ldap-auth
This Plugin works with the Consumer object and the consumers of the API can authenticate with an LDAP server using .
This Plugin uses lua-resty-ldap for connecting with an LDAP server.
For Route:
Name | Type | Required | Default | Description |
---|---|---|---|---|
base_dn | string | True | | Base dn of the LDAP server. For example, `ou=users,dc=example,dc=org`. |
ldap_uri | string | True | | URI of the LDAP server. |
use_tls | boolean | False | false | If set to `true`, uses TLS. |
tls_verify | boolean | False | false | Whether to verify the server certificate when `use_tls` is enabled. If set to `true`, you must set `ssl_trusted_certificate` in `config.yaml` and make sure the host of `ldap_uri` matches the host in the server certificate. |
uid | string | False | cn | uid attribute. |

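
Because `use_tls` and `tls_verify` both default to `false` in the table above, a Route that omits them talks to the LDAP server without TLS. The following Python check is an added example, not part of the APISIX project: it applies the table's defaults to Route objects and reports weak settings; the function names, the sample Route ids and the `ldap.example.org:636` address are constructed for illustration.

```python
# Defaults as listed in the option table on this page.
DEFAULTS = {"use_tls": False, "tls_verify": False, "uid": "cn"}
REQUIRED = ("base_dn", "ldap_uri")


def audit_ldap_auth(route):
    """Return a list of findings for one Route object (empty list = clean)."""
    conf = (route.get("plugins") or {}).get("ldap-auth")
    if conf is None:
        return []  # Plugin not enabled on this Route
    eff = {**DEFAULTS, **conf}  # effective settings after defaults
    findings = [f"missing required field: {k}" for k in REQUIRED if not conf.get(k)]
    if eff["use_tls"] is not True:
        findings.append("use_tls is off: LDAP traffic is not encrypted")
        if eff["tls_verify"] is True:
            findings.append("tls_verify has no effect while use_tls is off")
    elif eff["tls_verify"] is not True:
        findings.append("tls_verify is off: LDAP server certificate is not checked")
    return findings


def audit_routes(routes):
    """Map route id -> findings, keeping only Routes that have findings."""
    report = {}
    for route in routes:
        found = audit_ldap_auth(route)
        if found:
            report[route.get("id", "<no id>")] = found
    return report


# Constructed sample Routes (ids and the ldap.example.org address are made up).
SAMPLE_ROUTES = [
    {"id": "1", "uri": "/hello", "plugins": {"ldap-auth": {
        "base_dn": "ou=users,dc=example,dc=org",
        "ldap_uri": "localhost:1389", "uid": "cn"}}},
    {"id": "2", "uri": "/tls-noverify", "plugins": {"ldap-auth": {
        "base_dn": "ou=users,dc=example,dc=org",
        "ldap_uri": "ldap.example.org:636", "use_tls": True}}},
    {"id": "3", "uri": "/hardened", "plugins": {"ldap-auth": {
        "base_dn": "ou=users,dc=example,dc=org",
        "ldap_uri": "ldap.example.org:636", "use_tls": True, "tls_verify": True}}},
    {"id": "4", "uri": "/open", "plugins": {}},
]

if __name__ == "__main__":
    for rid, found in audit_routes(SAMPLE_ROUTES).items():
        print(f"route {rid}: " + "; ".join(found))
```
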
First, you have to create a Consumer and enable the `ldap-auth` Plugin on it. Then enable the Plugin on a Route:

```shell
curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "methods": ["GET"],
    "uri": "/hello",
    "plugins": {
        "ldap-auth": {
            "base_dn": "ou=users,dc=example,dc=org",
            "ldap_uri": "localhost:1389",
            "uid": "cn"
        }
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    }
}'
```

After configuring the Plugin as mentioned above, clients can make requests with authorization to access the API:

```shell
curl -i -uuser01:password1 http://127.0.0.1:9080/hello
```

If an authorization header is missing or invalid, the request is denied:

```shell
curl -i http://127.0.0.1:9080/hello
HTTP/1.1 401 Unauthorized
{"message":"Missing authorization in request"}
```

```shell
curl -i -uuser01:passwordfalse http://127.0.0.1:9080/hello
HTTP/1.1 401 Unauthorized
{"message":"Invalid user authorization"}
```

To remove the `ldap-auth` Plugin from the Route, update the Route with an empty `plugins` object:

```shell
curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "methods": ["GET"],
    "uri": "/hello",
    "plugins": {},
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    }
}'
```