Version: 2.12




ldap-auth is an authentication plugin that works with a consumer. It adds LDAP authentication to a service or route.

The consumer then authenticates against the LDAP server using Basic authentication.

For more information on Basic authentication, refer to the Wiki.

This authentication plugin uses the lualdap plugin to connect to the LDAP server.


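For consumer side:

| Name | Type | Requirement | Default | Description |
| --- | --- | --- | --- | --- |
| user_dn | string | required | | The user DN of the LDAP client (example: cn=user01,ou=users,dc=example,dc=org) |

For route side:

| Name | Type | Requirement | Default | Description |
| --- | --- | --- | --- | --- |
| base_dn | string | required | | The base DN of the LDAP server (example: ou=users,dc=example,dc=org) |
| ldap_uri | string | required | | The URI of the LDAP server |
| use_tls | boolean | optional | true | Boolean flag indicating whether Transport Layer Security (TLS) should be used |
| uid | string | optional | cn | The uid attribute |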

How To Enable

1. Create a consumer and configure the ldap-auth option

curl -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "username": "foo",
    "plugins": {
        "ldap-auth": {
            "user_dn": "cn=user01,ou=users,dc=example,dc=org"
        }
    }
}'

2. Add a Route or a Service and enable the ldap-auth plugin

curl -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "methods": ["GET"],
    "uri": "/hello",
    "plugins": {
        "ldap-auth": {
            "base_dn": "ou=users,dc=example,dc=org",
            "ldap_uri": "localhost:1389",
            "uid": "cn"
        }
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "": 1
        }
    }
}'

Test Plugin

  • missing Authorization header:
$ curl -i
401 Unauthorized
...
{"message":"Missing authorization in request"}
  • user does not exist:
$ curl -i -uuser:password1
401 Unauthorized
...
{"message":"Invalid user key in authorization"}
  • password is invalid:
$ curl -i -uuser01:passwordfalse
401 Unauthorized
...
{"message":"Password is error"}
  • success:
$ curl -i -uuser01:password1
200 OK
...
hello, world
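
How the values in these steps relate, as an added example (not APISIX's own code): it decodes the Basic header that `curl -u` sends, builds a DN of the form `<uid>=<username>,<base_dn>` to match the page's `user_dn` example, and looks up the consumer with that `user_dn`. The DN construction and the RFC 4514 escaping are assumptions about a reasonable implementation, the password check (the LDAP bind) is not modelled, and all function names are hypothetical.

```python
import base64
import binascii

def parse_basic(header):
    """Return (username, password) from a Basic Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    return (user, password) if sep and user else None

def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def bind_dn(username, uid="cn", base_dn="ou=users,dc=example,dc=org"):
    """Assumed DN shape: <uid>=<username>,<base_dn>, as in the page's user_dn example."""
    return f"{uid}={escape_rdn_value(username)},{base_dn}"

def match_consumer(header, consumers, uid="cn", base_dn="ou=users,dc=example,dc=org"):
    """Return the consumer whose user_dn equals the DN derived from the header, or None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    dn = bind_dn(creds[0], uid, base_dn)
    return next((name for name, user_dn in consumers.items() if user_dn == dn), None)

# Constructed sample: the consumer from step 1 and the header `curl -u user01:password1` sends.
CONSUMERS = {"foo": "cn=user01,ou=users,dc=example,dc=org"}
HEADER = "Basic " + base64.b64encode(b"user01:password1").decode()
```

Without the escaping step, a username containing `,` or `+` would change the structure of the DN instead of staying inside the `uid` value.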

Disable Plugin

To disable the ldap-auth plugin, delete its JSON configuration from the plugin configuration. No service restart is needed; the change takes effect immediately:

$ curl -X PUT -d value='
{
    "methods": ["GET"],
    "uri": "/hello",
    "plugins": {},
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "": 1
        }
    }
}'