
    Limit LDAP integration to Authentication only

    • yb98

      Hello,

      I was wondering if it was possible for FusionAuth to provide LDAP authentication without giving FusionAuth read permissions to the directory? Ideally, a user would attempt to log in with their LDAP credentials into FusionAuth, and then FusionAuth would forward these credentials to LDAP for authentication. There would be no need to gain read access to the directory in this scenario.

      It seems that the current LDAP authentication process will also pull the user data from LDAP and save them into FusionAuth, hence why read permissions for the directory are given to FusionAuth.

      Thanks!

      • dan

        You should be able to use the LDAP connector but when configuring at the tenant, set Migrate User to false.

        That will ensure that the user data doesn't migrate to FusionAuth. I realize this doesn't address your desire to not grant FusionAuth read credentials. Feel free to file a feature request for that specific feature: https://github.com/fusionauth/fusionauth-issues/issues

        Ideally, a user would attempt to log in with their LDAP credentials into FusionAuth, and then FusionAuth would forward these credentials to LDAP for authentication.

        If this is a requirement, you could do this using a lightweight JSON API you write which talks to LDAP and a generic API connector: https://fusionauth.io/docs/v1/tech/connectors/generic-connector/

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io
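
A sketch of the login logic such a JSON API could run, added here as an example and not taken from the thread or from FusionAuth: it authenticates with a simple bind as the user, so no service account with read access is needed. The host, the DN layout, the `loginId`/`password` request fields and the 200/404 response shape are assumptions to check against the Generic Connector documentation linked above; `ldap3` is a third-party library.

```python
import uuid

LDAP_URL = "ldaps://ldap.example.com"  # hypothetical host; TLS protects the password
USER_DN_TEMPLATE = "uid={},ou=people,dc=example,dc=com"  # hypothetical DN layout
ID_NAMESPACE = uuid.UUID("00000000-0000-0000-0000-000000000001")  # constructed

def escape_rdn_value(value):
    """Escape a string for use as an RDN value (RFC 4514) so it cannot change the DN."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " ")
        if edge or ch in ',+"\\<>;=':
            out.append("\\" + ch)
        else:
            out.append("\\%02x" % ord(ch) if ord(ch) < 0x20 else ch)
    return "".join(out)

def ldap_simple_bind(dn, password):
    """Bind as the user; no search and no service account are involved."""
    from ldap3 import Server, Connection  # third-party, imported on first use
    conn = Connection(Server(LDAP_URL), user=dn, password=password)
    try:
        return conn.bind()
    finally:
        conn.unbind()

def handle_login(body, bind=ldap_simple_bind):
    """Map one login request to (http_status, json_body).

    Assumed contract: JSON with loginId and password in; 200 plus a user
    object on success, 404 otherwise.
    """
    creds = body if isinstance(body, dict) else {}
    login_id, password = creds.get("loginId"), creds.get("password")
    # An empty password turns a simple bind into an unauthenticated bind,
    # which many servers accept, so reject it before contacting the directory.
    if not (isinstance(login_id, str) and isinstance(password, str) and login_id and password):
        return 404, {}
    dn = USER_DN_TEMPLATE.format(escape_rdn_value(login_id))
    # Unknown user and wrong password both fail the bind and look identical.
    if not bind(dn, password):
        return 404, {}
    # Stable id derived from the DN; nothing is read back from the directory.
    user_id = str(uuid.uuid5(ID_NAMESPACE, dn.lower()))
    return 200, {"user": {"id": user_id, "username": login_id, "active": True}}
```

The `bind` parameter lets the directory call be swapped for a fake in tests.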
