LDAP resource and policy configuration Authentication errors

Hi,

I'm having trouble with the apigee ldap resources and policies, specifically the authentication config. They are flexible but the examples are scarce. I think it's related to how the login domain and userid are specified, but I can't seem to get it right.

I tested the credentials and developed the query successfully using desktop tools.

I tried defining the resource a couple of different ways, this being the most recent. I omitted the connection pool and the host info and only left the parts of the config that I'm not sure about, the admin config.

<LdapResource name="ldap_AD_QA">
  <!-- Connection and ConnectPool omitted -->
  <Admin>
    <DN>uid=GBTS-Q-APITAMWS,domain=mycompany,ou=CTS,ou=people,dc=mycompanyqa,dc=com</DN>
    <Password>mypassword</Password>
  </Admin>
</LdapResource>

I thought I would be able to specify the credentials in the resource definition only, as they are service account credentials and common to every query.

When I test the use of this resource in an ldap policy that looks like this:

<Ldap name="LDAP-GetGroups">
  <DisplayName>LDAP-GetGroups</DisplayName>
  <LdapResource>ldap_AD_QA</LdapResource>
  <Search>
    <BaseDN>dc=mycompanyqa,dc=com</BaseDN>
    <SearchQuery>(&(objectClass=user)(mail={emailAddress}))</SearchQuery>
    <Attributes>
      <Attribute>memberOf</Attribute>
      <Attribute>uid</Attribute>
    </Attributes>
    <Scope>subtree</Scope>
  </Search>
</Ldap>

this is the error:

"errorMessage": "Internal Server Error : Ldap search exception occurred 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1\u0000.",

I went ahead and added the Authentication xml config to the ldap policy in the flow I'm using

<Authentication>
  <SearchQuery>uid=mycompany/GBTS-Q-APITAMWS</SearchQuery>
  <Password ref="mypassword"/>
  <Scope>subtree</Scope>
  <BaseDN>ou=CTS,ou=people,dc=mycompanyqa,dc=com</BaseDN>
</Authentication>

After this change a similar error is received:

"errorMessage": "Unauthorized : Ldap search exception occurred 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1\u0000.",

To add additional background, this is the second ldap resource we are creating. I created a different one that goes against a different repository with no issues. This one is using Windows AD and is giving me the problems above.

If it's possible, I'd prefer to keep the credentials in the resource definition and out of the ldap policy; I was able to do this with the first one.

Any help or guidance would be greatly appreciated.

Thanks.

Mark

ACCEPTED SOLUTION

Hi Mark,
I feel your pain. I agree that there is a dearth of examples to follow.

You probably want to either authenticate or query. You can do both - that's also allowed.

A Query looks like this:

<Ldap name="LDAP-Query-2">
  <LdapResource>ldap1</LdapResource>
  <Search>
    <BaseDN>cn=users,cn=accounts,dc=demo1,dc=example,dc=org</BaseDN>
    <!-- <BaseDN>cn=users,cn=accounts,dc=example,dc=com</BaseDN> -->
    <Scope>subtree</Scope>
    <SearchQuery>uid={request.formparam.username}</SearchQuery>
    <!-- following are the attributes on the user we want to retrieve -->
    <Attributes>
      <Attribute>uid</Attribute>
      <Attribute>homeDirectory</Attribute>
      <Attribute>loginShell</Attribute>
      <Attribute>initials</Attribute>
      <Attribute>mail</Attribute>
      <Attribute>ipaUniqueID</Attribute>
    </Attributes>
  </Search>
</Ldap>

Maybe you could try simplifying the query to eliminate the objectClass=user clause. I haven't used the Ldap policy very much, but ... it might be superfluous to include that if you have an email as a primary identifier in the query. (How many entities have that email and are not a user?) You may be able to get the same effect by extending your BaseDN to include a CN that indicates users, if that applies to your LDAP. It usually does.

Yours is pretty close to that. If you cannot get the query to work, I would examine the LdapResource. You said you're pretty sure about the parts you did not show - the Connection etc. Can you verify that it's working properly? I have got this to work:

<LdapResource name="ldap1">
  <Connection>
    <Hosts>
      <Host>myldap.example.org</Host>
    </Hosts>
    <SSLEnabled>false</SSLEnabled>
    <Version>3</Version>
    <Authentication>simple</Authentication>
    <ConnectionProvider>jndi</ConnectionProvider>
  </Connection>
  <ConnectPool enabled="true">
    <Timeout>30000</Timeout>
    <Maxsize>50</Maxsize>
    <Prefsize>30</Prefsize>
    <Initsize></Initsize>
    <Protocol></Protocol>
  </ConnectPool>
  <Admin>
    <DN>cn=admin,dc=example,dc=com</DN>
    <Password>Secret123</Password>
  </Admin>
</LdapResource>

I'm not sure about the DN you used. I would check the Mgmt server system.log to see if there are any LDAP connection errors in the log. If so, then you'll need to try different DNs there, and maybe a different provider (use jndi rather than unboundid? or vice versa) to see if you can get the connection to work. Verify host connectivity, and so on.

This isn't much help. Maybe just a few suggestions. Let me know if I can offer anything else.

EDIT - If you want to step back and just make sure _something_ is working, there is a free LDAP service called "zflexldap" which you can use to try to troubleshoot connectivity. Here's the resource I used for zflex.

<LdapResource name="zflex">
  <Connection>
    <Hosts>
      <Host>www.zflexldap.com</Host>
    </Hosts>
    <SSLEnabled>false</SSLEnabled>
    <Version>3</Version>
    <Authentication>simple</Authentication>
    <ConnectionProvider>jndi</ConnectionProvider>
  </Connection>
  <ConnectPool enabled="true">
    <Timeout>30000</Timeout>
    <Maxsize>50</Maxsize>
    <Prefsize>30</Prefsize>
    <Initsize></Initsize>
    <Protocol></Protocol>
  </ConnectPool>
  <Admin>
    <DN>cn=ro_admin,ou=sysadmins,dc=zflexsoftware,dc=com</DN>
    <Password>zflexpass</Password>
  </Admin>
</LdapResource>

You can then authenticate like this:

<Ldap name="LDAP-Authenticate-1">
  <LdapResource>zflex</LdapResource>
  <Authentication>
    <!-- username example: 'guest3' -->
    <!-- password for guest3: 'guest3password' -->
    <SearchQuery>uid={request.formparam.username}</SearchQuery>
    <Password ref="request.formparam.password"/>
    <Scope>subtree</Scope>
    <BaseDN>ou=users,ou=guests,dc=zflexsoftware,dc=com</BaseDN>
  </Authentication>
</Ldap>

Or query using the analogous...

Last I tried this, it worked. So maybe you can use it to troubleshoot your issues.

Dino, thanks for your help! It took some time, but I implemented your suggestion to simplify the query and reviewed the resource creation and changed it; between these two things I was able to get it to work. I've placed the final working versions below:

resource:

<LdapResource name="ldap_AD_QA">
  <Connection>
    <Hosts>
      <Host port="636">adssl.mycompany.com</Host>
    </Hosts>
    <SSLEnabled>true</SSLEnabled>
    <Version>3</Version>
    <Authentication>simple</Authentication>
    <ConnectionProvider>unboundid</ConnectionProvider>
    <ServerSetType>round robin</ServerSetType>
  </Connection>
  <ConnectPool enabled="true">
    <Timeout>10000</Timeout>
    <Maxsize>50</Maxsize>
    <Prefsize>30</Prefsize>
    <Initsize>5</Initsize> <!-- ADDED -->
    <Protocol>ssl</Protocol> <!-- ADDED -->
  </ConnectPool>
  <Admin>
    <DN>CN=GBTS-myuser,OU=CTS,OU=People,DC=mycompany,DC=com</DN>
    <Password>mypassword</Password>
  </Admin>
</LdapResource>

policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Ldap async="false" continueOnError="false" enabled="true" name="LDAP-GetGroups">
  <DisplayName>LDAP-GetGroups</DisplayName>
  <LdapResource>ldap_AD_QA</LdapResource>
  <Search>
    <BaseDN>dc=mycompany,dc=com</BaseDN>
    <SearchQuery>(mail={emailAddress})</SearchQuery>
    <Attributes>
      <Attribute>memberOf</Attribute>
      <Attribute>uid</Attribute>
    </Attributes>
    <Scope>subtree</Scope>
  </Search>
</Ldap>
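A small linter for the resource settings that differed between the failing and working configs in this thread (RDN attribute types in the Admin DN, SSLEnabled versus ConnectPool/Protocol and the host port), plus a decoder for the "data 52e" sub-code in the AD error quoted above. This is an added example, not code from the thread or from Apigee; it assumes the element names used in the thread's configs and the AcceptSecurityContext sub-code meanings Microsoft documents, and the sample XML and error string are constructed.

```python
"""Lint an Apigee LdapResource and decode AD bind errors (added example,
not code from the thread or from Apigee; element names follow the thread)."""
import re
import xml.etree.ElementTree as ET

# Common RDN attribute types; anything else (e.g. 'domain') gets flagged.
KNOWN_RDN_ATTRS = {"cn", "ou", "dc", "uid", "o", "l", "st", "c"}
# Documented AD 'data NNN' sub-codes that accompany error 80090308.
AD_SUBCODES = {"525": "user not found", "52e": "invalid credentials",
               "530": "logon not permitted at this time", "532": "password expired",
               "533": "account disabled", "701": "account expired",
               "773": "user must reset password", "775": "account locked out"}


def decode_ad_error(message: str) -> str:
    """Pull the 'data NNN' sub-code out of an AD LdapErr string."""
    m = re.search(r"AcceptSecurityContext error, data ([0-9a-f]+)", message)
    if not m:
        return "not an AD AcceptSecurityContext error"
    return AD_SUBCODES.get(m.group(1), "unknown sub-code " + m.group(1))


def lint_ldap_resource(xml_text: str) -> list:
    """Return findings: odd RDN attributes, TLS/port/protocol mismatches."""
    root = ET.fromstring(xml_text)
    findings = []
    for rdn in root.findtext("Admin/DN", default="").split(","):
        attr, _, value = rdn.strip().partition("=")
        if not value:
            findings.append("malformed RDN: " + rdn.strip())
        elif attr.lower() not in KNOWN_RDN_ATTRS:
            findings.append("unusual RDN attribute: " + attr)
    ssl_on = root.findtext("Connection/SSLEnabled", default="false") == "true"
    if not ssl_on:
        findings.append("SSLEnabled is false: bind password sent in clear")
    if ssl_on and root.findtext("ConnectPool/Protocol", default="") != "ssl":
        findings.append("SSLEnabled is true but ConnectPool/Protocol is not ssl")
    for host in root.iter("Host"):
        if ssl_on and host.get("port", "389") != "636":
            findings.append("SSL enabled but %s is not on port 636" % host.text)
    return findings


# Constructed sample: SSL on, but Protocol empty and a 'domain=' RDN as in the
# thread's first attempt; the LdapErr text is the one quoted in the question.
SAMPLE_RESOURCE = """<LdapResource name="ldap_AD_QA"><Connection><Hosts>
<Host>ad.example.com</Host></Hosts><SSLEnabled>true</SSLEnabled></Connection>
<ConnectPool enabled="true"><Protocol></Protocol></ConnectPool><Admin>
<DN>uid=svc,domain=mycompany,ou=CTS,dc=example,dc=com</DN></Admin></LdapResource>"""
SAMPLE_ERROR = "Ldap search exception occurred 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1"
```

Run `lint_ldap_resource` on the working resource from this reply and it returns no findings; on the constructed sample it reports the unusual `domain` RDN, the empty Protocol and the missing port 636.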

Excellent! Glad I could help.