
Enrich authorization with LDAP directory data

Automatically pull user attributes, group memberships, and organizational units from your LDAP directory into Cerbos policy evaluations, with no application code changes required.

LDAP context

Automatically enrich authorization requests with user profiles, group memberships, and organizational units from your LDAP directory

Cached responses

Configurable TTLs cache enrichment results to balance data freshness against evaluation latency

Zero application code

Identity enrichment happens at the policy layer, so your application code stays clean

How Cerbos works with LDAP

Authorization decisions are only as good as the data behind them. LDAP provides real-time context (user profiles, group memberships, or external attributes) that makes Cerbos policies richer and more accurate.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. With LDAP as a context source, those policies can evaluate attributes beyond what's in the initial request.

Because enrichment happens at the policy layer, your application code stays clean: there is no custom plumbing to fetch and merge identity data before making authorization calls.

Authorization powered by your LDAP directory

LDAP directories remain the backbone of identity management in many organizations, especially those with on-premises infrastructure, legacy systems, or regulated environments. Cerbos identity enrichment connects directly to your LDAP directory, making user attributes, group memberships, and organizational unit data available in your authorization policies.

How it works

  1. Your application sends an authorization request to Cerbos with a user identifier (DN, uid, or sAMAccountName).
  2. Cerbos queries your LDAP directory for the user's attributes, group memberships, and organizational unit, including nested group resolution.
  3. Enriched data is available in your policies: write rules based on LDAP groups, organizational units, custom attributes, or any combination.
  4. Connections are pooled and results cached for reliable, low-latency performance.
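The four steps above, worked through as an added example that is not Cerbos's own code: a constructed in-memory directory stands in for the LDAP server, a user identifier (DN or uid or sAMAccountName) is resolved to an entry, group membership is resolved transitively through memberOf with a guard against cyclic nesting, the organizational unit is taken from the DN, and results are cached per identifier with a TTL. The directory contents, the output field names (dn, ou, groups, department) and the policy rule in allowed() are all assumptions made for the illustration.

```python
"""Simulated LDAP enrichment: identifier -> attributes, nested groups, OU, TTL cache.
Added example with a constructed directory; not Cerbos's implementation."""
import time
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample directory: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=engineering,dc=example,dc=com": {
        "uid": ["alice"],
        "sAMAccountName": ["alice"],
        "department": ["Engineering"],
        "memberOf": ["cn=backend,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=finance,dc=example,dc=com": {
        "uid": ["bob"],
        "department": ["Finance"],
        "memberOf": ["cn=finance-readonly,ou=groups,dc=example,dc=com"],
    },
    "cn=backend,ou=groups,dc=example,dc=com": {
        "memberOf": ["cn=engineering,ou=groups,dc=example,dc=com"],
    },
    "cn=engineering,ou=groups,dc=example,dc=com": {
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=com"],
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        # Deliberate cycle (staff -> engineering -> staff) to show the guard.
        "memberOf": ["cn=engineering,ou=groups,dc=example,dc=com"],
    },
    "cn=finance-readonly,ou=groups,dc=example,dc=com": {},
}


def find_user_dn(identifier: str) -> str:
    """Step 1: accept a DN, uid, or sAMAccountName and return the entry's DN."""
    if identifier in DIRECTORY:
        return identifier
    for dn, attrs in DIRECTORY.items():
        if identifier in attrs.get("uid", []) or identifier in attrs.get("sAMAccountName", []):
            return dn
    raise LookupError(f"no directory entry for {identifier!r}")


def resolve_groups(dn: str) -> List[str]:
    """Step 2: transitive closure over memberOf; the visited set stops cycles."""
    seen: Set[str] = set()
    stack = list(DIRECTORY.get(dn, {}).get("memberOf", []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(DIRECTORY.get(group, {}).get("memberOf", []))
    return sorted(seen)


def organizational_unit(dn: str) -> str:
    """Return the value of the first ou= RDN in the DN (empty if none)."""
    for rdn in dn.split(","):
        if rdn.lower().startswith("ou="):
            return rdn.split("=", 1)[1]
    return ""


class EnrichmentCache:
    """Step 4: cache enrichment results per identifier for ttl_seconds."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries: Dict[str, Tuple[float, dict]] = {}
        self.lookups = 0  # number of directory lookups actually performed

    def principal_attributes(self, identifier: str) -> dict:
        now = self.clock()
        hit = self._entries.get(identifier)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]
        dn = find_user_dn(identifier)
        self.lookups += 1
        entry = DIRECTORY[dn]
        attrs = {
            "dn": dn,
            "ou": organizational_unit(dn),
            "groups": resolve_groups(dn),
            "department": entry.get("department", [""])[0],
        }
        self._entries[identifier] = (now, attrs)
        return attrs


def allowed(attrs: dict, action: str) -> bool:
    """Step 3: a constructed policy rule written over the enriched attributes."""
    groups = set(attrs["groups"])
    if action == "deploy":
        return "cn=engineering,ou=groups,dc=example,dc=com" in groups
    if action == "view_ledger":
        return attrs["ou"] == "finance" or "cn=finance-readonly,ou=groups,dc=example,dc=com" in groups
    return False


if __name__ == "__main__":
    cache = EnrichmentCache(ttl_seconds=60)
    for who in ("alice", "uid=bob,ou=finance,dc=example,dc=com"):
        a = cache.principal_attributes(who)
        print(who, a["ou"], a["groups"], "deploy:", allowed(a, "deploy"))
```

Alice reaches the engineering group only through backend, so a rule that checked direct memberOf alone would deny her; the transitive closure is what makes nested group resolution work, and the visited set is what keeps a cyclic directory from hanging the evaluation. The TTL cache bounds how long a revoked membership can keep granting access, which is the freshness-versus-latency trade-off the TTL setting controls.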

Bridging legacy identity and modern authorization

Many organizations have decades of identity data in LDAP that they cannot easily migrate. Cerbos lets you build modern, fine-grained authorization policies on top of your existing directory without requiring a migration to a cloud identity provider.

Get started

LDAP identity enrichment is available as part of Cerbos enterprise. Talk to us to learn more about enriching your authorization decisions with LDAP directory data.

FAQ

How does LDAP enrichment work with Cerbos?

Cerbos queries your LDAP directory at evaluation time to fetch the user's attributes, group memberships, and organizational unit. This data is available as principal attributes in your policies, enabling rules based on any directory attribute.

How is this different from the LDAP authentication integration?

The authentication integration relies on your application to query LDAP and pass identity data to Cerbos. Identity enrichment is handled by Cerbos itself: it queries the directory directly at authorization time, so your application only needs to provide a user identifier.

Which LDAP directories does Cerbos support for enrichment?

Cerbos supports any LDAPv3-compatible directory, including Active Directory, OpenLDAP, 389 Directory Server, FreeIPA, and Oracle Internet Directory. Connections support LDAPS and StartTLS for encryption, and client certificate authentication for mutual TLS.

Cerbos + LDAP

  • Authorization decisions enriched with real-time LDAP data
  • Context enrichment configured at the policy layer, not in application code
  • Identity attributes and business context combined in policies
  • Centrally managed authorization logic across the stack

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.