How LDAP policy works

oyamatakuro
Participant IV

I have two questions on the LDAP policy in Edge for Private Cloud v4.17.01

It works when I issue api request with the username and password in the header by curl. Of course it fails when I specify the wrong username or password.

But when I issue the API request with no username and password entries in the header, it looks like the authentication succeeds and the API call continues successfully.

Question 1. Why doesn't the LDAP authentication fail even if no username and password are given?

My configuration of LDAP policy is as follows.

<Authentication>  
  <UserName ref="request.header.username"/>  
  <Password ref="request.header.password"/> 
  <Scope>subtree</Scope>  
  <BaseDN/>  
</Authentication>

Question 2. Can't we use Apigee Edge organization users in the LDAP policy?

Although I tested the LDAP policy with some Edge UI credentials instead of the Apigee system admin DN and LDAP password, the authentication failed.
I guess the Edge UI password and the LDAP password are not exactly the same, or I specified the wrong DN for the organization users in the API request header.

Thanks,


Hi @Takuro Oyama, is there any solution for the above issue? I am also facing the same issue: without passing the credentials (Username & Password) in the request, I get a successful response. If I pass wrong credentials, I get 401 Unauthorized. Can you share your solution?

Using on-prem Apigee v4.18.01.00, the LDAP policy and our organisation's LDAP/AD server. @Anil Sagar / @Dino, could you please look into the issue?

Configuration LDAP Policy as below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Ldap async="false" continueOnError="false" enabled="true" name="LDAP">
  <DisplayName>LDAP</DisplayName>
  <LdapResource>myLdap</LdapResource>
  <Authentication>
    <UserName ref="request.header.username"/>
    <Password ref="request.header.password"/>
    <Scope>subtree</Scope>
    <BaseDN>dc=abc,dc=com</BaseDN>
  </Authentication>
</Ldap>

LDAP Resource:

<LdapResource name='myLdap'>
  <Connection>
    <Hosts>
      <Host>ldap.host.com</Host>
    </Hosts>
    <SSLEnabled>false</SSLEnabled>
    <Version>3</Version>
    <Authentication>simple</Authentication>
    <ConnectionProvider>unboundid</ConnectionProvider>
    <ServerSetType>round robin</ServerSetType>
  </Connection>
  <ConnectPool enabled='true'>
    <Timeout>50000</Timeout>
    <Maxsize>50</Maxsize>
    <Prefsize>30</Prefsize>
    <Initsize></Initsize>
    <Protocol></Protocol>
  </ConnectPool>
  <Admin>
    <DN>dc=abc,dc=com</DN>
    <Password>secret</Password>
  </Admin>
</LdapResource>

see my reply below?

Wowie, this is an old question. I'm sorry it has languished for so long.

For those who are asking, I'm assuming you've read the documentation.

You can use the policy to Search or to Authenticate. Search means: find attributes associated with a particular LDAP query. When performing a query, typically the query is based on uid, but it doesn't have to be.

<Ldap name="LDAP-Query">
  <LdapResource>myldapresource</LdapResource>
  <Search>
    <BaseDN>cn=users,cn=accounts,dc=demo1,dc=dinochiesa,dc=org</BaseDN>
    <Scope>subtree</Scope>
    <SearchQuery>uid={request.formparam.username}</SearchQuery>
    <!-- these are all attributes on the user from LDAP -->
    <Attributes>
      <Attribute>uid</Attribute>
      <Attribute>homeDirectory</Attribute>
      <Attribute>loginShell</Attribute>
      <Attribute>initials</Attribute>
      <Attribute>mail</Attribute>
      <Attribute>ipaUniqueID</Attribute>
    </Attributes>
  </Search>
</Ldap>

When Authenticating, you need to have the username and password.

<Ldap name="LDAP-Authenticate">
  <LdapResource>myldapresource</LdapResource>
  <Authentication>
    <SearchQuery>uid={request.formparam.username}</SearchQuery>
    <Password ref="request.formparam.password"/>
    <Scope>subtree</Scope>
    <BaseDN>cn=users,cn=accounts,dc=demo1,dc=dinochiesa,dc=org</BaseDN>
  </Authentication>
</Ldap>

You can optionally do the search and authentication in the same policy:

<Ldap name="LDAP-Authenticate-and-Query">
  <LdapResource>myldapresource</LdapResource>
  <Authentication>
    <SearchQuery>uid={request.formparam.username}</SearchQuery>
    <Password ref="request.formparam.password"/>
    <Scope>subtree</Scope>
    <BaseDN>cn=users,cn=accounts,dc=demo1,dc=dinochiesa,dc=org</BaseDN>
  </Authentication>
  <Search>
    <BaseDN>cn=users,cn=accounts,dc=demo1,dc=dinochiesa,dc=org</BaseDN>
    <Scope>subtree</Scope>
    <SearchQuery>uid={request.formparam.username}</SearchQuery>
    <!-- these are all attributes on the user from LDAP -->
    <Attributes>
      <Attribute>uid</Attribute>
      <Attribute>homeDirectory</Attribute>
      <Attribute>loginShell</Attribute>
      <Attribute>initials</Attribute>
      <Attribute>mail</Attribute>
      <Attribute>ipaUniqueID</Attribute>
    </Attributes>
  </Search>
</Ldap>

The way to determine the result of the policy is to examine the context variable. The name of the context variable depends on the name of the policy you use. So, like this:

ldap.LDAP-POLICY-NAME.execution.success

So you could imagine something like this:

<Step> 
  <Name>LDAP-Authenticate</Name>
</Step>
<Step>
  <Condition>NOT (ldap.LDAP-Authenticate.execution.success = true)</Condition>
  <Name>RaiseFault-AuthenticationFailed</Name>
</Step>

It is possible that passing no credentials results in no error generated by the policy. In which case, I suggest something like this:

<Step>
  <Condition>(request.formparam.username = null) or (request.formparam.password = null)</Condition>
  <Name>RaiseFault-AuthenticationFailed</Name>
</Step>
<Step> 
  <Name>LDAP-Authenticate</Name>
</Step>
<Step>
  <Condition>NOT (ldap.LDAP-Authenticate.execution.success = true)</Condition>
  <Name>RaiseFault-AuthenticationFailed</Name>
</Step>
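The behaviour the thread describes (credentials absent, policy reports success) is what an LDAP "unauthenticated bind" looks like from the gateway's side: RFC 4513 section 5.1.2 defines a simple Bind that carries a non-empty name and a zero-length password, says the server treats it as anonymous and should refuse it by default, but some directories accept it (Active Directory does by default; OpenLDAP refuses it unless `allow bind_anon_cred` is set). A bind that comes back with resultCode 0 but no authenticated identity then reads as "success" to anything that only inspects the success flag. The following is an added example, not code from the thread or from Apigee's LDAP policy: a standard-library-only model of the simple-bind outcomes, a bind-only flow, and the guarded flow with the pre-check that the last reply recommends, extended to reject blank as well as absent headers. The directory entry, the `dn_for` mapping, the header names and the `allow_unauthenticated` switch are all assumptions made for the example; the only real-world behaviour modelled is the RFC's result codes.

```python
# Added example (not from the thread, not Apigee's LDAP policy code): a
# stdlib-only model of LDAP simple-bind outcomes per RFC 4513 section 5.1,
# with a bind-only flow beside a guarded flow that checks the headers first.

SUCCESS = 0                 # LDAP resultCode success
INVALID_CREDENTIALS = 49    # LDAP resultCode invalidCredentials
UNWILLING_TO_PERFORM = 53   # LDAP resultCode unwillingToPerform

# Constructed directory for the example: entry DN -> userPassword.
BASE_DN = "cn=users,cn=accounts,dc=demo1,dc=dinochiesa,dc=org"
DIRECTORY = {
    f"uid=alice,{BASE_DN}": "correct-horse",
}


def dn_for(username):
    """Assumed mapping of the header value to an entry DN (the thread's
    policies do this with a uid={username} search under the BaseDN)."""
    return f"uid={username},{BASE_DN}"


def simple_bind(directory, dn, password, allow_unauthenticated=False):
    """Return (resultCode, authorization identity) for one simple Bind.

    RFC 4513 section 5.1:
      - empty name, empty password     -> anonymous bind, success
      - name set, empty password       -> "unauthenticated" bind; servers
        SHOULD refuse it, but one that allows it answers success with an
        anonymous authorization identity (no password was checked)
      - name and password both set     -> password is verified
    """
    if dn == "" and password == "":
        return SUCCESS, "anonymous"
    if dn != "" and password == "":
        if allow_unauthenticated:
            return SUCCESS, "anonymous"
        return UNWILLING_TO_PERFORM, None
    if dn == "":
        # Password without a name: modelled here as a failed bind.
        return INVALID_CREDENTIALS, None
    if directory.get(dn) == password:
        return SUCCESS, dn
    return INVALID_CREDENTIALS, None


def naive_authenticate(headers, directory, allow_unauthenticated):
    """Bind-only flow: an absent header is passed through as "" and the
    request counts as authenticated whenever the bind's resultCode is 0,
    which is what a flow that only tests execution.success amounts to."""
    username = headers.get("username", "")
    password = headers.get("password", "")
    code, _ = simple_bind(directory, dn_for(username), password,
                          allow_unauthenticated)
    return code == SUCCESS


def require_credentials(headers):
    """Pre-flight check run before the bind: both headers must be present
    and non-blank. Broader than a '= null' condition, which lets an empty
    header value through. Returns (username, password) or None."""
    username = (headers.get("username") or "").strip()
    password = (headers.get("password") or "").strip()
    if not username or not password:
        return None
    return username, password


def guarded_authenticate(headers, directory, allow_unauthenticated):
    """Guarded flow: reject missing/blank credentials up front, then accept
    the bind only if it yielded the user's own authorization identity."""
    creds = require_credentials(headers)
    if creds is None:
        return False
    username, password = creds
    dn = dn_for(username)
    code, authz = simple_bind(directory, dn, password, allow_unauthenticated)
    return code == SUCCESS and authz == dn


def run_scenarios(allow_unauthenticated=True):
    """Evaluate both flows over constructed requests; returns
    {label: (naive_result, guarded_result)}."""
    requests = {
        "correct":        {"username": "alice", "password": "correct-horse"},
        "wrong-password": {"username": "alice", "password": "wrong"},
        "no-headers":     {},
        "empty-password": {"username": "alice", "password": ""},
    }
    return {
        label: (naive_authenticate(h, DIRECTORY, allow_unauthenticated),
                guarded_authenticate(h, DIRECTORY, allow_unauthenticated))
        for label, h in requests.items()
    }


if __name__ == "__main__":
    for label, (naive, guarded) in run_scenarios().items():
        print(f"{label:15s} naive={naive!s:5s} guarded={guarded}")
```

With `allow_unauthenticated=True` (the Active Directory default) the bind-only flow accepts both the request with no headers and the one with a username but an empty password, while the guarded flow rejects both and still accepts the correct credentials; with the switch off, the directory itself refuses the unauthenticated bind. To find out which side of that line your own server is on, bind to it directly with a real DN and an empty password (for example `ldapwhoami -x -H ldap://host -D "uid=alice,..." -w ""`) and see whether it reports `anonymous` or an error. In the proxy, keep the credential-presence step in front of the LDAP policy as the last reply shows, and add a test for the empty string alongside the `= null` test if your clients can send the header with no value.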