bzp2010 opened a new issue, #8958: URL: https://github.com/apache/apisix/issues/8958

# Background

Currently APISIX provides a simple LDAP authentication plugin that supports the simple bind function, but it does not support, for example, user groups, for which users have a need. We can address this by introducing a new plugin to provide a platform to host these newly added and future features.

# Benefits

Users can use the new plugin to bind identity groups to consumers, and colleagues can also use consumerless mode (i.e., authentication only). In the future, the plugin can be extended to support more complex authentication models.

# Goals

Create a new plugin, called `ldap-auth-advanced`.

## Configuration design

### Route configuration

| Name | Type | Optional | Default | Description |
| -- | -- | -- | -- | -- |
| ldap_uri | string | no | | |
| use_starttls | boolean | yes | false | |
| use_ldaps | boolean | yes | false | |
| ssl_verify | boolean | yes | true | |
| timeout | integer | yes | 10000 | Socket timeout |
| keepalive | boolean | yes | yes | Whether to enable the connection pool |
| keepalive_timeout | integer | yes | 60000 | Connection pool connection timeout |
| keepalive_pool_size | integer | yes | 5 | Connection pool size |
| keepalive_pool_name | string | yes | `<host>:<port>` | Connection pool name |
| ldap_debug | boolean | yes | false | Record search logs |
| consumer_required | boolean | yes | true | Whether a consumer must be attached; if it is not, authentication fails. |
| user_dn | string | no | | DN template for identifying users (`cn=%s,ou=users,dc=example,dc=org`) |
| user_membership_attribute | string | no | memberOf | Add: Used to indicate which attribute in a user object indicates the group to which it belongs, for example `memberOf`. |

### Consumer configuration

| Name | Type | Optional | Default | Description |
| -- | -- | -- | -- | -- |
| user_dn | string | yes | | User DN, mutually exclusive |
| group_dn | string | yes | | Group DN, mutually exclusive |

## Plugin logic

1. A user's access triggers the route's access phase.
2. The plugin uses `lua-resty-ldap` to connect to the LDAP server (the connection is reusable).
3. Execute the bind according to the configuration.
4. Perform a search based on the user DN to fetch `user_membership_attribute`.
5. Try to attach the user DN or group DN to a consumer (user DN > group DN).

### Tips

- The plugin allows the use of route + consumer and pure route modes.
- Consumers support mapping individual users or individual groups.
- The plugin runs in the access phase.
- The plugin maintains its own connection pool (specified by configuration).

# Other

I would like to hear your opinions and welcome comments.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
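The access-phase flow from the plugin logic list above, as an added example that is not part of the issue, of APISIX or of lua-resty-ldap. It is written in Python rather than the plugin's Lua so that it runs anywhere without an LDAP server: the bind and the base-scope search are replaced by a constructed in-memory directory, and every function name is an assumption. Two points a practitioner would want beyond the list are included: the username is RFC 4514-escaped before it is substituted into the `user_dn` template (otherwise a username such as `bob,ou=admins` rewrites the DN), and DNs are normalized before `memberOf` values are compared against a consumer's `group_dn`, with a `user_dn` match taking precedence as the proposal specifies.

```python
# Added example; not APISIX, lua-resty-ldap or the issue author's code.
# Models the proposed access-phase decision with an in-memory directory
# standing in for LDAP bind + search. All names here are assumptions.
import base64
import binascii
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Characters that must be backslash-escaped inside a DN value (RFC 4514 2.4).
DN_SPECIALS = set(',+"\\<>;')
# Split on commas that are not escaped, so 'cn=Smith\, J' stays one RDN.
RDN_SPLIT = re.compile(r"(?<!\\),")


def escape_dn_value(value: str) -> str:
    """Escape a username before it is substituted into the user_dn template.
    Unescaped, 'bob,ou=admins' would turn the template into a different DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(template: str, username: str) -> str:
    """Fill a template such as 'cn=%s,ou=users,dc=example,dc=org'."""
    if template.count("%s") != 1:
        raise ValueError("user_dn template must contain exactly one %s")
    return template.replace("%s", escape_dn_value(username))


def normalize_dn(dn: str) -> str:
    """Case-fold and trim whitespace around RDNs so 'CN=Dev, OU=Groups' and
    'cn=dev,ou=groups' compare equal (a simplification of RFC 4517 matching)."""
    return ",".join(p.strip() for p in RDN_SPLIT.split(dn)).lower()


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a 'Basic <base64>' header, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep and username else None


def select_consumer(user_dn: str, member_of: List[str],
                    consumers: Dict[str, Dict[str, str]],
                    consumer_required: bool) -> Tuple[bool, Optional[str]]:
    """Attach a consumer: a user_dn match beats a group_dn match.
    Returns (allowed, consumer_name); no match is rejected only when
    consumer_required is set, otherwise the request passes consumerless."""
    for name, conf in consumers.items():
        if "user_dn" in conf and "group_dn" in conf:
            raise ValueError(f"consumer {name}: user_dn and group_dn are mutually exclusive")
    target = normalize_dn(user_dn)
    groups = {normalize_dn(g) for g in member_of}
    for name, conf in consumers.items():
        if "user_dn" in conf and normalize_dn(conf["user_dn"]) == target:
            return True, name
    for name, conf in consumers.items():
        if "group_dn" in conf and normalize_dn(conf["group_dn"]) in groups:
            return True, name
    return (not consumer_required), None


def authenticate(route: Dict, consumers: Dict[str, Dict[str, str]],
                 auth_header: Optional[str],
                 directory: Dict[str, Dict]) -> Tuple[int, Optional[str]]:
    """Run the access-phase steps; `directory` (DN -> entry) stands in for
    the LDAP server's simple bind and the base-scope search of the user."""
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return 401, None
    username, password = creds
    user_dn = build_user_dn(route["user_dn"], username)
    entries = {normalize_dn(k): v for k, v in directory.items()}
    entry = entries.get(normalize_dn(user_dn))
    # Simple bind stand-in: constant-time compare against the stored secret.
    if entry is None or not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return 401, None
    attr = route.get("user_membership_attribute", "memberOf")
    allowed, consumer = select_consumer(user_dn, entry.get(attr, []), consumers,
                                        route.get("consumer_required", True))
    return (200 if allowed else 403), consumer


# Constructed sample data, not a real directory or real APISIX objects.
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=org": {"password": "alice-pw",
                                            "memberOf": ["cn=dev,ou=groups,dc=example,dc=org"]},
    "cn=bob,ou=users,dc=example,dc=org": {"password": "bob-pw",
                                          "memberOf": ["CN=Dev, OU=Groups, DC=example, DC=org"]},
    "cn=carol,ou=users,dc=example,dc=org": {"password": "carol-pw", "memberOf": []},
}
CONSUMERS = {
    "alice-consumer": {"user_dn": "cn=alice,ou=users,dc=example,dc=org"},
    "dev-team": {"group_dn": "cn=dev,ou=groups,dc=example,dc=org"},
}
ROUTE = {"user_dn": "cn=%s,ou=users,dc=example,dc=org",
         "user_membership_attribute": "memberOf", "consumer_required": True}


def basic(username: str, password: str) -> str:
    """Build an Authorization header value for the sample requests."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw"),
                     ("bob,ou=admins", "bob-pw"), ("alice", "wrong")]:
        print(user, "->", authenticate(ROUTE, CONSUMERS, basic(user, pw), DIRECTORY))
```

Alice matches both her own `user_dn` consumer and the `dev-team` group, and gets the user-level consumer; Bob is placed in `dev-team` even though his directory returns the group DN with different case and spacing; Carol binds successfully but has no consumer, so she is rejected under `consumer_required` and passes consumerless when it is off; the injected username never reaches a valid DN because the comma is escaped.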
