You are browsing documentation for an outdated plugin version.
Configuration
This plugin is compatible with DB-less mode.
Compatible protocols
The LDAP Authentication plugin is compatible with the following protocols:
grpc
, grpcs
, http
, https
, ws
, wss
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
-
name or plugin
string requiredThe name of the plugin, in this case
ldap-auth
.- If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is
name
. - If using the KongPlugin object in Kubernetes, the field is
plugin
.
- If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is
-
service.name or service.id
stringThe name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level
/plugins
endpoint. Not required if using/services/{serviceName|Id}/plugins
. -
route.name or route.id
stringThe name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level
/plugins
endpoint. Not required if using/routes/{routeName|Id}/plugins
. -
enabled
boolean default:true
Whether this plugin will be applied.
-
config
record required-
ldap_host
string requiredHost on which the LDAP server is running.
-
ldap_port
integer required default:389
between:0
65535
TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If
ldaps
is configured, you must use port 636.
-
ldaps
boolean required default:false
Set to
true
to connect using the LDAPS protocol (LDAP over TLS). Whenldaps
is configured, you must use port 636. If theldap
setting is enabled, ensure thestart_tls
setting is disabled.
-
start_tls
boolean required default:false
Set it to
true
to issue StartTLS (Transport Layer Security) extended operation overldap
connection. If thestart_tls
setting is enabled, ensure theldaps
setting is disabled.
-
verify_ldap_host
boolean required default:false
Set to
true
to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by thelua_ssl_trusted_certificate
directive.
-
base_dn
string requiredBase DN as the starting point for the search; e.g., “dc=example,dc=com”.
-
attribute
string requiredAttribute to be used to search the user; e.g., “cn”.
-
cache_ttl
number required default:60
Cache expiry time in seconds.
-
hide_credentials
boolean required default:false
An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.
-
timeout
number default:10000
An optional timeout in milliseconds when waiting for connection with LDAP server.
-
keepalive
number default:60000
An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.
-
anonymous
stringAn optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure
4xx
. Note that this value must refer to the consumerid
orusername
attribute, and not itscustom_id
.
-
header_type
string default:ldap
An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this:
Authorization: ldap base64(username:password)
. Ifheader_type
is set to “basic”, then the Authorization header would beAuthorization: basic base64(username:password)
. Note thatheader_type
can take any string, not just"ldap"
and"basic"
.
-