LDAP Security Manager
The LDAP Security Manager policy establishes the configuration details for an Open LDAP or Active Directory LDAP that you have set up for your enterprise. To enforce an LDAP Security Manager policy, you also need to create and apply an HTTP Basic Authentication policy, which prompts the agent to enforce credentialed access using the configuration established in your LDAP policy.
Prerequisites
This document assumes that you are an API Versions Owner for the API version that you want to manage, or that you are a member of the Organization Administrators role.
Configuring an LDAP Security Manager
Configure the LDAP Security Manager to connect to your LDAP or Active Directory. All fields are required. These literal string values support property placeholders. Enter the password as a secure value, which is a value that, once entered, is not visible or retrievable.
-
LDAP Server URL
The URL of your LDAP server, including the port number.
-
LDAP User DN
The name of the user or user group with access to the LDAP.
-
LDAP User Password
The password for the user or user group
-
LDAP Search Base
The starting point for the search in the directory tree.
-
LDAP Search Filter
The criteria for the filter for the Active Directory or the OpenLDAP model, as shown in the examples below.
Example Configuration for an Active Directory Security Manager
| Field | Example Literal String Value | Example Secure Property Placeholder |
|---|---|---|
LDAP Server URL |
|
|
LDAP Server User DN |
|
|
LDAP User Password |
|
|
LDAP Search Base |
|
|
LDAP Search Filter |
|
|
Note that the search filter string given above is particular to Active Directory applications.
Example Configuration for an OpenLDAP Security Manager
| Field | Example Literal String Value | Example Secure Property Placeholder |
|---|---|---|
LDAP Server URL |
|
|
LDAP Server User DN |
|
|
LDAP User Password |
|
|
LDAP Search Base |
|
|
LDAP Search Filter |
|
|
Note: Search filter string given above is particular to OpenLDAP applications.
If you use secure property placeholders when you configure an LDAP policy, specify the values for the placeholders as system variables, either in the command line or in your Mule Runtime or API Gateway Runtime wrapper.conf file.
For example:
# OpenLDAP properties definitions
wrapper.java.additional.7=-Dldap.password=<password here>
wrapper.java.additional.8=-Dldap.user.dn=cn=Manager,dc=my-company,dc=com
wrapper.java.additional.9=-Dldap.search.base=ou=people,dc=my-company,dc=com
wrapper.java.additional.10=-Dldap.search.filter=(uid={0})
wrapper.java.additional.11=-Dldap.server.url=ldaps://my-company-ldap.cloudhub.io:1010/Applying Your LDAP Security Manager and Basic Auth Policies
Follow the steps below to apply these policies to your endpoint at runtime.
-
Navigate to API Manager and click an API version to which you want to apply the policy.
-
Click the Policies tab to open it.
-
Apply the LDAP Security Manager policy and configure it to connect to your LDAP.
-
Apply the HTTP Basic Authentication policy to enforce your security manager policy.
-
Verify that the security policy is now in effect – the endpoint of your API should now require authentication.
Note that you can apply LDAP Security Manager policy and enforce it with HTTP Basic Authentication policy even if your target service version or endpoint already has a security manager configured. The security management enforced by the API Manager overrides any other security manager policies you have applied.
Unapplying an LDAP Security Manager and Basic Auth Policies
To unapply the HTTP Basic Authentication backed by an LDAP Security Manager from your service version or endpoints, unapply the policies one at a time.
-
Unapply the HTTP Basic Authentication policy.
-
Unapply the LDAP Security Manager policy.
-
Hit the endpoint to confirm that your API no longer requires authentication.