# LDAP Plugin with Claims Enrichment and Client Provisioning

## Module

Authority

## Status

IMPLEMENTED

## Description

Full LDAP identity provider plugin with claims enrichment (mapping LDAP attributes to OAuth claims), client provisioning (auto-creating OAuth clients from LDAP entries), capability probing, a credential store, and a messaging-backed claims cache.

## Implementation Details

- **LDAP Plugin Entry Point**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapIdentityProviderPlugin.cs` -- implements `IAuthorityIdentityProviderPlugin`; authenticates users against LDAP directories.
- **Plugin Registrar**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapPluginRegistrar.cs` -- registers LDAP plugin services in the DI container.
- **Plugin Options**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapPluginOptions.cs` -- configuration: LDAP server URL, base DN, search filters, attribute mappings, TLS settings.
- **Claims Enrichment**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Claims/LdapClaimsEnricher.cs` -- maps LDAP attributes (group memberships, department, title) to OAuth2 claims.
- **Claims Cache**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Claims/ILdapClaimsCache.cs`, `InMemoryLdapClaimsCache.cs`, `MessagingLdapClaimsCache.cs` -- caches enriched claims, with in-memory and messaging-backed (distributed) implementations.
- **Client Provisioning**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/ClientProvisioning/LdapClientProvisioningStore.cs` -- auto-creates OAuth2 clients from LDAP entries (service accounts).
- **Capability Probe**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/ClientProvisioning/LdapCapabilityProbe.cs` -- probes LDAP server capabilities (supported controls, extensions, schema).
- **Capability Snapshot Cache**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/ClientProvisioning/LdapCapabilitySnapshotCache.cs` -- caches capability probe results to avoid repeated probes.
- **DN Helper**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/ClientProvisioning/LdapDistinguishedNameHelper.cs` -- parses and manipulates LDAP distinguished names.
- **Connection Factory**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Connections/DirectoryServicesLdapConnectionFactory.cs` (implements `ILdapConnectionFactory`) -- creates LDAP connections with TLS.
- **Credential Store**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Credentials/LdapCredentialStore.cs` -- manages LDAP bind credentials.
- **Security**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Security/LdapSecretResolver.cs` -- resolves LDAP secrets from secure storage.
- **Metrics**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Monitoring/LdapMetrics.cs` -- OpenTelemetry metrics for LDAP operations (bind latency, search duration, error rates).
- **Tests**: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/` -- comprehensive tests across the Claims/, ClientProvisioning/, Credentials/, Resilience/, Security/, and Snapshots/ subdirectories.
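The two pieces of logic above that are easiest to get subtly wrong are DN parsing (RFC 4514 escaping, multi-valued RDNs, insignificant spaces) and the group-membership part of claims enrichment, where a `memberOf` value from the wrong subtree must not turn into a role. The following is an added illustration written for this page in Python, not the plugin's C# code: `parse_dn` is a small RFC 4514 parser and `enrich_claims` maps an entry to claims; `CLAIM_MAP`, the claim names, and `SAMPLE_ENTRY` are constructed for the example, and the DN comparison assumes case-insensitive matching rules for every attribute involved.

```python
"""Added illustration, not the StellaOps Authority plugin's own code: an RFC 4514
DN parser plus the attribute-to-claim mapping a claims enricher performs.
Attribute names, claim names and the sample entry are constructed."""
import string
from typing import Dict, List, Tuple

RDN = List[Tuple[str, str]]
_SPECIAL = ',+"\\<>;= #'   # characters that may appear backslash-escaped in a value


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs, left to right; each RDN is a list of (type, value).
    Handles ``\\,`` escapes, ``\\2C`` hex escapes (UTF-8 byte sequences), multi-valued
    RDNs (``CN=a+OU=b``) and insignificant spaces; raises ValueError on bad input."""
    rdns: List[RDN] = []
    rdn: RDN = []
    chars: List[str] = []      # characters of the token being read
    escaped: List[bool] = []   # parallel flags: True if the char was escaped
    pending = bytearray()      # hex-escaped bytes awaiting UTF-8 decoding
    attr_type, in_value = "", False

    def flush_pending() -> None:
        for decoded in pending.decode("utf-8"):
            chars.append(decoded)
            escaped.append(True)
        pending.clear()

    def put(ch: str, was_escaped: bool) -> None:
        flush_pending()
        chars.append(ch)
        escaped.append(was_escaped)

    def take() -> str:
        # Unescaped leading/trailing spaces are insignificant; escaped ones stay.
        flush_pending()
        start, end = 0, len(chars)
        while start < end and chars[start] == " " and not escaped[start]:
            start += 1
        while end > start and chars[end - 1] == " " and not escaped[end - 1]:
            end -= 1
        token = "".join(chars[start:end])
        chars.clear()
        escaped.clear()
        return token

    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            nxt, hexpair = dn[i + 1:i + 2], dn[i + 1:i + 3]
            if nxt and nxt in _SPECIAL:
                put(nxt, True)
                i += 2
            elif len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
                pending.append(int(hexpair, 16))
                i += 3
            else:
                raise ValueError(f"bad escape at offset {i} in {dn!r}")
            continue
        if not in_value and ch == "=":
            attr_type, in_value = take(), True
            if not attr_type:
                raise ValueError(f"empty attribute type in {dn!r}")
        elif in_value and ch in "+,":
            rdn.append((attr_type, take()))
            in_value = False
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        else:
            put(ch, False)
        i += 1
    if not in_value:
        raise ValueError(f"DN does not end with an attribute value: {dn!r}")
    rdn.append((attr_type, take()))
    rdns.append(rdn)
    return rdns


# Constructed attribute -> OAuth2 claim mapping (the plugin reads its own from options).
CLAIM_MAP: Dict[str, str] = {"mail": "email", "department": "department", "title": "title"}


def _normalize(rdns: List[RDN]) -> List[RDN]:
    # Case-fold so two spellings of one DN compare equal (assumes case-insensitive matching).
    return [sorted((t.lower(), v.lower()) for t, v in rdn) for rdn in rdns]


def enrich_claims(entry: Dict[str, List[str]], group_base_dn: str,
                  claim_map: Dict[str, str] = CLAIM_MAP) -> Dict[str, object]:
    """Map an LDAP entry (attribute -> values) to claims; only ``memberOf`` DNs
    directly under ``group_base_dn`` feed ``groups``, so another subtree grants nothing."""
    claims: Dict[str, object] = {
        claim: entry[attr][0] for attr, claim in claim_map.items() if entry.get(attr)}
    base = _normalize(parse_dn(group_base_dn))
    groups: List[str] = []
    for group_dn in entry.get("memberOf", []):
        rdns = parse_dn(group_dn)
        if _normalize(rdns[1:]) == base:
            groups.extend(v for t, v in rdns[0] if t.lower() == "cn")
    claims["groups"] = sorted(groups)
    return claims


SAMPLE_ENTRY: Dict[str, List[str]] = {   # constructed, shaped like a search result
    "mail": ["jdoe@example.com"], "department": ["Security"],
    "memberOf": ["CN=Release Managers,OU=Groups,DC=example,DC=com",
                 "cn=Auditors, ou=groups, dc=EXAMPLE, dc=com",   # same base, other spelling
                 "CN=Admins,OU=Groups,DC=other,DC=com"]}         # other subtree: ignored
```

Running `enrich_claims(SAMPLE_ENTRY, "OU=Groups,DC=example,DC=com")` yields `email`, `department` and `groups == ["Auditors", "Release Managers"]`; the `DC=other` group is dropped because its parent DN does not match the configured base, which is the check a reviewer should look for in any group-to-role mapping.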
## E2E Test Plan

- [ ] Configure the LDAP plugin with a test LDAP server and authenticate a user; verify the token contains enriched claims from LDAP attributes (e.g., `groups`, `department`)
- [ ] Verify claims caching: authenticate the same user twice and verify the second call uses cached claims from `InMemoryLdapClaimsCache`
- [ ] Verify client provisioning: configure auto-provisioning from an LDAP OU and verify an OAuth2 client is created for each service account entry
- [ ] Run `LdapCapabilityProbe` against the LDAP server and verify it reports supported controls and extensions
- [ ] Verify DN helper: parse a complex distinguished name (e.g., `CN=John Doe,OU=Users,DC=example,DC=com`) and verify each component is extracted correctly
- [ ] Verify LDAP connection TLS: configure TLS and verify `DirectoryServicesLdapConnectionFactory` establishes a secure connection
- [ ] Simulate an LDAP server failure and verify the plugin returns an authentication error without leaking internal details
- [ ] Verify `LdapMetrics` records bind latency and search duration via OpenTelemetry
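Two items in the plan, the cached-claims check and the server-failure check, describe behaviour that is easy to model end to end. The following is an added illustration written for this page in Python, not the plugin's own code: `FakeDirectory` stands in for the LDAP server (its entries, the `ldaps://ldap.internal:636` address in the simulated error and the `online` switch are constructed), `ClaimsCache` is a minimal TTL cache, and `authenticate` shows the two properties the tests assert on: the cache only ever skips the attribute search, never the bind, and a backend failure reaches the client only as a fixed `GENERIC_FAILURE` string while the detail goes to the server log.

```python
"""Added illustration, not the StellaOps Authority plugin's own code: a user login
flow with a claims cache and sanitised error handling, against a stub directory.
Entries, the backend address in the simulated error and the TTL are constructed."""
import hmac
import logging
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

log = logging.getLogger("ldap-plugin-example")
CLAIM_MAP = {"department": "department", "title": "title"}   # constructed mapping
GENERIC_FAILURE = "authentication failed"                    # the only text a client sees


class DirectoryUnavailable(Exception):
    """Stands in for a connection or bind failure against the real server."""


@dataclass
class FakeDirectory:
    """Stub LDAP server; ``online=False`` simulates an outage. ``searches`` counts
    attribute lookups so a test can prove the second login used the cache."""
    entries: Dict[str, Dict[str, List[str]]]
    online: bool = True
    searches: int = 0

    def bind(self, username: str, password: str) -> bool:
        if not self.online:
            raise DirectoryUnavailable("ldaps://ldap.internal:636: connection refused")
        entry = self.entries.get(username)
        # constant-time compare stands in for the server-side bind check
        return entry is not None and hmac.compare_digest(
            entry["userPassword"][0].encode(), password.encode())

    def search(self, username: str) -> Dict[str, List[str]]:
        if not self.online:
            raise DirectoryUnavailable("ldaps://ldap.internal:636: connection refused")
        self.searches += 1
        return self.entries[username]


@dataclass
class ClaimsCache:
    """TTL cache keyed by user; holds enriched claims only, never credentials."""
    ttl_seconds: float
    clock: Callable[[], float] = time.monotonic
    _items: Dict[str, Tuple[float, dict]] = field(default_factory=dict)

    def get(self, username: str) -> Optional[dict]:
        hit = self._items.get(username)
        if hit is None:
            return None
        expires_at, claims = hit
        if self.clock() >= expires_at:
            del self._items[username]
            return None
        return dict(claims)

    def put(self, username: str, claims: dict) -> None:
        self._items[username] = (self.clock() + self.ttl_seconds, dict(claims))


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    claims: Optional[dict] = None
    error: Optional[str] = None    # safe for the client; never backend detail
    from_cache: bool = False


def enrich(entry: Dict[str, List[str]]) -> dict:
    claims = {claim: entry[attr][0] for attr, claim in CLAIM_MAP.items() if entry.get(attr)}
    claims["groups"] = sorted(entry.get("memberOf", []))   # raw group DNs for brevity
    return claims


def authenticate(directory: FakeDirectory, cache: ClaimsCache,
                 username: str, password: str) -> AuthResult:
    """Bind on every call (the cache never short-circuits the credential check);
    reuse cached claims only to skip the attribute search."""
    try:
        if not directory.bind(username, password):
            return AuthResult(ok=False, error=GENERIC_FAILURE)
        cached = cache.get(username)
        if cached is not None:
            return AuthResult(ok=True, claims=cached, from_cache=True)
        claims = enrich(directory.search(username))
    except DirectoryUnavailable as exc:
        # Full detail goes to the server-side log only; the caller gets a fixed string.
        log.error("LDAP backend failure while authenticating %r: %s", username, exc)
        return AuthResult(ok=False, error=GENERIC_FAILURE)
    cache.put(username, claims)
    return AuthResult(ok=True, claims=claims)


def demo() -> Tuple[AuthResult, AuthResult, AuthResult]:
    """Fresh login, cached login, then an outage, in that order."""
    directory = FakeDirectory(entries={"jdoe": {
        "userPassword": ["correct horse"], "department": ["Security"],
        "memberOf": ["CN=Auditors,OU=Groups,DC=example,DC=com"]}})
    cache = ClaimsCache(ttl_seconds=300)
    first = authenticate(directory, cache, "jdoe", "correct horse")
    second = authenticate(directory, cache, "jdoe", "correct horse")
    directory.online = False
    return first, second, authenticate(directory, cache, "jdoe", "correct horse")
```

`demo()` returns a fresh result, a `from_cache=True` result, and a failed result whose `error` is `"authentication failed"` with no trace of the backend address. Keeping the bind outside the cache is the point to check when reviewing a real cache implementation: a cache that returns claims without re-binding would let a disabled or re-passworded account keep logging in until the entry expires.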