How to integrate Otel Solace Receiver with LDAP based Solace PubSub Event broker 10.4.121

Dhanusri
Dhanusri Member Posts: 15 ✭✭

Currently, we have enabled the Distributed Tracing in DEV environment and its all working fine . The authentication used in DEV is Internal Database.

However, the same configuration is not working in QA, as we are using LDAP based authentication in Solace Broker.

Below is the error observed in the Otel logs:

2024-09-24T11:04:24.569Z        debug   solacereceiver@v0.79.0/receiver.go:139  Encountered error while connecting messaging service    {"kind": "receiver", "name": "solace/primary", "data_type": "traces", "error": "SASL PLAIN auth failed with code 0x2: "}

Could you please check and suggest on how to integrate Otel Solace receiver 0.79v with Solace Broker based on LDAP.

Best Answer

  • Tamimi
    Tamimi Member, Administrator, Employee Posts: 541 admin
    edited September 24 #2 Answer ✓

    Hey @Dhanusri - the issue here is that your LDAP user is not associated to the newly created telemetry ACL and Client profiles, which is a requirement for the Solace receiver in the collector. The error you are receiving is mainly due to either:

    1. LDAP user is using the default acl and client profile (if you are using Internal for LDAP authorization)
    2. LDAP authorization group is not configured with the telemetry acl and client profile, which again will fall back to the default acl and client profile

    To fix this, lets break it down into the following authentication and authorization configuration that you will have to do.

    I. Authentication

    ( I assume you already have this configured, but will list it anyways)

    1. Create a username pwd in your LDAP server
    2. Configure broker for LDAP authentication
    3. Make sure you pass the LDAP username/password in your collector configuration

    II. Authorization

    The telemetry user (used in your collector configuration) should belong to the telemetry acl and client profiles. This is where authorization comes in place. There are two ways you can do this

    A. Internal

    If you are using internal database for your client authorization, by default the broker will attempt to associate your LDAP user to the default acl and client profile if you dont explicitly create a user and associate it to the right profiles. This is not going to work with the receiver since we will need the receiver to belong to the telemetry profile. To do this:

    1. Create a username on your broker that matches the LDAP username
    2. Assign the telemetry profiles to that user
    3. Reconnect to the broker with your LDAP credentials

    Using this, the client with authenticate to the broker using the LDAP credentials, the broker will look into its internal database for authorization. If a match is found, it will assign the profiles associated with that user to the connection (in this case its the telemetry profiles).

    B. Authorization group

    If you use authorization groups for your LDAP:

    1. Configure your broker to use Authorization group
    2. Assign the telemetry acl and client profiles to the newly created authorization group
    3. Reconnect to the broker with your LDAP credentials

    Using this, the client with authenticate to the broker using the LDAP credentials, the broker will look into the authorization groups for authorization. If a match is found, it will assign the profiles associated with that user to the connection (in this case its the telemetry profiles).

    Hopefully this helps!

Answers

  • Tamimi
    Tamimi Member, Administrator, Employee Posts: 541 admin
    edited September 24 #3 Answer ✓

    Hey @Dhanusri - the issue here is that your LDAP user is not associated to the newly created telemetry ACL and Client profiles, which is a requirement for the Solace receiver in the collector. The error you are receiving is mainly due to either:

    1. LDAP user is using the default acl and client profile (if you are using Internal for LDAP authorization)
    2. LDAP authorization group is not configured with the telemetry acl and client profile, which again will fall back to the default acl and client profile

    To fix this, lets break it down into the following authentication and authorization configuration that you will have to do.

    I. Authentication

    ( I assume you already have this configured, but will list it anyways)

    1. Create a username pwd in your LDAP server
    2. Configure broker for LDAP authentication
    3. Make sure you pass the LDAP username/password in your collector configuration

    II. Authorization

    The telemetry user (used in your collector configuration) should belong to the telemetry acl and client profiles. This is where authorization comes in place. There are two ways you can do this

    A. Internal

    If you are using internal database for your client authorization, by default the broker will attempt to associate your LDAP user to the default acl and client profile if you dont explicitly create a user and associate it to the right profiles. This is not going to work with the receiver since we will need the receiver to belong to the telemetry profile. To do this:

    1. Create a username on your broker that matches the LDAP username
    2. Assign the telemetry profiles to that user
    3. Reconnect to the broker with your LDAP credentials

    Using this, the client with authenticate to the broker using the LDAP credentials, the broker will look into its internal database for authorization. If a match is found, it will assign the profiles associated with that user to the connection (in this case its the telemetry profiles).

    B. Authorization group

    If you use authorization groups for your LDAP:

    1. Configure your broker to use Authorization group
    2. Assign the telemetry acl and client profiles to the newly created authorization group
    3. Reconnect to the broker with your LDAP credentials

    Using this, the client with authenticate to the broker using the LDAP credentials, the broker will look into the authorization groups for authorization. If a match is found, it will assign the profiles associated with that user to the connection (in this case its the telemetry profiles).

    Hopefully this helps!

  • Dhanusri
    Dhanusri Member Posts: 15 ✭✭

    Hi @Tamimi,

    Thanks much for the response.

    Post assigning the #telemetry acl and client profile to the LDAP user, the Otel solace receiver is up and successfully connecting to the broker.