
Proposal: Advanced LDAP authentication plugin #8958

Open
bzp2010 opened this issue Feb 28, 2023 · 3 comments
@bzp2010 (Contributor) commented Feb 28, 2023

Background

Currently APISIX provides a simple LDAP authentication plugin that supports simple bind, but it does not support, for example, user groups, which users need. We can address this by introducing a new plugin that provides a platform to host these newly added features and those needed in the future.

Benefits

Users can use the new plugin to bind identity groups to consumers, and colleagues can also use consumerless mode (i.e., authentication only). In the future, the plugin can be extended to support more complex authentication models.

Goals

Create a new plugin, called ldap-auth-advanced.

Configuration design

Route configuration

| Name | Type | Optional | Default | Description |
|---|---|---|---|---|
| ldap_uri | string | no | | |
| use_starttls | boolean | yes | false | |
| use_ldaps | boolean | yes | false | |
| ssl_verify | boolean | yes | true | |
| timeout | integer | yes | 10000 | Socket timeout |
| keepalive | boolean | yes | yes | Whether to enable the connection pool |
| keepalive_timeout | integer | yes | 60000 | Connection pool connection timeout |
| keepalive_pool_size | integer | yes | 5 | Connection pool size |
| keepalive_pool_name | string | yes | : | Connection pool name |
| ldap_debug | boolean | yes | false | Record search logs |
| consumer_required | boolean | yes | true | Whether a consumer must be attached; if it is not, authentication fails. |
| user_dn | string | no | | DN template for identifying users (cn=%s,ou=users,dc=example,dc=org) |
| user_membership_attribute | string | no | memberOf | Add: Used to indicate which attribute in a user object indicates the group to which it belongs. For example memberOf. |

Consumer configuration

| Name | Type | Optional | Default | Description |
|---|---|---|---|---|
| user_dn | string | yes | | User DN; mutually exclusive with group_dn |
| group_dn | string | yes | | Group DN; mutually exclusive with user_dn |

Plugin logic

  1. User access triggers the route's access phase.
  2. The plugin uses lua-resty-ldap to connect to the LDAP server (connections are reusable).
  3. Executes the bind according to the configuration.
  4. Performs a search based on the user DN to fetch user_membership_attribute.
  5. Tries to attach the user DN or group DN to a consumer (user DN takes precedence over group DN).

Tips

  • The plugin allows the use of route + consumer and pure route modes.
  • Consumers support mapping individual users or individual groups.
  • The plugin runs in the access phase.
  • The plugin maintains its own connection pool (as configured).

Other

I would like to hear your opinions and welcome comments.

@bzp2010 bzp2010 added enhancement New feature or request discuss labels Feb 28, 2023
@bzp2010 bzp2010 self-assigned this Feb 28, 2023
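As an added illustration of the plugin logic described in the proposal (steps 1, 3, 4 and 5), here is a Python sketch of the DN-template, membership-lookup and consumer-attachment flow. It is not code from APISIX, lua-resty-ldap or the issue author. It assumes a constructed in-memory directory in place of the real LDAP bind and search, a simplified DN normalisation (case-insensitive, single-valued RDNs only), and hypothetical consumer objects and names. Two points it makes concrete: the `cn=%s,...` template must escape the username per RFC 4514 before it is used for the bind, otherwise an input such as `alice,ou=admins` rewrites the DN; and the group_dn / user_dn comparison in step 5 should be done on normalised DNs rather than raw string equality.

```python
"""Added illustration (not APISIX / lua-resty-ldap code) of the DN template,
membership lookup and consumer attachment steps in the proposal."""

# Constructed sample data standing in for the LDAP server and consumer objects.
# Every DN, group and consumer name below is invented for the example.
USER_DN_TEMPLATE = "cn=%s,ou=users,dc=example,dc=org"

FAKE_DIRECTORY = {  # user DN -> values of the user_membership_attribute (memberOf)
    "cn=alice,ou=users,dc=example,dc=org": [
        "cn=admins,ou=groups,dc=example,dc=org",
        "cn=devs,ou=groups,dc=example,dc=org",
    ],
    "cn=bob,ou=users,dc=example,dc=org": ["cn=devs,ou=groups,dc=example,dc=org"],
    "cn=carol,ou=users,dc=example,dc=org": [],
}

CONSUMERS = [  # hypothetical consumer objects; user_dn and group_dn are mutually exclusive
    {"name": "dev-team", "group_dn": "cn=devs,ou=groups,dc=example,dc=org"},
    {"name": "alice-consumer", "user_dn": "CN=Alice, OU=Users, DC=example, DC=org"},
]


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing space must be escaped
            out.append("\\ ")
        elif ord(ch) < 0x20:                # control characters as \XX
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(template: str, username: str) -> str:
    """Fill the user_dn template safely; `template % username` is the unsafe form."""
    return template.replace("%s", escape_dn_value(username))


def _split_unescaped(s: str, sep: str) -> list:
    """Split on sep, ignoring backslash-escaped occurrences."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> tuple:
    """Simplified DN normalisation for comparison: trims whitespace around RDNs and
    lower-cases types and values. Multi-valued RDNs ('+') are not handled here."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attr, _, val = rdn.partition("=")   # attribute types never contain '='
        rdns.append((attr.strip().lower(), val.strip().lower()))
    return tuple(rdns)


def lookup_membership(user_dn: str):
    """Stands in for step 4 (search of user_membership_attribute on the user entry).
    Returns the list of group DNs, or None when the entry does not exist."""
    wanted = normalize_dn(user_dn)
    for dn, groups in FAKE_DIRECTORY.items():
        if normalize_dn(dn) == wanted:
            return groups
    return None


def resolve_consumer(user_dn: str, member_of: list, consumers: list):
    """Step 5: a consumer bound to the user DN wins over one bound to a group DN."""
    ndn = normalize_dn(user_dn)
    for c in consumers:
        if "user_dn" in c and normalize_dn(c["user_dn"]) == ndn:
            return c["name"]
    groups = {normalize_dn(g) for g in member_of}
    for c in consumers:
        if "group_dn" in c and normalize_dn(c["group_dn"]) in groups:
            return c["name"]
    return None


def authenticate(username: str, consumers: list = CONSUMERS, consumer_required: bool = True):
    """Return (http_status, consumer_name) for the access-phase decision.
    The simple bind (step 3) is assumed to succeed for any entry that exists."""
    user_dn = build_user_dn(USER_DN_TEMPLATE, username)
    member_of = lookup_membership(user_dn)
    if member_of is None:
        return 401, None            # no such entry: the bind would fail
    consumer = resolve_consumer(user_dn, member_of, consumers)
    if consumer is None and consumer_required:
        return 401, None            # consumer_required=true and nothing matched
    return 200, consumer


if __name__ == "__main__":
    for name in ["alice", "bob", "carol", "alice,ou=admins"]:
        print(name, "->", authenticate(name), "| consumerless:", authenticate(name, consumer_required=False))
    print("unsafe template: ", USER_DN_TEMPLATE % "alice,ou=admins")
    print("escaped template:", build_user_dn(USER_DN_TEMPLATE, "alice,ou=admins"))
```

Running it shows alice attached through her user_dn consumer even though a matching group_dn consumer is listed first, bob attached through the devs group, carol rejected with 401 under consumer_required and accepted without a consumer otherwise, and the `alice,ou=admins` input turned into a single escaped cn RDN that matches no entry, instead of becoming `cn=alice,ou=admins,ou=users,...` as the naive `%s` substitution would produce.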
@Fabriceli (Contributor) commented:

Can add these features in the ldap-auth plugin, not create new plugin?

@bzp2010 (Contributor, author) commented Mar 3, 2023

> Can add these features in the ldap-auth plugin, not create new plugin?

Hi, @Fabriceli and @nic-chen.

It seems to me that the old plugin contains some non-standard naming, such as tls_verify (usually ssl_verify), and if new functionality is implemented on top of it, some breaking changes will have to be made, and I'm not sure how well people will accept such a change.

@Fabriceli (Contributor) commented:

Can we continue to use the old name? That will be more friendly for the users.
