Configuration

config object required

anonymous string

An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure 4xx.

attribute string required

Attribute to be used to search for the user; e.g., cn

base_dn string required

Base DN as the starting point for the search; e.g., dc=example,dc=com

cache_ttl number

Cache expiry time in seconds.

Default: 60

header_type string

An optional string to use as part of the Authorization header.

Default: ldap

hide_credentials boolean

An optional boolean value telling the plugin to hide the credential from the upstream server. It will be removed by Kong before proxying the request.

Default: false

keepalive number

An optional value in milliseconds that defines how long an idle connection to the LDAP server will live before being closed.

Default: 60000

ldap_host string required

A string representing a host name, such as example.com.

ldap_port integer

An integer representing a port number between 0 and 65535, inclusive.

Default: 389

>= 0, <= 65535

ldaps boolean

Set to true to connect using the LDAPS protocol (LDAP over TLS). When ldaps is configured, you must use port 636. If the ldaps setting is enabled, ensure the start_tls setting is disabled.

Default: false

realm string

When authentication fails, the plugin sends a WWW-Authenticate header with the realm attribute value.

start_tls boolean

Set to true to issue the StartTLS (Transport Layer Security) extended operation over the LDAP connection. If the start_tls setting is enabled, ensure the ldaps setting is disabled.

Default: false

timeout number

An optional timeout in milliseconds when waiting for a connection with the LDAP server.

Default: 10000

verify_ldap_host boolean

Set to true to authenticate the LDAP server. The server certificate will be verified according to the CA certificates specified by the lua_ssl_trusted_certificate directive.

Default: false

protocols array[string]

A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.

Allowed values: grpc, grpcs, http, https, ws, wss

Default: grpc, grpcs, http, https, ws, wss

route object

If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.

* Additional properties are NOT allowed.
id string

service object

If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.

* Additional properties are NOT allowed.
id string
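
An added example, not part of the Kong documentation: a small Python lint that applies the constraints stated in this reference (ldaps and start_tls must not both be enabled, ldaps requires port 636) and flags the defaults that leave the LDAP connection unencrypted or unverified. The function name lint_ldap_auth, the finding strings and the sample configs are assumptions made for illustration.

```python
# Added example: lint for the `config` object described in this reference.
# Field names and defaults come from the page; lint_ldap_auth() and the
# finding strings are hypothetical.

DEFAULTS = {
    "anonymous": None, "hide_credentials": False, "ldap_port": 389,
    "ldaps": False, "start_tls": False, "verify_ldap_host": False,
}
REQUIRED = ("attribute", "base_dn", "ldap_host")


def lint_ldap_auth(config):
    """Return a list of (severity, message) findings for a config dict."""
    c = {**DEFAULTS, **config}
    findings = []
    for field in REQUIRED:
        if not c.get(field):
            findings.append(("error", f"{field} is required"))
    if not 0 <= c["ldap_port"] <= 65535:
        findings.append(("error", "ldap_port must be between 0 and 65535"))
    if c["ldaps"] and c["start_tls"]:
        findings.append(("error", "ldaps and start_tls are both enabled"))
    if c["ldaps"] and c["ldap_port"] != 636:
        findings.append(("error", "ldaps requires ldap_port 636"))
    if not (c["ldaps"] or c["start_tls"]):
        findings.append(("warn", "no TLS: connection to the LDAP server is not encrypted"))
    elif not c["verify_ldap_host"]:
        findings.append(("warn", "TLS without verify_ldap_host: server certificate is not checked"))
    if not c["hide_credentials"]:
        findings.append(("warn", "hide_credentials is false: credential is forwarded upstream"))
    if c["anonymous"]:
        findings.append(("warn", "anonymous is set: failed authentication falls back to that consumer"))
    return findings


# Constructed sample configs (host name and DN are placeholders).
DEFAULT_LIKE = {"attribute": "cn", "base_dn": "dc=example,dc=com",
                "ldap_host": "example.com"}
HARDENED = {**DEFAULT_LIKE, "ldaps": True, "ldap_port": 636,
            "verify_ldap_host": True, "hide_credentials": True}

if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(name)
        for severity, message in lint_ldap_auth(cfg):
            print(f"  [{severity}] {message}")
```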
