I am getting the error below.


Error: 401 Unauthorized: { "servlet":"default", "message":"Unauthorized", "url":"/security/1.0/authenticate", "status":"401" }  

server.properties configuration

############################# Confluent Authorizer Settings  #############################
authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
#super.users=<User:admin;User:mds>
super.users=User:admin;User:mds;User:CN=xxx,OU=xxx,OU=usersAndGroups,DC=us,DC=ad,DC=xxx,DC=com;Group:CN=xxx,OU=Organization Groups,OU=xxx,OU=Groups,OU=usersAndGroups,DC=us,DC=ad,DC=xxx,DC=com;


############################# Identity Provider Settings(LDAP) #############################
ldap.search.mode=GROUPS
ldap.group.search.base=OU=Groups,OU=usersAndGroups,DC=us,DC=ad,DC=xxx,DC=COM
#ldap.group.search.base=CN=xxx,OU=Organization Groups,OU=xxx,OU=Groups,OU=usersAndGroups,DC=us,DC=ad,DC=xxx,DC=com
ldap.group.object.class=group

ldap.group.name.attribute=CN
ldap.group.member.attribute=member
#ldap.group.member.attribute.pattern=CN=(.*),OU=(.*),OU=usersAndGroups,DC=us,DC=ad,DC=xxx,DC=COM
ldap.group.member.attribute.pattern=CN=(.*),OU=(.*),OU=usersAndGroups,DC=us,DC=ad,DC=xxx,DC=com


#ldap.search.mode=USERS
#ldap.user.search.base=DC=us,DC=ad,DC=xxx,DC=COM
#ldap.user.object.class=user
#ldap.user.name.attribute=CN
#ldap.user.memberof.attribute=memberOf
#ldap.user.memberof.attribute.pattern=CN=(.*),CN=Users,.*



#for connection to LDAP
ldap.java.naming.provider.url=ldap://xxxxxx:xxx
ldap.java.naming.security.authentication=simple
ldap.java.naming.security.credentials=xxxxx
ldap.java.naming.security.principal=CN=xxxx,OU=xxxx,OU=usersAndGroups,DC=us,DC=ad,DC=xxx,DC=com


############################# MDS Server Settings #############################
confluent.metadata.server.advertised.listeners=http://xxxx:8090
confluent.metadata.server.listeners=http://xxxx:8090
confluent.metadata.server.authentication.method=BEARER

# Enable all authenticated users to connect to the HTTP service.
confluent.metadata.server.authentication.roles=**


############################# MDS Token Service Settings #############################
#advertised.listeners=<advertised.listeners>,RBAC://localhost:9092
confluent.metadata.server.token.key.path=/msapps/confluent-5.5.0/cert/tokenKeypair.pem
listener.name.rbac.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
listener.name.rbac.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
listener.name.rbac.oauthbearer.sasl.jaas.config= \
    org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
    publicKeyPath="/msapps/confluent-5.5.0/cert/public.pem";
listener.name.rbac.sasl.enabled.mechanisms=OAUTHBEARER
#### Configure SASL_SSL if SSL encryption is enabled, otherwise configure SASL_PLAINTEXT#####
listener.security.protocol.map=SASL_SSL:SASL_SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,RBAC:SASL_PLAINTEXT
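The ERROR line in the post says the member DN from the LDAP group does not match the configured ldap.group.member.attribute.pattern. The following is an added example (not the poster's code and not part of Confluent Platform) that checks sample member DNs against a pattern offline, before restarting a broker, so that such mismatches show up in a test run rather than in the MDS log. It assumes, as an assumption and not a fact stated on the page, that MDS applies the pattern with full-match semantics and takes the first capture group as the user name; the redacted "DC=xxx" from the posted config is replaced with "DC=test" so the pattern is comparable with the DN quoted in the log line, and FLEXIBLE_PATTERN is a constructed alternative for comparison, not a recommended setting.

```python
import re

# Pattern from the poster's server.properties (ldap.group.member.attribute.pattern),
# with the redacted "DC=xxx" replaced by "DC=test" to line up with the DN in the log.
CONFIGURED_PATTERN = r"CN=(.*),OU=(.*),OU=usersAndGroups,DC=us,DC=ad,DC=test,DC=com"

# Constructed alternative (my assumption, not from the page): a single capture group
# for the CN, then any number of OU components, then the fixed domain suffix.
FLEXIBLE_PATTERN = r"CN=([^,]+),(?:OU=[^,]+,)+DC=us,DC=ad,DC=test,DC=com"

# Constructed sample member DNs. The first one is the DN quoted in the poster's
# ERROR line; the others are made up to show matching and non-matching shapes.
SAMPLE_MEMBER_DNS = [
    "CN=cnName,OU=Tier1,OU=account,OU=names,DC=us,DC=ad,DC=test,DC=com",
    "CN=alice,OU=People,OU=usersAndGroups,DC=us,DC=ad,DC=test,DC=com",
    "CN=carol,OU=Tier1,OU=People,OU=usersAndGroups,DC=us,DC=ad,DC=test,DC=com",
    "CN=bob,OU=People,OU=usersAndGroups,DC=us,DC=ad,DC=test,DC=COM",
]


def extract_user(pattern, dn, ignore_case=False):
    """Return the user name the pattern would extract from a member DN.

    None means the DN would be skipped, which is what the
    "Ignoring member in LDAP GROUPS ... that doesn't match pattern" log line reports.
    Full-match semantics (assumed to mirror Java's Matcher.matches()) are used.
    """
    flags = re.IGNORECASE if ignore_case else 0
    match = re.fullmatch(pattern, dn, flags)
    return match.group(1) if match else None


def check_member_dns(pattern, dns, ignore_case=False):
    """Map each DN to the user name extracted from it (or None if ignored)."""
    return {dn: extract_user(pattern, dn, ignore_case) for dn in dns}


if __name__ == "__main__":
    for label, pattern in (("configured", CONFIGURED_PATTERN), ("flexible", FLEXIBLE_PATTERN)):
        print(f"== {label} pattern: {pattern}")
        for dn, user in check_member_dns(pattern, SAMPLE_MEMBER_DNS).items():
            status = f"user={user!r}" if user else "IGNORED (no match)"
            print(f"  {dn} -> {status}")
```

Two things the run shows beyond the log line itself: the DN from the log has three OU components between the CN and the DC part, while the configured pattern allows exactly two, so it can never match regardless of the domain suffix; and because the configured pattern's first group is a greedy ".*", a DN with an extra OU before OU=usersAndGroups (the "carol" sample) does match, but the extracted user name becomes "carol,OU=Tier1" rather than "carol", which is the kind of silent mis-mapping that bindings in super.users or role assignments would then fail to hit. The last sample also shows that a DC=COM versus DC=com difference is a mismatch unless matching is case-insensitive, which is relevant given the commented-out variants of the same keys in the posted config.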