Integrating LDAP with Open Policy Agent for Centralized Access Control
The core idea of integrating LDAP with Open Policy Agent (OPA) is a clean split of responsibilities. LDAP holds the directory of users, groups, and credentials. OPA enforces fine-grained rules for who can do what. Combined, they give you a centralized, flexible access control system whose rules can change without code changes.
Why integrate LDAP with OPA
LDAP stores information in a structured way. It can authenticate millions of users and manage their attributes. OPA uses Rego, its declarative language, to evaluate policies at runtime. Together they remove hard‑coded authorization logic from applications. You can update rules in OPA without redeploying services, while LDAP remains the trusted source of identity.
Core integration flow
- User sends a request to your service.
- Service checks LDAP to authenticate and retrieve user attributes.
- Service sends these attributes and the requested action to OPA.
- OPA evaluates policies and returns allow or deny.
This decouples authentication from authorization. LDAP proves identity. OPA decides permissions.
Key benefits
- Centralized control: Policies are defined in one place.
- Dynamic changes: Update rules in OPA without touching the codebase.
- Scalability: LDAP handles the authentication load while OPA scales horizontally.
- Auditability: Every decision can be logged for compliance.
Best practices
- Normalize attribute names between LDAP and OPA.
- Limit LDAP queries; cache results when possible.
- Keep OPA policies small and clear.
- Use TLS on every hop: HTTPS between your service and OPA, and LDAPS or StartTLS with an authenticated, least-privilege bind account for LDAP connections.
- Test policy changes in a staging environment before deploying.
Example: mapping LDAP groups to OPA roles
```rego
package authz

import rego.v1

default allow := false

# Allow POST /admin/create only when the LDAP-authenticated user is in "Admins".
allow if {
	input.method == "POST"
	input.path == ["admin", "create"]
	"Admins" in input.ldap.groups
}
```
Here, OPA checks if the authenticated user from LDAP belongs to the "Admins" group before allowing the action.
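The service side of the flow above, as an added example that is not code from the original page or from hoop.dev: it normalizes the `memberOf` DNs returned by an LDAP search into plain group names, shapes them into the `input` document the `authz` policy expects, and queries OPA's Data API, denying if OPA is unreachable or returns no decision. The OPA URL, the sample user entry, and the `uid`/`memberOf` attribute shapes are assumptions.

```python
import json
import urllib.error
import urllib.request

# Assumed address of a local OPA sidecar exposing the authz.allow rule.
OPA_URL = "http://localhost:8181/v1/data/authz/allow"


def group_names_from_member_of(member_of):
    """Normalize memberOf DNs ("CN=Admins,OU=Groups,DC=example,DC=com") to
    bare group names so the policy can compare against "Admins"."""
    names = []
    for dn in member_of:
        first_rdn = dn.split(",", 1)[0]          # leading RDN, e.g. CN=Admins
        attr, _, value = first_rdn.partition("=")
        if attr.strip().lower() == "cn" and value.strip():
            names.append(value.strip())
    return names


def build_opa_input(user_entry, method, path):
    """Combine the authenticated user's LDAP attributes with the requested
    action into the document the Rego policy reads as `input`."""
    return {
        "input": {
            "method": method.upper(),
            "path": [p for p in path.split("/") if p],   # "/admin/create" -> ["admin", "create"]
            "ldap": {
                "uid": user_entry.get("uid", [""])[0],
                "groups": group_names_from_member_of(user_entry.get("memberOf", [])),
            },
        }
    }


def ask_opa(opa_input, url=OPA_URL):
    """POST the input to OPA and return True only on an explicit allow.
    Any transport error or missing/undefined result is treated as deny."""
    body = json.dumps(opa_input).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            decision = json.load(resp)
    except (urllib.error.URLError, ValueError):
        return False                              # fail closed
    return decision.get("result") is True


# Constructed sample of what an LDAP search for the authenticated user returns.
SAMPLE_USER = {
    "uid": ["alice"],
    "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com",
                 "cn=Developers,ou=Groups,dc=example,dc=com"],
}

if __name__ == "__main__":
    payload = build_opa_input(SAMPLE_USER, "post", "/admin/create")
    print(json.dumps(payload, indent=2))
    print("allowed:", ask_opa(payload))
```

Caching the normalized group list per session (best practice above) keeps the per-request cost down to the OPA call alone.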
Tooling and deployment
OPA runs as a sidecar, daemon, or library. LDAP can be Microsoft Active Directory, OpenLDAP, or a cloud-hosted directory. Your service can call both directly through their APIs or route requests through middleware that performs the lookup and policy query. Carrying LDAP attributes as claims in a JSON Web Token (JWT) avoids a directory lookup on every request and keeps policy evaluation fast.
LDAP and OPA together give you fast, consistent, and secure access control backed by a live directory. The decision‑making logic is transparent, editable, and testable.
See LDAP with OPA in action. Deploy a live demo in minutes at hoop.dev and experience real-time policy decisions without touching production.