Skip to content
/ ldap-authentication-policy Public

3scale LDAP authentication policy ,validates credentials from authorization header in LDAP

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

3scale-demos/ldap-authentication-policy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
policies/ldap_authn/1.0.0
policies/ldap_authn/1.0.0
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
Roverfile
Roverfile
 
 
Roverfile.lock
Roverfile.lock
 
 

Repository files navigation

3scale LDAP Authentication Policy

This Policy allows APICast to determine if access to an API should be granted or denied based on the provided credentials in the Authorization header,it extracts the user name and password from an HTTP Basic request and binds to LDAP using these credentials to check if the user name and password are valid.

The configuration parameters :-

Name Type Description Example
ldap_host string Host on which the LDAP server is running ldap.jumpcloud.com
ldap_port number port where the LDAP server is listening 389
base_dn string Base dn of the LDAP server ou=Users,o=61ad22,dc=jumpcloud,dc=com
uid string Attribute to be used to search the user uid
error_message access is not allowed Error message to show to user when traffic is blocked

Policy Installation on OpenShift

The policy uses lua-resty-ldap dependency for connecting with an LDAP server which must be added on apicast base image.

1. Build Custom APIcast image

  1. create openshift project.

    oc new-project <<apicast-ldap>>

  2. create image stream.

    apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
 name: apicast-ldap

  3. create openshift build. The build uses docker stratgy from the git repo , the docker uses apicast-gateway-rhel8:3scale2.13 as a base image,if you are using a diffeent version from 3scale the docker file needs to be updated to your version of 3scale.

 apiVersion: build.openshift.io/v1
 kind: BuildConfig 
 metadata:
  name: apicast-ldap
 spec:
  output:
    to:
      kind: ImageStreamTag
      name: 'apicast-ldap:latest'
  strategy:
     type: Docker
     dockerStrategy:
      dockerfilePath: Dockerfile
  source:
      type: Git
      git:
       uri: 'https://github.com/abdelhamidfg/3scale-ldap-authentication-policy'
  1. start openshift build.
oc -n <<apicast-ldap>> start-build apicast-ldap --wait --follow

2. Deploy a self-managed APIcast gateway

  1. Install the APIcast operator as described in the documentation
  2. Create a kubernetes secret that contains a 3scale Porta admin portal endpoint information
oc create secret generic 3scaleportal --from-literal=AdminPortalURL=https://[email protected]
  1. create a secret contains the policy files (the files are existed in the repo folder /policies/ldap_authn/1.0.0)
oc create secret generic ldap-authn-policy   --from-file=ldap_authn.lua   --from-file=init.lua   --from-file=apicast-policy.json --from-file=ldap.lua --from-file=asn1.lua

4.Create APIcast custom resource instance The image attrbuite should refered to the custom image build in step 1

apiVersion: apps.3scale.net/v1alpha1
kind: APIcast
metadata:
  name: apicast-ldap
spec: 
  adminPortalCredentialsRef:
    name: 3scaleportal
  replicas: 1  
  image: 'image-registry.openshift-image-registry.svc:5000/apicast-ldap-custom/apicast-ldap'
  customPolicies:
    - name: ldap_authn
      secretRef:
        name: ldap-authn-policy
      version: 1.0.0
  1. Create 3scale CustomPolicyDefinition Custom Resource in order to view the policy configuration in the API Manager policy editor UI , the custom policy should be registered using customPolicyDefinition custom resource
apiVersion: capabilities.3scale.net/v1beta1
kind: CustomPolicyDefinition
metadata:
 name: custompolicydefinition-ldap-authn
spec:
 name: "ldap_authn"
 version: "1.0.0"
 schema:
   name: "ldap_authn"
   version: "1.0.0"
   summary: "The policy checks for valid credentials in the Authorization header , extracts the user name and password from an HTTP Basic request and binds to LDAP using these credentials to check if the user name and password are valid"
   $schema: "http://json-schema.org/draft-07/schema#"
   configuration:
     type: "object"
     properties:
       ldap_host:
           description: "host of ldap server"
           type: "string"
       ldap_port:
           description: "port of ldap server"
           type: "number"
       base_dn:
           description: "Base dn of the LDAP server"
           type: "string"
       uid:
           description: "Attribute to be used to search the user"
           type: "string"
       error_message	:
           description: "Error message to show to user when traffic is blocked	"
           type: "string"
     providerAccountRef:
      name: threescale-provider-account

For more informatino about this step ,check the documentation

1. Testing the policy

  1. Create an API Product and add the policy to the policy chain after the API Cast policy
  2. provides configuration parameters
{
      "name": "ldap_authn",
      "version": "1.0.0",
      "configuration": {
        "ldap_host" : "ldap.jumpcloud.com",
        "ldap_port":389,
        "base_dn":"ou=Users,o=23221k2,dc=jumpcloud,dc=com",
        "uid": "uid"
    },
      "enabled": true
    }

3.Test the service

  curl  <<url of the api product>> -u "username:password"

About

3scale LDAP authentication policy ,validates credentials from authorization header in LDAP

Topics

ldap-authentication 3scale

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages