top of page

Configuring RBM for LDAP based Authentication & Authorization in DataPower

Updated: Dec 20, 2019

Datapower uses Role-based Management (RBM) for access control. By default in DataPower, RBM uses local user account and user-groups to authenticate and authorize users using DataPower interfaces like WebGUI / Blueprint Console, XML Management Interface, REST Management Interface etc. We could configure it to your LDAP / Active Directory for the purpose of authenticating and authorizing users working with DataPower interfaces.

In this blog, I will be illustrating how to configure RBM for * Authenticating users using LDAP user account * Obtain Group membership of authenticated users from LDAP * Setting up local user group in line with LDAP groups for access control


Requirements:

  1. Apache Directory Studio for the purpose of LDAP Server

  2. Administration Access to Datapower environment


LDAP Configuration


Below figure represents the ldap configuration used for the purpose of illustration

LDAP Configuration

Also provided below is the snapshot of my Apache LDAP Server

LDAP Hierarchy in Apace Directory Studio
LDAP Setup Snapshot

Below image shows the attributes of devgrp group configuration in LDAP

Attributes of devgrp object
Properties of devgrp Group configured in LDAP

Below image shows the attributes of devusr1 user account configuration in LDAP

Attributes of devusr1 object
Properties of devusr1 User Account configured in LDAP

DataPower Configuration: Application Domain Configuration

  1. Access DataPower WebGUI using the url https://[dp-mgmt-address]:[web-interface-port] and login using admin user account into the default domain.

dp login
DataPower WebGUI Login Screen
  • From the left-side navigation options, navigate to Administration > Configuration > Application Domain.

dp domain configuration
DataPower: Application Domain Configuration Screen
  • In the Configure Application Domain screen, click on Add to create a new Application Domain of the name "dev", as shown below

dp dev domain creation
DataPower: Creating new Application Domain "dev"

DataPower Configuration: User Group Configuration

  1. Access DataPower WebGUI using the url https://[dp-mgmt-address]:[web-interface-port] and login using admin user account into the default domain.

  2. From the left-side navigation options, navigate to Administration > Access > User Group.

dp user group configuration
DataPower: User Group Configuration Screen
  • In the Configure User Group screen, click on Add to create a new user group. We will be creating the user group with the same name as the group (refer to cn attribute) created in the LDAP server.

  • Specify the name of the group as "devgrp"

  • Members of this group should have completed access only to "dev" application domain. To create Access Profile for the user group as per our requirement, click on Build and select the property values as shown

dp devgrp configuration
DataPower: Creating new user group devgrp as per LDAP group name
  • Click on Apply to complete configuring the user group.

DataPower Configuration: RBM Configuration

  • Access DataPower WebGUI using the url https://[dp-mgmt-address]:[web-interface-port] and login using admin user account into the default domain.

  • From the left-side navigation options, navigate to Administration > Access > RBM Settings.

dp rbm settings
  • In the RBM Settings screen, click on Authentication tab, to configure LDAP based authentication

  • Select the Authentication Method as LDAP from the drop-down

  • Specify the LDAP Server host name in Server Host property

  • Specify the LDAP server’s port for the Server Port property

  • Change the value for LDAP Version to v3

  • Enable the property Search LDAP for DN, by selecting the "on" option

  • Configure the DN of the LDAP user account that is to be used by Datapower to connect to LDAP server in the LDAP bind DN property. In my illustration, am specifying the value as "cn=dpldap,ou=people,dc=nebula,dc=com"

ldap authenticate configuration - 1
  • Create new LDAP bind password alias object to specify the password associated with LDAP bind DN user account for LDAP connection, by clicking the (+) icon

  • Provide any suitable name for the object

  • Specify the password to be used for LDAP connection that corresponds to the LDAP bind DN user account.

dp ldap password alias configuration
  • Click on Apply to complete the configuration and return to earlier screen

  • Create new LDAP search parameters object to specify the criteria that is to be used by Datapower to locate / search the user account in the LDAP server. For my illustration, am assuming the DataPower users will be using the uid attribute value as the login id to the DataPower interfaces.

