Kong Gateway provides the ability to bind authentication for Kong Manager admins to an organization’s service directory.
LDAP authentication for Kong Manager is enabled and configured entirely through kong.conf, and uses the LDAP Authentication Advanced and Session plugins in the background.
You do not need to manually enable either plugin.
Create the Kong Gateway container with RBAC and LDAP auth enabled. This example starts from the quickstart container.
Replace any values with your own as needed. At minimum, replace all values marked with YOUR- with literal values from your service directory:
This enables RBAC, sets ldap-auth-advanced as the authentication method, and configures your service directory.
For more information about the values, see the RBAC reference.
Enable RBAC and LDAP auth for Kong Manager by updating your kong.conf file with the following configuration.
Replace any values with your own as needed.
At minimum, set a session secret in admin_gui_session_conf and replace all values marked with YOUR- with literal values from your service directory:
This enables RBAC, sets ldap-auth-advanced as the authentication method, and configures your service directory.
For more information about the values, see the RBAC reference.
Once this is done, restart the Kong Gateway container to apply the change:
When authenticating Kong Manager with LDAP, the Session plugin is used to persist the authorization state.
This plugin (configured with admin_gui_session_conf) requires a secret and is configured securely by default.
For enhanced security, we recommend setting a few extra session parameters:
secret: Set this to a string value. A randomly generated secret is used if unspecified, but because the secret signs the session cookie, a secret generated at startup is known only to that node: set it explicitly when you run more than one Kong Gateway node or want sessions to survive a restart.
cookie_secure: Defaults to false. We recommend setting this value to true whenever Kong Manager is served over HTTPS, so the session cookie is never sent over plain HTTP.
cookie_same_site: Consider upgrading this value to Strict when using the same domain for the Admin API and Kong Manager, so the browser never attaches the session cookie to requests that originate from another site.
If using different domains for the Admin API and Kong Manager, cookie_same_site must be set to Lax: Kong Manager's requests to the Admin API are then cross-site, and a Strict cookie would not be sent with them.
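The following script is an added example and is not code from the Kong documentation. It builds the admin_gui_session_conf value with the hardened settings above, lints an existing value against them, and prints the kong.conf lines that turn on RBAC with LDAP auth. It assumes openssl is installed, that a secret shorter than 32 characters should be rejected (a threshold chosen here, not a Kong rule), and that Kong Manager is served over HTTPS so cookie_secure=true is safe; the LDAP placeholders marked YOUR- are meant to be replaced.

```shell
# Added example: generate and lint admin_gui_session_conf, then print a kong.conf fragment.
set -eu

# Generate a fresh session secret (openssl is assumed to be installed).
new_session_secret() {
  openssl rand -base64 32 | tr -d '\n'
}

# Emit the JSON for admin_gui_session_conf.
#   $1  secret
#   $2  "same"  -> Admin API and Kong Manager share a domain, Strict is possible
#       "split" -> they live on different domains, Lax is required
make_session_conf() {
  local secret="$1" same_site
  case "$2" in
    same)  same_site=Strict ;;
    split) same_site=Lax ;;
    *) echo "usage: make_session_conf SECRET same|split" >&2; return 2 ;;
  esac
  printf '{"secret":"%s","cookie_secure":true,"cookie_same_site":"%s"}' "$secret" "$same_site"
}

# Return 0 if the conf meets the recommendations above, 1 otherwise, listing each problem on stderr.
# The 32-character minimum is an assumption of this example.
lint_session_conf() {
  local conf="$1" rc=0
  printf '%s' "$conf" | grep -Eq '"secret":"[^"]{32,}"' \
    || { echo "secret: missing or shorter than 32 characters" >&2; rc=1; }
  printf '%s' "$conf" | grep -q '"cookie_secure":true' \
    || { echo "cookie_secure: not true, the session cookie would be sent over plain HTTP" >&2; rc=1; }
  printf '%s' "$conf" | grep -Eq '"cookie_same_site":"(Strict|Lax)"' \
    || { echo "cookie_same_site: set Strict (same domain) or Lax (different domains)" >&2; rc=1; }
  return $rc
}

# Print the kong.conf lines that enable RBAC with LDAP auth. Hosts, DNs and the bind password
# are placeholders (YOUR-...) to replace with values from the service directory; the LDAP
# attribute/consumer_by pairing assumes admins are matched by uid (see the mapping section).
print_kong_conf() {
  local session_conf="$1"
  cat <<EOF
enforce_rbac = on
admin_gui_auth = ldap-auth-advanced
admin_gui_session_conf = $session_conf
admin_gui_auth_conf = {"anonymous":"","attribute":"uid","bind_dn":"YOUR-BIND-DN","base_dn":"YOUR-BASE-DN","cache_ttl":2,"header_type":"Basic","keepalive":60000,"ldap_host":"YOUR-LDAP-HOST","ldap_password":"YOUR-BIND-PASSWORD","ldap_port":636,"ldaps":true,"start_tls":false,"timeout":10000,"verify_ldap_host":true,"consumer_by":["username"],"group_base_dn":"YOUR-GROUP-BASE-DN","group_name_attribute":"cn","group_member_attribute":"memberOf"}
EOF
}

# Usage: run with "demo" to print a complete, linted fragment for the split-domain case.
if [ "${1:-}" = "demo" ]; then
  conf="$(make_session_conf "$(new_session_secret)" split)"
  lint_session_conf "$conf"
  print_kong_conf "$conf"
fi
```

The lint is deliberately a fixed-string check over the compact JSON that make_session_conf emits; if you hand-edit the value with extra whitespace, normalize it first or the checks will report false problems.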
Using Kong’s LDAP Auth Advanced plugin, you can map service directory groups to Kong roles for authentication and authorization.
Here’s how service directory mapping works in Kong Gateway:
Roles are created in Kong Gateway using the Admin API or Kong Manager.
Groups are created and roles are associated with the groups.
When users log in to Kong Manager, they get permissions based on the groups they belong to.
When using LDAP service directory mapping, roles assigned to admins are managed by the service directory.
The mapping removes the task of manually managing access in Kong Gateway, because it makes the directory the system of record.
If an admin’s group changes in the directory, their Kong admin account’s associated role also changes in Kong Gateway the next time they log in to Kong Manager.
Don’t assign or unassign admin roles in Kong Gateway manually, as any changes will be overwritten by the directory during the next login.
The following examples show you how to set up LDAP authenticated group mapping for Kong Manager, then create admins in Kong Manager and map them to service directory groups.
Alternatively, choose one of the following workflows:
Start Kong Gateway with RBAC turned off, map a group to the Super Admin role, and then create an admin to correspond to a user belonging to that group.
This approach ensures that the Super Admin’s privileges are entirely tied to the directory group, whereas bootstrapping a Super Admin only uses the directory for authentication.
Create all admin accounts for matching directory users first and ensure that their existing groups map to appropriate roles before enforcing RBAC.
Define roles with permissions in Kong Gateway using RBAC.
You must manually define which Kong roles correspond to each of the service directory’s groups using either of the following:
In Kong Manager’s directory mapping section. Find it under Teams > Groups tab.
With the Admin API’s directory mapping endpoints.
Kong Gateway will not write to the service directory.
For example, a Kong Gateway admin can’t create users or groups in the directory.
You must create users and groups independently in the service directory before mapping them to Kong Gateway.
Using service directory mapping, groups are mapped to roles.
When a user logs in, they are identified with their admin username and authenticated with the matching user credentials in the service directory.
The groups in the service directory are then automatically matched to the associated roles that the organization has defined.
To map a service directory user to a Kong Gateway admin, map the admin’s username or custom ID to the DN value corresponding to the attribute configured in admin_gui_auth_conf.
If you already have admins in Kong Manager with assigned roles and want to use LDAP group mapping instead, remove all of their roles first.
The service directory will serve as the system of record for user privileges.
For example, let’s assume that:
LDAP config on Kong side:
consumer_by is set to username
group_member_attribute is UID
Service directory user: UID=example-user
In this case, you would match the Kong admin’s username attribute to the UID in the service directory, which is example-user.
We recommend pairing the bootstrapped Super Admin with a directory user as the first Super Admin. Using our example values, that would look like this:
After creating this admin, map the super-admin role to a group that example-user is in on the LDAP directory side,
then delete the super-admin role from the example-user admin on the Kong Gateway side.
Pick a group that is itself restricted to privileged users in your service directory: if you map super-admin to a broad group, every directory user in that group becomes a Super Admin in Kong Gateway the next time they log in.
Important: If you delete the Super Admin role from your only admin, and have not yet mapped the Super Admin role to a group that admin belongs to,
then you won’t be able to log in to Kong Manager.
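The following script is an added example and is not code from the Kong documentation. It drives the mapping workflow above through the Admin API with curl: define a role, map directory groups to roles, create the admin for the directory user, and only then remove the manually assigned super-admin role. It assumes the Admin API at KONG_ADMIN_URL, the bootstrapped Super Admin's RBAC token in KONG_ADMIN_TOKEN, the default workspace, directory groups named kong-readers and kong-admins (values chosen for this example), and that the Kong admin username equals the directory uid (consumer_by = username).

```shell
# Added example: LDAP group -> RBAC role mapping and Super Admin handover via the Admin API.
set -eu

KONG_ADMIN_URL="${KONG_ADMIN_URL:-http://localhost:8001}"   # assumed location of the Admin API
KONG_ADMIN_TOKEN="${KONG_ADMIN_TOKEN:-}"                     # RBAC token of the bootstrapped Super Admin

# Every Admin API request goes through this one function so the calls can be audited or stubbed.
#   kong_api METHOD PATH [JSON_BODY]
kong_api() {
  local method="$1" path="$2" body="${3:-}"
  curl -sS -f -X "$method" "$KONG_ADMIN_URL$path" \
    -H "Kong-Admin-Token: $KONG_ADMIN_TOKEN" \
    -H "Content-Type: application/json" \
    ${body:+-d "$body"}
}

# Pull the "id" out of a single-object Admin API response (role, workspace, group).
json_id() { sed -n 's/.*"id": *"\([^"]*\)".*/\1/p'; }

# 1. Define a role in Kong Gateway with read access to every endpoint of the workspace.
create_role() {   # create_role ROLE_NAME WORKSPACE
  kong_api POST "/$2/rbac/roles" "{\"name\":\"$1\"}" >/dev/null
  kong_api POST "/$2/rbac/roles/$1/endpoints" \
    '{"endpoint":"*","workspace":"'"$2"'","actions":"read"}' >/dev/null
}

# 2. Map a directory group to a role. GROUP is the value of group_name_attribute (cn) and must
#    already exist in the directory; Kong never writes to the directory, only reads membership.
map_group_to_role() {   # map_group_to_role GROUP ROLE WORKSPACE
  local group="$1" role="$2" ws="$3" role_id ws_id
  role_id="$(kong_api GET "/$ws/rbac/roles/$role" | json_id)"
  ws_id="$(kong_api GET "/workspaces/$ws" | json_id)"
  [ -n "$role_id" ] && [ -n "$ws_id" ] || { echo "role or workspace not found" >&2; return 1; }
  kong_api POST /groups "{\"name\":\"$group\"}" >/dev/null 2>&1 || true   # 409 if the group exists
  kong_api POST "/groups/$group/roles" \
    "{\"rbac_role_id\":\"$role_id\",\"workspace_id\":\"$ws_id\"}"
}

# 3. Create the admin for a directory user. username must equal the directory uid (consumer_by).
create_directory_admin() {   # create_directory_admin UID EMAIL
  kong_api POST /admins "{\"username\":\"$1\",\"email\":\"$2\"}"
}

# Assign or remove a role on an admin by hand (only used for the one-time bootstrap handover).
add_admin_role()  { kong_api POST   "/admins/$1/roles" "{\"roles\":\"$2\"}"; }   # ADMIN ROLE
drop_manual_role() { kong_api DELETE "/admins/$1/roles" "{\"roles\":\"$2\"}"; }   # ADMIN ROLE

# Usage: run with "apply" against a live Admin API. Because of set -e, the manual super-admin
# role is removed only after the group mapping succeeded, which avoids the lock-out described above.
if [ "${1:-}" = "apply" ]; then
  create_role read-only default
  map_group_to_role kong-readers read-only default
  create_directory_admin example-user example-user@example.com >/dev/null
  add_admin_role example-user super-admin >/dev/null
  map_group_to_role kong-admins super-admin default >/dev/null   # kong-admins: tightly controlled group
  drop_manual_role example-user super-admin >/dev/null           # directory is now the source of truth
fi
```

From this point on, do not touch example-user's roles by hand: whatever the directory says about kong-admins membership is reapplied at the next login and overwrites manual changes.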
See Admins for more information on creating admins in Kong Manager.