LDAP AD RBAC #1085

Open
4 tasks done
AlexSSP opened this issue May 21, 2025 · 0 comments
Labels
  • area/rbac: Related to Role Based Access Control feature
  • status/triage/completed: Automatic triage completed
  • status/triage/manual: Manual triage in progress
  • type/bug: Something isn't working

Comments


AlexSSP commented May 21, 2025

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for already existing issues here
  • I've tried running main-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

Hello!
I am trying to use RBAC with the LDAP provider.

Expected behavior

No response

Your installation details

My kafka-ui:
kafbat/kafka-ui:v1.2.0

auth:
  type: LDAP
spring:
  ldap:
    urls: ldap://192.168.1.16:389
    base: "cn={0},DC=gulliver-ul,DC=local"
    admin-user: "CN=ldap,OU=Service Accounts,OU=Users,OU=ULN,OU=Gulliver,OU=GC,DC=gulliver-ul,DC=local"
    admin-password: "password"
    user-filter-search-base: "DC=gulliver-ul,DC=local"
    user-filter-search-filter: "(&(objectCategory=user)(sAMAccountName={0})(|(memberof=CN=kafka_users,OU=Groups,OU=ULN,OU=Gulliver,OU=GC,DC=gulliver-ul,DC=local)))"
    group-filter-search-base: "DC=gulliver-ul,DC=local"
oauth2:
  ldap:
    activeDirectory: false
    aсtiveDirectory:
      domain: gulliver-ul.local
kafka:
  clusters:
  - bootstrapServers: kafka:9092
    kafkaConnect:
    - address: http://kafka.local:8083
      name: kafka-connect
    name: kafka
    properties: {}
    readOnly: false
    schemaRegistry: http://kafka.local:8081
rbac:
  roles:
    - name: "kafka_users"
      clusters:
        - kafka
      subjects:
        - provider: ldap
          type: group
          value: "kafka_users"

      permissions:
        - resource: applicationconfig
          actions: all

        - resource: clusterconfig
          actions: all

        - resource: topic
          value: ".*"
          actions: all

        - resource: consumer
          value: ".*"
          actions: all

        - resource: schema
          value: ".*"
          actions: all

        - resource: connect
          value: ".*"
          actions: all

        - resource: ksql
          actions: all

        - resource: acl
          actions: [ view ]

webclient: {}

Steps to reproduce

But I cannot log in. Without RBAC I can log in successfully.

Screenshots

No response

Logs

 17:01:46,212 DEBUG [reactor-http-epoll-4] r.n.h.s.HttpServerOperations: [38e74c98, L:/172.19.0.5:8080 - R:/10.0.102.30:64687] New http connection, requesting read
2025-05-21 17:01:46,212 DEBUG [reactor-http-epoll-4] r.n.t.TransportConfig: [38e74c98, L:/172.19.0.5:8080 - R:/10.0.102.30:64687] Initialized pipeline DefaultChannelPipeline{(reactor.left.httpCodec = io.netty.handler.codec.http.HttpServerCodec), (reactor.left.httpTrafficHandler = reactor.netty.http.server.HttpTrafficHandler), (reactor.right.reactiveBridge = reactor.netty.channel.ChannelOperationsHandler)}
2025-05-21 17:01:46,218 DEBUG [reactor-http-epoll-4] r.n.h.s.HttpServerOperations: [38e74c98, L:/172.19.0.5:8080 - R:/10.0.102.30:64687] Increasing pending responses count: 1
2025-05-21 17:01:46,219 DEBUG [reactor-http-epoll-4] r.n.h.s.HttpServer: [38e74c98-1, L:/172.19.0.5:8080 - R:/10.0.102.30:64687] Handler is being applied: org.springframework.http.server.reactive.ReactorHttpHandlerAdapter@4455ec2e
2025-05-21 17:01:46,229 DEBUG [reactor-http-epoll-4] o.s.w.s.a.HttpWebHandlerAdapter: [38e74c98-1] HTTP POST "/login"
2025-05-21 17:01:46,249 DEBUG [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=POST}
2025-05-21 17:01:46,251 DEBUG [reactor-http-epoll-4] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Checking match of request : '/login'; against '/login'
2025-05-21 17:01:46,251 DEBUG [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: matched
2025-05-21 17:01:46,252 DEBUG [reactor-http-epoll-4] r.n.c.FluxReceive: [38e74c98-1, L:/172.19.0.5:8080 - R:/10.0.102.30:64687] [terminated=false, cancelled=false, pending=0, error=null]: subscribing inbound receiver
2025-05-21 17:01:46,253 DEBUG [reactor-http-epoll-4] o.s.h.c.FormHttpMessageReader: [38e74c98-1] Read form fields [username, password] (content masked)
2025-05-21 17:01:46,283 DEBUG [boundedElastic-1] o.s.s.l.a.BindAuthenticator: Failed to bind with any user DNs [cn=a.arapov,DC=gulliver-ul,DC=local]
2025-05-21 17:01:46,290 DEBUG [boundedElastic-1] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://192.168.1.16:389'
2025-05-21 17:01:46,312 DEBUG [boundedElastic-1] o.s.s.l.SpringSecurityLdapTemplate: Found DN: CN=Арапов Алексей Анатольевич,OU=Users,OU=Outlaw,DC=gulliver-ul,DC=local
2025-05-21 17:01:46,314 DEBUG [boundedElastic-1] o.s.s.l.s.FilterBasedLdapUserSearch: Found user 'a.arapov', with FilterBasedLdapUserSearch [searchFilter=(&(objectCategory=user)(sAMAccountName={0})(|(memberof=CN=kafka_users,OU=Groups,OU=ULN,OU=Gulliver,OU=GC,DC=gulliver-ul,DC=local))); searchBase=DC=gulliver-ul,DC=local; scope=subtree; searchTimeLimit=0; derefLinkFlag=false ]
2025-05-21 17:01:46,321 DEBUG [boundedElastic-1] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://192.168.1.16:389'
2025-05-21 17:01:46,322 DEBUG [boundedElastic-1] o.s.s.l.a.BindAuthenticator: Bound CN=Арапов Алексей Анатольевич,OU=Users,OU=Outlaw,DC=gulliver-ul,DC=local
2025-05-21 17:01:46,324 DEBUG [boundedElastic-1] o.s.l.c.LdapTemplate: The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2025-05-21 17:01:46,333 DEBUG [boundedElastic-1] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://192.168.1.16:389'
2025-05-21 17:01:46,333 DEBUG [boundedElastic-1] o.s.l.c.LdapTemplate: Executing search with base [DC=gulliver-ul,DC=local] and filter [(member=CN=Арапов Алексей Анатольевич,OU=Users,OU=Outlaw,DC=gulliver-ul,DC=local)]
2025-05-21 17:01:46,383 DEBUG [boundedElastic-1] o.s.b.a.w.r.e.AbstractErrorWebExceptionHandler: [38e74c98-1] Resolved [PartialResultException: Unprocessed Continuation Reference(s)] for HTTP POST /login
2025-05-21 17:01:46,384 ERROR [boundedElastic-1] o.s.b.a.w.r.e.AbstractErrorWebExceptionHandler: [38e74c98-1]  500 Server Error for HTTP POST "/login"

Additional context

No response
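The log above shows the login failing only after the user bind succeeded: the group-membership search from the domain root (`DC=gulliver-ul,DC=local`) ends in `PartialResultException: Unprocessed Continuation Reference(s)`. The following added example (not code from the issue or from kafka-ui) parses constructed Spring Security DEBUG lines of the same shape and names the stage at which the login broke; the remedy text it returns is the usual guidance for AD referrals on a domain-root search base over port 389, not something this thread confirms.

```python
import re

# Constructed sample of Spring Security LDAP DEBUG lines in the shape of the
# issue's log (DNs and domain replaced with placeholders; not the original log).
SAMPLE_LOG = """\
2025-05-21 17:01:46,283 DEBUG [boundedElastic-1] o.s.s.l.a.BindAuthenticator: Failed to bind with any user DNs [cn=a.arapov,DC=example,DC=local]
2025-05-21 17:01:46,314 DEBUG [boundedElastic-1] o.s.s.l.s.FilterBasedLdapUserSearch: Found user 'a.arapov', with FilterBasedLdapUserSearch [searchFilter=(&(objectCategory=user)(sAMAccountName={0})); searchBase=DC=example,DC=local; scope=subtree; searchTimeLimit=0; derefLinkFlag=false ]
2025-05-21 17:01:46,322 DEBUG [boundedElastic-1] o.s.s.l.a.BindAuthenticator: Bound CN=Some User,OU=Users,DC=example,DC=local
2025-05-21 17:01:46,333 DEBUG [boundedElastic-1] o.s.l.c.LdapTemplate: Executing search with base [DC=example,DC=local] and filter [(member=CN=Some User,OU=Users,DC=example,DC=local)]
2025-05-21 17:01:46,383 DEBUG [boundedElastic-1] o.s.b.a.w.r.e.AbstractErrorWebExceptionHandler: [38e74c98-1] Resolved [PartialResultException: Unprocessed Continuation Reference(s)] for HTTP POST /login
"""

# Each stage of the Spring LDAP login flow, matched by its log message shape.
STAGES = [
    ("dn_pattern_bind_failed", re.compile(r"BindAuthenticator: Failed to bind with any user DNs \[(?P<dns>[^\]]*)\]")),
    ("user_search_found", re.compile(r"FilterBasedLdapUserSearch: Found user '(?P<user>[^']*)'")),
    ("user_bind_ok", re.compile(r"BindAuthenticator: Bound (?P<dn>.*)$")),
    ("group_search", re.compile(r"Executing search with base \[(?P<base>[^\]]*)\] and filter \[(?P<filter>.*)\]$")),
    ("exception", re.compile(r"Resolved \[(?P<exc>[A-Za-z]+Exception)[^\]]*\] for HTTP (?P<req>[A-Z]+ \S+)")),
]


def parse_login_trace(log_text):
    """Return the ordered list of (stage, captured fields) found in the log."""
    trace = []
    for line in log_text.splitlines():
        for stage, rx in STAGES:
            m = rx.search(line)
            if m:
                trace.append((stage, m.groupdict()))
                break
    return trace


def diagnose(trace):
    """Name the stage that broke the login and what that usually means."""
    stages = [s for s, _ in trace]
    last_exc = next((f for s, f in reversed(trace) if s == "exception"), None)
    if last_exc is None:
        return "login completed: no exception resolved for the request"
    if "user_bind_ok" not in stages:
        return f"authentication failed before any user bind succeeded: {last_exc['exc']}"
    if last_exc["exc"] == "PartialResultException" and "group_search" in stages:
        base = next(f["base"] for s, f in trace if s == "group_search")
        # Referrals to sub-naming-contexts (e.g. DomainDnsZones) are returned when
        # an AD domain root is searched over 389; the authentication itself was fine.
        return (f"user authenticated, but the group search from base {base} hit an AD "
                "referral (PartialResultException); search a narrower base or the Global Catalog (3268)")
    return f"post-authentication failure: {last_exc['exc']}"
```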

@AlexSSP AlexSSP added type/bug Something isn't working status/triage Issues pending maintainers triage labels May 21, 2025
@kapybro kapybro bot added area/rbac Related to Role Based Access Control feature status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels May 21, 2025
@AlexSSP AlexSSP changed the title LDAP RBAC LDAP AD RBAC May 22, 2025