Configure Kafka LDAP authentication for Kafka clients

Learn how to configure Kafka clients for LDAP authentication.

You can enable Kafka to use LDAP credentials for client to broker authentication. Client configuration is done by adding the required properties to the client's client.properties file.

Set the SASL mechanism to PLAIN.
Add the following property to the client.properties file.
```
sasl.mechanism=PLAIN
```
Configure the security protocol.
You can either use SASL_SSL or SASL_PLAINTEXT. Which security protocol you use will depend on whether or not SSL encryption is enabled on the broker. Add one of the following properties to the client.properties file.
- If encryption is enabled, use SASL_SSL:
```
security.protocol=SASL_SSL
```
- If encryption is not enabled, use SASL_PLAINTEXT:
```
security.protocol=SASL_PLAINTEXT
```
note
In a public network Cloudera recommends that you use SASL_SSL as LDAP credentials can become exposed.
Configure the JAAS.
You have two options when configuring the JAAS:
1. Embed the required properties in the client.properties file with the sasl.jaas.config property.
```
sasl.jaas.config= \ 
org.apache.kafka.common.security.plain.PlainLoginModule required \
    username="[***LDAP USERNAME***]" \
    password="[***LDAP PASSWORD***]";
```
  Replace [LDAP_USERNAME] and [LDAP_PASSWORD] with a valid LDAP username and password.
2. Use a separate JAAS config file:
  1. Add a KafkaClient entry with a login module item to your JAAS configuration file.
    Example configuration:
    KafkaClient { org.apache.kafka.common.security.plain.PlainLoginModule required username="[***LDAP USERNAME***]" password="[***LDAP PASSWORD***]"; };
    Replace [LDAP_USERNAME] and [LDAP_PASSWORD] with a valid LDAP username and password.
  2. Pass the location of your JAAS configuration file as a JVM parameter through a command line interface
    export KAFKA_OPTS="-Djava.security.auth.login.config=[***PATH TO JAAS.CONF***]"
    Replace [***PATH TO JAAS.CONF***] with the location of the JAAS configuration file you created.

LDAP authentication is configured for the client.