  • Provide any suitable name for the LDAP search parameter object, e.g. ldapUserSearch

  • Provide the LDAP Base DN, under which the user accounts are created in the LDAP hierarchy. As per the LDAP configuration structure provided at the top of this document, all the user accounts are created under "ou=people" and hence the complete base DN for the user account is configured as "ou=people,dc=nebula,dc=com"

  • Let the LDAP returned attribute of the successfully matched user account be "dn" itself

  • To search the user account matching the login id entered by DataPower user with the uid attribute on the LDAP server, provide the LDAP filter Prefix property value as "(&(uid="

  • Provide the LDAP Filter Suffix property value as ")(objectClass=person))"

ldap search parameter for user account
  • Click Apply to complete configuring LDAP search parameter and return to earlier screen

  • Although now we have configured LDAP for authentication, for scenarios like network issue or ldap server unavailability, its better to have a fallback option, to ensure that DataPower is accessible if not to all, at least to select few, esp. the administrators.

  • Under Fallback section, select the option "Specific Users" for the Local accounts for fallback property

  • Add "admin" as the one of the user account for fallback users.

ldap authenticate configuration - 2
  • Click on Apply to save the configuration

Note: Based on LDAP Filter Prefix and Suffix configured, when the user logs in as devusr1 in DataPower, ldap search parameter will be constructed as "(&(uid=devusr1)(objectClass=person))" to locate the matching user account in ldap.


Now that we have configured RBM for LDAP based authentication, lets configure it further to retrieve the group membership of the users from LDAP

  • In the RBM Settings screen, click on Credential-Mapping tab, to configure for fetching group membership from LDAP

  • Leave the Credential Mapping method property value as "Local user group"

  • Enable the property Search LDAP for group name, by selecting the option "on"

  • Specify the LDAP Server host name in Server Host property

  • Specify the LDAP server’s port for the Server Port property

  • Change the value for LDAP Version to v3

  • Enable the property Search LDAP for DN, by selecting the "on" option

  • Configure the DN of the LDAP user account that is to be used by Datapower to connect to LDAP server in the LDAP bind DN property. In this illustration, am specifying the value as "cn=dpldap,ou=people,dc=nebula,dc=com"

  • For the LDAP bind password alias property, select the earlier create object from the drop-down

ldap group retrieval configuration - 1
  • Create new LDAP search parameters object to specify the criteria that is to be used by Datapower to locate / search the group membership of authenticated user from the LDAP server.

  • Provide any suitable name for the LDAP search parameter object, e.g. ldapGrpSearch

  • Provide the LDAP Base DN, under which the user accounts are created in the LDAP hierarchy. As per the LDAP configuration structure provided at the top of this document, all the groups are created under "ou=group" and hence the complete base DN for the group search is configured as "ou=group,dc=nebula,dc=com"

  • Specify the LDAP returned attribute of the successfully matched group membership as "cn".

  • To search the group membership of authenticated users, we will be using the "member" attribute of group. Provide the LDAP filter Prefix property value as "(&(member="

  • Provide the LDAP Filter Suffix property value as ")(objectClass=groupOfNames))"

ldap group search parameter configuration
  • Click Apply to complete configuring LDAP search parameter and return to earlier screen

ldap group retrieval configuration - 2
  • Click on Apply to save the configuration of RBM Settings.

We have now successfully configured our DataPower RBM settings to user LDAP for authentication as well retrieving the group membership of the authenticated users.

You could further confirm / test this, by using devusr1 as login user id from DataPower WebGUI and the correponsding password for the account as configured in the ldap server. For this user account, access will be provided only to the dev application domainm, since this user account is member of devgrp in ldap server.


2,706 views3 comments
bottom of page