LDAP authentication and trusted domain enabled


psofia...@gmail.com

Feb 17, 2026, 3:26:35 AM
to Druid User
Hello. I have a Druid cluster in Kubernetes which has LDAP authentication and authorisation enabled.
This authentication method is used for both external (e.g. user authentication) and internal communications (e.g. inter-Druid service communication).
I noticed that our LDAP servers are being "hammered" every hour or so, so I wanted to change the authentication methods a bit:
use LDAP for external communication and trusted domain for Druid internal communication.

The LDAP config is working fine, but when I enable trusted domain and change the escalator to use this one, I started to see the following exceptions on all services when trying to access the coordinator.

26-02-16T13:05:50,894 DEBUG [qtp710867897-116] org.apache.druid.security.basic.authentication.validator.LDAPCredentialsValidator
User not found:
2026-02-16T13:05:58,192 ERROR [CoordinatorPolling BasicAuthorizerCacheManagerExercition.db.cache.CoordinatorPolling BasicAuth role map for authorizer [ldapauth]: (exceptionType=com.fasterxml.jackson.core.JsonParseException, exceptionMessage=Input does not start with Smile format header (first b
at [Source: (byte[])"<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 Unauthorized</title>
</head>
<body><h2>HTTP ERROR 401 Unauthorized</h2>
<table>
<tr><th>URI:</th><td>/druid-ext/basic-security/authorization/db/ldapauth/cachedSerializedUserMap</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Unauthorized</td></tr>
<tr><th>SERVLET:</th><td>default</td></tr>
</table>
</body>
</html>
*; line: -1, column: 0], class=org.apache.druid.security.basic.authorization.db.cache.CoordinatorPollingBasicAuthorizerCacheManager)
com.fasterxml.jackson.core.JsonParseException: Input does not start with Smile format header (first byte = 0x3c) and parser has REQUIRE_HEADER enabled: can not parse

These are the configs that I have:

druid.auth.authenticatorChain=["trustedDomain", "LdapAuthenticator"]

#LDAP authenticator
druid.auth.authenticator.LdapAuthenticator.type=basic
druid.auth
druid.auth.authenticator.LdapAuthenticator.credentialsValidator.type=ldap
druid.auth.authenticator.LdapAuthenticator.credentialsValidator.url=LDAP_URL
druid.auth.authenticator.LdapAuthenticator.credentialsValidator.bindUser=BIND_USER
druid.auth.authenticator.LdapAuthenticator.credentialsValidator.bindPassword=LDAP_BIND_PASSWORD
druid.auth.authenticator.LdapAuthenticator.credentialsValidator.baseDn=BASE_DN
druid.auth.authenticator.LdapAuthenticator.credentialsValidator.userSearch=
druid.auth.authenticator.LdapAuthenticator.credentialsValidator.userAttribute=uid
druid.auth.authenticator.LdapAuthenticator.authorizerName=ldapauth
druid.auth.authenticator.LdapAuthenticator.credentialsValidator.credentialMaxDuration=14400

#Trusted Domain
druid.auth.authenticator.trustedDomain.type=trustedDomain
druid.auth.authenticator.trustedDomain.domain=DOMAIN
druid.auth.authenticator.trustedDomain.identity=druid_system
druid.auth.authenticator.trustedDomain.authorizerName=ldapauth
druid.auth.authenticator.trustedDomain.useForwardedHeaders=true

druid.escalator.type=trustedDomain
druid.escalator.internalClientUsername=druid_system
druid.escalator.authorizerName=ldapauth

druid.auth.authorizers=["ldapauth"]
druid.auth.authorizer.ldapauth.type=basic
druid.auth.authorizer.ldapauth.initialAdminUser=BIND_USER
druid.auth.authorizer.ldapauth.initialAdminRole=admin
druid.auth.authorizer.ldapauth.roleProvider.type=ldap

I'm still not sure if the configs are completely right. Any suggestions?
Thanks
Paula
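
An added example, not part of the original post and not Druid's own code: a small Python check that flags property lines without a clean key=value split and cross-checks the authenticator and authorizer names used in a configuration like the one above. The sample input is constructed, and the function names (`parse_properties`, `check_auth_refs`, `lint`) are this example's own.

```python
import json

# Constructed sample using property names from the post, with two deliberate
# defects: a line missing "=" and an authorizerName that is never declared.
SAMPLE = """\
druid.auth.authenticatorChain=["trustedDomain", "LdapAuthenticator"]
druid.auth.authenticator.LdapAuthenticator.type=basic
druid.auth.authenticator.LdapAuthenticator.authorizerName=ldapauth
druid.auth.authenticator.trustedDomain.type=trustedDomain
druid.auth.authenticator.trustedDomain.identity druid_system
druid.auth.authenticator.trustedDomain.authorizerName=internalauth
druid.escalator.authorizerName=ldapauth
druid.auth.authorizers=["ldapauth"]
druid.auth.authorizer.ldapauth.type=basic
"""

def parse_properties(text):
    """Return (props, suspect): parsed pairs and lines needing a manual look."""
    props, suspect = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        # Java's Properties loader also splits on whitespace or ':', so a
        # missing "=" or a space inside the key silently changes the key name.
        if not sep or len(key.split()) != 1:
            suspect.append((n, line))
        else:
            props[key.strip()] = value.strip()
    return props, suspect

def check_auth_refs(props):
    """Cross-check names used by the authenticator chain and authorizers."""
    issues = []
    chain = json.loads(props.get("druid.auth.authenticatorChain", "[]"))
    authorizers = json.loads(props.get("druid.auth.authorizers", "[]"))
    for name in chain:
        if f"druid.auth.authenticator.{name}.type" not in props:
            issues.append(f"authenticator {name}: no .type defined")
    for key, name in props.items():
        if key.endswith(".authorizerName") and name not in authorizers:
            issues.append(f"{key} -> {name}: not in druid.auth.authorizers")
    return issues

def lint(text):
    props, suspect = parse_properties(text)
    return [f"line {n}: no clean key=value split: {l}" for n, l in suspect] + check_auth_refs(props)
```
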

ahmed boughedda

Feb 17, 2026, 3:33:41 AM
to druid...@googlegroups.com
Well done, great job.


--
__________________
Ahmed Boughedda
Training consultant
& BI project assistant

psofia...@gmail.com

Feb 17, 2026, 9:07:38 AM
to Druid User
Ah, not really, because it is not working :)