Cerbos authorization for LDAP directories
LDAP directories store user identities, group memberships, and organizational structure. Cerbos uses LDAP identity data to make fine-grained authorization decisions based on directory attributes, groups, and organizational units.
Directory attributes in policies
Use LDAP user attributes like department, title, and location as inputs to Cerbos authorization policies
Group-based access control
Reference LDAP group memberships and organizational units in policies for hierarchical access patterns
Any LDAPv3 directory
Works with Active Directory, OpenLDAP, FreeIPA, 389 DS, and any LDAPv3-compatible directory
How Cerbos works with LDAP
LDAP handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.
Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.
How Cerbos works with LDAP
- Users authenticate against your LDAP directory, Your application binds to the directory and verifies the user's credentials. The user's DN, attributes, and group memberships are available after authentication.
- Extract identity from the directory, Resolve the user's group memberships, organizational unit, and any custom attributes from the directory entry.
- Send identity and resource context to Cerbos, Pass the user's LDAP attributes, groups, and organizational unit as principal attributes alongside the target resource and action to the Cerbos PDP.
- Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the LDAP identity data and resource context, returning allow or deny. Your application enforces the result.
FAQ
How does Cerbos use LDAP identity data?
Your application authenticates the user against your LDAP directory and extracts their attributes, group memberships, and organizational unit. These are passed to Cerbos as principal attributes, so your policies can reference LDAP groups, OUs, and any directory attribute.
Which LDAP directories work with Cerbos?
Cerbos works with any LDAPv3-compatible directory, including Active Directory, OpenLDAP, 389 Directory Server, FreeIPA, and Oracle Internet Directory. Your application handles LDAP authentication and passes the identity data to Cerbos.
Can I use LDAP group hierarchies in Cerbos policies?
Yes. Pass the user's group DNs or resolved group names to Cerbos as principal attributes. Policies can match on specific groups, group prefixes, or organizational units to model hierarchical access patterns.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + LDAP
- Cerbos extends LDAP roles with fine-grained, attribute-based permissions
- Policies defined in human-readable YAML, managed as code
- Authorization logic decoupled from application code
- Sub-millisecond policy evaluation via stateless PDP
Authorization for AI systems
By industry
By business requirement
Useful links
What is Cerbos?
Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.