How to integrate Otel Solace Receiver with LDAP based Solace PubSub Event broker 10.4.121
Currently, we have enabled the Distributed Tracing in DEV environment and its all working fine . The authentication used in DEV is Internal Database.
However, the same configuration is not working in QA, as we are using LDAP based authentication in Solace Broker.
Below is the error observed in the Otel logs:
2024-09-24T11:04:24.569Z debug solacereceiver@v0.79.0/receiver.go:139 Encountered error while connecting messaging service {"kind": "receiver", "name": "solace/primary", "data_type": "traces", "error": "SASL PLAIN auth failed with code 0x2: "}
Could you please check and suggest on how to integrate Otel Solace receiver 0.79v with Solace Broker based on LDAP.
Best Answer
-
Hey @Dhanusri - the issue here is that your LDAP user is not associated to the newly created telemetry ACL and Client profiles, which is a requirement for the Solace receiver in the collector. The error you are receiving is mainly due to either:
- LDAP user is using the default acl and client profile (if you are using
Internalfor LDAP authorization) - LDAP
authorization groupis not configured with the telemetry acl and client profile, which again will fall back to the default acl and client profile
To fix this, lets break it down into the following authentication and authorization configuration that you will have to do.
I. Authentication
( I assume you already have this configured, but will list it anyways)
- Create a username pwd in your LDAP server
- Configure broker for LDAP authentication
- Make sure you pass the LDAP username/password in your collector configuration
II. Authorization
The telemetry user (used in your collector configuration) should belong to the telemetry acl and client profiles. This is where authorization comes in place. There are two ways you can do this
A. Internal
If you are using internal database for your client authorization, by default the broker will attempt to associate your LDAP user to the default acl and client profile if you dont explicitly create a user and associate it to the right profiles. This is not going to work with the receiver since we will need the receiver to belong to the telemetry profile. To do this:
- Create a username on your broker that matches the LDAP username
- Assign the telemetry profiles to that user
- Reconnect to the broker with your LDAP credentials
Using this, the client with authenticate to the broker using the LDAP credentials, the broker will look into its internal database for authorization. If a match is found, it will assign the profiles associated with that user to the connection (in this case its the telemetry profiles).
B. Authorization group
If you use authorization groups for your LDAP:
- Configure your broker to use Authorization group
- Assign the telemetry acl and client profiles to the newly created authorization group
- Reconnect to the broker with your LDAP credentials
Using this, the client with authenticate to the broker using the LDAP credentials, the broker will look into the authorization groups for authorization. If a match is found, it will assign the profiles associated with that user to the connection (in this case its the telemetry profiles).
Hopefully this helps!
1 - LDAP user is using the default acl and client profile (if you are using
Answers
-
Hey @Dhanusri - the issue here is that your LDAP user is not associated to the newly created telemetry ACL and Client profiles, which is a requirement for the Solace receiver in the collector. The error you are receiving is mainly due to either:
- LDAP user is using the default acl and client profile (if you are using
Internalfor LDAP authorization) - LDAP
authorization groupis not configured with the telemetry acl and client profile, which again will fall back to the default acl and client profile
To fix this, lets break it down into the following authentication and authorization configuration that you will have to do.
I. Authentication
( I assume you already have this configured, but will list it anyways)
- Create a username pwd in your LDAP server
- Configure broker for LDAP authentication
- Make sure you pass the LDAP username/password in your collector configuration
II. Authorization
The telemetry user (used in your collector configuration) should belong to the telemetry acl and client profiles. This is where authorization comes in place. There are two ways you can do this
A. Internal
If you are using internal database for your client authorization, by default the broker will attempt to associate your LDAP user to the default acl and client profile if you dont explicitly create a user and associate it to the right profiles. This is not going to work with the receiver since we will need the receiver to belong to the telemetry profile. To do this:
- Create a username on your broker that matches the LDAP username
- Assign the telemetry profiles to that user
- Reconnect to the broker with your LDAP credentials
Using this, the client with authenticate to the broker using the LDAP credentials, the broker will look into its internal database for authorization. If a match is found, it will assign the profiles associated with that user to the connection (in this case its the telemetry profiles).
B. Authorization group
If you use authorization groups for your LDAP:
- Configure your broker to use Authorization group
- Assign the telemetry acl and client profiles to the newly created authorization group
- Reconnect to the broker with your LDAP credentials
Using this, the client with authenticate to the broker using the LDAP credentials, the broker will look into the authorization groups for authorization. If a match is found, it will assign the profiles associated with that user to the connection (in this case its the telemetry profiles).
Hopefully this helps!
1 - LDAP user is using the default acl and client profile (if you are using
