ACL and LDAP not working together

Can I use the ACL and LDAP plugins together?
Steps that I followed:

  1. Added Service and Route
  2. Added a consumer with consumer ID user1 in group gr1
  3. Set up LDAP that hosts the user with user ID user1
  4. Added the LDAP plugin to the service
  5. Tested with LDAP auth - it works
  6. Added ACL to restrict access to gr1
  7. Tested as in step 5 - does not work, with message {"message":"You cannot consume this service"}
  8. Disabled ACL; step 5 works again

Please clarify whether there is some restriction on using the LDAP and ACL plugins together.

Did you follow some documentation when setting this up? If so, a link please? I actually have no idea whether this is supported.

ACL typically works on consumers with Kong, but LDAP relies on remote authentication.

Did not follow any link, just my own use case, where I wanted to use LDAP as the credential provider and ACL to do access control with the API gateway.

@Prashant_Shandilya the ldap auth plugin only has consumer mapping in the Enterprise edition with LDAP Auth Advanced Plugin via the config.consumer_by property. With the LDAP plugin, you can only bind to an anonymous consumer. There is future support for LDAP<->ACL planned via authenticated_groups context (https://github.com/Kong/kong/pull/4013), but for now the community edition lacks this support.

1 Like
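For readers who want to reproduce the behaviour described in the question, here is the same setup (steps 1, 2, 4 and 6) written as a Kong declarative configuration file. This is an added example, not configuration posted in the thread or shipped by Kong; the upstream URL, LDAP host, base DN and route path are assumptions. The comments mark where the community-edition ldap-auth plugin stops short: it verifies the bind but never identifies a Kong consumer, so the acl plugin has no group membership to evaluate and rejects every request.

```yaml
# kong.yml: declarative config reproducing steps 1-6 of the original post.
# Added example, not from the thread; hostnames, DNs and paths are assumptions.
# Load on a DB-less node or with: kong config db_import kong.yml
_format_version: "1.1"

services:
- name: ldap-protected-service
  url: http://upstream.internal:8080        # assumed upstream
  routes:
  - name: ldap-protected-route
    paths:
    - /protected                            # assumed path
  plugins:
  # Step 4: LDAP authentication. In the community edition this plugin
  # binds against the directory to check the password but never maps the
  # LDAP user to a Kong consumer, so no consumer (and therefore no ACL
  # group) is attached to the request. The only consumer it can ever set
  # is the optional config.anonymous fallback consumer, which is used when
  # no valid credentials are supplied.
  - name: ldap-auth
    config:
      ldap_host: ldap.example.com           # assumed directory host
      ldap_port: 389
      base_dn: ou=users,dc=example,dc=com   # assumed base DN
      attribute: uid
      hide_credentials: true
  # Step 6: restrict the service to group gr1. The acl plugin looks up the
  # groups of the consumer identified by the auth plugin; with ldap-auth
  # there is none, so the request is rejected with
  # {"message":"You cannot consume this service"}.
  - name: acl
    config:
      whitelist:            # renamed to 'allow' in Kong 2.1 and later
      - gr1

# Step 2: the consumer in group gr1. Because ldap-auth never identifies
# this consumer, its ACL membership is never consulted, which is why
# disabling the acl plugin (step 8) makes the request succeed again.
consumers:
- username: user1
  acls:
  - group: gr1
```

Adding `anonymous: <uuid of a fallback consumer>` to the ldap-auth config does not change the outcome for user1: the acl plugin would then evaluate the groups of that fallback consumer for every request, not the groups of the LDAP user. The consumer mapping that makes this setup work is the `consumer_by` option of the Enterprise LDAP Auth Advanced plugin mentioned in the answer above.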

Hi, it seems like Kong EE also lacks this feature, see this related question:
KongEE OpenID Connect Plugin - ACL plugin ignores groups returned in Access Token

This feature is very much required, since external authentication and an authorization matrix implementation are standard use cases. If this basic feature is not supported, it would be very difficult to adopt Kong.

What is the plan to include the pull requests mentioned in the previous comments?

Kong EE does not lack the support that @Prashant_Shandilya is originally referring to, where a service/route is mapped by the LDAP Auth Advanced plugin to a Consumer who is part of an ACL group.

But it does currently lack the authenticated_groups context of PR 4013 that I mentioned, which is for when you do not even need a Kong Consumer. I cannot comment with any certainty on how soon 4013 will be available for use with the LDAP Auth Advanced plugin, but I do know that it is planned for sometime this year.