LDAP Authentication Advanced

Configuration

config (object, required)

anonymous (string)

An optional string (consumer UUID or username) identifying a consumer to use as the “anonymous” consumer if authentication fails. If empty (default null), the request fails with a 4xx authentication error. Note that this value must refer to the consumer's id or username attribute, not its custom_id. Because every failed authentication is then treated as that consumer, grant the anonymous consumer only the access that unauthenticated callers should have.

Constraint: >= 0 characters

Default: null

attribute (string, required)

Attribute to be used to search the user; e.g., “cn”.

base_dn (string, required)

Base DN used as the starting point for the user search; e.g., “dc=example,dc=com”.

bind_dn (string)

The DN to bind with when performing the LDAP search for the user. This bind DN needs permission to search for the user being authenticated; it does not need any other rights.
This field is referenceable (it can be resolved from a vault reference).

cache_ttl (number)

Cache expiry time in seconds.

Default:60

consumer_by (array[string])

Whether to map the authenticated LDAP user to a consumer by username, by custom_id, or by either.

Allowed values: custom_id, username

Default:custom_id, username

consumer_optional (boolean)

Whether consumer mapping is optional. If consumer_optional=true, the plugin will not attempt to associate a consumer with the LDAP authenticated user.

Default:false

group_base_dn (string)

Sets the distinguished name (DN) of the entry where LDAP searches for groups begin, such as a DN ending in ‘,dc=com’. This field is case-insensitive.

group_member_attribute (string)

Sets the attribute holding the members of the LDAP group. This field is case-sensitive.

Default:memberOf

group_name_attribute (string)

Sets the attribute holding the name of a group, typically called name (in Active Directory) or cn (in OpenLDAP). This field is case-insensitive.

groups_required (array[string])

The groups that must be present in the LDAP search result for authorization to succeed. This parameter expresses both AND and OR conditions:

- When several names appear in the same array element, separated by spaces, such as ["group1 group2"], both group1 AND group2 must be present in the LDAP search result.
- When the names are in different array elements, such as ["group1", "group2"], either group1 OR group2 must be present in the LDAP search result.
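The AND/OR rule above is easy to misread, so here is an added worked example (not Kong's own Lua code) that models it: each array element is one AND-clause of space-separated names, and the clauses are OR'ed together. The group-name extraction helper is also an assumption of this example: it shows one plausible way the group_base_dn, group_member_attribute and group_name_attribute settings fit together (memberOf values are DNs; the name is the RDN whose attribute matches group_name_attribute) and is not a description of the plugin's internals.

```python
"""Model of the groups_required semantics for the LDAP Authentication Advanced
plugin.  Added illustration, not Kong's code; sample data is constructed."""


def parse_groups_required(groups_required):
    """Turn the config array into a list of AND-clauses.

    ["group1 group2"]  -> [["group1", "group2"]]   (both required)
    ["group1", "group2"] -> [["group1"], ["group2"]] (either suffices)
    """
    clauses = []
    for element in groups_required:
        names = element.split()  # space-separated names in one element = AND
        if names:
            clauses.append(names)
    return clauses


def is_authorized(groups_required, ldap_groups):
    """Return True if the groups from the LDAP search satisfy groups_required.

    An empty groups_required is treated as "no group check configured"
    (assumption of this example); otherwise at least one clause must be
    fully present.  Names are compared exactly, not case-folded.
    """
    clauses = parse_groups_required(groups_required)
    if not clauses:
        return True
    present = set(ldap_groups)
    return any(all(name in present for name in clause) for clause in clauses)


def group_names_from_dns(member_of_values, group_base_dn, group_name_attribute="cn"):
    """Extract group names from memberOf-style DNs (assumed model, not Kong's).

    Only DNs under group_base_dn are considered (suffix match, compared
    case-insensitively as the page says that field is); the name is the value
    of the first RDN whose attribute equals group_name_attribute.  RFC 4514
    escaping of commas inside values is ignored for brevity.
    """
    names = []
    base = group_base_dn.lower()
    attr_wanted = group_name_attribute.lower()
    for dn in member_of_values:
        if not dn.lower().endswith(base):
            continue  # group lives outside the configured subtree
        for rdn in dn.split(","):
            attr, _, value = rdn.strip().partition("=")
            if attr.lower() == attr_wanted:
                names.append(value)
                break
    return names


# Constructed sample: memberOf values returned for one user by the LDAP search
SAMPLE_MEMBER_OF = [
    "cn=developers,ou=groups,dc=example,dc=com",
    "CN=oncall,OU=groups,DC=example,DC=com",
    "cn=legacy,ou=old,dc=other,dc=com",  # outside group_base_dn, ignored
]
SAMPLE_GROUP_BASE_DN = "ou=groups,dc=example,dc=com"


if __name__ == "__main__":
    groups = group_names_from_dns(SAMPLE_MEMBER_OF, SAMPLE_GROUP_BASE_DN)
    print(groups)
    print(is_authorized(["developers oncall"], groups))   # AND, both present
    print(is_authorized(["admins", "oncall"], groups))     # OR, one present
    print(is_authorized(["developers admins"], groups))    # AND, one missing
```

The case that bites in practice is the first one: `["developers", "oncall"]` (two elements) admits anyone in either group, while `["developers oncall"]` (one element) requires membership in both.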

header_type (string)

An optional string used as the scheme of the Authorization header. By default, a valid Authorization header looks like this: Authorization: ldap base64(username:password). If header_type is set to “basic”, the header becomes Authorization: basic base64(username:password). Note that header_type can take any string, not just 'ldap' and 'basic'. Whatever the scheme, the payload is only base64-encoded, not encrypted, so the credentials are readable by anything that can see the request; send them over TLS.

Default:ldap
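An added example (not the plugin's Lua code) of the header format just described, from both sides: building the header a client sends for a given header_type, and decoding it back. Two details of the decoder are assumptions of this example rather than documented plugin behaviour: the scheme is compared case-insensitively, and the decoded payload is split on the first colon so that a password containing ':' survives.

```python
"""Build and decode `Authorization: <header_type> base64(username:password)`.
Added illustration for the LDAP Authentication Advanced page; not Kong's parser."""

import base64


def build_authorization_header(username, password, header_type="ldap"):
    """Client side: the value to send in the Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"{header_type} {token}"


def parse_authorization_header(value, header_type="ldap"):
    """Decode a header value produced for header_type.

    Returns (username, password), or None when the scheme does not match the
    configured header_type, the base64 is malformed, or the payload has no
    "user:password" shape.  Scheme matching is case-insensitive here
    (assumption of this example).  The split is on the FIRST ':' so that
    passwords containing ':' are kept intact.
    """
    scheme, sep, token = value.strip().partition(" ")
    if not sep or scheme.lower() != header_type.lower():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


if __name__ == "__main__":
    # Constructed credentials; the password deliberately contains a colon.
    hdr = build_authorization_header("alice", "pa:ss", header_type="ldap")
    print(hdr)
    print(parse_authorization_header(hdr, header_type="ldap"))
    # A "basic" header is rejected when the plugin is configured for "ldap".
    print(parse_authorization_header(build_authorization_header("alice", "pa:ss", "basic"), "ldap"))
```

Note that the base64 payload is identical for the "ldap" and "basic" schemes; only the scheme word differs, which is why a header_type mismatch is the usual cause of unexpected 401s when a client library insists on sending "Basic".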

hide_credentials (boolean)

An optional boolean telling the plugin to hide the credential from the upstream service: the Authorization header is removed by Kong before the request is proxied. With the default of false, the upstream receives the base64-encoded LDAP username and password on every request.

Default:false

keepalive (number)

An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.

Default:60000

ldap_host (string, required)

Host on which the LDAP server is running.

ldap_password (string)

The password to the LDAP server.
This field is referenceable.
This field is encrypted.

ldap_port (number)

TCP port on which the LDAP server is listening. 389 is the default port for plaintext (and StartTLS-upgraded) LDAP and AD; 636 is the port for LDAP and AD over TLS (ldaps). If ldaps is enabled, you must use port 636.

Default:389

ldaps (boolean)

Set to true to connect to the LDAP server over ldaps, that is, LDAP wrapped in TLS from the start of the connection. When ldaps is enabled, you must use port 636. If ldaps is enabled, ensure start_tls is disabled; the two are mutually exclusive.

Default:false

log_search_results (boolean)

Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.

Default:false

realm (string)

When authentication fails, the plugin sends a WWW-Authenticate header whose realm attribute is set to this value.

start_tls (boolean)

Set to true to issue the StartTLS extended operation over the LDAP connection, upgrading the plaintext connection (normally on port 389) to TLS before any bind is sent. If start_tls is enabled, ensure ldaps is disabled; the two are mutually exclusive.

Default:false

timeout (number)

An optional timeout in milliseconds when waiting for connection with LDAP server.

Default:10000

verify_ldap_host (boolean)

Set to true to authenticate the LDAP server: its certificate is verified against the CA certificates specified by the lua_ssl_trusted_certificate directive. With the default of false, ldaps and start_tls encrypt the connection but do not check who is on the other end, so an attacker on the path can present any certificate and capture the bind credentials.

Default:false
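The transport settings above interact (ldaps and start_tls are mutually exclusive, ldaps requires port 636, and verify_ldap_host defaults to off), so here is an added pre-deployment lint, not part of Kong, that encodes those constraints plus the hygiene points this page raises (log_search_results, hide_credentials, anonymous). The two config dicts are constructed for illustration; the key names are the plugin's, the structure of the dict is an assumption of the example.

```python
"""Lint an LDAP Authentication Advanced config block against the constraints
stated on this page.  Added example; configs below are constructed."""


def lint_ldap_auth_config(config):
    """Return (errors, warnings).

    errors   : combinations the page says will not work
    warnings : valid settings that weaken security or leak data
    """
    errors, warnings = [], []
    ldaps = bool(config.get("ldaps", False))
    start_tls = bool(config.get("start_tls", False))
    port = config.get("ldap_port", 389)

    # Hard constraints from the ldaps / start_tls / ldap_port descriptions.
    if ldaps and start_tls:
        errors.append("ldaps and start_tls are mutually exclusive; enable only one")
    if ldaps and port != 636:
        errors.append(f"ldaps requires ldap_port 636, got {port}")
    if start_tls and port == 636:
        warnings.append("start_tls upgrades a plaintext LDAP connection; port 636 expects TLS from the first byte")

    # Transport hygiene.
    if not ldaps and not start_tls:
        warnings.append("no ldaps or start_tls: bind credentials and search traffic go to the LDAP server in cleartext")
    if (ldaps or start_tls) and not config.get("verify_ldap_host", False):
        warnings.append("verify_ldap_host is false: the LDAP server certificate is not verified, so TLS does not authenticate the server")

    # Data-handling hygiene.
    if config.get("log_search_results", False):
        warnings.append("log_search_results is true: full LDAP entries will be written to the logs")
    if not config.get("hide_credentials", False):
        warnings.append("hide_credentials is false: the Authorization header is forwarded to the upstream")
    if config.get("anonymous"):
        warnings.append("anonymous is set: failed authentication falls through to that consumer instead of a 4xx")
    return errors, warnings


# Constructed: a config that will not work and leaks more than it should.
WEAK_CONFIG = {
    "ldap_host": "ldap.example.com",
    "ldap_port": 389,
    "ldaps": True,
    "start_tls": True,
    "verify_ldap_host": False,
    "log_search_results": True,
    "hide_credentials": False,
    "anonymous": "fallback-consumer",
}

# Constructed: the corrected form of the same config.
HARDENED_CONFIG = {
    "ldap_host": "ldap.example.com",
    "ldap_port": 636,
    "ldaps": True,
    "start_tls": False,
    "verify_ldap_host": True,
    "log_search_results": False,
    "hide_credentials": True,
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        errors, warnings = lint_ldap_auth_config(cfg)
        print(name, "errors:", errors)
        print(name, "warnings:", warnings)
```

Run it against the config block before applying it with the Admin API or decK; an ldaps/start_tls conflict or a wrong port surfaces here rather than as a connection timeout at request time.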

protocols (array[string])

A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.

Allowed values: grpc, grpcs, http, https, ws, wss

Default:grpc, grpcs, http, https, ws, wss

route (object)

If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.

Child parameter: id (string). Additional properties are not allowed.

service (object)

If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.

Child parameter: id (string). Additional properties are not allowed.
