LDAP Authentication
Overview
Edge Xpert supports communication with a Lightweight Directory Access Protocol (LDAP) server, OpenLDAP by default, to authenticate the user.
The LDAP authentication workflow consists of three steps:
- Bind to LDAP server using bind DN (distinguished name) and password
- Search for the user details in the LDAP server
- Bind to LDAP server again with user DN and password
To perform these steps successfully, the following parameters are required:
LDAP parameter | Description |
---|---|
url | LDAP server URL |
basedn | LDAP search base DN |
binddn | LDAP bind DN |
bindpasswd | password associated to the bind DN |
template | LDAP search template |
username | username to be authenticated |
password | password associated to the username |
These parameters are provided from three places: the configuration file, the secret store, and the HTTP request headers.
First we need to update /etc/edgexpert/nginx.conf.xpert to change from the default JWT authentication to LDAP authentication:

```shell
sudo sed -i 's/jwt/ldap/g' /etc/edgexpert/nginx.conf.xpert
```
Configuration
The proxy-auth configuration includes an LdapAuth section:

```toml
[LdapAuth]
URL = "ldap://localhost:389"
BaseDN = "dc=example,dc=com"
SearchTemplate = "(&(uid=%s)(objectClass=inetOrgPerson))"
RoleAttributeNames = ["ou", "memberOf"]
```
The SearchTemplate is a format string that supports a single %s verb substitution. The %s is replaced by the X-Ldap-Username value described in the HTTP request header section.
The RoleAttributeNames is a string array; each value names an LDAP attribute that may represent the user's group (role). proxy-auth checks each of these attributes in turn and returns as soon as one of them matches.
The matched group that is returned is then used to perform API authorization. For information on API authorization, refer to Authorization With Access Control List.
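As an added example (not proxy-auth's own code), the following Python shows how the SearchTemplate and RoleAttributeNames settings above are applied: the X-Ldap-Username value is escaped per RFC 4515 before it replaces the %s verb, so header characters are treated as data rather than filter syntax, and the role attributes are walked in order to find a group. The acl_groups list, the sample entry, and the reading of "matches" as "is a group the ACL knows" are assumptions made for this example.

```python
from typing import Dict, List, Optional

# Values from the page's [LdapAuth] section.
SEARCH_TEMPLATE = "(&(uid=%s)(objectClass=inetOrgPerson))"
ROLE_ATTRIBUTE_NAMES = ["ou", "memberOf"]

# RFC 4515, section 3: characters that must be hex-escaped inside a filter
# assertion value so they are read as data rather than as filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Substitute the X-Ldap-Username value for the template's single %s verb."""
    if template.count("%s") != 1:
        raise ValueError("SearchTemplate must contain exactly one %s verb")
    return template.replace("%s", escape_filter_value(username))


def resolve_role(entry: Dict[str, List[str]], role_attribute_names: List[str],
                 acl_groups: List[str]) -> Optional[str]:
    """Walk RoleAttributeNames in order and return the first attribute value
    that is a group known to the ACL; None if nothing matches.
    Assumption: this is what 'return if any of them matches' means."""
    for attr in role_attribute_names:
        for value in entry.get(attr, []):
            if value in acl_groups:
                return value
    return None


# Constructed sample entry, shaped like a search result for uid=tester.
SAMPLE_ENTRY = {
    "uid": ["tester"],
    "objectClass": ["inetOrgPerson"],
    "ou": ["engineering"],
    "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"],
}

if __name__ == "__main__":
    print(build_search_filter(SEARCH_TEMPLATE, "tester"))
    print(resolve_role(SAMPLE_ENTRY, ROLE_ATTRIBUTE_NAMES,
                       ["cn=admins,ou=groups,dc=example,dc=com"]))
```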
Override LdapAuth Configuration with Environment Variables
To override specific configuration settings, you can specify environment variables directly inside compose files.
In the following example, a couple of LdapAuth configurations are overridden by environment variables:

```yaml
services:
  proxy-auth:
    environment:
      LDAPAUTH_URL: ldap://192.168.56.10:389
      LDAPAUTH_BASEDN: dc=test,dc=com
```
Secret Store
The bind DN and its associated password are the LDAP server's credentials and should be stored in the secret store service (Vault).
Note
For information on Secret Store Service, refer to Secret Store.
Post the secrets into the secret store via the REST API of Proxy-Auth Microservice
Follow the steps below to use the POST secrets REST API of the Proxy-Auth service to add secrets into the secret store:
- Inspect the IPAddress of the running Proxy-Auth Microservice:

  ```shell
  $ docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' proxy-auth
  172.18.0.9
  ```

- Make the REST call to add the secret. Note that all necessary secrets must be added in a single REST call; otherwise the secret contents will be overwritten by subsequent REST calls.

  ```shell
  $ curl -k -X POST -d '{ "apiVersion": "v2", "path": "LDAP", "secretData": [ {"key":"BindDN", "value":"cn=admin,dc=example,dc=com"}, {"key":"BindPass", "value":"secret"} ] }' http://172.18.0.9:59842/api/v2/secret
  {"apiVersion":"v2","statusCode":201}
  ```
Note
The path must be exactly LDAP in order for the proxy-auth service to correctly read the secret.
HTTP request header
Lastly, the username and password, which may differ on each request, need to be specified in the HTTP request headers X-Ldap-Username and X-Ldap-Password respectively:

```shell
$ curl -k -H "X-Ldap-Username: tester" -H "X-Ldap-Password: secret" https://localhost:8443/core-data/api/v2/ping
{"apiVersion":"v2","timestamp":"Fri Aug 5 05:30:40 UTC 2022","serviceName":"core-data"}
```