Description
Is your feature request related to a problem? Please describe.
As Phoenix is increasingly adopted in enterprise environments for self-hosted LLM observability, integration with existing Identity Providers (IdP) becomes critical.
Currently, for self-hosted instances, managing access via basic auth or individual user creation is not scalable for larger teams. Many organizations still rely on LDAP / Active Directory as their source of truth for user management and cannot easily adopt OIDC/OAuth2 for internal tools due to legacy infrastructure constraints.
Without native LDAP support, we are unable to:
- Centralize user lifecycle management (disable a user in AD, they lose access to Phoenix).
- Automate role assignment based on existing corporate groups (RBAC).
Describe the solution you'd like
I would like to request native support for LDAP (Lightweight Directory Access Protocol) for both Authentication (AuthN) and Authorization (AuthZ).
- Authentication: Users should be able to log in to the Phoenix UI using their standard directory credentials.
- Authorization (Group Mapping): Phoenix should allow mapping LDAP Groups to Phoenix roles (e.g., Admin, Editor, Viewer).
Proposed Configuration via Environment Variables
Ideally, this would be configured via PHOENIX_* environment variables or a config yaml.
Example configuration logic (Python ldap3 or python-ldap style):

```shell
# Connection Settings
PHOENIX_AUTH_METHOD=LDAP
PHOENIX_LDAP_SERVER_URI=ldaps://ldap.example.com:636
PHOENIX_LDAP_BIND_DN=cn=readonly,ou=users,dc=example,dc=com
PHOENIX_LDAP_BIND_PASSWORD=secret

# User Search Settings
PHOENIX_LDAP_USER_SEARCH_BASE=ou=users,dc=example,dc=com
PHOENIX_LDAP_USER_SEARCH_FILTER=(uid={0})
PHOENIX_LDAP_UID_FIELD=uid
PHOENIX_LDAP_EMAIL_FIELD=mail

# Group Authorization Settings
PHOENIX_LDAP_GROUP_SEARCH_BASE=ou=groups,dc=example,dc=com
PHOENIX_LDAP_GROUP_SEARCH_FILTER=(member={0})

# Role Mapping (JSON string or similar format)
PHOENIX_LDAP_ROLE_MAPPING='{
  "cn=phoenix-admins,ou=groups,dc=example,dc=com": "admin",
  "cn=data-scientists,ou=groups,dc=example,dc=com": "editor",
  "cn=engineers,ou=groups,dc=example,dc=com": "viewer"
}'
```
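As an added illustration (not Phoenix's code and not from this issue): the two filter substitutions and the group-to-role resolution implied by the proposed variables, with the login name escaped per RFC 4515 before it is substituted into the filter so it cannot rewrite the query. The directory round trips themselves are omitted and the group DNs are passed in as if returned by the group search; ROLE_RANK, the case-insensitive DN comparison and the ENV values are assumptions.

```python
import json

# Constructed settings mirroring the variables proposed above (not Phoenix's real config).
ENV = {
    "PHOENIX_LDAP_USER_SEARCH_FILTER": "(uid={0})",
    "PHOENIX_LDAP_GROUP_SEARCH_FILTER": "(member={0})",
    "PHOENIX_LDAP_ROLE_MAPPING": json.dumps({
        "cn=phoenix-admins,ou=groups,dc=example,dc=com": "admin",
        "cn=data-scientists,ou=groups,dc=example,dc=com": "editor",
        "cn=engineers,ou=groups,dc=example,dc=com": "viewer",
    }),
}

# Assumed precedence when a user belongs to several mapped groups: the highest role wins.
ROLE_RANK = {"admin": 3, "editor": 2, "viewer": 1}


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value for use inside an LDAP search filter (RFC 4515).

    The login name is untrusted input; substituted raw into "(uid={0})" its special
    characters would change the filter, so each one becomes a \\XX hex escape.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(template: str, value: str) -> str:
    """Fill the {0} placeholder of a PHOENIX_LDAP_*_SEARCH_FILTER template safely."""
    return template.replace("{0}", escape_filter_value(value))


def resolve_role(group_dns, env=ENV):
    """Map the DNs returned by the group search to a Phoenix role.

    DNs are compared case-insensitively (an assumption; real DN matching is richer).
    Returns None when no group is mapped, so the caller denies access instead of
    falling back to a default role.
    """
    raw = json.loads(env["PHOENIX_LDAP_ROLE_MAPPING"])
    mapping = {dn.lower(): role for dn, role in raw.items()}
    roles = [mapping[dn.lower()] for dn in group_dns if dn.lower() in mapping]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


def login_filters(username: str, user_dn: str, env=ENV):
    """Filters for the two directory queries: locate the user, then list their groups."""
    return (
        build_filter(env["PHOENIX_LDAP_USER_SEARCH_FILTER"], username),
        build_filter(env["PHOENIX_LDAP_GROUP_SEARCH_FILTER"], user_dn),
    )
```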
Describe alternatives you've considered
- Reverse Proxy with Auth Headers:
  We have considered running Phoenix behind an Nginx/Apache reverse proxy that handles the LDAP handshake and passes the user context via headers (X-Remote-User). However, this requires significant infrastructure overhead and does not natively handle the Group-to-Role mapping within Phoenix easily without additional middleware.
- OIDC:
  While OIDC is a modern standard, our specific on-prem environment strictly uses Active Directory LDAP and does not have an OIDC provider bridge available for internal tooling.
Additional context
Library suggestion: If Phoenix is Python-based, ldap3 is a pure-python, strictly RFC-compliant library that is generally easier to maintain than python-ldap (which requires C compilation).
Compliance: This feature is often a requirement for SOC2 compliance in enterprise self-hosted environments.