Closed
Labels
area/auth (App authentication related issues), status/triage/completed (Automatic triage completed), status/triage/manual (Manual triage in progress), type/bug (Something isn't working)
Description
Issue submitter TODO list
- I've looked up my issue in FAQ
- I've searched for already existing issues here
- I've tried running main-labeled docker image and the issue still persists there
- I'm running a supported version of the application which is listed here
Describe the bug (actual behavior)
Following the docs found at https://ui.docs.kafbat.io/faq/authentication, I'm trying to turn on trace level logging for debugging LDAP auth issues. However, it does not work. Nothing seems to be logged by the container for failed attempts.
Expected behavior
The stdout of the container should provide trace level logging.
Your installation details
- v1.3.0 (8b5494b)
- NA (Using Kubernetes deployment, see in additional context)
- See below
apiVersion: v1
data:
  config.yaml: |-
    kafka:
      clusters:
        - bootstrapServers: kafka-service-kafka-bootstrap:9092
          name: kafka-service
          properties:
            security.protocol: SASL_PLAINTEXT
            sasl.mechanism: SCRAM-SHA-512
            sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required
              username="admin" password="somepassword";
          readOnly: false
    auth:
      type: LDAP
    spring:
      ldap:
        urls: ldap://dc.example.com:389
        base: "ou=Employees,dc=example,dc=com"
        admin-user: "cn=LDAP User,ou=Misc Users,dc=example,dc=com"
        admin-password: "somepassword"
        user-filter-search-base: "dc=example.com,dc=com"
        user-filter-search-filter: "(objectClass=person)"
        group-filter-search-base: "ou=KafkaUI Access Groups,ou=Custom Security Groups,dc=example,dc=com"
    rbac:
      roles:
        - name: "Admins"
          clusters:
            - kafka-service
          subjects:
            - provider: ldap
              type: group
              value: "KafkaUI Admins"
          permissions:
            - resource: applicationconfig
              actions: all
            - resource: clusterconfig
              actions: all
            - resource: topic
              value: ".*"
              actions: all
            - resource: consumer
              value: ".*"
              actions: all
            - resource: schema
              value: ".*"
              actions: all
            - resource: connect
              value: ".*"
              actions: all
            - resource: ksql
              actions: all
            - resource: acl
              actions: [ view ]
    webclient: {}
- NA
Steps to reproduce
Deploy the app with the provided Kubernetes deployment YAML and config.
Screenshots
Logs
Container stdout
_ _ ___ __ _ _ _ __ __ _
| | | |_ _| / _|___ _ _ /_\ _ __ __ _ __| |_ ___ | |/ /__ _ / _| |_____
| |_| || | | _/ _ | '_| / _ \| '_ / _` / _| ' \/ -_) | ' </ _` | _| / / _`|
\___/|___| |_| \___|_| /_/ \_| .__\__,_\__|_||_\___| |_|\_\__,_|_| |_\_\__,|
|_|
2025-09-04 20:02:53,348 INFO [main] i.k.u.KafkaUiApplication: Starting KafkaUiApplication v8b5494b using Java 21.0.6 with PID 1 (/api.jar started by kafkaui in /)
2025-09-04 20:02:53,350 DEBUG [main] i.k.u.KafkaUiApplication: Running with Spring Boot v3.5.3, Spring v6.2.8
2025-09-04 20:02:53,350 INFO [main] i.k.u.KafkaUiApplication: No active profile set, falling back to 1 default profile: "default"
2025-09-04 20:03:09,256 DEBUG [main] i.k.u.s.SerdesInitializer: Configuring serdes for cluster kafka-service
2025-09-04 20:03:11,537 INFO [main] o.s.b.a.e.w.EndpointLinksResolver: Exposing 3 endpoints beneath base path '/actuator'
2025-09-04 20:03:12,151 INFO [main] i.k.u.c.a.LdapSecurityConfig: Configuring LDAP authentication.
