Kafka can be configured to use several authentication mechanisms: plaintext username/password, Kerberos or SSL. The first 2 use SASL, where there is a JAAS config file required.

For the plain text auth method, the config looks like (taken from the documentation):

KafkaServer {
   org.apache.kafka.common.security.plain.PlainLoginModule required
   username="admin"
   password="admin-secret"
   user_admin="admin-secret"
   user_alice="alice-secret";
};

I want to authenticate if possible using LDAP. My question is this: if I replace the PlainLoginModule with a class that implements LoginModule and place this class in the broker's classpath, can I implement authentication in any manner I wish (i.e. LDAP)?

I cannot use Kerberos in a reasonable fashion because of the way its principals are defined within the organisation where I'm working, hence I wish to use LDAP as I need to support RBAC.

Yes you can provide Kafka with a custom class that implements LoginModule and have the authentication logic you want in it.

Then update the JAAS file with your class name and make sure it's in the classpath.

You'll need to put some boilerplate code to get everything setup correctly but you can use PlainLoginModule, PlainSaslServerProvider, PlainSaslServerFactory and PlainSaslServer as examples.

Your LoginModule class should have the same logic as PlainLoginModule but instead initialize your Provider implementation (in the static block).

Your Provider class should have the same logic as PlainSaslServerProvider but instead reference your SaslServerFactory implementation.

Your SaslFactory class should again have the same logic as PlainSaslServerFactory but create an instance of your SaslServer implementation.

Finally your SaslServer class should implement the necessary LDAP logic in its evaluateResponse() method. Just be sure to set correctly set this.authorizationId as this will become the user principal and set complete to true (like PlainSaslServer.evaluateResponse() does)