Writable LDAP registry

Nisha Narayanan
Nov 21, 2019


This blog is the fourth part of the series Securing your API Connect Cloud with LDAP. The series aims to provide a brief introduction to LDAP, how it's used for user authentication, and how you can secure your API Connect cloud with LDAP to meet your enterprise security needs. You can find the complete list of entries for this series on the main page here.

This feature is available in the API Connect 2018.x version starting from 2018.4.1.8 only.

In addition to supporting user authentication with an LDAP server, API Connect also allows you to manage the users in your LDAP. This means you can create user accounts, update account information, reset passwords, delete user accounts, etc. in your LDAP server through API Connect. The use case for this is when you want users signing up to your Developer Portals to be created in your own LDAP server instead of the local registry that comes with the product.

This post will cover how to create an LDAP configuration in API Connect to leverage this capability.

LDAP configuration properties:

In addition to the standard LDAP configuration properties, you would need the following LDAP properties to enable this feature:

Additionally, the user_managed field for the user registry itself needs to be set to true.

user_managed: true

Example configuration:

Given below is a sample LDAP configuration showing an LDAP attribute mapping:

{
  authentication_method: 'search_dn',
  authenticated_bind: 'true',
  admin_dn: 'CN=Administrator,CN=Users,DC=apim,DC=ca,DC=com',
  admin_password: 'secret',
  search_dn_base: 'CN=Users,DC=apim,DC=ca,DC=com',
  search_dn_filter_prefix: '(sAMAccountName=',
  search_dn_filter_suffix: ')',
  directory_type: 'ad',
  attribute_mapping: {
    dn: 'CN=[first_name] [last_name],CN=Users,DC=apim,DC=ca,DC=com',
    cn: '[first_name] [last_name]',
    sn: '[last_name]',
    userPassword: '[password]',
    userPrincipalName: '[username]@apim.ca.com',
    sAMAccountName: '[username]'
  }
}

Let’s assume a user signed up to API Connect, with the following information:

first_name: Sprout
last_name: Ponoma
username: sprout
password: password

An LDAP user entry created from the user data and the attribute_mapping defined above would look like:

As in the create case shown here, if a user updates their profile or requests a password reset in API Connect, the corresponding changes are reflected in the LDAP server.
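As an added example (not code from the original post or from API Connect itself), the following Python renders the attribute_mapping above against the sign-up data and prints the resulting entry as LDIF, together with the login search filter assembled from search_dn_filter_prefix and search_dn_filter_suffix. The [field] substitution rule and the RFC 4514/4515 escaping of values placed into the DN and the filter are this example's assumptions about how such a mapping should be applied, not a description of API Connect's implementation.

```python
import re
# Constructed copies of the sign-up data and attribute_mapping from the post
CONFIG = {
    'search_dn_filter_prefix': '(sAMAccountName=',
    'search_dn_filter_suffix': ')',
    'attribute_mapping': {
        'dn': 'CN=[first_name] [last_name],CN=Users,DC=apim,DC=ca,DC=com',
        'cn': '[first_name] [last_name]',
        'sn': '[last_name]',
        'userPassword': '[password]',
        'userPrincipalName': '[username]@apim.ca.com',
        'sAMAccountName': '[username]',
    },
}
USER = {'first_name': 'Sprout', 'last_name': 'Ponoma',
        'username': 'sprout', 'password': 'password'}
PLACEHOLDER = re.compile(r'\[([a-z_]+)\]')

def escape_dn_value(value: str) -> str:
    """Backslash-escape the characters RFC 4514 treats as special inside a
    DN attribute value, so a comma or '=' in a name cannot add RDNs."""
    return ''.join('\\' + c if c in ',+"\\<>;=' else c for c in value)

def escape_filter_value(value: str) -> str:
    """Hex-escape the RFC 4515 filter metacharacters."""
    table = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(table.get(c, c) for c in value)

def render_mapping(mapping: dict, user: dict) -> dict:
    """Substitute each [field] placeholder with the user's data (assumed
    rule for how the mapping is applied); only the dn template is escaped,
    other attributes receive the raw value."""
    entry = {}
    for attr, template in mapping.items():
        esc = escape_dn_value if attr == 'dn' else (lambda v: v)
        entry[attr] = PLACEHOLDER.sub(lambda m: esc(user[m.group(1)]), template)
    return entry

def build_search_filter(config: dict, username: str) -> str:
    """Assemble the login filter from prefix + escaped username + suffix."""
    return (config['search_dn_filter_prefix'] + escape_filter_value(username)
            + config['search_dn_filter_suffix'])

def to_ldif(entry: dict) -> str:
    return '\n'.join(['dn: ' + entry['dn']] +
                     [f'{k}: {v}' for k, v in entry.items() if k != 'dn'])

if __name__ == '__main__':
    print(to_ldif(render_mapping(CONFIG['attribute_mapping'], USER)))
    print(build_search_filter(CONFIG, USER['username']))
```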

For complete instructions on creating and configuring an LDAP registry, you can refer to the examples here.

