diff --git a/pkg/kapis/oauth/handler.go b/pkg/kapis/oauth/handler.go
index 1307e25861..71d72ff4e6 100644
--- a/pkg/kapis/oauth/handler.go
+++ b/pkg/kapis/oauth/handler.go
@@ -52,6 +52,7 @@ import (
 )
 
 const (
+	ldapProvider = "LDAPIdentityProvider"
 	KindTokenReview = "TokenReview"
 	grantTypePassword = "password"
 	grantTypeRefreshToken = "refresh_token"
@@ -688,3 +689,33 @@ func (h *handler) userinfo(req *restful.Request, response *restful.Response) {
 	}
 	response.WriteEntity(result)
 }
+
+func (h *handler) ldapLogin(req *restful.Request, response *restful.Response) {
+	username, _ := req.BodyParameter("username")
+	password, _ := req.BodyParameter("password")
+
+	authenticated, providerName, err := h.passwordAuthenticator.Authenticate(req.Request.Context(), username, password)
+	if err != nil {
+		api.HandleBadRequest(response, req, err)
+		return
+	}
+
+	if providerName != ldapProvider {
+		err = errors.New("username or password is not correct")
+		api.HandleBadRequest(response, req, err)
+		return
+	}
+
+	t, err := h.issueTokenTo(authenticated)
+	if err != nil {
+		api.HandleInternalError(response, req, err)
+		return
+	}
+
+	requestInfo, _ := request.RequestInfoFrom(req.Request.Context())
+	if err = h.loginRecorder.RecordLogin(authenticated.GetName(), iamv1alpha2.Ldap, providerName, requestInfo.SourceIP, requestInfo.UserAgent, nil); err != nil {
+		klog.Errorf("Failed to record successful login for user %s, error: %v", authenticated.GetName(), err)
+	}
+
+	_ = response.WriteEntity(t)
+}
diff --git a/pkg/kapis/oauth/register.go b/pkg/kapis/oauth/register.go
index f03fe3bad5..8991532b17 100644
--- a/pkg/kapis/oauth/register.go
+++ b/pkg/kapis/oauth/register.go
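Review bot: Only the success path of ldapLogin reaches h.loginRecorder.RecordLogin, and it passes nil as the final argument, so a failed attempt (the Authenticate error branch and the providerName != ldapProvider branch) leaves no login record; if that recorder is what feeds lockout or failed-login auditing elsewhere in the package, this endpoint bypasses it, and recording the failure with the error as the last argument before returning the bad-request response would close the gap. `requestInfo, _ := request.RequestInfoFrom(req.Request.Context())` discards the found flag and requestInfo.SourceIP is read unconditionally on the next line, so if the lookup can miss and yields nil the handler panics after a successful authentication; guard it with `requestInfo, ok := request.RequestInfoFrom(req.Request.Context())` and a fallback when `!ok`. The first error branch hands the authenticator's raw error to HandleBadRequest while the provider-mismatch branch uses a generic message; returning the same generic `username or password is not correct` in both keeps the 400 body from revealing which provider or account state caused the rejection.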
@@ -158,6 +158,14 @@ func AddToContainer(c *restful.Container, im im.IdentityManagementInterface,
 		Returns(http.StatusOK, http.StatusText(http.StatusOK), "").
 		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AuthenticationTag}))
 
+	ws.Route(ws.POST("/login-ldap").
+		Doc("Login with ldap user").
+		Param(ws.FormParameter("username", "The username of the relevant user in ldap")).
+		Param(ws.FormParameter("password", "The password of the relevant user in ldap")).
+		To(handler.ldapLogin).
+		Returns(http.StatusOK, http.StatusText(http.StatusOK), oauth.Token{}).
+		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AuthenticationTag}))
+
 	c.Add(ws)
 
 	// legacy auth API
diff --git a/staging/src/kubesphere.io/api/iam/v1alpha2/types.go b/staging/src/kubesphere.io/api/iam/v1alpha2/types.go
index 520a77b831..f300eaf845 100644
--- a/staging/src/kubesphere.io/api/iam/v1alpha2/types.go
+++ b/staging/src/kubesphere.io/api/iam/v1alpha2/types.go
@@ -356,6 +356,7 @@ const (
 	BasicAuth LoginType = "Basic"
 	OAuth LoginType = "OAuth"
 	Token LoginType = "Token"
+	Ldap LoginType = "Ldap"
 )
 
 // +kubebuilder:object:root=true
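Review bot: The route description `Doc("Login with ldap user")` does not state that the handler (ldapLogin in handler.go on this page) rejects credentials that authenticate through any provider other than the LDAP one, which is the only behaviour distinguishing this endpoint from the existing password grant, so a consumer of the generated OpenAPI cannot tell why a valid non-LDAP login returns 400. Suggest `Doc("Login with an LDAP user; accounts from other identity providers are rejected with 400")`. The only Returns entry is the 200 case, while the handler also produces 400 and 500, so adding `Returns(http.StatusBadRequest, http.StatusText(http.StatusBadRequest), nil)` alongside it would make the failure modes visible in the spec. AddToContainer starts and ends outside the hunk.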