Limit LDAP integration to Authentication only
-
Hello,
I was wondering if it was possible for FusionAuth to provide LDAP authentication without giving FusionAuth read permissions to the directory? Ideally, a user would attempt to log in with their LDAP credentials into FusionAuth, and then FusionAuth would forward these credentials to LDAP for authentication. There would be no need to gain read access to the directory in this scenario.
It seems that the current LDAP authentication process will also pull the user data from LDAP and save them into FusionAuth, hence why read permissions for the directory are given to FusionAuth.
Thanks!
-
You should be able to use the LDAP connector but when configuring at the tenant, set "Migrate User" to false. That will ensure that the user data doesn't migrate to FusionAuth. I realize this doesn't address your desire to not grant FusionAuth read credentials. Feel free to file a feature request for that specific feature: https://github.com/fusionauth/fusionauth-issues/issues
Ideally, a user would attempt to log in with their LDAP credentials into FusionAuth, and then FusionAuth would forward these credentials to LDAP for authentication.
If this is a requirement, you could do this using a lightweight JSON API you write which talks to LDAP and a generic API connector: https://fusionauth.io/docs/v1/tech/connectors/generic-connector/
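One way to build the "lightweight JSON API which talks to LDAP" that the answer suggests, as an added example that is not FusionAuth's code and was not posted in this thread. It authenticates by binding to LDAP as the user whose credentials were submitted, so the API itself needs no service account and no read permission on the directory. The request/response shape (POST JSON with loginId and password; 200 with a user object on success; 404 on failure), the X-Connector-Secret header, the environment variable names, the DN layout under one base DN keyed by uid, and the use of the ldap3 library for the real bind are all assumptions made for this example; confirm the contract against the generic connector documentation linked above.

```python
# Added example (not FusionAuth's own code): an "authentication only" JSON API
# for a FusionAuth Generic Connector. It proves the user's LDAP password by
# binding AS THAT USER, so no service account with directory read access is
# needed.
#
# Assumptions (not from the thread):
#   - request/response contract: POST JSON {"loginId", "password"} in,
#     200 + {"user": {...}} on success, 404 on failure (verify against docs)
#   - users sit directly under BASE_DN and are addressed by uid, so the bind DN
#     can be built without an LDAP search (a search would need read access)
#   - the ldap3 library performs the real bind; tests inject a fake binder

import hmac
import json
import os
import re
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Optional, Tuple

LDAP_URL = os.environ.get("LDAP_URL", "ldaps://ldap.example.internal:636")  # hypothetical
BASE_DN = os.environ.get("LDAP_BASE_DN", "ou=people,dc=example,dc=com")     # hypothetical
# Shared secret that FusionAuth is configured to send in a connector header.
CONNECTOR_SECRET = os.environ.get("CONNECTOR_SECRET", "change-me")
# Namespace for deriving a stable user id from the login id (hypothetical).
USER_ID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "connector.example.com")

# Whitelist login ids so they cannot alter the DN structure (no ',', '=', '+',
# '\', '"', '<', '>', ';', '*', '(', ')'). Simpler and safer than escaping.
LOGIN_ID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

BindFn = Callable[[str, str], bool]


def ldap3_bind(user_dn: str, password: str) -> bool:
    """Real simple bind via ldap3, imported lazily so the module loads without it."""
    from ldap3 import Connection, Server  # type: ignore

    conn = Connection(Server(LDAP_URL), user=user_dn, password=password)
    try:
        return bool(conn.bind())
    finally:
        conn.unbind()


def authenticate(login_id: str, password: str, bind: BindFn = ldap3_bind) -> Optional[dict]:
    """Return the minimal user object for FusionAuth, or None if the bind fails."""
    if not LOGIN_ID_RE.fullmatch(login_id or ""):
        return None
    # RFC 4513 "unauthenticated bind": many servers answer success to a DN with
    # an empty password (treating it as anonymous). Reject before calling LDAP.
    if not password:
        return None
    user_dn = f"uid={login_id},{BASE_DN}"
    if not bind(user_dn, password):
        return None
    # Only data the caller already supplied; nothing is read from the directory.
    return {"id": str(uuid.uuid5(USER_ID_NAMESPACE, login_id)), "username": login_id}


def handle_request(headers: dict, body: bytes, bind: BindFn = ldap3_bind) -> Tuple[int, dict]:
    """Pure request handler: (status_code, response_body). The HTTP layer wraps it."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("x-connector-secret", "")
    if not hmac.compare_digest(presented.encode(), CONNECTOR_SECRET.encode()):
        return 401, {"error": "unauthorized"}
    try:
        req = json.loads(body.decode("utf-8"))
        login_id, password = req["loginId"], req["password"]
        if not isinstance(login_id, str) or not isinstance(password, str):
            raise ValueError("loginId and password must be strings")
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return 400, {"error": "malformed request"}
    user = authenticate(login_id, password, bind)
    if user is None:
        return 404, {}  # same answer for unknown user and wrong password
    return 200, {"user": user}


class ConnectorHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        status, payload = handle_request(dict(self.headers.items()), self.rfile.read(length))
        data = json.dumps(payload).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Bind to loopback only; terminate TLS in front of this (reverse proxy) so
    # the user's password never crosses the network in clear text.
    HTTPServer(("127.0.0.1", 8080), ConnectorHandler).serve_forever()
```

Two caveats follow from the design. First, it only avoids a read account because the bind DN can be derived from the login id; if your directory requires a search to locate the user's entry (for example, login by email), that search needs credentials with read access again. Second, FusionAuth should reach this API only over TLS and with the secret header configured on the connector, since the endpoint receives raw passwords.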