Authentication failed with LDAP policy

I am using the LDAP policy with a search query to get data from the LDAP server
(the data I need is the number of remaining failed login attempts).

I am using a custom LDAP provider based on this example (I downloaded the source code from the docs): "com.custom.ldap.ExternalLdapConProvicer"

--------------------------------------------------
<Ldap async="false" continueOnError="false" enabled="true" name="LDAP-1">
  <DisplayName>LDAP-1</DisplayName>
  <!-- using a custom LDAP provider -->
  <LdapConnectorClass>com.custom.ldap.ExternalLdapConProvicer</LdapConnectorClass>
  <LdapResource>ldap1</LdapResource>
  <Search>
    <!-- BaseDN values blanked out in the original post -->
    <BaseDN>CN=  ,CN=  ,DC=  ,DC=  </BaseDN>
    <SearchQuery>username={the.username}</SearchQuery>
    <Attributes>
      <Attribute>address</Attribute>
      <Attribute>phone</Attribute>
      <Attribute>title</Attribute>
    </Attributes>
    <Scope>subtree</Scope>
  </Search>
</Ldap>
--------------------------------------------------

@dchiesa1 



OK. I don't see a question there.

Usually you don't need a custom External LDAP Provider. What problem are you trying to solve?

Maybe you're trying to retrieve from your LDAP server the number of remaining attempts, and... then... maybe you want to reject an authentication if the user exceeds that number of attempts? I would think the LDAP server does that automatically. Does it not?

Yes, the LDAP server does that automatically, but I cannot work out how to return the number of remaining attempts using the LDAP policy.
And when I use the LDAP policy in the question, the response is "authentication failed".
Please tell me the steps to walk through to return the number of remaining attempts together with a successful authentication.

I see.

Maybe you could write a custom LDAP provider, and within the logic of that provider, perform the inquiry on the user account, and obtain the information about remaining attempts. Unfortunately I am not clear on the interface for the custom LDAP provider that is described here. Just looking at the text there, I don't see how you could return that information via your custom provider. And I don't see the javadocs for the custom LDAP provider. There is no description for how the interface is expected to work, whether you can return additional information, and so on.

The other option is for you to connect to LDAP via some other mechanism; not via the LDAP policy and a custom provider, but via a microservice that you build and run outside of Apigee. And then you could connect to that service from Apigee with a ServiceCallout.
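The second option in the accepted answer (a service outside Apigee that Apigee reaches with a ServiceCallout) still has to compute "remaining attempts" from whatever the directory actually stores, which neither the thread nor the posted policy shows. The block below is an added example and not code from the thread or from Apigee: it is the core of such a hypothetical service, written to run offline against a constructed sample directory. It assumes the two lockout schemes a practitioner is most likely to meet: Active Directory (per-user `badPwdCount` against the domain's `lockoutThreshold`, where 0 disables lockout) and OpenLDAP's ppolicy overlay (one `pwdFailureTime` value per recorded failure against the policy entry's `pwdMaxFailure`, where 0 means unlimited). The `search` callable, the DNs and the sample entries are assumptions for the example; the real service would bind with its own service account and plug in python-ldap or ldap3 there. Because the lookup interpolates a caller-supplied username into a filter, exactly as `username={the.username}` does in the posted policy, the helper escapes the value per RFC 4515 before building the filter; the thread does not say whether the LDAP policy does this for you, so the service does it itself.

```python
"""Remaining-attempts lookup for a service called from Apigee via ServiceCallout.

Added example (not code from the original thread or from Apigee).  The directory
round trip is abstracted behind a `search` callable so the logic runs offline
against the constructed entries at the bottom; bind with a service account and
wire in a real LDAP client where `sample_search` is used.
"""
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Sequence

Entry = Mapping[str, Sequence[str]]
# search(base_dn, ldap_filter, attributes) -> matching entries (subtree scope)
SearchFn = Callable[[str, str, Sequence[str]], Sequence[Entry]]

# RFC 4515: these characters must be escaped when a value is placed in a filter,
# otherwise a caller-supplied username can rewrite the query (LDAP injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LockoutStatus:
    failures: int
    max_failures: Optional[int]  # None: the directory enforces no lockout

    @property
    def remaining(self) -> Optional[int]:
        if self.max_failures is None:
            return None
        return max(self.max_failures - self.failures, 0)

    @property
    def locked(self) -> bool:
        return self.max_failures is not None and self.failures >= self.max_failures


def _first_int(entry: Entry, attr: str, default: int = 0) -> int:
    values = entry.get(attr) or []
    return int(values[0]) if values else default


def lockout_status_ad(search: SearchFn, domain_dn: str, username: str) -> Optional[LockoutStatus]:
    """Active Directory: per-user badPwdCount against the domain's lockoutThreshold."""
    users = search(domain_dn, f"(sAMAccountName={escape_filter_value(username)})", ["badPwdCount"])
    if len(users) != 1:  # unknown user or ambiguous match: report nothing
        return None
    domain = search(domain_dn, "(objectClass=domain)", ["lockoutThreshold"])
    threshold = _first_int(domain[0], "lockoutThreshold") if domain else 0
    return LockoutStatus(
        failures=_first_int(users[0], "badPwdCount"),
        max_failures=threshold if threshold > 0 else None,  # 0 means "never lock out"
    )


def lockout_status_ppolicy(search: SearchFn, base_dn: str, username: str,
                           default_policy_dn: str = "") -> Optional[LockoutStatus]:
    """OpenLDAP ppolicy: one pwdFailureTime per recorded failure, limit taken from
    pwdMaxFailure of the policy named by the user's pwdPolicySubentry (or the
    overlay's default policy DN, which the service has to know)."""
    users = search(base_dn, f"(uid={escape_filter_value(username)})",
                   ["pwdFailureTime", "pwdPolicySubentry"])
    if len(users) != 1:
        return None
    user = users[0]
    policy_dn = (user.get("pwdPolicySubentry") or [default_policy_dn])[0]
    policy = search(policy_dn, "(objectClass=pwdPolicy)", ["pwdMaxFailure"]) if policy_dn else []
    limit = _first_int(policy[0], "pwdMaxFailure") if policy else 0
    return LockoutStatus(
        failures=len(user.get("pwdFailureTime") or []),
        max_failures=limit if limit > 0 else None,  # 0 means unlimited in ppolicy
    )


# Constructed sample directory standing in for the real server (made up for this
# example, not captured from any system).  Keyed by (base DN, filter).
SAMPLE_DIRECTORY = {
    ("dc=corp,dc=example", "(objectClass=domain)"): [{"lockoutThreshold": ["5"]}],
    ("dc=corp,dc=example", "(sAMAccountName=alice)"): [{"badPwdCount": ["2"]}],
    ("dc=corp,dc=example", "(sAMAccountName=bob)"): [{"badPwdCount": ["5"]}],
    ("ou=people,dc=example,dc=com", "(uid=dave)"): [{
        "pwdFailureTime": ["20240101120000Z", "20240101120100Z"],
        "pwdPolicySubentry": ["cn=default,ou=policies,dc=example,dc=com"],
    }],
    ("cn=default,ou=policies,dc=example,dc=com", "(objectClass=pwdPolicy)"): [{"pwdMaxFailure": ["3"]}],
}


def sample_search(base_dn: str, ldap_filter: str, attributes: Sequence[str]) -> Sequence[Entry]:
    entries = SAMPLE_DIRECTORY.get((base_dn, ldap_filter), [])
    return [{a: e[a] for a in attributes if a in e} for e in entries]


if __name__ == "__main__":
    for name in ("alice", "bob", "*)(sAMAccountName=*"):  # last one is an injection attempt
        s = lockout_status_ad(sample_search, "dc=corp,dc=example", name)
        print(name, None if s is None else (s.remaining, s.locked))
    d = lockout_status_ppolicy(sample_search, "ou=people,dc=example,dc=com", "dave")
    print("dave", d.remaining, d.locked)
```

Two practical notes on wiring this behind a ServiceCallout. Return the count only after the user's own authentication has succeeded, as the original question asks; handing it out before that turns the endpoint into an oracle that tells an attacker how many guesses are left on someone else's account. And in ppolicy the authoritative "locked" signal is `pwdAccountLockedTime` on the entry, so a production version should read that rather than infer lockout from the failure count alone.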