Can both LDAP and ACL plugins be enabled on route?

I’ve enabled both LDAP(Basic Auth) and ACL plugins on my route. While making the request, I’m sending the Authorization header. However, I still get the 403 error - “You cannot consume this service”.

With just LDAP, it is working
With ACL and key-auth, it is working
but with LDAP and ACL, it's NOT working

Below are my consumer details. Please note the custom_id has been given the ‘dn’ of LDAP.

GET /consumers/35087323-0a31-46f2-8556-77b335bbc6ef/acls

    {
        "total": 3,
        "data": [
            {
                "group": "test",
                "created_at": 1529579597610,
                "id": "e38fbd04-8561-4dcd-aaf1-9886d4200c74",
                "consumer_id": "35087323-0a31-46f2-8556-77b335bbc6ef"
            },
            {
                "group": "dev",
                "created_at": 1529572353282,
                "id": "e35b7e30-2187-47f2-bfa7-c9349e573a86",
                "consumer_id": "35087323-0a31-46f2-8556-77b335bbc6ef"
            },
            {
                "group": "dev-group",
                "created_at": 1529570247472,
                "id": "abe6af05-82a3-430e-b12c-eda51ec85b7d",
                "consumer_id": "35087323-0a31-46f2-8556-77b335bbc6ef"
            }
        ]
    }

GET /consumers/35087323-0a31-46f2-8556-77b335bbc6ef

    {
        "custom_id": "cn=admin,dc=example,dc=org",
        "created_at": 1529568859691,
        "username": "admin",
        "id": "35087323-0a31-46f2-8556-77b335bbc6ef"
    }

Hi,

Right now LDAP doesn’t offer functionality such as:

  1. Mapping 3rd party LDAP credentials/identities to Kong Consumer
    OR
  2. Setting up credentials based on arbitrary LDAP attribute

For ACL you will need 1. Which means you need to have a user in LDAP and a matching consumer in Kong. Because currently ACL only associates with Kong Consumers.

Some of our EE plugins already do 1. and 2., and I have heard that people are working on adding that to LDAP too. We should also try to make the ACL plugin more flexible with 3rd party providers such as LDAP and OpenID Connect (without having an associated Kong consumer).
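
The check below is an added example, not part of the original thread or Kong's own code: it lints a route's plugin listing for the combination described above, ACL enabled while the only authentication plugin is one that identifies no Kong Consumer. The function name, the `CONSUMER_AUTH` set and the sample listing are assumptions made for illustration.

```python
import json

# Assumption (not from the thread): auth plugins whose credentials belong to a
# Kong Consumer, so the ACL plugin has a consumer to look groups up for.
CONSUMER_AUTH = {"key-auth", "basic-auth", "hmac-auth", "jwt", "oauth2"}
# Per the reply above: LDAP auth does not map the LDAP identity to a Consumer.
NO_CONSUMER_AUTH = {"ldap-auth"}

# Constructed sample in the {"total", "data"} shape used by the Admin API
# output in the question; other plugin fields are omitted.
SAMPLE = json.loads("""
{"total": 2, "data": [
  {"name": "ldap-auth", "enabled": true},
  {"name": "acl", "enabled": true}
]}
""")


def acl_findings(listing):
    """Return warnings (a list of strings) for one route's plugin listing."""
    enabled = {p["name"] for p in listing.get("data", [])
               if p.get("enabled", True)}
    if "acl" not in enabled:
        return []
    if enabled & CONSUMER_AUTH:
        return []  # some plugin can identify a Consumer for ACL to check
    blind = sorted(enabled & NO_CONSUMER_AUTH)
    if blind:
        return ["acl is paired only with %s, which authenticates the user but "
                "identifies no Kong Consumer, so no ACL group can match"
                % ", ".join(blind)]
    return ["acl is enabled but no authentication plugin is enabled"]


if __name__ == "__main__":
    for finding in acl_findings(SAMPLE):
        print("WARNING:", finding)
```

Plugins applied at the service or global level also take effect on the route, so pass the function the combined listing when auditing a real configuration.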