How-to
Use LDAP for authorization
Pattern
Implement IAuthorizationProvider with a class that queries LDAP at each authorization decision:
public sealed class LdapAuthorizationProvider : IAuthorizationProvider
{
private readonly string _ldapUrl;
private readonly string _bindDn;
private readonly string _bindPassword;
public LdapAuthorizationProvider(string ldapUrl, string bindDn, string bindPassword)
{
_ldapUrl = ldapUrl;
_bindDn = bindDn;
_bindPassword = bindPassword;
}
public async Task<PolicyDecision> AuthorizeAsync(
string sender, string destination, string direction,
string? effectiveSender = null, string? effectiveDestination = null,
string? sessionId = null, string? protectionHash = null,
string[]? multiPartyChain = null)
{
// 1. Connect to LDAP
// 2. Query for the sender's group memberships
// 3. Decide based on group → permission mapping in your directory
// 4. Return PolicyDecision(...)
}
// ReloadAsync, NotifyPolicyChangedAsync, PolicyChanged, IsInBootstrapMode
} Register the provider
var client = new Client();
client.UseAuthorizationProvider(new LdapAuthorizationProvider(
ldapUrl: "ldap://directory.example.com",
bindDn: "cn=hexaeight,ou=services,dc=example,dc=com",
bindPassword: Environment.GetEnvironmentVariable("LDAP_PASSWORD")!)); Caching decisions
Live LDAP lookups on every message add latency. The reference implementation will include short-lived in-memory caching (60 seconds by default) with optional invalidation on the LDAP change-notification stream.
See also
- The authorization model Concept
- Use OAuth for authorization How-to