Configure the ldap auth plugin for a Service with Kong

Pradeeban Kathiravelu edited this page Aug 2, 2018 · 10 revisions

LDAP Configuration

First, download and configure an LDAP server such as OpenDJ or Apache DS. On this page we use OpenDJ.

Enable the Kong LDAP plugin on a route

$ curl -X POST http://localhost:8001/routes/f145d2da-a692-447e-a6af-331b13a2975a/plugins --data "name=ldap-auth" --data "config.hide_credentials=true" --data "config.ldap_host=pradeebans-mbp.wireless.emory.edu" --data "config.ldap_port=10389" --data "config.start_tls=false" --data "config.base_dn=dc=example,dc=com" --data "config.verify_ldap_host=false" --data "config.attribute=cn" --data "config.cache_ttl=60" --data "config.header_type=ldap"

{"created_at":1533149271000,"config":{"header_type":"ldap","timeout":10000,"keepalive":60000,"hide_credentials":true,"ldap_host":"pradeebans-mbp.wireless.emory.edu","ldap_port":10389,"start_tls":false,"verify_ldap_host":false,"cache_ttl":60,"anonymous":"","attribute":"cn","base_dn":"dc=example,dc=com"},"id":"70bc7f0b-fc52-4a10-ae14-ecf198359ced","enabled":true,"route_id":"72d9a90b-32fb-46c7-8afb-8c494d1b1789","name":"ldap-auth"}

Note that in the command above we replaced the {route_id} placeholder with the route_id (the id of a route) that we created earlier for our service.

Also, config.ldap_host is set to pradeebans-mbp.wireless.emory.edu, the fully qualified hostname of the LDAP server, and config.ldap_port to 10389, as we use the Apache DS installation on the host.

Verify that the plugin is properly configured

$ curl -i -X GET --url http://localhost:8000/ --header 'Host: find-service.com'

HTTP/1.1 401 Unauthorized
Date: Wed, 01 Aug 2018 16:20:12 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
WWW-Authenticate: LDAP realm="kong"
Server: kong/0.14.0
Content-Length: 27

{"message":"Unauthorized"}

As you can see, the call to the API now fails when no credentials are supplied.

Authenticate with an LDAP entry.

$ curl -i -X GET --url http://localhost:8000 --header "Host: find-service.com" --header "Authorization: ldap ZmU6c21pdGhh"

Above, the credential ZmU6c21pdGhh is the base64 encoding of cn:password, which we obtained from a service such as https://www.base64encode.org/

Input: fe:smitha

Output: ZmU6c21pdGhh

Here the cn (the attribute configured as config.attribute) and the password are fe and smitha respectively, as defined in the LDAP directory (we imported the sample ldif file while configuring OpenDJ).
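As an added example that is not part of the original wiki page, the Python below builds the Authorization credential locally (so directory passwords never go to a third-party encoding site), decodes it back, and audits the plugin configuration Kong returned above for settings that leave the Kong-to-LDAP bind unprotected. The assumption that port 636 means LDAPS, and the helper names, are mine.

```python
import base64
import json
from typing import List, Tuple

# Plugin-creation response copied from this page (what Kong returned when
# the ldap-auth plugin was added to the route).
PLUGIN_RESPONSE = json.loads(
    '{"created_at":1533149271000,"config":{"header_type":"ldap","timeout":10000,'
    '"keepalive":60000,"hide_credentials":true,"ldap_host":"pradeebans-mbp.wireless.emory.edu",'
    '"ldap_port":10389,"start_tls":false,"verify_ldap_host":false,"cache_ttl":60,'
    '"anonymous":"","attribute":"cn","base_dn":"dc=example,dc=com"},'
    '"id":"70bc7f0b-fc52-4a10-ae14-ecf198359ced","enabled":true,'
    '"route_id":"72d9a90b-32fb-46c7-8afb-8c494d1b1789","name":"ldap-auth"}'
)


def ldap_auth_header(cn: str, password: str, header_type: str = "ldap") -> str:
    """Build the Authorization header value the plugin expects: base64 of cn:password."""
    token = base64.b64encode(f"{cn}:{password}".encode("utf-8")).decode("ascii")
    return f"{header_type} {token}"


def decode_ldap_auth_header(value: str) -> Tuple[str, str]:
    """Inverse of ldap_auth_header; split on the first ':' so a password may contain ':'."""
    _header_type, _, token = value.partition(" ")
    cn, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return cn, password


def audit_ldap_auth_config(config: dict) -> List[str]:
    """Return the plugin settings that weaken the Kong -> LDAP leg.

    Findings are derived only from values present in the plugin config dict.
    Assumption: port 636 is LDAPS; any other port without start_tls is plain LDAP.
    """
    findings = []
    # With start_tls off and a plain LDAP port, the simple bind (cn + password)
    # travels from Kong to the directory unencrypted.
    if not config.get("start_tls") and config.get("ldap_port") != 636:
        findings.append("start_tls=false: bind credentials are sent to LDAP in cleartext")
    # Only meaningful once TLS is on, but worth flagging so it is not forgotten.
    if not config.get("verify_ldap_host"):
        findings.append("verify_ldap_host=false: LDAP server certificate is not verified")
    # hide_credentials=true (as on this page) strips the header before proxying upstream.
    if not config.get("hide_credentials"):
        findings.append("hide_credentials=false: Authorization header is forwarded upstream")
    return findings
```

Running audit_ldap_auth_config(PLUGIN_RESPONSE["config"]) on the page's configuration reports the start_tls and verify_ldap_host findings, while hide_credentials=true passes.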

$ curl -i -X GET --url http://localhost:8000 --header "Host: find-service.com" --header "Authorization: ldap ZmU6c21pdGhh"

HTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Bindaas-version: 3.0.6
Date: Thu, 02 Aug 2018 14:35:00 GMT
metadata: {}
responseTime: 0
tags: []
Vendor: CCI Emory University
Server: Jetty(8.1.7.v20120910)
X-Kong-Upstream-Latency: 7
X-Kong-Proxy-Latency: 39
Via: kong/0.14.0

[{ "item" : "bulk" , "qty" : 1100.0},{ "item" : "bulk" , "qty" : 1100.0},{ "item" : "bulk" , "qty" : 1100.0 , "nu" : 1.0}]