ACL and LDAP not working together

#1

Can I use the ACL and LDAP plugins together?
Steps that I followed:

  1. Added Service and Route
  2. Added consumer with consumerid user1 with group gr1
  3. Set up LDAP that hosts a user with userid user1
  4. Added ldap plugin to service
  5. Tested with ldap auth - it works
  6. Added ACL to restrict access to gr1
  7. Tested with step # 5 - does not work with message {"message":"You cannot consume this service"}
  8. Disabled ACL step # 5 works again

Please clarify if there is some potential restriction on usage of the LDAP and ACL plugins together.

0 Likes

#2

Did you follow some documentation when setting this up? If so, a link please? I actually have no idea whether this is supported.

ACL typically works on consumers with Kong, but LDAP relies on remote authentication.

0 Likes

#3

I did not follow any link, just my own use case, where I wanted to use LDAP as the credential provider and ACL to do access control with the API gateway.

0 Likes

#4

@Prashant_Shandilya the ldap auth plugin only has consumer mapping in the Enterprise edition with LDAP Auth Advanced Plugin via the config.consumer_by property. With the LDAP plugin, you can only bind to an anonymous consumer. There is future support for LDAP<->ACL planned via authenticated_groups context (https://github.com/Kong/kong/pull/4013), but for now the community edition lacks this support.

1 Like
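An added example, not part of the thread and not Kong source code: a simplified Python model of why the request in post #1 is rejected and how consumer mapping or an `authenticated_groups` context, as described in post #4, would change the outcome. The switches `map_consumer` and `pass_groups`, the sample password and the failure message for a bad bind are hypothetical stand-ins.

```python
# Simplified model of the plugin chain discussed in the thread; not Kong code.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data mirroring the setup in post #1.
CONSUMER_GROUPS = {"user1": {"gr1"}}   # gateway consumer -> ACL groups
LDAP_DIRECTORY = {"user1": "s3cret"}   # LDAP userid -> password (constructed)
LDAP_GROUPS = {"user1": {"gr1"}}       # groups known to the directory (constructed)

@dataclass
class Context:
    credential: Optional[str] = None            # username the auth plugin verified
    consumer: Optional[str] = None              # set only when auth maps to a consumer
    authenticated_groups: Optional[set] = None  # groups handed over by the auth plugin

def ldap_auth(user, password, map_consumer=False, pass_groups=False):
    """Verify the bind; optionally map a consumer or pass directory groups on."""
    if LDAP_DIRECTORY.get(user) != password:
        return None  # bind failed, nothing authenticated
    ctx = Context(credential=user)
    if map_consumer and user in CONSUMER_GROUPS:
        ctx.consumer = user  # hypothetical switch: consumer mapping enabled
    if pass_groups:
        ctx.authenticated_groups = set(LDAP_GROUPS.get(user, ()))
    return ctx

def acl(ctx, allowed):
    """Return (allowed, message) for a group restriction on the service."""
    if ctx is None:
        return False, "authentication failed"  # placeholder message
    if ctx.authenticated_groups is not None:
        groups = ctx.authenticated_groups      # groups supplied by the auth step
    else:
        # Without a mapped consumer there is no group list to look up.
        groups = CONSUMER_GROUPS.get(ctx.consumer, set())
    if groups & allowed:
        return True, "OK"
    return False, "You cannot consume this service"

def request(user, password, allowed=frozenset({"gr1"}), **auth_opts):
    """Run one request through authentication, then the ACL check."""
    return acl(ldap_auth(user, password, **auth_opts), set(allowed))

if __name__ == "__main__":
    print(request("user1", "s3cret"))                     # steps 5-7 of post #1
    print(request("user1", "s3cret", map_consumer=True))  # consumer mapping
    print(request("user1", "s3cret", pass_groups=True))   # authenticated_groups
```

The first call reproduces step 7 of post #1: the LDAP bind succeeds, but the ACL check sees no consumer and therefore no `gr1` membership, even though a consumer named `user1` exists.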

#5

Hi, it seems like Kong EE also lacks this feature, see this related question:
KongEE OpenID Connect Plugin - ACL plugin ignores groups returned in Access Token

0 Likes

#6

This feature is very much required, since external authentication and authorization matrix implementations are standard use cases. If this basic is not supported, it would be very difficult to adopt Kong.

What is the plan to include the pull requests mentioned in previous comments?

0 Likes