Gateway: Basic auth, validate against ldap

bitsofinfo · July 13, 2017, 1:28pm

Hi,

I have an existing API that I am transferring to Tyk, all requests are authenticated via basic auth.

I’d like to take the username/pw in the basic auth Authorization header for inbound API calls going through the gateway, and have it validated against my ldap server.

How can I do this? The LDAP IDP integration only seems to be for the portal/dashboard?

Martin · July 13, 2017, 7:36pm

You could do this with the Tyk identity Broker:

But here’s no gateway support for LDAP

bitsofinfo · July 17, 2017, 2:53pm

Any examples of this out there? The ones described on the README seem to be around presenting login, form, generating tokens, redirects etc?

I just want something that will take the authorization header, bind that uname/pw against ldap, and do nothing else. If OK, let request proceed, of FAIL return 500. No token generations, redirects etc

Martin · July 17, 2017, 7:25pm

Yeah that doesn’t exist, you could fork TIB :-/

Martin · July 17, 2017, 7:25pm

You could always write your own auth middleware?

bitsofinfo · July 19, 2017, 4:37pm

For anyone else w/ this same confusion on what to use, for sure Identity broker is not a solution for this:

github.com/TykTechnologies/tyk-identity-broker

Basic Auth against LDAP integration

opened 03:22PM - 19 Jul 17 UTC

closed 04:35PM - 19 Jul 17 UTC

bitsofinfo

My use case is as follows: a) User sends an API request w/ a basic-auth heade…r to an exposed API on a gateway b) I need to take that basic auth uname/pw and validate it against ldap c) Return a 401 on authn fail, otherwise let the request proceeed Please correct me if I am wrong, but the identity broker as I understand it, is not really a solution for this scenario? It seems to be more of just an AUTHN backend for existing token based flows, with the auth request being requested against the id broker, not just a gateway API. (per this diagram: https://tyk.io/docs/concepts/tyk-components/identity-broker/) I need some sort of middleware hook that can do this against ldap, I don't see anything out of the box in Tyk which just supports this. (other than the IDP support for LDAP for securing the dashboard/portal only, but not just a user-defined API the gateways serve up)