Nav

LDAP Security Manager

This page describes the configuration and runtime application instructions for the LDAP Security Manager policy. The LDAP Security Manager policy establishes the necessary configuration details for an Open LDAP or Active Directory LDAP that you have set up for your enterprise.

To enforce an LDAP Security Manager policy, you also need to create and apply an HTTP Basic Authentication policy, which prompts the agent to enforce credentialed access using the configuration established in your LDAP policy.

Prerequisites

This document assumes that you are an API Versions Owner for the API version that you want to manage, or that you are a member of the Organization Administrators role.

Configuring an LDAP Security Manager

Configure the LDAP Security Manager to connect to your LDAP or Active Directory. All fields are required. Enter literal string values or secure property placeholders as shown. 

Field Description Supports Property Placeholders? Secure Value?*

LDAP Server URL

The URL of your LDAP server, including the port number.

check

LDAP User DN

The name of the user or user group with access to the LDAP.

check

LDAP User Password

The password for the user or user group

check

check

LDAP Search Base

The starting point for the search in the directory tree.

check

LDAP Search Filter

The criteria for the filter for the Active Directory or the OpenLDAP model, as shown in the examples below.

check

  • A secure value is a value that, once entered, is not visible or retrievable after the policy creates.

Example Configuration for an Active Directory Security Manager

Field Example Literal String Value Example Secure Property Placeholder

LDAP Server URL

ldap://174.19.33.17:389/

${ldap.server.url}

LDAP Server User DN

CN=Administrator,CN=Users,DC=my-company,DC=com

${ldap.user.dn}

LDAP User Password

somePassword

${ldap.password}

LDAP Search Base

CN=Users,DC=my-company,DC=com

${ldap.search.base}

LDAP Search Filter

(sAMAccountName={0})

${ldap.search.filter}

Note that the search filter string given above is particular to Active Directory applications.

Example Configuration for an OpenLDAP Security Manager

Field Example Literal String Value Example Secure Property Placeholder

LDAP Server URL

ldaps://my-company-ldap.cloudhub.io:1010/

${ldap.server.url}

LDAP Server User DN

cn=Manager,dc=my-company,dc=com

${ldap.user.dn}

LDAP User Password

somePassword

${ldap.password}

LDAP Search Base

ou=people,dc=my-company,dc=com

${ldap.search.base}

LDAP Search Filter

(uid={0})

${ldap.search.filter}

Note: Search filter string given above is particular to OpenLDAP applications.

If you use secure property placeholders when you configure an LDAP policy, specify the values for the placeholders as system variables, either in the command line or in your API Gateway’s wrapper.conf file.

For example:


               
            
1
2
3
4
5
6
# OpenLDAP properties definitions
wrapper.java.additional.7=-Dldap.password=<password here>
wrapper.java.additional.8=-Dldap.user.dn=cn=Manager,dc=my-company,dc=com
wrapper.java.additional.9=-Dldap.search.base=ou=people,dc=my-company,dc=com
wrapper.java.additional.10=-Dldap.search.filter=(uid={0})
wrapper.java.additional.11=-Dldap.server.url=ldaps://my-company-ldap.cloudhub.io:1010/

Applying Your LDAP Security Manager and Basic Auth Policies

Follow the steps below to apply these policies to your endpoint at runtime.

  1. Navigate to the API version details page for the API version to which you want to apply the policy.

  2. Click the Policies tab to open it.

  3. Apply the LDAP Security Manager policy and configure it to connect to your LDAP.

  4. Apply the HTTP Basic Authentication policy to enforce your security manager policy.

  5. Verify that the security policy is now in effect – the endpoint of your API should now require authentication.

Note that you can apply LDAP Security Manager policy and enforce it with HTTP Basic Authentication policy even if your target service version or endpoint already has a security manager configured. The security management enforced by the API Manager overrides any other security manager policies you have applied.

Unapplying an LDAP Security Manager and Basic Auth Policies

To unapply the HTTP Basic Authentication backed by an LDAP Security Manager from your service version or endpoints, unapply the policies one at a time.

  1. Unapply the HTTP Basic Authentication policy.

  2. Unapply the LDAP Security Manager policy.

  3. Hit the endpoint to confirm that your API no longer requires authentication.