2025-09-04 20:03:14,643 INFO [main] o.s.b.w.e.n.NettyWebServer: Netty started on port 8080 (http)
2025-09-04 20:03:14,739 INFO [main] i.k.u.KafkaUiApplication: Started KafkaUiApplication in 25.593 seconds (process running for 28.893)
2025-09-04 20:03:15,656 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: kafka-service
2025-09-04 20:03:15,838 INFO [boundedElastic-1] o.a.k.c.a.AdminClientConfig: AdminClientConfig values:
auto.include.jmx.reporter = true
bootstrap.controllers = []
bootstrap.servers = [kafka-service-kafka-bootstrap:9092]
client.dns.lookup = use_all_dns_ips
client.id = kafbat-ui-admin-1757016195-1
connections.max.idle.ms = 300000
default.api.timeout.ms = 60000
enable.metrics.push = true
metadata.max.age.ms = 300000
metadata.recovery.strategy = none
metric.reporters = []
metrics.num.samples = 2
metrics.recording.level = INFO
metrics.sample.window.ms = 30000
receive.buffer.bytes = 65536
reconnect.backoff.max.ms = 1000
reconnect.backoff.ms = 50
request.timeout.ms = 30000
retries = 2147483647
retry.backoff.max.ms = 1000
retry.backoff.ms = 100
sasl.client.callback.handler.class = null
sasl.jaas.config = [hidden]
sasl.kerberos.kinit.cmd = /usr/bin/kinit
sasl.kerberos.min.time.before.relogin = 60000
sasl.kerberos.service.name = null
sasl.kerberos.ticket.renew.jitter = 0.05
sasl.kerberos.ticket.renew.window.factor = 0.8
sasl.login.callback.handler.class = null
sasl.login.class = null
sasl.login.connect.timeout.ms = null
sasl.login.read.timeout.ms = null
sasl.login.refresh.buffer.seconds = 300
sasl.login.refresh.min.period.seconds = 60
sasl.login.refresh.window.factor = 0.8
sasl.login.refresh.window.jitter = 0.05
sasl.login.retry.backoff.max.ms = 10000
sasl.login.retry.backoff.ms = 100
sasl.mechanism = SCRAM-SHA-512
sasl.oauthbearer.clock.skew.seconds = 30
sasl.oauthbearer.expected.audience = null
sasl.oauthbearer.expected.issuer = null
sasl.oauthbearer.header.urlencode = false
sasl.oauthbearer.jwks.endpoint.refresh.ms = 3600000
sasl.oauthbearer.jwks.endpoint.retry.backoff.max.ms = 10000
sasl.oauthbearer.jwks.endpoint.retry.backoff.ms = 100
sasl.oauthbearer.jwks.endpoint.url = null
sasl.oauthbearer.scope.claim.name = scope
sasl.oauthbearer.sub.claim.name = sub
sasl.oauthbearer.token.endpoint.url = null
security.protocol = SASL_PLAINTEXT
security.providers = null
send.buffer.bytes = 131072
socket.connection.setup.timeout.max.ms = 30000
socket.connection.setup.timeout.ms = 10000
ssl.cipher.suites = null
ssl.enabled.protocols = [TLSv1.2, TLSv1.3]
ssl.endpoint.identification.algorithm = https
ssl.engine.factory.class = null
ssl.key.password = null
ssl.keymanager.algorithm = SunX509
ssl.keystore.certificate.chain = null
ssl.keystore.key = null
ssl.keystore.location = null
ssl.keystore.password = null
ssl.keystore.type = JKS
ssl.protocol = TLSv1.3
ssl.provider = null
ssl.secure.random.implementation = null
ssl.trustmanager.algorithm = PKIX
ssl.truststore.certificates = null
ssl.truststore.location = null
ssl.truststore.password = null
ssl.truststore.type = JKS
2025-09-04 20:03:16,238 INFO [boundedElastic-1] o.a.k.c.s.a.AbstractLogin: Successfully logged in.
2025-09-04 20:03:16,348 INFO [boundedElastic-1] o.a.k.c.u.AppInfoParser: Kafka version: 7.9.0-ccs
2025-09-04 20:03:16,348 INFO [boundedElastic-1] o.a.k.c.u.AppInfoParser: Kafka commitId: ebe6df624d6bc758
2025-09-04 20:03:16,348 INFO [boundedElastic-1] o.a.k.c.u.AppInfoParser: Kafka startTimeMs: 1757016196347
2025-09-04 20:03:20,543 DEBUG [parallel-1] i.k.u.s.ReactiveAdminClient: Error checking if security enabled
org.apache.kafka.common.errors.ClusterAuthorizationException: Request Request(processor=3, connectionId=10.42.157.29:9092-10.42.157.38:49924-4, session=org.apache.kafka.network.Session@7c18264e, listenerName=ListenerName(UI-9092), securityProtocol=SASL_PLAINTEXT, buffer=null, envelope=None) is not authorized.
2025-09-04 20:03:21,348 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: kafka-service
2025-09-04 20:03:44,737 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: kafka-service
2025-09-04 20:03:44,755 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: kafka-service
2025-09-04 20:04:14,737 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: kafka-service
2025-09-04 20:04:14,747 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: kafka-service
2025-09-04 20:04:44,737 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: kafka-service
2025-09-04 20:04:44,747 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: kafka-service
2025-09-04 20:05:14,737 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: kafka-service
2025-09-04 20:05:14,746 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: kafka-service
2025-09-04 20:05:44,737 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: kafka-service
2025-09-04 20:05:44,746 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: kafka-service
2025-09-04 20:06:14,737 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: kafka-service
2025-09-04 20:06:14,746 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: kafka-service
Additional context
Deployment YAML
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kafka-ui
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/instance: kafka-ui
      app.kubernetes.io/name: kafka-ui
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: kafka-ui
        app.kubernetes.io/name: kafka-ui
    spec:
      containers:
        - env:
            - name: LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY_LDAP_USERDETAILS
              value: TRACE
            - name: SPRING_CONFIG_ADDITIONAL-LOCATION
              value: /etc/kafkaui/config.yaml
          image: kafbat/kafka-ui:8b5494b
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /actuator/health
              port: http
              scheme: HTTP
            initialDelaySeconds: 45
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 10
          name: kafka-ui-pod
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /actuator/health
              port: http
              scheme: HTTP
            initialDelaySeconds: 45
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 10
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 250m
              memory: 200Mi
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /etc/kafkaui/config.yaml
              name: config
              subPath: config.yaml
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: kafka-ui
      serviceAccountName: kafka-ui
      terminationGracePeriodSeconds: 30
      volumes:
        - configMap:
            defaultMode: 420
            name: kafka-ui-configmap
          name: config