DataPower uses Role-Based Management (RBM) for access control. By default, RBM uses local user accounts and user groups to authenticate and authorize users of the DataPower interfaces (WebGUI / Blueprint Console, XML Management Interface, REST Management Interface, etc.). You can instead configure it to use your LDAP / Active Directory server for authenticating and authorizing users working with the DataPower interfaces.
In this blog, I will be illustrating how to configure RBM for:
* Authenticating users using LDAP user accounts
* Obtaining the group membership of authenticated users from LDAP
* Setting up local user groups in line with LDAP groups for access control
Requirements:
Apache Directory Studio, used as the LDAP server
Administrative access to the DataPower environment
LDAP Configuration
The figure below represents the LDAP configuration used for this illustration.
Also provided below is a snapshot of my Apache LDAP server.
The image below shows the attributes of the devgrp group configuration in LDAP.
The image below shows the attributes of the devusr1 user account configuration in LDAP.
DataPower Configuration: Application Domain Configuration
Access DataPower WebGUI using the url https://[dp-mgmt-address]:[web-interface-port] and login using admin user account into the default domain.
From the left-side navigation options, navigate to Administration > Configuration > Application Domain.
In the Configure Application Domain screen, click on Add to create a new Application Domain named "dev", as shown below.
DataPower Configuration: User Group Configuration
Access DataPower WebGUI using the url https://[dp-mgmt-address]:[web-interface-port] and login using admin user account into the default domain.
From the left-side navigation options, navigate to Administration > Access > User Group.
In the Configure User Group screen, click on Add to create a new user group. We will create the user group with the same name as the group (refer to the cn attribute) created in the LDAP server.
Specify the name of the group as "devgrp".
Members of this group should have complete access only to the "dev" application domain. To create the Access Profile for the user group as per this requirement, click on Build and select the property values as shown.
Click on Apply to complete configuring the user group.
DataPower Configuration: RBM Configuration
Access DataPower WebGUI using the url https://[dp-mgmt-address]:[web-interface-port] and login using admin user account into the default domain.
From the left-side navigation options, navigate to Administration > Access > RBM Settings.
In the RBM Settings screen, click on the Authentication tab to configure LDAP-based authentication.
Select LDAP as the Authentication Method from the drop-down.
Specify the LDAP Server host name in Server Host property
Specify the LDAP server’s port for the Server Port property
Change the value for LDAP Version to v3
Enable the property Search LDAP for DN by selecting the "on" option.
In the LDAP bind DN property, configure the DN of the LDAP user account that DataPower will use to connect to the LDAP server. In my illustration, I am specifying the value "cn=dpldap,ou=people,dc=nebula,dc=com".
Create a new LDAP bind password alias object, by clicking the (+) icon, to hold the password associated with the LDAP bind DN account for the LDAP connection.
Provide any suitable name for the object
Specify the password to be used for LDAP connection that corresponds to the LDAP bind DN user account.
Click on Apply to complete the configuration and return to the earlier screen.
Create a new LDAP search parameters object to specify the criteria DataPower will use to locate the user account in the LDAP server. For my illustration, I am assuming that DataPower users will log in to the DataPower interfaces with the value of their uid attribute as the login id.
Provide any suitable name for the LDAP search parameter object, e.g. ldapUserSearch
Provide the LDAP Base DN under which the user accounts are created in the LDAP hierarchy. As per the LDAP configuration structure provided at the top of this document, all the user accounts are created under "ou=people", and hence the complete base DN for the user search is configured as "ou=people,dc=nebula,dc=com".
Leave the LDAP returned attribute of the successfully matched user account as "dn" itself.
To match the login id entered by the DataPower user against the uid attribute on the LDAP server, set the LDAP Filter Prefix property value to "(&(uid=".
Set the LDAP Filter Suffix property value to ")(objectClass=person))".
Click Apply to complete configuring the LDAP search parameters and return to the earlier screen.
Although we have now configured LDAP for authentication, for scenarios like a network issue or LDAP server unavailability it is better to have a fallback option, so that DataPower remains accessible, if not to all users, at least to a select few, especially the administrators.
Under Fallback section, select the option "Specific Users" for the Local accounts for fallback property
Add "admin" as one of the fallback user accounts.
Click on Apply to save the configuration.
Note: Based on the LDAP Filter Prefix and Suffix configured, when a user logs in to DataPower as devusr1, the LDAP search filter is constructed as "(&(uid=devusr1)(objectClass=person))" to locate the matching user account in LDAP.
Now that we have configured RBM for LDAP-based authentication, let's configure it further to retrieve the group membership of the users from LDAP.
In the RBM Settings screen, click on the Credential-Mapping tab to configure the retrieval of group membership from LDAP.
Leave the Credential Mapping method property value as "Local user group".
Enable the property Search LDAP for group name by selecting the "on" option.
Specify the LDAP Server host name in Server Host property
Specify the LDAP server’s port for the Server Port property
Change the value for LDAP Version to v3
Enable the property Search LDAP for DN by selecting the "on" option.
In the LDAP bind DN property, configure the DN of the LDAP user account that DataPower will use to connect to the LDAP server. In this illustration, I am specifying the value "cn=dpldap,ou=people,dc=nebula,dc=com".
For the LDAP bind password alias property, select the object created earlier from the drop-down.
Create a new LDAP search parameters object to specify the criteria DataPower will use to look up the group membership of the authenticated user in the LDAP server.
Provide any suitable name for the LDAP search parameters object, e.g. ldapGrpSearch.
Provide the LDAP Base DN under which the groups are created in the LDAP hierarchy. As per the LDAP configuration structure provided at the top of this document, all the groups are created under "ou=group", and hence the complete base DN for the group search is configured as "ou=group,dc=nebula,dc=com".
Specify the LDAP returned attribute of the successfully matched group as "cn".
To find the groups an authenticated user belongs to, we will use the "member" attribute of the group. Set the LDAP Filter Prefix property value to "(&(member=".
Provide the LDAP Filter Suffix property value as ")(objectClass=groupOfNames))"
Click Apply to complete configuring the LDAP search parameters and return to the earlier screen.
Click on Apply to save the RBM Settings configuration.
We have now successfully configured DataPower RBM to use LDAP for authentication as well as for retrieving the group membership of authenticated users.
You can confirm this by logging in to the DataPower WebGUI with devusr1 as the user id and the corresponding password configured for that account in the LDAP server. This user account is granted access only to the dev application domain, since it is a member of devgrp in the LDAP server.
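To see the two RBM lookups and the fallback rule end to end before typing them into the WebGUI, here is an added Python example (not DataPower code and not part of the original post) that simulates the uid search, the password check, the member-based group search and the "Specific Users" fallback against a constructed in-memory directory mirroring devusr1, dpldap and devgrp. The passwords, the single-level base DN matching and the RFC 4515 escaping of the typed login id are assumptions of this example, not statements about how DataPower implements RBM.

```python
import re

# Constructed sample directory (mirrors the blog's ou=people / ou=group entries)
DIRECTORY = {
    "uid=devusr1,ou=people,dc=nebula,dc=com": {
        "objectClass": {"person"}, "uid": {"devusr1"}, "userPassword": {"s3cret"}},
    "cn=dpldap,ou=people,dc=nebula,dc=com": {  # the bind DN service account
        "objectClass": {"person"}, "cn": {"dpldap"}, "userPassword": {"bindpw"}},
    "cn=devgrp,ou=group,dc=nebula,dc=com": {
        "objectClass": {"groupOfNames"}, "cn": {"devgrp"},
        "member": {"uid=devusr1,ou=people,dc=nebula,dc=com"}},
}
LOCAL_GROUPS = {"devgrp", "admin"}          # local DataPower user groups (access profiles)
FALLBACK_USERS = {"admin": "adminpw"}       # "Specific Users" fallback list (constructed)
FILTER_RE = re.compile(r"^\(&\(([^=]+)=(.*)\)\(objectClass=([^)]+)\)\)$")

def escape_filter(value):
    """RFC 4515 escaping so a typed login id cannot alter the filter structure (assumed here)."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def build_filter(prefix, value, suffix):
    """Assemble the filter the way the RBM settings describe: Prefix + value + Suffix."""
    return prefix + escape_filter(value) + suffix

def ldap_search(base_dn, ldap_filter, returned_attr):
    """Minimal evaluator for the (&(attr=value)(objectClass=x)) filters used on this page."""
    attr, value, oc = FILTER_RE.match(ldap_filter).groups()
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    hits = []
    for dn, attrs in DIRECTORY.items():           # one-level search under base_dn
        if dn.endswith("," + base_dn) and oc in attrs["objectClass"] \
                and value in attrs.get(attr, set()):
            hits.append(dn if returned_attr == "dn" else next(iter(attrs[returned_attr])))
    return hits

def rbm_login(login_id, password, ldap_up=True):
    """Return (authenticated, local_group) following the RBM settings described above."""
    if not ldap_up:                               # LDAP unreachable: fallback users only
        ok = FALLBACK_USERS.get(login_id) == password
        return ok, ("admin" if ok else None)
    # Authentication: locate the DN by uid under ou=people, then check the password
    user_dns = ldap_search("ou=people,dc=nebula,dc=com",
                           build_filter("(&(uid=", login_id, ")(objectClass=person))"), "dn")
    if len(user_dns) != 1 or password not in DIRECTORY[user_dns[0]]["userPassword"]:
        return False, None
    # Credential mapping: groups under ou=group that list the user DN as a member
    groups = ldap_search("ou=group,dc=nebula,dc=com",
                         build_filter("(&(member=", user_dns[0], ")(objectClass=groupOfNames))"), "cn")
    local = next((g for g in groups if g in LOCAL_GROUPS), None)  # must match a local group
    return True, local
```

A user whose LDAP groups match no local DataPower user group authenticates but gets no access profile, which is why the local group must carry exactly the cn used in LDAP.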
Prashant
Hope it's all working now after our connect. Do reach out if you have any further queries / issues.
Thanks
Yuvi
Hi Yuvaraj,
Can you please suggest on this.
Regards
Prashant Sidana
Hi Yuvaraj,
How are you doing? I tried following your document to configure LDAP on DP GW but it's not working. So I need your support to suggest where I have gone wrong. I have shared below the steps that I have followed.
- Created a user group - DPGWGroup
- Got my user added in this group
- Mentioned below is the configuration details
LDAP URL -LDAPS://Etisalat.Corp.ae:636
Base DN - DC=ETISALAT,DC=CORP,DC=AE
User DN ( you don’t have user name) use Group DN -
CN=DPGWGroup,OU=AppGroups,DC=etisalat,DC=corp,DC=ae
Search Attribute -sAMAccountName
FQDN - Etisalat.corp.ae
Prefix - As above
Suffix - As above
DP GW configuration
Created a user group - DPGWGroup
RBM Setting Authentication -
Authentication method : LDAP
Server host:…