LDAP plugin spec #965

Closed
shashiranjan84 opened this issue Feb 8, 2016 · 3 comments
shashiranjan84 commented Feb 8, 2016

This ticket is to track the LDAP Plugin (#329) implementation strategy.

So far I have come up with the following spec:

  • Plugin must parse the Authorization or Proxy-Authorization header to retrieve the encrypted signature
    ex. Authorization: ldap username:password
  • It must look for the user in the cache; if present, it must create a SHA-1 digest using the username and stored password and validate it against the signature sent by the user
  • If the user is missing from the cache, it must be validated using one of the following strategies, based on configuration
    • Bind authentication: authentication is done directly by the LDAP server (seems like the industry standard)
    • Password comparison, where the password supplied by the user is compared with the one stored in the repository
  • Plugin must cache the credential to save future trips to the LDAP server for the same user, unless caching is disabled
  • Must provide a path to invalidate a user from the cache at any time
  • Must support encrypted communication between Kong and the LDAP server
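
The cache-then-bind flow from the spec above, as an added Python example that is not part of the issue and is not Kong's plugin code. Assumptions: `bind` is a hypothetical callable standing in for the LDAP bind, the 60-second TTL is a constructed value, and the cache keeps a SHA-1 digest of `username:password` rather than the password itself.

```python
import hashlib
import hmac
import time

CACHE_TTL = 60  # seconds; constructed value, the spec does not give one


def parse_header(value):
    """Split 'ldap username:password' into (username, password), or None."""
    scheme, _, creds = (value or "").strip().partition(" ")
    if scheme.lower() != "ldap" or ":" not in creds:
        return None
    username, _, password = creds.strip().partition(":")
    # Refuse empty passwords: an LDAP simple bind with an empty password
    # is an unauthenticated bind (RFC 4513), which a server may accept.
    return (username, password) if username and password else None


def digest(username, password):
    # SHA-1 as named in the spec; only the digest is cached (assumption).
    return hashlib.sha1(f"{username}:{password}".encode()).hexdigest()


class LdapAuthCache:
    def __init__(self, bind, ttl=CACHE_TTL, clock=time.monotonic):
        self.bind, self.ttl, self.clock = bind, ttl, clock
        self.entries = {}  # username -> (digest, expiry time)

    def invalidate(self, username):
        """The spec's 'path to invalidate a user from the cache'."""
        self.entries.pop(username, None)

    def authenticate(self, header):
        parsed = parse_header(header)
        if parsed is None:
            return False
        username, password = parsed
        presented = digest(username, password)
        entry = self.entries.get(username)
        if entry and entry[1] > self.clock():
            # Constant-time comparison of cached and presented digests.
            if hmac.compare_digest(entry[0], presented):
                return True
        # Miss, expiry or mismatch: the LDAP server decides (bind strategy).
        if self.bind(username, password):
            self.entries[username] = (presented, self.clock() + self.ttl)
            return True
        return False
```

A digest mismatch falls through to the bind instead of failing outright, so a password changed in the directory is accepted on its first use; the old password still validates from the cache until the entry expires or is invalidated.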
@shashiranjan84

@ahmadnassri can you check with the customer on the use case for this plugin, like how they generally use LDAP to authenticate users and what strategy they use to authenticate the client (here Kong) connection to the LDAP server?

@subnetmarco

@shashiranjan84 do you confirm it's closed with #1133? If so, let's close this.

@ahmadnassri ahmadnassri added the BC label May 13, 2016
@shashiranjan84

@thefosk Yes.
