
feat(auth): add LDAP / Active Directory authentication support#3148

Open
crivetimihai wants to merge 2 commits into main from ldap

Conversation

@crivetimihai

Note: This PR was re-created from #2966 due to repository maintenance. Your code and branch are intact. @crivetimihai please verify everything looks good.

Summary

  • Implement LDAP simple bind authentication with two-step flow (service account search + user bind) and JWT session token issuance
  • Add auto-provisioning of gateway users from LDAP directory entries with configurable group-to-role mapping
  • Add periodic background directory sync importing users and groups (as teams) with optional orphan removal
  • Provide Docker Compose infrastructure (OpenLDAP + phpLDAPadmin) and Makefile targets for local LDAP development/testing
  • Security hardening: StartTLS before bind (AUTO_BIND_TLS_BEFORE_BIND), account lockout integration, auth provider isolation (prevents LDAP takeover of local accounts), role refresh on every login, admin-only status endpoint with sanitized error messages

New files

File | Description
mcpgateway/services/ldap_service.py | Core LDAP service: authenticate, search, sync, user provisioning
mcpgateway/routers/ldap_auth.py | REST API: /auth/ldap/login, /auth/ldap/status, /auth/ldap/sync
docker-compose.ldap.yml | Compose overlay enabling LDAP with preconfigured env vars
infra/ldap/seed.ldif | Demo data: 5 users + 4 groups
tests/unit/mcpgateway/services/test_ldap_service.py | 47 service tests
tests/unit/mcpgateway/routers/test_ldap_auth.py | 23 router tests

Modified files

File | Change
mcpgateway/config.py | 29 LDAP settings (URI, bind DN, TLS, sync, role mappings, etc.)
mcpgateway/schemas.py | LdapLoginRequest, LdapSyncResponse, LdapStatusResponse
mcpgateway/main.py | Router registration + background sync loop in lifespan
docker-compose.yml | OpenLDAP + phpLDAPadmin services under ldap profile
pyproject.toml | ldap3>=2.9.1 optional dependency ([ldap] extra)
.env.example | Documented LDAP configuration section
Makefile | compose-ldap, compose-ldap-seed, compose-ldap-down, compose-ldap-clean

Test plan

  • 70 LDAP unit tests pass (service + router)
  • Full unit test suite (11855 tests) passes with zero regressions
  • Manual: make compose-ldap && make compose-ldap-seed then test login via /auth/ldap/login
  • Manual: Verify POST /auth/ldap/sync imports users/groups as teams
  • Manual: Verify StartTLS configuration with LDAP_START_TLS=true

Closes #284
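The two-step login flow and the hardening points listed above (StartTLS before any bind, group-to-role mapping, auth provider isolation, role refresh on every login), written out as an added example that is not the PR's own ldap_service.py code; the ldap3 connection is replaced by a constructed in-memory stand-in so the logic runs offline, and all DNs, credentials, the service-account name and the role precedence list are assumptions.

```python
# Constructed in-memory directory standing in for OpenLDAP (all names are assumptions).
SERVICE_DN, SERVICE_PW = "cn=svc-gateway,ou=services,dc=example,dc=org", "svc-secret"
DIRECTORY = {
    SERVICE_DN: {"password": SERVICE_PW, "groups": []},
    "uid=alice,ou=people,dc=example,dc=org": {"password": "alice-pw", "uid": "alice",
        "mail": "alice@example.org", "groups": ["cn=admins,ou=groups,dc=example,dc=org"]},
    "uid=bob,ou=people,dc=example,dc=org": {"password": "bob-pw", "uid": "bob",
        "mail": "bob@example.org", "groups": ["cn=developers,ou=groups,dc=example,dc=org"]},
}
ROLE_MAPPINGS = {"cn=admins,ou=groups,dc=example,dc=org": "admin",
                 "cn=developers,ou=groups,dc=example,dc=org": "developer"}
ROLE_PRECEDENCE = ["admin", "developer", "user"]  # highest mapped role wins

class FakeLdapConnection:
    """Minimal stand-in for an ldap3 connection; only what the login flow needs."""
    def __init__(self):
        self.tls = False
    def start_tls(self):
        self.tls = True
    def bind(self, dn, password):
        if not self.tls:  # credentials must never travel before StartTLS has been negotiated
            raise RuntimeError("bind attempted before StartTLS")
        entry = DIRECTORY.get(dn)
        return bool(entry and entry["password"] == password)
    def search_user(self, uid):
        return next(((dn, e) for dn, e in DIRECTORY.items() if e.get("uid") == uid), None)

def roles_for(groups):
    mapped = {ROLE_MAPPINGS[g] for g in groups if g in ROLE_MAPPINGS} or {"user"}
    return next(r for r in ROLE_PRECEDENCE if r in mapped)

def ldap_login(conn, username, password, users):
    """Two-step flow: service-account search, then bind as the user. Returns session claims or None."""
    conn.start_tls()
    if not conn.bind(SERVICE_DN, SERVICE_PW):
        raise RuntimeError("service account bind failed")
    found = conn.search_user(username)
    if not found:
        return None
    user_dn, entry = found
    if not password or not conn.bind(user_dn, password):  # empty password would be an anonymous bind
        return None
    existing = users.get(entry["mail"])
    if existing and existing["auth_provider"] != "ldap":  # provider isolation: no takeover of local accounts
        return None
    role = roles_for(entry["groups"])
    users[entry["mail"]] = {"auth_provider": "ldap", "role": role}  # provision, or refresh role on every login
    return {"sub": entry["mail"], "role": role, "provider": "ldap"}
```

The returned claims are what a JWT session token would be minted from; the `users` dict plays the part of the gateway's user table.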

Implement LDAP bind authentication, directory sync, and Docker
infrastructure for local development/testing with OpenLDAP.

- LDAP simple bind login (service account search + user bind)
- Auto-provisioning of gateway users from LDAP entries
- LDAP group-to-role mapping with configurable role_mappings
- Periodic background directory sync (users + groups → teams)
- Orphan user removal on sync (opt-in via LDAP_SYNC_DELETE_ORPHANS)
- Docker Compose profile with OpenLDAP + phpLDAPadmin + seed data
- Makefile targets: compose-ldap, compose-ldap-seed, compose-ldap-down, compose-ldap-clean
- 29 configuration settings via environment variables
- Security hardening: StartTLS before bind, account lockout,
  auth provider isolation, role refresh on login, admin-only status endpoint
- 70 unit tests (service + router)

Closes #284

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai added this to the Release 1.1.0 milestone Feb 24, 2026
@crivetimihai crivetimihai added the labels enhancement (New feature or request), experimental (Experimental features, test proposed MCP Specification changes) and COULD (P3: Nice-to-have features with minimal impact if left out; included if time permits) on Feb 24, 2026

Development

Successfully merging this pull request may close these issues.

[FEATURE][AUTH]: LDAP / Active Directory integration