LDAP Feature?


#1

Imported Google Group message. Original thread at: https://groups.google.com/forum/#!topic/tyk-community-support/b_-ayHxyYs8 Import Date: 2016-01-19 21:10:40 +0000.
Sender:Bill.
Date:Monday, 27 April 2015 23:52:08 UTC+1.

I see a branch for the LDAP feature on GH, https://github.com/lonelycode/tyk/tree/feature/ldap. I assume this allows one to authenticate users against an LDAP instance? If so, is it working? Where might I find some documentation on how to use…even some crude notes perhaps? Thanks!


#2

Imported Google Group message.
Sender:Martin Buhr.
Date:Tuesday, 28 April 2015 08:42:14 UTC+1.

Hi Bill,

Yes there is an LDAP connector in Tyk 1.6, however, the reason it is undocumented is because it is so limited, it acts more as a proof of concept than anything else and is an example of how it is quite simple to add a new storage engine to Tyk, it is also read-only, which means it can’t be used as a management backend in the dashboard and any write commands via the Tyk REST API ill not work - if you are using it, it will be just one-way.

The LDAP storage handler basically replaces the default storage manager used by the auth handler, the auth manager does the following: Tyk will pick up a key or auth token from an inbound request, it will check if the key is in Redis, if it does not find it, it will consult it’s registered storage handler (LDAP, in this case), it will then use the LDAP handler to try and find that auth token on an LDAP server using a predefined query, if found, the LDAP the server must then provide a Session object (the same JSON structure that is used when creating a key using the REST API), which Tyk will then cache in Redis for future use.

In order to make this more secure, we recommend limiting all redis-stored keys to have a specific lifetime so that re-authentication occurs often. to do this, set the “session_lifetime” key in the API Definition to whatever TTL value you want to use (this will make the key expire in redis after a period of time, forcing the LDAP client to re-authenticate).

To set up the LDAP handler, you need to register it as the storage engine in the auth_provider section in your API Definition:

...
"auth_provider": {
    "name": "",
    "storage_engine": "ldap",
    "meta": {
    "ldap_server": "test-ldap.yourserver.com",
    "ldap_port": 389,
    "base_dn": "dc=test-ldap,dc=tyk,dc=io",
    "attributes": ["cn", "description"],
    "session_attribute_name": "description",
    "search_string": "(cn=TYKKEYID)",
    "use_ssl": true
    }
},
...

In the above example, you can see we left “name” empty, this is because it is also possible to change the surrounding logic of how Tyk look sup and manages authentication with an inbound key, before pasing it to the sotrage engine. We have a few parameters that need to be configured:
ldap_server - this is the server to query
ldap_port - the port to connect on
base_dn: the base Dn to use when submitting the query
attributes: the atrributes to return
session_attribute_name: The atttribute in the LDAP records that holds the Session object for the key
search_string: How to find this specific key, here TYKKEYID is a string replacement (not great) and marks where to insert the key string in the search query
use_ssl: Should SSL be enabled - I don’t think this works yet, it’s definetely untested
To see how it works you can check the module in the go code, it’s pretty straightforward to see what’s going on, and, with some time, could probably even become a read/write handler.

I hope that clarifies things a little :slight_smile: We’re not that experienced with LDAP, so any input on this connector would be appreciated immensely!

Cheers,
Martin

On Monday, April 27, 2015 at 11:52:08 PM UTC+1, Bill wrote:
I see a branch for the LDAP feature on GH, https://github.com/lonelycode/tyk/tree/feature/ldap. I assume this allows one to authenticate users against an LDAP instance? If so, is it working? Where might I find some documentation on how to use…even some crude notes perhaps? Thanks!