LDAP-auth plugin


#1

I have successfully enabled LDAP-auth plugin for one of the upstream URLs. I’ve tested the service and it works perfectly fine and authenticates incoming users with their username and password.

However, I would like to have a list of groups the user has access to. Based on those user groups I would like to make a decision about whether a user should be allowed to log in or denied login.

Using Kong’s LDAP plugin is there a way to access the user’s group?


#2

Upon initial inspection it does not seem like it does, but hey, it's open source and I am sure they would not mind a PR that offers filtering on user groups to add extra authorization to the plugin's logic, as long as it's flexible and a non-breaking change.

LDAP source here:

Looks like this has come up in the past too:


#3

Thanks for the reply.
For the current project I already have an LDAP service. I worked on extending the internal LDAP service to make calls to the Kong admin API.

So the architecture is: every request that comes in from a client first hits the internal LDAP service. The LDAP service calls the Kong admin API. The Kong admin API is used to create a consumer, create groups in the ACL (the groups the user has from LDAP), add those groups to the consumer and generate a JWT token. The LDAP service returns the JWT token and expiration time as a response.

If the client has a valid JWT it makes calls to the Kong proxy API; otherwise it calls the LDAP service for a token. The client can also call the LDAP service for a refresh token, depending on when it expires. At a given time the LDAP service only provides a single token.

Is there anything I can improve here in terms of security?
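As an added example, not code from this thread or from Kong itself, here is the group decision and token step of the flow described in this post, in Python: a group-to-ACL policy table, the admin API calls in the order the post lists (POST /consumers, /consumers/{username}/acls, /consumers/{username}/jwt), and an HS256 token whose iss claim is the credential key, which is what Kong's jwt plugin matches by default. The policy table, usernames and TTL are constructed values; verify_jwt only mirrors the gateway's signature and expiry check locally so the logic can be tested without a running Kong.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed policy table: LDAP group DN -> Kong ACL group name. Only listed groups may log in.
ALLOWED_GROUPS = {
    "cn=api-users,ou=groups,dc=example,dc=com": "api-users",
    "cn=api-admins,ou=groups,dc=example,dc=com": "api-admins",
}


def acl_groups_for(member_of):
    """Map a user's LDAP memberOf values to Kong ACL groups; an empty list means deny login."""
    return sorted({ALLOWED_GROUPS[dn.lower()] for dn in member_of if dn.lower() in ALLOWED_GROUPS})


def admin_api_plan(username, acl_groups):
    """Admin API calls the LDAP service would make: consumer, ACL groups, then a JWT credential."""
    plan = [("POST", "/consumers", {"username": username})]
    plan += [("POST", f"/consumers/{username}/acls", {"group": g}) for g in acl_groups]
    plan.append(("POST", f"/consumers/{username}/jwt", {}))  # response carries key and secret
    return plan


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(key, secret, ttl_seconds, now=None):
    """HS256 token with iss set to the credential key, the claim Kong's jwt plugin looks up."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": key, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(secret.encode(), f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def verify_jwt(token, secret, now=None):
    """Local check mirroring the gateway: signature first, then exp. Returns claims or None."""
    now = int(time.time()) if now is None else now
    header, claims, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    payload = json.loads(_b64url_decode(claims))
    return payload if payload["exp"] > now else None
```

Kong itself enforces the exp claim only when it is listed in the jwt plugin's claims_to_verify, so a short TTL is only meaningful if that option is set.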


#4

I have enabled the Kong 'ldap-auth' plugin and now the Kong proxy is restricting the HTTP headers.

I have an upstream URL which needs certain HTTP headers to get the response. I have created the Kong proxy for this URL and this used to work fine until I enabled the LDAP plugin. The plugin is somehow restricting/suppressing/purging the HTTP headers and it's failing to get the response after the LDAP authentication.


#5

Please let me know if I need to enable some parameter to allow all the HTTP headers.