stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/authority/ldap-plugin-with-claims-enrichment-and-client-provisioning.md

4.2 KiB
Raw Blame History

LDAP Plugin with Claims Enrichment and Client Provisioning

Module

Authority

Status

IMPLEMENTED

Description

Full LDAP identity provider plugin with claims enrichment (mapping LDAP attributes to OAuth claims), client provisioning (auto-creating OAuth clients from LDAP entries), capability probing, credential store, and messaging-backed claims cache.

Implementation Details

  • LDAP Plugin Entry Point: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapIdentityProviderPlugin.cs -- implements IAuthorityIdentityProviderPlugin; authenticates users against LDAP directories.
  • Plugin Registrar: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapPluginRegistrar.cs -- registers LDAP plugin services in the DI container.
  • Plugin Options: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapPluginOptions.cs -- configuration: LDAP server URL, base DN, search filters, attribute mappings, TLS settings.
  • Claims Enrichment: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Claims/LdapClaimsEnricher.cs -- maps LDAP attributes (group memberships, department, title) to OAuth2 claims.
  • Claims Cache: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Claims/ILdapClaimsCache.cs, InMemoryLdapClaimsCache.cs, MessagingLdapClaimsCache.cs -- caches enriched claims with in-memory and messaging-backed (distributed) implementations.
  • Client Provisioning: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/ClientProvisioning/LdapClientProvisioningStore.cs -- auto-creates OAuth2 clients from LDAP entries (service accounts).
  • Capability Probe: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/ClientProvisioning/LdapCapabilityProbe.cs -- probes LDAP server capabilities (supported controls, extensions, schema).
  • Capability Snapshot Cache: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/ClientProvisioning/LdapCapabilitySnapshotCache.cs -- caches capability probe results to avoid repeated probes.
  • DN Helper: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/ClientProvisioning/LdapDistinguishedNameHelper.cs -- parses and manipulates LDAP distinguished names.
  • Connection Factory: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Connections/DirectoryServicesLdapConnectionFactory.cs (implements ILdapConnectionFactory) -- creates LDAP connections with TLS.
  • Credential Store: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Credentials/LdapCredentialStore.cs -- manages LDAP bind credentials.
  • Security: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Security/LdapSecretResolver.cs -- resolves LDAP secrets from secure storage.
  • Metrics: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/Monitoring/LdapMetrics.cs -- OpenTelemetry metrics for LDAP operations (bind latency, search duration, error rates).
  • Tests: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap.Tests/ -- comprehensive tests across Claims/, ClientProvisioning/, Credentials/, Resilience/, Security/, Snapshots/ subdirectories.

E2E Test Plan

  • Configure the LDAP plugin with a test LDAP server and authenticate a user; verify the token contains enriched claims from LDAP attributes (e.g., groups, department)
  • Verify claims caching: authenticate the same user twice and verify the second call uses cached claims from InMemoryLdapClaimsCache
  • Verify client provisioning: configure auto-provisioning from an LDAP OU and verify an OAuth2 client is created for each service account entry
  • Run LdapCapabilityProbe against the LDAP server and verify it reports supported controls and extensions
  • Verify DN helper: parse a complex distinguished name (e.g., CN=John Doe,OU=Users,DC=example,DC=com) and verify each component is extracted correctly
  • Verify LDAP connection TLS: configure TLS and verify DirectoryServicesLdapConnectionFactory establishes a secure connection
  • Simulate an LDAP server failure and verify the plugin returns an authentication error without leaking internal details
  • Verify LdapMetrics records bind latency and search duration via OpenTelemetry