LDAP (Lightweight Directory Access Protocol) is a network protocol for locating and reading data about organizations, individuals and other resources such as files and devices in a network. LDAP is a "lightweight" version of the Directory Access Protocol (DAP), which is part of X.500, a standard for directory services. It is considered lightweight because it drops most of the X.500 stack and runs directly over TCP/IP with a much simpler encoding and a smaller set of operations.
A directory tells a client where in the network something is located. On TCP/IP networks, including the internet, the domain name system (DNS) is the directory that maps a domain name to a specific network address. DNS, however, requires that the client already knows the name. LDAP lets a client search for a person or other object by its attributes (name, e-mail address, group membership) without knowing in advance where in the directory tree the entry is; every additional attribute supplied narrows the search.
Url
URL of your LDAP server. Must include the protocol (ldap:// or ldaps://) and the port if it is not the default (389 for ldap, 636 for ldaps). E.g. ldap://my.server or ldaps://my.server:1234. Note that plain ldap:// sends the technical user's password and every user's login password in clear text over the network; use ldaps:// wherever possible.
Search Base
DN of an organizational unit (OU) or other container in your LDAP directory. Only users whose entries are located under this DN, that is in this OU or in any OU nested below it, can log in. Example: OU=Users,OU=apiida.com,DC=ad,DC=apiida,DC=com
Technical User
Full DN of a user with read (ideally: read-only) access to the LDAP directory. The platform stores this account's password and uses it for every login, so use a dedicated service account with no other privileges rather than a personal or administrative account. Tip: on Windows you can run 'whoami /fqdn' to get the DN of the current user. Example: CN=John Doe,OU=Users,OU=apiida.com,DC=ad,DC=apiida,DC=com
Technical User Password
Password of the technical user.
User Name Attribute
Attribute of user entries that is used for login. This determines what your users will enter as username in the API Control Plane. The value of this attribute should be unique within the search base; if a login matches more than one entry, the user cannot be identified. Examples are mail, sAMAccountName, userPrincipalName.
Display Name Attribute (optional)
User entry attribute that will be used to obtain the user's display name. If not specified, this is the same as user name attribute. Examples are cn, name, displayName.
Email Attribute (optional)
User entry attribute that (if present) will be used to obtain the user's email address. In most cases, this attribute is named mail.
User Group (optional)
If specified, a regular user must, in addition to being located under the search base, be a member of a group with exactly this name (the group name is compared, not a DN). Users who are not in this group can still log in if they are members of the admin group, if one is specified.
Admin Group (optional)
If specified, any user under the search base who is also a member of a group with exactly this name is logged in with the global admin role.
Server Certificate (optional)
If you are using ldaps with a self-signed certificate, you can enter that certificate here in PEM format. The certificate must have been issued for the hostname used in the URL, i.e. that hostname must appear in the certificate's Subject Alternative Name; a certificate issued for a different name, or for an IP address while the URL uses a hostname, will be rejected.
Overview
The LDAP (Lightweight Directory Access Protocol) Configuration page in the API management interface is where administrators can set up and manage LDAP integration for user authentication and directory services. This setup allows the platform to authenticate users against an LDAP directory such as Active Directory, OpenLDAP, or other LDAP-compliant directories.
Interface Layout
This configuration page is found under the Authentication category in the Configuration section on the side navigation menu. The layout is form-based and consists of several fields to be filled in with LDAP directory information:
Configuration Fields
Enabled/Disabled Toggle: Activates or deactivates LDAP authentication.
URL: The connection string to the LDAP server.
Search Base: The starting point within the LDAP directory from which to search for user entries.
Technical User: The distinguished name (DN) of a user with permissions to search the directory.
Technical User Password: The password for the technical user.
User Name Attribute: The attribute used to match the login identifier provided by the user.
Display Name Attribute (optional): The attribute that defines the user's full name.
Email Attribute (optional): The attribute for the user's email address.
User Group (optional): The name of a group that regular users must be a member of in order to log in.
Admin Group (optional): The name of a group whose members are logged in with the global admin role.
Server Certificate (optional): The public certificate for the LDAP server used to establish a secure connection.
Actions
Save: To store the entered LDAP configuration settings.
Constraints and Considerations
Accurate LDAP configuration is crucial for ensuring that users can log in and are assigned correct permissions based on their directory attributes and group memberships.
A technical user with adequate permissions must be provided to allow the API management platform to query the LDAP directory.
If using secure LDAP (LDAPS), the server certificate must be valid for the hostname in the URL and trusted by the API management platform, either because it was issued by a CA the platform trusts or because it was pasted into the Server Certificate field; otherwise no connection is established and no user can log in.
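The following added example is not the API Control Plane's own code. It models, offline, what the fields above drive: a bind as the technical user, a search restricted to the search base using the user name attribute, a bind as the found user to prove the password, and then the user group / admin group rules. The directory, the DNs, the group names APICP-Users and APICP-Admins and all passwords are constructed for the example; a real deployment would send the same filter to the server from the URL field. Two checks a practitioner will want are included: the login value is escaped before it goes into the search filter (RFC 4515), and an empty password is rejected up front, because many servers treat a bind with an empty password as an anonymous, and therefore successful, unauthenticated bind (RFC 4513).

```python
"""Offline model of the login flow that the LDAP fields on this page configure.

Added illustration, not the API Control Plane's own code: the directory is a
constructed in-memory dict and a "bind" is a password comparison, but the steps
(technical-user bind, search scoped to the search base, user bind, group rules)
follow the field descriptions on this page.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class LdapConfig:
    search_base: str
    technical_user: str
    technical_user_password: str
    user_name_attribute: str
    display_name_attribute: Optional[str] = None
    email_attribute: Optional[str] = None
    user_group: Optional[str] = None
    admin_group: Optional[str] = None


SUFFIX = "OU=apiida.com,DC=ad,DC=apiida,DC=com"
BASE = f"OU=Users,{SUFFIX}"

# Constructed sample directory: hypothetical DNs in the page's example layout.
DIRECTORY = {
    f"CN=svc-apicp,OU=Service,{SUFFIX}": {"password": "tech-pw", "attrs": {
        "sAMAccountName": ["svc-apicp"]}},
    f"CN=John Doe,{BASE}": {"password": "john-pw", "attrs": {
        "sAMAccountName": ["jdoe"], "displayName": ["John Doe"],
        "mail": ["john.doe@apiida.com"],
        "memberOf": [f"CN=APICP-Users,OU=Groups,{SUFFIX}"]}},
    f"CN=Alice Admin,{BASE}": {"password": "alice-pw", "attrs": {
        "sAMAccountName": ["aadmin"],
        "memberOf": [f"CN=APICP-Admins,OU=Groups,{SUFFIX}"]}},
    f"CN=Carl Nogroup,{BASE}": {"password": "carl-pw", "attrs": {
        "sAMAccountName": ["carl"]}},
    f"CN=Bob Outside,OU=Contractors,{SUFFIX}": {"password": "bob-pw", "attrs": {
        "sAMAccountName": ["bob"],
        "memberOf": [f"CN=APICP-Users,OU=Groups,{SUFFIX}"]}},
}

CONFIG = LdapConfig(
    search_base=BASE,
    technical_user=f"CN=svc-apicp,OU=Service,{SUFFIX}",
    technical_user_password="tech-pw",
    user_name_attribute="sAMAccountName",
    display_name_attribute="displayName",
    email_attribute="mail",
    user_group="APICP-Users",
    admin_group="APICP-Admins",
)

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login typed by a user must never reach the filter raw."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(attribute: str, login: str) -> str:
    return f"({attribute}={escape_filter_value(login)})"


def _dn_parts(dn: str) -> list:
    # Assumption: the constructed DNs contain no escaped commas.
    return [p.strip().lower() for p in dn.split(",")]


def is_under_base(dn: str, base: str) -> bool:
    """True if dn lies below base (the base entry itself does not count)."""
    d, b = _dn_parts(dn), _dn_parts(base)
    return len(d) > len(b) and d[-len(b):] == b


def group_name(group_dn: str) -> str:
    rdn = _dn_parts(group_dn)[0]
    return rdn.split("=", 1)[1] if rdn.startswith("cn=") else ""


def evaluate_filter(filter_str: str, attrs: dict) -> bool:
    """Minimal evaluator for one '(attr=value)' filter. An unescaped '*' is a
    wildcard, as on a real server, which is why escape_filter_value matters."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    unesc = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), s)
    rx = re.compile(".*".join(re.escape(unesc(p)) for p in m.group(2).split("*")), re.I)
    return any(rx.fullmatch(v) for v in attrs.get(m.group(1), []))


def authenticate(cfg: LdapConfig, directory: dict, login: str, password: str):
    """Returns (profile, None) on success or (None, reason) on failure."""
    if not password:  # would otherwise be an unauthenticated bind (RFC 4513)
        return None, "empty password rejected"
    tech = directory.get(cfg.technical_user)
    if tech is None or tech["password"] != cfg.technical_user_password:
        return None, "technical user bind failed"
    flt = build_user_filter(cfg.user_name_attribute, login)
    hits = [dn for dn, e in directory.items()
            if is_under_base(dn, cfg.search_base) and evaluate_filter(flt, e["attrs"])]
    if len(hits) != 1:  # zero: unknown user; more than one: ambiguous, also rejected
        return None, f"{flt} matched {len(hits)} entries under {cfg.search_base}"
    dn, entry = hits[0], directory[hits[0]]
    if entry["password"] != password:  # the user's own bind proves the password
        return None, "user bind failed"
    groups = {group_name(g) for g in entry["attrs"].get("memberOf", [])}
    if cfg.admin_group and cfg.admin_group.lower() in groups:
        role = "admin"
    elif cfg.user_group and cfg.user_group.lower() not in groups:
        return None, f"not a member of {cfg.user_group}"
    else:
        role = "user"
    a = entry["attrs"]
    first = lambda attr: (a.get(attr) or [None])[0] if attr else None
    return {"dn": dn, "role": role, "username": first(cfg.user_name_attribute),
            "display_name": first(cfg.display_name_attribute) or first(cfg.user_name_attribute),
            "email": first(cfg.email_attribute)}, None
```

With the constructed directory, jdoe logs in as a regular user, aadmin as global admin, carl is refused because he is in neither group, and bob is refused because his entry is outside the search base even though he is in APICP-Users. A login of `*` produces the filter `(sAMAccountName=\2a)` and matches nobody; left unescaped it would match every user under the base. Before saving real settings, the same search can be tried from a shell with `ldapsearch -H ldaps://my.server -D "<technical user DN>" -W -b "<search base>" "(sAMAccountName=jdoe)"`, which also surfaces certificate and credential problems before users do.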