LDAP Authentication Plugin Group

I am trying to get the LDAP plugin to authenticate a user if they are a member of a group.

The following ldap query will list the members of the group
ldapsearch -x -b 'cn=mygroupname,ou=Group,ou=everyone,dc=ic,dc=ac,dc=uk' -h unixldap.cc.ic.ac.uk memberUid

This returns a list of all members of the group.
Based on my experiments I believe the ldap plugin takes its configured attribute and the username and prepends them to the query, e.g. if my username is rob and the attribute is memberUid then the query will be equivalent to:
ldapsearch -x -b 'memberUid=Rob,cn=mygroupname,ou=Group,ou=everyone,dc=ic,dc=ac,dc=uk' -h unixldap.cc.ic.ac.uk memberUid

But this is giving me No Such Object when I run it.

I don’t know much about LDAP, but this seems to tell me that the LDAP group is an object but the members of the group are not objects. I am scratching my head as to how I can configure the LDAP plugin so that it will only authenticate against group members.
Is this possible?


I did a bit more research. It seems line 66 here:

local who = conf.attribute .. "=" .. given_username .. "," .. conf.base_dn

confirms my suspicion that the plugin just prepends the attribute and username to a search.
So unless there is a way to query ldap in this form then I will need another method.
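The following is an added example, not code from the Kong ldap-auth plugin or from the posts above. It models the two operations the thread conflates against a small in-memory directory constructed for illustration: a simple bind as the DN the plugin builds (attribute=username,base_dn, per the quoted line 66), and an ldapsearch-style query of the group entry's memberUid attribute. It shows why a bind DN of memberUid=rob,cn=mygroupname,... is "No Such Object" (memberUid values are attribute values on the group entry, not child entries) and what a working authenticate-then-authorise check looks like. Everything except the group DN from the post (the ou=People subtree, the uid=rob and uid=eve entries, the stale member alice, the passwords, the helper names) is an assumption.

```python
# Added example (Python), not the Kong plugin's Lua or the poster's code.
# An in-memory stand-in for the directory, constructed for illustration,
# so "bind as a DN" versus "search a group's memberUid" can be run without
# an LDAP server.  Only GROUP_DN comes from the post; ou=People, the user
# entries, alice and the passwords are assumptions.

BASE = "dc=ic,dc=ac,dc=uk"
PEOPLE_BASE = "ou=People,ou=everyone," + BASE            # assumed user subtree
GROUP_DN = "cn=mygroupname,ou=Group,ou=everyone," + BASE  # group DN from the post

# DN -> {attribute: [values]}.  memberUid values live *on the group entry*;
# there is no child entry "memberUid=rob,cn=mygroupname,..." to bind as.
DIRECTORY = {
    BASE: {"objectClass": ["dcObject"]},
    "ou=everyone," + BASE: {"objectClass": ["organizationalUnit"]},
    PEOPLE_BASE: {"objectClass": ["organizationalUnit"]},
    "ou=Group,ou=everyone," + BASE: {"objectClass": ["organizationalUnit"]},
    "uid=rob," + PEOPLE_BASE: {"objectClass": ["posixAccount"], "uid": ["rob"],
                               "userPassword": ["rob-secret"]},
    "uid=eve," + PEOPLE_BASE: {"objectClass": ["posixAccount"], "uid": ["eve"],
                               "userPassword": ["eve-secret"]},
    GROUP_DN: {"objectClass": ["posixGroup"], "cn": ["mygroupname"],
               "memberUid": ["rob", "alice"]},  # alice: stale member, no user entry
}

# LDAP result names modelled here (real servers return codes 32, 49 and 0).
NO_SUCH_OBJECT = "noSuchObject"
INVALID_CREDENTIALS = "invalidCredentials"
SUCCESS = "success"


def normalize_dn(dn):
    """Case-fold and strip each RDN so 'uid=Rob, ou=People,...' matches
    'uid=rob,ou=people,...'.  Real servers apply per-attribute matching
    rules; folding everything is enough here (uid and cn are caseIgnore)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


NORMALIZED = {normalize_dn(dn): attrs for dn, attrs in DIRECTORY.items()}


def plugin_bind_dn(attribute, username, base_dn):
    """Build the DN the way the quoted plugin line does:
    attribute .. "=" .. username .. "," .. base_dn"""
    return f"{attribute}={username},{base_dn}"


def simple_bind(dn, password):
    """Mimic an LDAP simple bind: the entry must exist and its userPassword
    must match.  The bind is the only step that actually proves a password."""
    entry = NORMALIZED.get(normalize_dn(dn))
    if entry is None:
        return NO_SUCH_OBJECT
    if password not in entry.get("userPassword", []):
        return INVALID_CREDENTIALS
    return SUCCESS


def search(base_dn, attribute, value, scope="base"):
    """Mimic `ldapsearch -b base_dn -s scope '(attribute=value)'`; returns the
    normalized DNs of matching entries.  scope='base' examines only base_dn,
    scope='sub' examines base_dn and everything beneath it."""
    base = normalize_dn(base_dn)
    if base not in NORMALIZED:
        raise LookupError(NO_SUCH_OBJECT + ": " + base_dn)
    hits = []
    for dn, attrs in NORMALIZED.items():
        in_scope = dn == base or (scope == "sub" and dn.endswith("," + base))
        if in_scope and value.lower() in (v.lower() for v in attrs.get(attribute, [])):
            hits.append(dn)
    return hits


def authenticate_group_member(username, password, group_dn=GROUP_DN,
                              people_base=PEOPLE_BASE):
    """The two-step check a single bind cannot express:
    1. authenticate: bind as the user's own entry under people_base;
    2. authorise: confirm the group entry lists the username in memberUid.
    A memberUid hit alone proves nothing about the password, and a bind
    alone says nothing about membership; both must succeed."""
    if simple_bind(plugin_bind_dn("uid", username, people_base), password) != SUCCESS:
        return False
    return bool(search(group_dn, "memberUid", username, scope="base"))


if __name__ == "__main__":
    # What the plugin effectively does when base_dn is set to the group DN:
    dn = plugin_bind_dn("memberUid", "rob", GROUP_DN)
    print(dn, "->", simple_bind(dn, "rob-secret"))       # noSuchObject, as in the post
    # The membership question, asked the way LDAP can answer it:
    print(search(GROUP_DN, "memberUid", "rob"))          # the group DN
    print(authenticate_group_member("rob", "rob-secret"))  # True
    print(authenticate_group_member("eve", "eve-secret"))  # False: not a member
    print(authenticate_group_member("alice", "anything"))  # False: no entry to bind as
```

The design point is that the plugin's single operation is a bind, and a bind can only ever test "does this DN exist with this password"; group membership is a search over the group entry's attributes, which is a second, separate round trip. Any external login service that does this should do it in that order (bind first, then search), and treat a memberUid value with no corresponding user entry, like alice above, as a failed login rather than trusting the group list alone.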

I have created a docker login container which will receive an LDAP username and password, configure kong ACLs and emit a JWT token that can be used for access. It is here if anyone is interested. https://github.com/rmetcalf9/kong_ldap_login_endpoint