How to configure rate-limiting on consumer

Hello,

I have created a consumer with username=XXX and custom.id=XXX and attached the rate-limit plug-in to it.
Then I have set the global LDAP authentication plugin name=“ldap-auth”. The ldap-auth plug-in works well having
“Authentication base64(username:password)” headers. But it seems that the “username=XXX” is not matched with the consumer XXX as rate-limits are not applied.

I have created the rate-limit plug-in with the following request:

curl -X POST http://localhost:8001/consumers/XXX/plugins \
  --data "name=rate-limiting" \
  --data "config.minute=2" \
  --data "config.policy=cluster"

When I send 3 requests on behalf of the user XXX, it does not prevent me from sending more requests.
On the other hand, when I set the rate-limit plug-in on route, it works.

How is the mapping of the API request to the consumer entity done?
I use docker image of the latest Kong version (2.6.0)

Update on troubleshooting:

I’ve used “key-auth” to match API request with the consumer. So I assume it is matched with the defined consumer, however no information headers are returned back to client, such as:

RateLimit-Limit: 6
RateLimit-Remaining: 4
RateLimit-Reset:

On the other hand, when I set rate-limiting plug-in on a route then I get these headers back and it works.

Update: I have cleared my Postgres DB of Kong and completely redone the following basic scenario

The result is the same. Only route rate-limiting plugin is applied.

Thanks for any hint or suggestions how to better troubleshoot it.

Actually, the referenced example above with httpbin API worked for me in the end.
So then I mounted into it my application and it worked as well.
But then I added the “ldap-auth” plug-in and I got to the problem that I described here.

Isn’t it a bug? I didn’t read anywhere that it cannot be used together.

Hi bel81,

from what you describe, it seems that you have

LDAP auth → Global
Keyauth → on Route
rate limiting → Consumer

Did you use keyauth and LDAP at the same time? So when you authenticate, you need to pass in apiKey and Authorization basic header. Is that right?

Hi fomm,

Yes, I was using LDAP auth with Key auth and rate limiting at the same time.
I’ve tried LDAP auth globally and also on a route only.

I am actually using Authorization LDAP base64(username:password) header.
I’ve tried also to configure Key auth’s key as “Authorization” storing the “LDAP base64(username:password)” on the consumers/USERID/key-auth directly but having LDAP auth plug-in anywhere causes that the rate-limiting is not properly evaluated for the consumer.

I think that is because LDAP auth plugin does NOT have consumer mapping.

When you are using multiple authentication plugins in AND method, the last plugin executed sets the credential.

Because LDAP auth plugin has a lower priority (1002) than key auth (1003), LDAP auth plugin will be used for consumer mapping but it does not have this function.

You can verify that by using basic auth and LDAP auth plugin. See if you can get the header.

#################################################

I just tested it and basic auth + LDAP auth works as I expected.

Thanks for your time and the answer.

What I see as a problem is that I will have to provision users’ credentials into Kong DB in order to be able to use rate-limits per client/consumer. Then the LDAP plugin is useless. One authentication is enough.
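The plugin-ordering explanation given in the answer above, as an added example that is not part of the original thread and not Kong's code: a simplified Python model in which auth plugins run in descending priority, the last one overwrites the authenticated consumer, and a consumer-scoped rate limit only fires when that consumer matches. The priorities 1003 and 1002 are the ones quoted in the thread; the class and function names, the 429 status for an exceeded limit, and the reduced header set are assumptions of this model.

```python
# Simplified model of the answer's explanation; NOT Kong's implementation.
from dataclasses import dataclass


@dataclass
class AuthPlugin:
    name: str
    priority: int        # higher priority runs first
    maps_consumer: bool  # does this plugin resolve a Kong consumer?


# Priorities as quoted in the thread.
KEY_AUTH = AuthPlugin("key-auth", 1003, maps_consumer=True)
LDAP_AUTH = AuthPlugin("ldap-auth", 1002, maps_consumer=False)


def authenticated_consumer(plugins, consumer_for_credential):
    """Run auth plugins in descending priority. Each one overwrites the
    authenticated consumer, so the plugin that runs last wins."""
    consumer = None
    for plugin in sorted(plugins, key=lambda p: p.priority, reverse=True):
        consumer = consumer_for_credential if plugin.maps_consumer else None
    return consumer


class ConsumerRateLimit:
    """Consumer-scoped limit: counts only requests attributed to its consumer."""

    def __init__(self, consumer, per_minute):
        self.consumer, self.per_minute, self.used = consumer, per_minute, 0

    def handle(self, request_consumer):
        if request_consumer != self.consumer:
            return 200, {}  # plugin not selected: no RateLimit-* headers at all
        if self.used >= self.per_minute:
            return 429, {"RateLimit-Limit": self.per_minute, "RateLimit-Remaining": 0}
        self.used += 1
        return 200, {"RateLimit-Limit": self.per_minute,
                     "RateLimit-Remaining": self.per_minute - self.used}


def send(n, auth_plugins, per_minute=2):
    """Send n requests carrying consumer XXX's credentials within one window;
    return (list of status codes, headers of the last response)."""
    limiter = ConsumerRateLimit("XXX", per_minute)
    results = [limiter.handle(authenticated_consumer(auth_plugins, "XXX"))
               for _ in range(n)]
    return [status for status, _ in results], results[-1][1]


if __name__ == "__main__":
    print(send(3, [KEY_AUTH]))             # third request is limited
    print(send(3, [KEY_AUTH, LDAP_AUTH]))  # never limited, no headers
```

With key-auth alone the third request is rejected; adding ldap-auth reproduces the symptom from the thread, where no `RateLimit-*` headers come back and the limit is never applied.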