Apigee Edge Integration with LDAP for External Auth, for organization users (Admins)


Hi,

I have integrated LDAP as an External Authentication on-premise Apigee Edge platform version 4.16.01. Sysadmin configuration completed and everything is fine. Followed steps given in ApigeeEdgePrivateCloud-ExtAuthConfig.pdf

Problem Statement: Valid users on LDAP are not able to log in to Apigee Edge. Getting error: An internal error occurred. Please contact our support team, or try logging in again.

When I add those users to an org using edge-ui --> Admin --> Users with a role, the user is still not able to login.

BUT, when I add the same user using a create user API call - {{MGMTSVR}}/v1/users with body as

<User>
  <FirstName>ABC</FirstName>
  <LastName>XYZ</LastName>
  <Password>***</Password>
  <EmailId>hello@hello.com</EmailId>
</User>

The user is then able to authenticate with email address and LDAP password and get into the system.

Please advise what's wrong. The main purpose of LDAP integration is not to do the manual work of user creation; I can add them using edge-ui in specific orgs... and they should be able to login using their LDAP passwords.


Hi @Pravin,

Currently it is not possible to have only external LDAP for Apigee Private Cloud. You need to provision users into Apigee Edge and associate Apigee roles with those users.

The reason is because of the Apigee role based authorization model. If you were using an external LDAP exclusively, you would need to build the same role model into your external LDAP and keep it updated as new versions of Apigee Edge are released and build a tight integration between your external LDAP and the Apigee authentication and authorization functionality.

It is also important that the external LDAP contains the same email address that is used when adding users to Apigee Edge because it is the email address that is the key.

You need to make sure the configuration value:

externalized.authentication.user.store.user.email.attribute

is configured with the field in your external LDAP that contains the email address.

If this has answered your question, please click the Accept link or alternatively let us know how we can further help on this one.
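The provisioning the reply above describes (create the user in Apigee, then attach an Apigee role) can be scripted against the management API. The following is an added example, not code from the thread or from Apigee: it reuses the /v1/users call and XML body from the question, and assumes the Edge role-membership endpoint (/v1/o/{org}/userroles/{role}/users taking a form field id), a MGMTSVR variable for the management server and an ADMIN variable holding sysadmin credentials as user:password. With APIGEE_DRY_RUN=1 it prints the request targets instead of calling a server, so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): provision a user in Apigee Edge with the
# management API, then put that user in an org role so the RBAC mapping exists.
# Assumed: MGMTSVR (e.g. http://localhost:8080), ADMIN (user:password), and the
# userroles endpoint; the /v1/users call and <User> body come from the question.

# Escape the five XML special characters so a name or address cannot break the body.
xml_escape() {
  printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the <User> body in the element order used in the question. The Password
# element is part of that call, but with external auth the LDAP password is what
# is checked at login, so the value here is only an initial placeholder.
user_xml() {
  first=$(xml_escape "$1"); last=$(xml_escape "$2")
  email=$(xml_escape "$3");  pw=$(xml_escape "$4")
  printf '<User><FirstName>%s</FirstName><LastName>%s</LastName><Password>%s</Password><EmailId>%s</EmailId></User>' \
    "$first" "$last" "$pw" "$email"
}

# Send a request with sysadmin credentials, or, when APIGEE_DRY_RUN=1, only print
# the target URL (the last argument) so nothing secret is echoed and no server is needed.
mgmt_call() {
  if [ "${APIGEE_DRY_RUN:-0}" = "1" ]; then
    for a in "$@"; do url=$a; done
    echo "DRY-RUN $url"
  else
    curl -sS -f -u "$ADMIN" "$@"
  fi
}

# Create the user, then add it to a role in the org. Both steps are needed:
# the LDAP entry alone gives Apigee no role to authorise the login against.
provision_user() {
  first=$1; last=$2; email=$3; org=$4; role=$5
  body=$(user_xml "$first" "$last" "$email" "${APIGEE_INITIAL_PASSWORD:-changeme}")
  mgmt_call -X POST -H "Content-Type: application/xml" -d "$body" "$MGMTSVR/v1/users"
  mgmt_call -X POST -H "Content-Type: application/x-www-form-urlencoded" \
    -d "id=$email" "$MGMTSVR/v1/o/$org/userroles/$role/users"
}

# Usage (dry run):
#   APIGEE_DRY_RUN=1 MGMTSVR=http://mgmt.example:8080 ADMIN=admin:pw \
#     provision_user ABC XYZ hello@hello.com myorg orgadmin
```

The email address given to /v1/users must be the same value the LDAP attribute named by externalized.authentication.user.store.user.email.attribute returns for that person, since that address is the key Apigee uses to find the provisioned user and its roles.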

Hi @mschreuder,

My question was more related to Apigee Edge, installed on premises. Trying to configure external LDAP on my on-premises Apigee Edge.

I have the following configuration in my management-server.properties along with other external LDAP properties. It works fine if a user is added to Apigee using the API.

# user.attribute is used to authenticate and email.attribute is used for RBAC,
# In case of using email id for both, both of these attributes will be the same
conf_security_externalized.authentication.user.store.user.attribute=mail
conf_security_externalized.authentication.user.store.user.email.attribute=mail

To me it looks like a bug.

Hi @Pravin

My bad, we call on-premises as Private Cloud, but it means the same thing. External LDAP is only available in on-premises (Private Cloud). I should have clarified that term in my original response.

The main point is that when configuring and using an external LDAP, you do still need to also provision customers to Apigee and the reason why that is needed is because of the role based authorization. Apigee needs to maintain the mapping that "user1" has role "orgadmin" and "user 2" has "role business user" and so on.

It is the way that the current external LDAP implementation works.

The reason why there are two configs is to provide flexibility. It means you can use something other than email address as a userid. For example if the primary user reference into your external LDAP is a username rather than an email address, or maybe is some other email than the one you want to use for your Apigee user. Some customers like to have a difference between them.

If you are using a different userid in your external LDAP than you have in Apigee then you need to have two separate configs. One that tells Apigee which attribute in the external LDAP needs to be searched to match the username that was entered:

conf_security_externalized.authentication.user.store.user.attribute

And a second one so Apigee can get the email address that the user is registered in Apigee with. That can be stored in a different attribute in your external LDAP, and you tell Apigee which attribute that is with the second config value:

conf_security_externalized.authentication.user.store.user.email.attribute

It seems in your scenario they might be pointing to the same attribute in your external LDAP but that is not true in every case.
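The two cases the reply distinguishes (login by a username attribute with the Apigee email held in another attribute, versus one attribute for both) can be written out and checked from the properties file. The following is an added example, not from the thread or from Apigee: the property names are the ones quoted in this thread, while the sample files, attribute values and the check function are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): show the two external-auth properties in
# both configurations and report how a management-server.properties file uses them.
# Property names are quoted from the thread; values and file contents are constructed.

LOGIN_KEY=conf_security_externalized.authentication.user.store.user.attribute
EMAIL_KEY=conf_security_externalized.authentication.user.store.user.email.attribute

# Constructed sample: users type an LDAP uid at login, Apigee keys them by mail.
sample_two_attributes() {
  cat <<'EOF'
# user.attribute is matched against what the user types at login
# email.attribute must hold the address the user was provisioned with in Apigee
conf_security_externalized.authentication.user.store.user.attribute=uid
conf_security_externalized.authentication.user.store.user.email.attribute=mail
EOF
}

# Constructed sample: the email address serves as both, as in the question.
sample_same_attribute() {
  cat <<'EOF'
conf_security_externalized.authentication.user.store.user.attribute=mail
conf_security_externalized.authentication.user.store.user.email.attribute=mail
EOF
}

# Print the value of one property: exact key match, first hit wins,
# comment and blank lines never match, surrounding whitespace dropped.
prop_value() {
  awk -F= -v k="$1" '$1 == k { v = substr($0, length($1) + 2); gsub(/[ \t\r]/, "", v); print v; exit }' "$2"
}

# Summarise how the file maps LDAP attributes. Fails when the email attribute is
# absent, because that attribute is the key Apigee uses to find the provisioned
# user and its roles; without it an LDAP login cannot be authorised.
describe_ext_auth() {
  login=$(prop_value "$LOGIN_KEY" "$1")
  email=$(prop_value "$EMAIL_KEY" "$1")
  if [ -z "$email" ]; then
    echo "ERROR: $EMAIL_KEY is not set; LDAP users cannot be matched to Apigee users" >&2
    return 1
  fi
  if [ "$login" = "$email" ]; then
    echo "login=$login email=$email mode=same"
  else
    echo "login=$login email=$email mode=different"
  fi
}

# Usage:
#   sample_two_attributes > /tmp/msp.properties
#   describe_ext_auth /tmp/msp.properties   # login=uid email=mail mode=different
```

In the "different" mode the user signs in with whatever the login attribute holds, but the address in the email attribute is what has to match the EmailId used when the user was provisioned in Apigee.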

Hi @mschreuder

Thanks for the clarification. Thank you very much for the detailed explanation. It clarified all details of the external LDAP configuration.

On role base authorization:

I understand that the authentication will happen against the external LDAP whereas authorization will happen against the Apigee Edge internal LDAP. So now the question is: how do I provision a user's role to Apigee Edge, through edge-ui? If yes, when I provision a user's role through Edge-ui it is not working. A user with valid LDAP credentials (also provisioned a role in an org) is not able to login on Edge. Not sure why. 😞

Hi @Pravin, I have one thought on that. The UI has its own user as well that gets set up when you first install Apigee. There is UI configuration that stores an encrypted username/password for that UI user. In order for the UI to work when you have external LDAP you need to make sure that the UI user is also provisioned in the external LDAP, because all logins, even for Apigee sysadmin users, will be routed to your external LDAP for authentication.

This user is also known typically as your Apigee sysadmin user. You need to make sure that you set the password in your external LDAP for that user the same as you set when you installed Apigee.

If your external LDAP policy prevents you from setting the password (I know some have auto-generated passwords, for example), then it's a little bit more complicated because you need to follow a few more steps to update the UI configuration with the new password from your external LDAP instead.

These steps are described in a special document for configuring external LDAP.

It may well be best to get some interactive help from an Apigee support engineer, they will be able to take a detailed look at what is happening in your installation. If you would like to do that, please log into your support portal and raise a ticket there and one of the team will be able to help you directly.

I have followed a few more steps to configure sysadmins. Reconfigured all Edge components. Still having the issue, going to create a case on the support portal.

Steps followed to configure sysadmin:

Editing the Edge sysadmin username store for Apigee utility scripts

1. Edit the silent config file that you used to install the Edge UI to set the following property to change the value of ADMIN_EMAIL to the username you will be using for your sysadmin user in your external LDAP:

   APIGEE_EMAIL=newUser

2. Use the apigee-setup utility to reset the username on all Edge components from the config file:

   > /opt/apigee/apigee-setup/bin/setup.sh -p ui -f configFile

   You must run this command on all Edge components on all Edge nodes, including: Management Server, Router, Message Processor, Qpid, Postgres.

Thank you

@Pravin

Have you resolved the below issue? I am also facing a similar issue when trying to provision a user using the Edge UI after configuring external LDAP.

====

How do I provision a user's role to Apigee Edge, through edge-ui? If yes, when I provision a user's role through Edge-ui it is not working. A user with valid LDAP credentials (also provisioned a role in an org) is not able to login on Edge. Not sure why. 😞

====