LDAP integration for Apigee users

Hi, so I am trying to enable external LDAP authentication in order to use LDAP accounts to sign in to Apigee Edge.

I followed steps from http://docs.apigee.com/private-cloud/latest/enabling-external-authentication

And got everything configured for DIRECT binding.

When I test `/opt/apigee/apigee-service/bin/apigee-all status`

I get everything reported as OK, including OpenLDAP:

```
+ apigee-service apigee-openldap status

apigee-service: apigee-openldap: OK
```

But when testing LDAP auth for sign-in, it still doesn't work. Any idea what I am missing?

Thanks in advance


Hi Anvi,

Three things:

1) Did you add your Edge global system administrator credentials to the external LDAP? Remember that by default, the sysadmin credentials are stored in the Edge internal LDAP. Once you switch to the external LDAP, your sysadmin credentials will be authenticated there instead. Therefore, you must provision the credentials to the external system before enabling external authentication in Edge.

2) Did you check that these two settings in the config match what is set for your IdP:

`conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName`
`conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName`

3) Did you also follow these steps: http://docs.apigee.com/private-cloud/latest/additional-configuration-required-event-different-sysadm...

Hi @Christin Brown

Thanks for your reply.

The first step is the part I am kind of confused about. Can you help me with where I am supposed to add these system admin credentials? There are setup.sh files and some .properties files; which would be the right one?

@anvi what number 1 means is that you need to ensure you have added that same "user" that is your sysadmin for the Edge platform to your existing external LDAP directory. So for example, if in your config file you used sysadmin@corp.com with pw apigeerocks, you would need to ensure that same user with the same credentials is provisioned in your corp/external LDAP directory.

Hi @Christin Brown

So I did a configuration with DIRECT binding, and I also get a 200 with the testing step as described here:

http://docs.apigee.com/private-cloud/latest/enabling-external-authentication#testingtheinstallation

I installed Apigee with an existing LDAP user as the sysadmin, and that login works fine, but any other org user login doesn't work. Any idea what I am missing?

@Anvi so in order to authenticate with external LDAP it needs to be a valid LDAP id/pw; to then get authorized to Edge you need to create the user in Edge and assign its role (user, orgadmin, etc.). The email address needs to match between the two LDAPs. Make sense?
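Added example, not code from this thread or from Apigee: a small Python simulation of the two stages the reply above separates (authenticate against the external LDAP, then look the user up in the Edge user store by email), returning which stage a failed login broke at. The directory entries, passwords, the `mail` attribute mapping and the exact-match rule for emails are constructed assumptions for illustration.

```python
PROPS = """
# constructed management-server.properties fragment; both keys are quoted in the thread
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName
conf_security_externalized.authentication.user.store.user.email.attribute=mail
"""

# Constructed external directory entries: bind password plus LDAP attributes.
EXTERNAL_LDAP = [
    {"password": "apigeerocks",
     "attrs": {"userPrincipalName": "sysadmin@corp.com", "mail": "sysadmin@corp.com"}},
    {"password": "S3cret!",
     "attrs": {"userPrincipalName": "jdoe@corp.com", "mail": "John.Doe@corp.com"}},
    {"password": "Pa55word",
     "attrs": {"userPrincipalName": "asmith@corp.com"}},  # no mail attribute at all
]

# Constructed Edge user store (internal LDAP): email -> roles. A user must exist here too.
EDGE_USERS = {"sysadmin@corp.com": ["sysadmin"], "john.doe@corp.com": ["orgadmin"]}


def parse_props(text):
    """Parse key=value lines of a .properties file, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def login(user_id, password, props_text=PROPS, directory=EXTERNAL_LDAP, edge=EDGE_USERS):
    """Return (ok, reason) so a failed login says which stage broke."""
    props = parse_props(props_text)
    user_attr = props["conf_security_externalized.authentication.user.store.user.attribute"]
    email_attr = props["conf_security_externalized.authentication.user.store.user.email.attribute"]
    # Stage 1, authentication: find the entry whose user attribute matches, then check the password.
    entry = next((e for e in directory if e["attrs"].get(user_attr) == user_id), None)
    if entry is None or entry["password"] != password:
        return False, "authentication failed in external LDAP"
    # Stage 2, authorization: map the entry to an Edge email via the configured email attribute.
    email = entry["attrs"].get(email_attr)
    if email is None:
        return False, f"entry has no '{email_attr}' attribute to map to an Edge email"
    if email in edge:
        return True, "roles: " + ", ".join(edge[email])
    if email.lower() in {k.lower() for k in edge}:
        return False, f"email '{email}' differs from the Edge user only by case (assumed exact match)"
    return False, f"'{email}' authenticated but is not provisioned in Edge"
```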

@Anvi We are also facing the issue when we are trying to log in using user IDs configured in the external LDAP. We are able to log in only with the system account. Any non-system account login is failing.

Have you got the fix for this issue? If so, could you please share the same?

Hi @Anvi, the best way to troubleshoot this type of problem is to use tcpdump to trace the LDAP calls made to your external LDAP and see if there is an error resulting from the authentication. Assuming you are not using LDAPS, you can see the LDAP packets. Here is the tcpdump command:

```
tcpdump -s0 -i any port 10389 or port 389 -XXvvv -w /tmp/apigee-openldap.cap
```

Note the above assumes your external LDAP listens on port 389; adjust as needed.

Check if you can make management API calls with your orgadmin user:

```
curl -v -u user@email.com http://<management>:8080/v1/o
```

If management calls are working, then there may be an issue with your UI setup. If management calls fail, there is likely a misconfiguration in the externalized LDAP setup.

I would suggest filing a support ticket with Apigee Support for assistance in reviewing your setup. Be prepared to provide your /opt/apigee/customer/application/management-server.properties for us to review.