What is the difference between Custom LDAP Provider and External Authentication

I would like to use an LDAP managed from a different location for authorization purposes on incoming requests to Apigee. I was going through the LDAP-related documentation and found the 2 references below.

1. https://docs.apigee.com/private-cloud/v4.18.01/enabling-external-authentication

2. https://docs.apigee.com/api-platform/reference/policies/ldap-policy - Custom LDAP Provider section

I am trying to understand the difference between the two. From what I understand so far, external authentication won't help in this case and I have to write a provider class on my own, create a resource using the provider class and then use that resource in the LDAP policy to search and authenticate. Can anyone help me understand it?

4 REPLIES

1. The first one is about logging in to your Apigee UI Canvas via external LDAP (Okta, AD etc.)

2. The second is actually a runtime policy that can query a specific LDAP resource and give you some info (authentication, querying some data on the LDAP tree etc.)

The incoming request from your POV is an incoming API call to your policy? What's the final goal you need?

-D

Thanks for your reply Denis.

1. It's now clear to me.

2. I would like to read an incoming request parameter (example: identifier/consumerKey); using that I would like to go to the LDAP, fetch allowed services, validate a few other attributes and then allow the request to go further to the backend.

OK, so our policy can either provide an authentication mechanism (DN bind), so you need to pass the creds (email/other + password) to AD and get authenticated, or you can query the LDAP based on your incoming data.

So, your case is like a consumerKey arriving, you want to query the LDAP, and do some comparing, right?

<Ldap name="LdapPolicy">
    <!-- using a custom LDAP provider -->
    <LdapConnectorClass>com.custom.ldap.MyProvider</LdapConnectorClass>
    <LdapResource>MyLdap</LdapResource>
    <Search>
        <BaseDN></BaseDN> <!-- default is dc=apigee,dc=com -->
        <SearchQuery>your_param={request.header.your_param}</SearchQuery>
        <Attributes>
            <Attribute>address</Attribute>
            <Attribute>phone</Attribute>
            <Attribute>title</Attribute>
        </Attributes>
        <Scope></Scope> <!-- default is 'subtree' -->
    </Search>
</Ldap>

So once you get the params, work on them (compare with JavaScript) and do your work.

Are my assumptions correct?

-D
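One way to do the "compare with JavaScript" step Denis describes, as an added example that is not from this thread or from Apigee: the decision logic is kept pure so it can be tested outside the proxy, and the Apigee glue at the bottom only runs inside a JavaScript policy. The flow-variable names `ldap.LdapPolicy.allowedServices` / `ldap.LdapPolicy.accountStatus` and the comma-separated `allowedServices` attribute are assumptions; `context.getVariable`, `context.setVariable` and `proxy.pathsuffix` are real Apigee names.

```javascript
// Added example: authorize the call after the LDAP policy's Search has run.
// Assumption (not from the thread): the fetched attributes were written to
// flow variables, and "allowedServices" is a comma-separated list of the
// API basepaths this consumer may call, e.g. "/orders,/catalog".

function parseAllowedServices(raw) {
  if (!raw) return [];
  return String(raw).split(',')
    .map(function (s) { return s.trim(); })
    .filter(function (s) { return s.length > 0; });
}

// Segment-aware prefix match: "/orders" allows "/orders/123" but not "/orders-admin".
function isServiceAllowed(allowed, requestPath) {
  return allowed.some(function (svc) {
    return requestPath === svc || requestPath.indexOf(svc + '/') === 0;
  });
}

// Deny by default: a missing LDAP entry or a non-active account never passes.
function decide(ldapAttrs, requestPath) {
  if (!ldapAttrs || !ldapAttrs.allowedServices) {
    return { allow: false, reason: 'no_ldap_entry' };
  }
  if (ldapAttrs.accountStatus && ldapAttrs.accountStatus !== 'active') {
    return { allow: false, reason: 'inactive_account' };
  }
  var allowed = parseAllowedServices(ldapAttrs.allowedServices);
  return isServiceAllowed(allowed, requestPath)
    ? { allow: true, reason: 'ok' }
    : { allow: false, reason: 'service_not_allowed' };
}

// Apigee JavaScript policy glue; "context" only exists inside the proxy runtime.
if (typeof context !== 'undefined') {
  var attrs = {
    allowedServices: context.getVariable('ldap.LdapPolicy.allowedServices'), // assumed name
    accountStatus: context.getVariable('ldap.LdapPolicy.accountStatus')      // assumed name
  };
  var result = decide(attrs, context.getVariable('proxy.pathsuffix'));
  context.setVariable('authz.allowed', result.allow);
  context.setVariable('authz.reason', result.reason);
  if (!result.allow) {
    // Throwing makes the JavaScript policy fail, so a FaultRule can return 403.
    throw new Error('Authorization failed: ' + result.reason);
  }
}
```

On a denied call the reason is kept in `authz.reason` so the fault response can log it without echoing LDAP data to the client.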

Yes. This is what I want to do. But I must populate the LdapResource field first if I want to use this policy. As per the documentation, I must create a resource first by giving a reference to my provider class.

So is creating a resource nothing but making a connection to LDAP? Or should the provider class create the connection to LDAP?

It is not clear what should be part of the provider class and why we should create a resource. As we already know, search and authenticate can already be done using the LDAP policy.