Kong · Schema
LdapAuthAdvancedPluginConfig
Properties
| Name | Type | Description |
|---|---|---|
| config | object | |
| name | object | |
| protocols | array | A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls. |
| route | object | If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used. |
| service | object | If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/LdapAuthAdvancedPluginConfig",
"title": "LdapAuthAdvancedPluginConfig",
"x-speakeasy-entity": "PluginLdapAuthAdvanced",
"properties": {
"config": {
"type": "object",
"properties": {
"anonymous": {
"description": "An optional string (consumer UUID or username) value to use as an \u201canonymous\u201d consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.",
"type": "string",
"default": ""
},
"attribute": {
"description": "Attribute to be used to search the user; e.g., \"cn\".",
"type": "string"
},
"base_dn": {
"description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.",
"type": "string"
},
"bind_dn": {
"description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.",
"type": "string",
"x-referenceable": true
},
"cache_ttl": {
"description": "Cache expiry time in seconds.",
"type": "number",
"default": 60
},
"consumer_by": {
"description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.",
"type": "array",
"items": {
"enum": [
"custom_id",
"username"
],
"type": "string"
},
"default": [
"custom_id",
"username"
]
},
"consumer_optional": {
"description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.",
"type": "boolean",
"default": false
},
"group_base_dn": {
"description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.",
"type": "string"
},
"group_member_attribute": {
"description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.",
"type": "string",
"default": "memberOf"
},
"group_name_attribute": {
"description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.",
"type": "string"
},
"groups_required": {
"description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When groups share one array element, as in `[\"group1 group2\"]`, both `group1` AND `group2` need to be present in the LDAP search result. - When groups are in separate array elements, as in `[\"group1\", \"group2\"]`, either `group1` OR `group2` needs to be present in the LDAP search result.",
"type": "array",
"items": {
"type": "string"
}
},
"header_type": {
"description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.",
"type": "string",
"default": "ldap"
},
"hide_credentials": {
"description": "An optional boolean value telling the plugin to hide the credential from the upstream server. The credential will be removed by Kong before proxying the request.",
"type": "boolean",
"default": true
},
"keepalive": {
"description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.",
"type": "number",
"default": 60000
},
"ldap_host": {
"description": "Host on which the LDAP server is running.",
"type": "string"
},
"ldap_password": {
"description": "The password to the LDAP server.",
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"ldap_port": {
"description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.",
"type": "number",
"default": 389
},
"ldaps": {
"description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldaps` setting is enabled, ensure the `start_tls` setting is disabled. With both `ldaps` and `start_tls` left at `false`, the connection to the LDAP server is not encrypted.",
"type": "boolean",
"default": false
},
"log_search_results": {
"description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.",
"type": "boolean",
"default": false
},
"realm": {
"description": "When authentication fails, the plugin sends a `WWW-Authenticate` header with the `realm` attribute value.",
"type": "string"
},
"start_tls": {
"description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.",
"type": "boolean",
"default": false
},
"timeout": {
"description": "An optional timeout in milliseconds when waiting for connection with LDAP server.",
"type": "number",
"default": 10000
},
"verify_ldap_host": {
"description": "Set to `true` to authenticate the LDAP server. The server certificate will be verified against the CA certificates specified by the `lua_ssl_trusted_certificate` directive.",
"type": "boolean",
"default": true
}
},
"required": [
"attribute",
"base_dn",
"ldap_host"
]
},
"name": {
"const": "ldap-auth-advanced"
},
"protocols": {
"description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.",
"type": "array",
"items": {
"enum": [
"grpc",
"grpcs",
"http",
"https",
"ws",
"wss"
],
"type": "string"
},
"format": "set",
"default": [
"grpc",
"grpcs",
"http",
"https",
"ws",
"wss"
]
},
"route": {
"description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.",
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
}
}
},
"service": {
"description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.",
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
}
}
}
},
"required": [
"config"
]
}