You are browsing unreleased documentation.
Looking for the plugin's configuration parameters? You can find them in the LDAP Authentication configuration reference doc.
Add LDAP Bind Authentication to a route with username and password protection. The plugin
checks for valid credentials in the Proxy-Authorization
and Authorization
headers,
in that order.
This plugin is the open-source version of the LDAP Authentication Advanced plugin, which is available with an Enterprise subscription. Advanced functionality includes:
- LDAP searches for group and consumer mapping
- Ability to authenticate based on username or custom ID
- The ability to bind to an enterprise LDAP directory with a password
- The ability to authenticate/authorize using a group base DN and specific group member or group name attributes
Usage
To authenticate a user, the client must set credentials in either the
Proxy-Authorization
or Authorization
header in the following format:
credentials := [ldap | LDAP] base64(username:password)
The Authorization header would look something like:
Authorization: ldap dGxibGVzc2luZzpLMG5nU3RyMG5n
The plugin validates the user against the LDAP server and caches the
credentials for future requests for the duration specified in
config.cache_ttl
.
You can set the header type ldap
to any string (such as basic
) using
config.header_type
.
Upstream Headers
When a client has been authenticated, the plugin appends some headers to the request before proxying it to the upstream service, so that you can identify the consumer in your code:
-
X-Consumer-ID
: The ID of the consumer in Kong. -
X-Consumer-Custom-ID
: Thecustom_id
of the consumer (if set). -
X-Consumer-Username
: Theusername
of the consumer (if set). -
X-Credential-Identifier
: The identifier of the credential (only if the consumer is not theanonymous
consumer). -
X-Anonymous-Consumer
: Is set totrue
if authentication fails, and theanonymous
consumer is set instead.
You can use this information on your side to implement additional logic.
You can use the X-Consumer-ID
value to query the Kong Admin API and retrieve
more information about the consumer.
Using Service Directory Mapping on the CLI
When using only RBAC Token authorization, Service Directory Mapping to Kong Roles does not take effect. If you need to use CLI access with your Service Directory mapping, you can use the same authentication mechanism that Kong Manager uses to secure browser sessions.
Authenticate User Session
Retrieve a secure cookie session with the authorized LDAP user credentials:
$ curl -c /tmp/cookie http://localhost:8001/auth \
-H 'Kong-Admin-User: <LDAP_USERNAME>' \
--user <LDAP_USERNAME>:<LDAP_PASSWORD>
Now the cookie is stored at /tmp/cookie
and can be read for future requests:
$ curl -c /tmp/cookie -b /tmp/cookie http://localhost:8001/consumers \
-H 'Kong-Admin-User: <LDAP_USERNAME>'
Because Kong Manager is a browser application, if any HTTP responses see the Set-Cookie
header, then it will automatically attach it to future requests. This is why it is helpful to use cURL’s cookie engine or HTTPie sessions. If storing the session is not desired, then the Set-Cookie
header value can be copied directly from the /auth
response and used with subsequent requests.