The following sections illustrate how to use an LDAP policy.
Adding LDAP Resource
In order to use the LDAP Policy, as a first step, create the LDAP Resource to configure the LDAP Server connection details.
Perform the following actions to create an LDAP Resource:
- In the API Dashboard, click the Administration Options For API Manager (Admin) prompt.
- Click the LDAP Resource Tab.
- Add an LDAP Resource using the Add button.
Configure the properties as described in the LDAP Resource section. This can then be used while configuring the LDAP Policy as below.
Configuring based on the LDAP Policy Types
Add the LDAP policy by selecting the LDAP option in the Security tab.
LDAP Policy basically has three configurable Policy types which represent different functionalities:
Authentication: User Name and Password Authentication
Search and Authenticate: Digital Number (DN) Attribute Authentication
Search: Searching LDAP
The following sections discuss each one in detail.
Authentication (User Name and Password Authentication)
This provides authentication against an LDAP provider. The policy passes username and password from the request to LDAP for authentication.
Provide the property values following the descriptions in the LDAP section.
Search and Authenticate (DN Attribute Authentication)
If a username is in the request, whereas the user needs to be authenticated with a DN attribute other than username (for example, email), include a Search Query to get the user email associated with the password. The LDAP policy uses the email address to query the LDAP provider for the corresponding user name, which is then used for authentication.
Search (Searching LDAP)
By identifying the user with metadata in the request or response, this element can be used to retrieve additional DN attributes for the user from LDAP. For example, if the request contains the user email, and the LDAP defines a "mail" attribute for storing user email addresses, the query searches LDAP for an email matching the email in the request, and the policy retrieves additional DN attributes for the user with the Attributes element.
Additional Attributes
These are the attributes that need to be retrieved. Use one or more attributes to identify the DN metadata to be retrieved for the user. At least one attribute is required. For example, after the Search Query identifies the user, the policy can then retrieve DN attributes for the user such as address, phone number, and the user's title.
Attribute values are the DN attribute names defined in the LDAP.
After retrieving the attribute values from LDAP, these values will be stored in the context variables as below.
The flexible format of this variable—the index in particular—accounts for multiple attributes, as well as attributes with multiple values. An 'index' is a number that starts at '0'.
For example, to retrieve the third address attribute in the search results, use the following:
If an attribute had multiple values (for example, if a user has multiple email addresses), the second email address from the results can be retrieved in the following manner:
Using a custom LDAP provider
A default LDAP provider is already configured to interact with the LDAP Policy.However, a custom LDAP provider is being used, the provider needs to be enabled to support the LDAP Policy by performing the following actions:
In the LDAP provider class, implement the LDAPConnectionProvider interface.
- Create a Jar with the implementation classes and add it to the server.conf file under <java.classpath> section. This will add the jar to the class path.
- In the <LDAP Connector Class> of the policy configuration, add the fully qualified class name of the custom LDAP provider.