KB Article #163550

Add role based authorization to an LDAP Authentication Policy

LDAP Authenticate
Configuration required to perform authentication against an LDAP server.

Gateway Configuration:
External connections > LDAP Connections > Add a LDAP Connection



Enter configuration details for the LDAP connection.


Create an LDAP authentication repository entry, which can then be used in the HTTP Basic, Digest, and WS-Security username/password filters for authentication.
External connections > Authentication Repository Profiles > LDAP Repositories > Add a new Repository


Configure the repository as required:
In a filter that requires authentication against LDAP, simply select the repository named above.


LDAP Authorize
The following configuration can be used to authorize a request by retrieving the user's role from LDAP and checking it against the roles allowed by the service.

Gateway Configuration:
1. Use the LDAP connection and repository set up as detailed in LDAP Authenticate above.
2. After authentication with the HTTP Basic, Digest or WS-Security username/password filter, send the circuit to a "Retrieve Attribute from Directory Server" filter and then to a "Validate Message Attribute" filter. This combination checks whether the user is a member of a role (group).
3. Repeat this pair of filters for each group that needs checking, e.g.



4. Example of a "Retrieve Attribute from Directory Server" filter for group "group1"

5. Example of a "Validate Message Attribute" filter for group "group1"
This filter returns success if the user is found to be a member of the role group1. The authorized user is forwarded to the next role check and finally to the "user authorized" policy, which is shown as a shortcut in the circuit above.


6. Similarly, the "user not authorized" branch is a shortcut. This could point to a policy that eventually reflects an appropriate failure message back to the client.
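The authorization chain above, modelled as an added example (not the KB article's own configuration or the gateway's code) against a constructed in-memory directory. The uids, DNs and the "memberOf" attribute name are assumptions, and the chain is read as requiring every listed group, since each "Validate Message Attribute" failure goes to the "user not authorized" branch; the username is escaped before it is embedded in the directory search filter, which the article does not spell out.

```python
# Added example (not the KB article's own configuration): a model of the
# LDAP Authorize circuit described above, run against a constructed
# in-memory directory. The uids, DNs and the "memberOf" attribute are assumptions.

CONSTRUCTED_DIRECTORY = {  # uid -> attributes, as a directory search would return them
    "alice": {"memberOf": ["cn=group1,ou=groups,dc=example,dc=com",
                           "cn=group2,ou=groups,dc=example,dc=com"]},
    "bob": {"memberOf": ["cn=group2,ou=groups,dc=example,dc=com"]},
    "carol": {},  # authenticated, but carries no memberOf attribute at all
}

def ldap_filter_escape(value):
    """Escape a value embedded in an LDAP search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_search_filter(username):
    """Filter the 'Retrieve Attribute from Directory Server' step sends to find
    the authenticated user; the username is escaped before it is embedded."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % ldap_filter_escape(username)

def retrieve_attribute(directory, username, attribute):
    """'Retrieve Attribute from Directory Server': the attribute's values, [] if absent."""
    return list(directory.get(username, {}).get(attribute, []))

def validate_attribute(values, group_dn):
    """'Validate Message Attribute' for one group: success only if that group is present."""
    return group_dn.lower() in (v.lower() for v in values)

def authorize(directory, username, required_groups):
    """One validate step per required group, chained as in the article's circuit;
    the first failing check takes the 'user not authorized' branch."""
    values = retrieve_attribute(directory, username, "memberOf")
    if not values:
        return False  # no group attribute at all: fail closed, do not fall through
    return all(validate_attribute(values, g) for g in required_groups)
```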