Nav

LDAP Security Manager (Jul 2017)

The LDAP Security Manager policy establishes the configuration details for an Open LDAP or Active Directory LDAP that you have set up for your enterprise. To enforce an LDAP Security Manager policy, you also need to create and apply an HTTP Basic Authentication policy, which prompts the agent to enforce credentialed access using the configuration established in your LDAP policy.

Prerequisites

This document assumes that you are an API Versions Owner for the API version that you want to manage, or that you are a member of the Organization Administrators role.

Configuring an LDAP Security Manager

Configure the LDAP Security Manager to connect to your LDAP or Active Directory. All fields are required. These literal string values support property placeholders. Enter the password as a secure value, which is a value that, once entered, is not visible or retrievable.

  • LDAP Server URL

    The URL of your LDAP server, including the port number.

  • LDAP User DN

    The name of the user or user group with access to the LDAP.

  • LDAP User Password

    The password for the user or user group

  • LDAP Search Base

    The starting point for the search in the directory tree.

  • LDAP Search Filter

    The criteria for the filter for the Active Directory or the OpenLDAP model, as shown in the examples below.

Example Configuration for an Active Directory Security Manager

Field Example Literal String Value Example Secure Property Placeholder

LDAP Server URL

ldap://174.19.33.17:389/

${ldap.server.url}

LDAP Server User DN

CN=Administrator,CN=Users,DC=my-company,DC=com

${ldap.user.dn}

LDAP User Password

somePassword

${ldap.password}

LDAP Search Base

CN=Users,DC=my-company,DC=com

${ldap.search.base}

LDAP Search Filter

(sAMAccountName={0})

${ldap.search.filter}

Note that the search filter string given above is particular to Active Directory applications.

Example Configuration for an OpenLDAP Security Manager

Field Example Literal String Value Example Secure Property Placeholder

LDAP Server URL

ldaps://my-company-ldap.cloudhub.io:1010/

${ldap.server.url}

LDAP Server User DN

cn=Manager,dc=my-company,dc=com

${ldap.user.dn}

LDAP User Password

somePassword

${ldap.password}

LDAP Search Base

ou=people,dc=my-company,dc=com

${ldap.search.base}

LDAP Search Filter

(uid={0})

${ldap.search.filter}

Note: Search filter string given above is particular to OpenLDAP applications.

If you use secure property placeholders when you configure an LDAP policy, specify the values for the placeholders as system variables, either in the command line or in your Mule Runtime or API Gateway Runtime wrapper.conf file.

For example:


          
       
1
2
3
4
5
6
# OpenLDAP properties definitions
wrapper.java.additional.7=-Dldap.password=<password here>
wrapper.java.additional.8=-Dldap.user.dn=cn=Manager,dc=my-company,dc=com
wrapper.java.additional.9=-Dldap.search.base=ou=people,dc=my-company,dc=com
wrapper.java.additional.10=-Dldap.search.filter=(uid={0})
wrapper.java.additional.11=-Dldap.server.url=ldaps://my-company-ldap.cloudhub.io:1010/

Applying Your LDAP Security Manager and Basic Auth Policies

Follow the steps below to apply these policies to your endpoint at runtime.

  1. Navigate to API Manager and click an API version (Jul 2017) or instance (Nov 2017) to which you want to apply the policy.

  2. Click the Policies tab to open it.

  3. Apply the LDAP Security Manager policy and configure it to connect to your LDAP.

  4. Apply the HTTP Basic Authentication policy to enforce your security manager policy.

  5. Verify that the security policy is now in effect – the endpoint of your API should now require authentication.

Note that you can apply LDAP Security Manager policy and enforce it with HTTP Basic Authentication policy even if your target service version or endpoint already has a security manager configured. The security management enforced by the API Manager overrides any other security manager policies you have applied.

Unapplying an LDAP Security Manager and Basic Auth Policies

To unapply the HTTP Basic Authentication backed by an LDAP Security Manager from your service version or endpoints, unapply the policies one at a time.

  1. Unapply the HTTP Basic Authentication policy.

  2. Unapply the LDAP Security Manager policy.

  3. Hit the endpoint to confirm that your API no longer requires authentication.