How-to

Use LDAP for authorization

Applies to: .NET SDK Last updated: 2026-06-11

Pattern

Implement IAuthorizationProvider with a class that queries LDAP at each authorization decision:

public sealed class LdapAuthorizationProvider : IAuthorizationProvider
{
    private readonly string _ldapUrl;
    private readonly string _bindDn;
    private readonly string _bindPassword;

    public LdapAuthorizationProvider(string ldapUrl, string bindDn, string bindPassword)
    {
        _ldapUrl = ldapUrl;
        _bindDn = bindDn;
        _bindPassword = bindPassword;
    }

    public async Task<PolicyDecision> AuthorizeAsync(
        string sender, string destination, string direction,
        string? effectiveSender = null, string? effectiveDestination = null,
        string? sessionId = null, string? protectionHash = null,
        string[]? multiPartyChain = null)
    {
        // 1. Connect to LDAP
        // 2. Query for the sender's group memberships
        // 3. Decide based on group → permission mapping in your directory
        // 4. Return PolicyDecision(...)
    }

    // ReloadAsync, NotifyPolicyChangedAsync, PolicyChanged, IsInBootstrapMode
}

Register the provider

var client = new Client();
client.UseAuthorizationProvider(new LdapAuthorizationProvider(
    ldapUrl:      "ldap://directory.example.com",
    bindDn:       "cn=hexaeight,ou=services,dc=example,dc=com",
    bindPassword: Environment.GetEnvironmentVariable("LDAP_PASSWORD")!));

Caching decisions

Live LDAP lookups on every message add latency. The reference implementation will include short-lived in-memory caching (60 seconds by default) with optional invalidation on the LDAP change-notification stream.

See also