Connecting Tyk/TIB to LDAP


#1

I have configured everything (Tyk and OpenLDAP) fresh on an Ubuntu 14.04.02 VM since my previous configuration apparently had some issues.

Tyk works fine. OpenLDAP works fine too. Now I need to get OpenLDAP to work with Tyk (the simplest scenario). However, currently I am unable to perform any Identity Management actions.

Every time I click the "Identity Management Profiles" option
http://dashboard.tyk-local.com:3000/#/tib/profiles
I get the below error in TIB:

    ERRO[0004] [API] Authorization failed: Header mismatch

I also get the error:

    [May 18 16:39:30] ERROR TIB: Request failed: Did not receive code:200 got: 401

in the dashboard log.

The Dashboard always indicates,

    Error
    TIB: Request failed.

The TIB start-up logs indicate the below:

    [email protected]:~/programs/tib-v0.1$ ./tib
    toth/tothic: no SESSION_SECRET environment variable is set. The default cookie store is not available and any calls will fail. Ignore this warning if you are using a different store.
    INFO[0000] Tyk Identity Broker v0.1
    INFO[0000] Copyright Martin Buhr 2016

    INFO[0000] [MAIN] Initialising Profile Configuration Store
    INFO[0000] [IN-MEMORY STORE] Initialised
    INFO[0000] [MAIN] Initialising Identity Cache
    INFO[0000] [REDIS STORE] Initialised
    INFO[0000] [FILE LOADER] Loaded: 1 profiles from profiles.json
    INFO[0000] [MAIN] Broker Listening on :3010

Probably I do not even understand what a few of these parameters are.

profiles.json

I got the OrgID from a curl response, such as,

    curl -H "Authorization: e6d2926b358f43a0497850012c373b90" \ …

So I assume I got that right.

LDAP port and LDAP server are OpenLDAP default, and are correct.

I am not sure about the ProviderConstraints. So I left them unchanged - empty domain and group.
    "ReturnURL": "http://portal.tyk-local.com:3000/portal/sso/",

here, portal.tyk-local.com is reserved in /etc/hosts as

    127.0.0.1 portal.tyk-local.com

but never used anywhere else. Changing it to

    "ReturnURL": "http://dashboard.tyk-local.com:3000/portal/sso/",

made no difference.

    "LDAPUserDN": "cn=*USERNAME*,cn=admin,ou=Groups,dc=my-domain,dc=com"

should be correct, as ,cn=admin,ou=Groups,dc=my-domain,dc=com is fine.

My complete profiles.json is,

    [{
      "ActionType": "GenerateOrLoginDeveloperProfile",
      "ID": "5",
      "IdentityHandlerConfig": {
        "DashboardCredential": "573cb5c7a57deb1f78000001198fa5db868d42ff47dc56fa4a8080fd"
      },
      "OrgID": "573cb5c7a57deb1f78000001",
      "ProviderConfig": {
        "FailureRedirect": "http://portal.tyk-local.com:3000/portal/login/",
        "LDAPAttributes": [],
        "LDAPPort": "389",
        "LDAPServer": "localhost",
        "LDAPUserDN": "cn=*USERNAME*,cn=admin,ou=Groups,dc=my-domain,dc=com"
      },
      "ProviderConstraints": {
        "Domain": "",
        "Group": ""
      },
      "ProviderName": "ADProvider",
      "ReturnURL": "http://portal.tyk-local.com:3000/portal/sso/",
      "Type": "passthrough"
    }
    ]

tib.conf

I have left "Secret" as "secret" (my OpenLDAP secret). Which secret is this?
I do not have server.pem, server.key, or even .certs folder.

I left the Backend configurations to be default.

I have done the relevant TykAPISettings. However, I have left the "AdminSecret" entries at their default, as I am not sure what these two admin secrets are.

My complete tib.conf is,

    {
      "Secret": "secret",
      "HttpServerOptions": {
        "UseSSL": false,
        "CertFile": "./certs/server.pem",
        "KeyFile": "./certs/server.key"
      },
      "BackEnd": {
        "Name": "in_memory",
        "ProfileBackendSettings": {},
        "IdentityBackendSettings": {
          "Hosts": {
            "localhost": "6379"
          },
          "Password": "",
          "Database": 0,
          "EnableCluster": false,
          "MaxIdle": 1000,
          "MaxActive": 2000
        }
      },
      "TykAPISettings": {
        "GatewayConfig": {
          "Endpoint": "http://dashboard.tyk-local.com",
          "Port": "8080",
          "AdminSecret": "54321"
        },
        "DashboardConfig": {
          "Endpoint": "http://dashboard.tyk-local.com",
          "Port": "3000",
          "AdminSecret": "12345"
        }
      }
    }

Please let me know where I am going wrong.

Thank you.
Regards,
Pradeeban.


#2

Maybe one problem at a time :slight_smile:

The dashboard and TIB shared secrets don't match; you need to set that up in your tyk_analytics.conf file to match the secret that is in your TIB.conf.

See the identity broker section in the configuration docs for the dashboard:

https://tyk.io/docs/tyk-dashboard-v1-0/configuration/


#3

Thanks a lot.
Setting that up basically fixed all the error messages. :slight_smile:

So now, I am using my browser to connect to

    http://localhost:3010/auth/[email protected]/ldap

It gives the error in the browser

    {"Status":"error","Error":"Profile not found"}

and in the TIB console,

    ERRO[0572] [AUTH HANDLERS] Profile not found: Not found

I have a user with the email [email protected] in ldap. Any hint on what is missing?


#4

This URL is wrong, it will be:

http://localhost:3010/auth/{profile-id}/ldap

Where profile-id refers to the ID of the profile that you set up to handle LDAP connections, it will just be a number or GUID.


#5

I am sorry. But where can I find the ID of the profile? Did you mean the API ID or something?

I could not find it from System Management -> Users.

Also in this URL, I am merely replacing {ldap}; I suppose it should have some meaning as well (hence the "{ }" placeholders). Please let me know if this also should be replaced by some specific param.

    http://your-host.com:{tib-port}/auth/{profile-id}/{ldap}


#6

The URL will be:

http://your-host.com:{tib-port}/auth/{profile-id}/ldap

The last param can be anything with LDAP; it is ignored with those profiles (but required for the URL match).


#7

Thanks. I guess I am close now. :slight_smile:
I am getting this now, which probably means I should specify my LDAP "secret" somewhere in Tyk/TIB.

    ERRO[0779] [AD AUTH] Bind failed for user:
    ERRO[0779] [AD AUTH] --> Error was: LDAP Result Code 53 "Unwilling To Perform": unauthenticated bind (DN with no password) disallowed

Any pointer to where do I specify it, or is it something else?


#8

If you look at the TIB LDAP docs they state:

TIB can pull a username and password out of a request in two ways:

- Two form fields called "username" and "password"
- A basic auth header using the Basic Authentication standard form

By default, TIB will look for the two form fields. To enable Basic Auth header extraction, add "GetAuthFromBAHeader": true to the ProviderConfig section.

So either post the username and pass or use a basic auth header.


#9

I am getting the error below:

    ERRO[0079] [AD AUTH] Bind failed for user:
    ERRO[0079] [AD AUTH] --> Error was: LDAP Result Code 34 "Invalid DN Syntax": invalid DN

I changed my profiles.json as below to include this:

    [{
      "ActionType": "GenerateOrLoginDeveloperProfile",
      "ID": "5",
      "IdentityHandlerConfig": {
        "DashboardCredential": "573cb5c7a57deb1f78000001198fa5db868d42ff47dc56fa4a8080fd"
      },
      "OrgID": "573cb5c7a57deb1f78000001",
      "ProviderConfig": {
        "FailureRedirect": "http://portal.tyk-local.com:3000/portal/login/",
        "LDAPAttributes": [],
        "LDAPPort": "389",
        "LDAPServer": "localhost",
        "LDAPUserDN": "cn=*USERNAME*,cn=email,dc=my-domain,dc=com",
        "GetAuthFromBAHeader": true
      },
      "ProviderConstraints": {
        "Domain": "",
        "Group": ""
      },
      "ProviderName": "ADProvider",
      "ReturnURL": "http://portal.tyk-local.com:3000/portal/sso/",
      "Type": "passthrough"
    }
    ]

However, when I restart TIB as below:

    [email protected]:~/programs/tib-v0.1$ ./tib

it does not really propagate this.

In the Add IDM Profile option, it gives default params, such as

    http://domain.com/?fail=true

and

    cn=*USERNAME*,cn=dashboard,ou=Group,dc=test-ldap,dc=domain,dc=io

So basically, I manually changed it again from the dashboard:

User DN:

    cn=*USERNAME*,cn=admin,ou=email,dc=my-domain,dc=com

My LDAP has the below entries:

    [email protected]alBox:~/programs/tib-v0.1$ ldapsearch -x -LLL -H ldap:/// -b dc=my-domain,dc=com dn

    dn: dc=my-domain,dc=com

    dn: cn=admin,dc=my-domain,dc=com

    dn: ou=People,dc=my-domain,dc=com

    dn: ou=Groups,dc=my-domain,dc=com

    dn: cn=miners,ou=Groups,dc=my-domain,dc=com

    dn: uid=john,ou=People,dc=my-domain,dc=com

    dn: ou=email,dc=my-domain,dc=com

    dn: cn=Pradeeban Kathiravelu,ou=email,dc=my-domain,dc=com

So I guess I did not give some weird entry to Tyk.
However, I am not very sure about the inclusion of cn=*USERNAME* in the DN in Tyk. Is that what is causing the mismatch? Should I add some skeleton to OpenLDAP to reflect this?


#10

Either edit the profiles.json or use the dashboard - don't do both :slight_smile:

The error is stating that the DN syntax is wrong; the USERNAME placeholder is the DN binding lookup. So basically you need a valid DN binding syntax that works with your username, and then replace the real username with the placeholder.
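As an added example (not TIB's code and not from any poster in this thread), a Python pre-flight check that models the two credential sources the TIB docs quoted in #8 describe, substitutes the *USERNAME* placeholder into LDAPUserDN as #10 explains, and reports the two bind failures seen above. The profile, header values and DN suffix are constructed for the example; escaping of the substituted username follows RFC 4514 so a crafted username cannot change which DN is bound.

```python
import base64
import re
# Constructed sample, modelled on the ProviderConfig posted in this thread (not TIB's own code).
SAMPLE_PROFILE = {"ProviderConfig": {
    "LDAPUserDN": "cn=*USERNAME*,ou=email,dc=my-domain,dc=com", "GetAuthFromBAHeader": True}}
DN_SPECIALS = ',+"\\<>;'  # RFC 4514: these must be escaped inside an RDN value
# Simplified RDN check: attributeType=value with a non-empty value; commas only when escaped.
RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+$')

def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def extract_credentials(profile, headers, form):
    """Pull username/password the two ways the TIB docs quoted above describe."""
    if not profile["ProviderConfig"].get("GetAuthFromBAHeader"):
        return form.get("username"), form.get("password")
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None, None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None, None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else (None, None)

def escape_rdn_value(value):
    """Escape the username so it cannot add or alter RDNs in the bind DN."""
    out = "".join("\\" + c if c in DN_SPECIALS else c for c in value)
    out = "\\" + out if out[:1] in (" ", "#") else out  # leading space or '#'
    return out[:-1] + "\\ " if out.endswith(" ") else out  # trailing space

def build_bind_dn(template, username):
    if "*USERNAME*" not in template:
        raise ValueError("LDAPUserDN has no *USERNAME* placeholder")
    return template.replace("*USERNAME*", escape_rdn_value(username))

def dn_is_valid(dn):
    rdns = re.split(r"(?<!\\),", dn)  # split only on unescaped commas
    return all(RDN_RE.match(rdn.strip()) for rdn in rdns)

def preflight(profile, headers, form):
    user, password = extract_credentials(profile, headers, form)
    if not password:
        return "refuse: no password, i.e. an unauthenticated bind (Result Code 53 above)"
    dn = build_bind_dn(profile["ProviderConfig"]["LDAPUserDN"], user or "")
    if not dn_is_valid(dn):
        return "refuse: Invalid DN Syntax (Result Code 34 above) for " + dn
    return "ok: bind as " + dn
```

Running preflight against a request before TIB attempts the bind turns the two server-side errors from this thread into explicit, local checks.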


#11

Thanks, finally I got this working with Apache Directory Studio.

    INFO[0008] [AD AUTH] User bind successful: pradeeban
    INFO[0008] [TYK ID HANDLER] Creating identity for: {map[] ADProvider [email protected] pradeeban }

Guess I had some issues with OpenLDAP configurations previously.

I am continuing my research, and I will get back to you in another thread if I need any help in another Tyk task. :wink: