LDAP
Overview
LDAP is an identity and access management platform. Learn more in the official LDAP documentation.
The DataHub integration for LDAP covers identity entities such as users, groups, and memberships. Depending on module capabilities, it can also capture features such as lineage, usage, profiling, ownership, tags, and stateful deletion detection.
Concept Mapping
While the specific concept mapping is still pending, this shows the generic concept mapping in DataHub.
| Source Concept | DataHub Concept | Notes |
|---|---|---|
| Ownership and collaboration principals | CorpUser, CorpGroup | Emitted by modules that support ownership and identity metadata. |
Module ldap
Important Capabilities
| Capability | Status | Notes |
|---|---|---|
| Detect Deleted Entities | ✅ | Enabled by default via stateful ingestion. |
Overview
The ldap module ingests metadata from LDAP into DataHub. It is intended for production ingestion workflows, and module-specific capabilities are documented below.
Prerequisites
Before running ingestion, ensure network connectivity to the source, valid authentication credentials, and read permissions for metadata APIs required by this module.
Install the Plugin
```shell
pip install 'acryl-datahub[ldap]'
```
Starter Recipe
Check out the following recipe to get started with ingestion! See below for full configuration options.
For general pointers on writing and running a recipe, see our main recipe guide.
```yaml
source:
  type: "ldap"
  config:
    # Coordinates
    ldap_server: ldap://localhost
    # Credentials
    ldap_user: "cn=admin,dc=example,dc=org"
    ldap_password: "admin"
    # Options
    base_dn: "dc=example,dc=org"
    # TLS Security - Certificate verification is enabled by default
    # Set to false only for testing with self-signed certificates
    # tls_verify: true
sink:
  # sink configs
```
Config Details
Note that a . is used to denote nested fields in the YAML recipe.
| Field | Description |
|---|---|
| base_dn ✅ string | LDAP DN. |
| ldap_password ✅ string(password) | LDAP password. |
| ldap_server ✅ string | LDAP server URL. |
| ldap_user ✅ string | LDAP user. |
| drop_missing_first_last_name boolean | If set to true, any users without first and last names will be dropped. Default: True |
| filter string | LDAP extractor filter. Default: (objectClass=*) |
| group_attrs_map object | Default: {} |
| manager_filter_enabled boolean | Use LDAP extractor filter to search managers. Default: True |
| manager_pagination_enabled boolean | [deprecated] Use pagination_enabled. Default: True |
| page_size integer | Size of each page to fetch when extracting metadata. Default: 20 |
| pagination_enabled boolean | Use pagination when running search queries (enabled by default). Default: True |
| platform_instance One of string, null | The instance of the platform that all assets produced by this recipe belong to. This should be unique within the platform. See https://docs.datahub.com/docs/platform-instances/ for more details. Default: None |
| tls_verify boolean | Verify server TLS certificates for LDAPS connections. Disabling in production exposes connections to Man-in-the-Middle attacks (CWE-295). Default: True |
| use_email_as_username boolean | Use email for users' usernames instead of username (disabled by default). If enabled, the user and group URNs will have the email as the id part of the URN. Default: False |
| user_attrs_map object | Default: {} |
| env string | The environment that all assets produced by this connector belong to. Default: PROD |
| attrs_list One of array, null | Retrieved attributes list. Default: None |
| attrs_list.string string | |
| custom_props_list One of array, null | A list of custom attributes to extract from the LDAP provider. Default: None |
| custom_props_list.string string | |
| stateful_ingestion One of StatefulStaleMetadataRemovalConfig, null | Default: None |
| stateful_ingestion.enabled boolean | Whether or not to enable stateful ingest. Default: True if a pipeline_name is set and either a datahub-rest sink or datahub_api is specified, otherwise False. Default: False |
| stateful_ingestion.fail_safe_threshold number | Prevents a large number of soft deletes, and the state from being committed, after accidental changes to the source configuration, if the relative change percent in entities compared to the previous state is above the 'fail_safe_threshold'. Default: 75.0 |
| stateful_ingestion.remove_stale_metadata boolean | Soft-deletes the entities present in the last successful run but missing in the current run with stateful_ingestion enabled. Default: True |
The JSONSchema for this configuration is inlined below.
{
"$defs": {
"StatefulStaleMetadataRemovalConfig": {
"additionalProperties": false,
"description": "Base specialized config for Stateful Ingestion with stale metadata removal capability.",
"properties": {
"enabled": {
"default": false,
"description": "Whether or not to enable stateful ingest. Default: True if a pipeline_name is set and either a datahub-rest sink or `datahub_api` is specified, otherwise False",
"title": "Enabled",
"type": "boolean"
},
"remove_stale_metadata": {
"default": true,
"description": "Soft-deletes the entities present in the last successful run but missing in the current run with stateful_ingestion enabled.",
"title": "Remove Stale Metadata",
"type": "boolean"
},
"fail_safe_threshold": {
"default": 75.0,
"description": "Prevents large amount of soft deletes & the state from committing from accidental changes to the source configuration if the relative change percent in entities compared to the previous state is above the 'fail_safe_threshold'.",
"maximum": 100.0,
"minimum": 0.0,
"title": "Fail Safe Threshold",
"type": "number"
}
},
"title": "StatefulStaleMetadataRemovalConfig",
"type": "object"
}
},
"additionalProperties": false,
"description": "Config used by the LDAP Source.",
"properties": {
"env": {
"default": "PROD",
"description": "The environment that all assets produced by this connector belong to",
"title": "Env",
"type": "string"
},
"platform_instance": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"description": "The instance of the platform that all assets produced by this recipe belong to. This should be unique within the platform. See https://docs.datahub.com/docs/platform-instances/ for more details.",
"title": "Platform Instance"
},
"stateful_ingestion": {
"anyOf": [
{
"$ref": "#/$defs/StatefulStaleMetadataRemovalConfig"
},
{
"type": "null"
}
],
"default": null
},
"ldap_server": {
"description": "LDAP server URL.",
"title": "Ldap Server",
"type": "string"
},
"ldap_user": {
"description": "LDAP user.",
"title": "Ldap User",
"type": "string"
},
"ldap_password": {
"description": "LDAP password.",
"format": "password",
"title": "Ldap Password",
"type": "string",
"writeOnly": true
},
"base_dn": {
"description": "LDAP DN.",
"title": "Base Dn",
"type": "string"
},
"filter": {
"default": "(objectClass=*)",
"description": "LDAP extractor filter.",
"title": "Filter",
"type": "string"
},
"attrs_list": {
"anyOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"type": "null"
}
],
"default": null,
"description": "Retrieved attributes list",
"title": "Attrs List"
},
"custom_props_list": {
"anyOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"type": "null"
}
],
"default": null,
"description": "A list of custom attributes to extract from the LDAP provider.",
"title": "Custom Props List"
},
"drop_missing_first_last_name": {
"default": true,
"description": "If set to true, any users without first and last names will be dropped.",
"title": "Drop Missing First Last Name",
"type": "boolean"
},
"page_size": {
"default": 20,
"description": "Size of each page to fetch when extracting metadata.",
"title": "Page Size",
"type": "integer"
},
"manager_filter_enabled": {
"default": true,
"description": "Use LDAP extractor filter to search managers.",
"title": "Manager Filter Enabled",
"type": "boolean"
},
"manager_pagination_enabled": {
"default": true,
"description": "[deprecated] Use pagination_enabled ",
"title": "Manager Pagination Enabled",
"type": "boolean"
},
"pagination_enabled": {
"default": true,
"description": "Use pagination while do search query (enabled by default).",
"title": "Pagination Enabled",
"type": "boolean"
},
"use_email_as_username": {
"default": false,
"description": "Use email for users' usernames instead of username (disabled by default). If enabled, the user and group urn would be having email as the id part of the urn.",
"title": "Use Email As Username",
"type": "boolean"
},
"tls_verify": {
"default": true,
"description": "Verify server TLS certificates for LDAPS connections. Disabling in production exposes connections to Man-in-the-Middle attacks (CWE-295).",
"title": "Tls Verify",
"type": "boolean"
},
"user_attrs_map": {
"additionalProperties": true,
"default": {},
"title": "User Attrs Map",
"type": "object"
},
"group_attrs_map": {
"additionalProperties": true,
"default": {},
"title": "Group Attrs Map",
"type": "object"
}
},
"required": [
"ldap_server",
"ldap_user",
"ldap_password",
"base_dn"
],
"title": "LDAPSourceConfig",
"type": "object"
}
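A pre-flight check over the security-relevant fields documented above (`ldap_server`, `ldap_password`, `tls_verify`), run here against the starter recipe and a hardened variant. This is an added example, not DataHub code: `audit_ldap_recipe` is a hypothetical helper, the hardened host, bind DN and variable name are constructed placeholders, and it assumes that any URL other than `ldaps://` carries the bind without TLS and that secrets are supplied through the `${VAR}` environment-variable form that recipes expand.

```python
import re
from typing import List
from urllib.parse import urlparse

# Fields listed under "required" in the LDAPSourceConfig schema on this page.
REQUIRED = ("ldap_server", "ldap_user", "ldap_password", "base_dn")
# ${VAR} environment-variable reference, expanded when the recipe is loaded.
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")

def audit_ldap_recipe(recipe: dict) -> List[str]:
    """Hypothetical helper: list risky settings in a parsed LDAP recipe."""
    cfg = (recipe.get("source") or {}).get("config") or {}
    findings = [f"missing required field: {k}" for k in REQUIRED if not cfg.get(k)]

    server = str(cfg.get("ldap_server") or "")
    if server and urlparse(server).scheme.lower() != "ldaps":
        # Assumption: anything other than ldaps:// carries the bind in cleartext.
        findings.append("ldap_server is not ldaps://, bind is not TLS-protected")

    # tls_verify defaults to True; only an explicit false turns verification off.
    if cfg.get("tls_verify", True) is False:
        findings.append("tls_verify is false, certificate not verified (CWE-295)")

    password = cfg.get("ldap_password")
    if isinstance(password, str) and password and not ENV_REF.match(password):
        findings.append("ldap_password is a literal, use a ${VAR} reference")
    return findings

# The starter recipe from this page, as the dict a YAML loader would produce.
STARTER = {"source": {"type": "ldap", "config": {
    "ldap_server": "ldap://localhost",
    "ldap_user": "cn=admin,dc=example,dc=org",
    "ldap_password": "admin",
    "base_dn": "dc=example,dc=org",
}}}

# Constructed hardened variant; host name and variable name are placeholders.
HARDENED = {"source": {"type": "ldap", "config": {
    "ldap_server": "ldaps://ldap.example.org:636",
    "ldap_user": "cn=datahub-ro,dc=example,dc=org",
    "ldap_password": "${LDAP_BIND_PASSWORD}",
    "base_dn": "dc=example,dc=org",
    "tls_verify": True,
}}}

if __name__ == "__main__":
    for name, recipe in (("starter", STARTER), ("hardened", HARDENED)):
        print(name, audit_ldap_recipe(recipe) or "no findings")
```

The starter recipe yields two findings (cleartext scheme, literal password); the hardened variant yields none.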
Capabilities
Use the Important Capabilities table above as the source of truth for supported features and whether additional configuration is required.
Limitations
Module behavior is constrained by source APIs, permissions, and metadata exposed by the platform. Refer to capability notes for unsupported or conditional features.
Troubleshooting
If ingestion fails, validate credentials, permissions, connectivity, and scope filters first. Then review ingestion logs for source-specific errors and adjust configuration accordingly.
Code Coordinates
- Class Name: datahub.ingestion.source.ldap.LDAPSource
If you've got any questions on configuring ingestion for LDAP, feel free to ping us on our Slack.
This page is auto-generated from the underlying source code. To make changes, please edit the relevant source files in the metadata-ingestion directory.