LDAP is a network protocol for locating data about organizations, individuals and other resources such as files and devices in a directory. LDAP is a "lightweight" version of the Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network. LDAP is considered lightweight because it runs directly over TCP/IP and implements a simplified subset of DAP, rather than requiring the full OSI protocol stack.

A directory tells the user where in the network something is located. On TCP/IP networks -- including the internet -- the domain name system (DNS) is the directory system used to relate the domain name to a specific network address, which is a unique location on the network. However, the user may not know the domain name. LDAP allows a user to search for an individual without knowing where they're located, although additional information will help with the search.

Configuration

  • Url

    • URL of your LDAP server. Must include the protocol (ldap:// or ldaps://) and the port if it is not the default (389 for ldap, 636 for ldaps). E.g. ldap://my.server or ldaps://my.server:1234

  • Search Base

    • DN of an organizational unit (OU) in your LDAP directory. Only users located under this OU, or under any OU beneath it, can log in. Example: OU=Users,OU=apiida.com,DC=ad,DC=apiida,DC=com

  • Technical User

    • Full DN of a user with read access to the directory (read-only access is sufficient and preferable). Tip: on Windows you can run 'whoami /fqdn' to get the DN of the current user. Example: CN=John Doe,OU=Users,OU=apiida.com,DC=ad,DC=apiida,DC=com

  • Technical User Password

    • Password of the technical user. The platform binds with this account to look up user entries.

  • User Name Attribute

    • Attribute of user entries that is used for login. This determines what your users will type as their username in the API Control Plane. Examples are mail, sAMAccountName and userPrincipalName.

  • Display Name Attribute (optional)

    • User entry attribute used to obtain the user's display name. If not specified, the user name attribute is used. Examples are cn, name and displayName.

  • Email Attribute (optional)

    • User entry attribute that (if present) is used to obtain the user's email address. In most cases this attribute is named mail.

  • User Group (optional)

    • If specified, regular users must, in addition to being located under the search base, be a member of a group (or OU) with this exact name. Users who are members of the admin group (if one is specified) may log in regardless.

  • Admin Group (optional)

    • If specified, any user under the search base who is also a member of a group (or OU) with this exact name is logged in with the global admin role.

  • Server Certificate (optional)

    • If you use ldaps with a self-signed certificate, enter it here in PEM format. The certificate must have been issued for the hostname used in the URL.
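As an added example (not code from the API Control Plane, its vendor, or this page), the following stdlib-only Python script applies the login rules described by the fields above, offline: it validates the URL, builds the user lookup filter with RFC 4515 escaping so that a typed login name cannot change the meaning of the filter, checks that a found entry lies under the search base (at any sub-OU depth), and derives the role from User Group and Admin Group. Two things are assumptions not stated on the page: group membership is read from the entry's memberOf attribute, and the "exact name" of a group is its CN. The configuration values, entry DN and group DNs are constructed sample data modelled on the examples above.

```python
"""Offline helpers mirroring the LDAP login rules described on this page.

Added example, not code from the API Control Plane. Assumptions not stated on
the page: membership comes from the entry's ``memberOf`` attribute, and the
"exact name" of a group is its CN.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Return (scheme, host, port); reject anything that is not ldap:// or ldaps://."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("URL must start with ldap:// or ldaps:// and name a host: %r" % url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter.

    Without this, a login name such as "*" or "jdoe)(objectClass=*" would
    rewrite the filter (LDAP injection) instead of matching one entry.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(user_name_attribute, login_name):
    """Filter that finds the entry whose User Name Attribute equals the login name."""
    return "(%s=%s)" % (user_name_attribute, escape_filter_value(login_name))


def _rdns(dn):
    """Split a DN into its RDN strings on unescaped commas (RFC 4514), trimmed.

    Simplification: attribute values are compared after lowercasing only; full
    DN matching rules (per-attribute syntax normalisation) are not applied."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def dn_under_base(entry_dn, search_base):
    """True if entry_dn is the search base itself or lies anywhere beneath it."""
    entry = [r.lower() for r in _rdns(entry_dn)]
    base = [r.lower() for r in _rdns(search_base)]
    return len(entry) >= len(base) and entry[-len(base):] == base


def _group_names(member_of):
    """CN values of the group DNs in memberOf (assumption: name == CN)."""
    names = set()
    for group_dn in member_of:
        attr, _, value = _rdns(group_dn)[0].partition("=")
        if attr.strip().lower() == "cn":
            names.add(value)
    return names


def resolve_role(entry_dn, member_of, search_base, user_group=None, admin_group=None):
    """Apply the page's rules: returns "admin", "user" or None (login denied).

    - not under the search base: denied
    - member of Admin Group (if set): global admin, regardless of User Group
    - User Group set: must be a member, otherwise denied
    - User Group unset: any user under the search base may log in
    """
    if not dn_under_base(entry_dn, search_base):
        return None
    names = _group_names(member_of)
    if admin_group and admin_group in names:
        return "admin"
    if user_group:
        return "user" if user_group in names else None
    return "user"


# Constructed sample data, modelled on the field examples on this page.
CONFIG = {
    "url": "ldaps://my.server:1234",
    "search_base": "OU=Users,OU=apiida.com,DC=ad,DC=apiida,DC=com",
    "user_name_attribute": "sAMAccountName",
    "user_group": "API Users",
    "admin_group": "API Admins",
}
SAMPLE_ENTRY_DN = "CN=John Doe,OU=Users,OU=apiida.com,DC=ad,DC=apiida,DC=com"
SAMPLE_MEMBER_OF = ["CN=API Admins,OU=Groups,DC=ad,DC=apiida,DC=com"]

if __name__ == "__main__":
    print(parse_ldap_url(CONFIG["url"]))
    # A malicious login name is neutralised by escaping:
    print(build_user_filter(CONFIG["user_name_attribute"], "jdoe)(objectClass=*"))
    print(resolve_role(SAMPLE_ENTRY_DN, SAMPLE_MEMBER_OF, CONFIG["search_base"],
                       CONFIG["user_group"], CONFIG["admin_group"]))
```

To check the same settings against a live directory before saving them, the OpenLDAP client can perform the technical user's bind and search with the PEM certificate from the Server Certificate field: LDAPTLS_CACERT=server.pem ldapsearch -H ldaps://my.server:1234 -D "<technical user DN>" -W -b "<search base>" "(sAMAccountName=jdoe)" cn mail memberOf. A bind failure there means the platform will fail in the same way.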

Overview

The LDAP (Lightweight Directory Access Protocol) configuration page in the API Control Plane is where administrators set up and manage LDAP integration for user authentication. This setup allows the platform to authenticate users against an LDAP directory such as Active Directory, OpenLDAP, or any other LDAP-compliant directory.

Configuration

(Screenshot: LDAP-20231205-101540.png)

Interface

Layout

This configuration page is found under the Authentication category in the Configuration section of the side navigation menu. A toggle switch at the top enables or disables LDAP integration; below it, a form holds the fields to be filled in with LDAP directory information.

Configuration Fields

  • Enabled/Disabled Toggle: Activates or deactivates LDAP authentication.

  • URL: The connection string to the LDAP server (ldap:// or ldaps://, with a port where it is not the default), indicating where the platform directs its authentication requests.

  • Search Base: The starting point within the LDAP directory from which the search for user entries begins.

  • Technical User: The distinguished name (DN) of a user with permission to search the LDAP directory; the platform binds as this user to query user data.

  • Technical User Password: The password field, obfuscated for security, corresponding to the technical user.

  • User Name Attribute: The attribute used to match the login identifier provided by the user, for example sAMAccountName or userPrincipalName.

  • Display Name Attribute (optional): The attribute that defines the user's full name; if provided, it determines how user names are displayed within the platform.

  • Email Attribute (optional): The attribute holding the user's email address.

  • User Group (optional): The name of an LDAP group that regular users must belong to, in addition to being located under the search base.

  • Admin Group (optional): The name of an LDAP group whose members are granted administrative privileges on the platform.

  • Server Certificate (optional): The LDAP server's public certificate in PEM format, used to establish a trusted secure connection (needed for ldaps with a self-signed certificate).

Actions

  • Save: Stores the entered LDAP configuration settings.

Constraints and Considerations

  • Accurate LDAP configuration is crucial for ensuring that users can log in and are assigned the correct permissions based on their directory attributes and group memberships.

  • A technical user with read access to the search base must be provided so that the platform can query the LDAP directory; do not use an account with write or administrative rights in the directory.

  • If using secure LDAP (LDAPS), the server certificate must be valid and trusted by the platform: either issued by a CA the platform already trusts, or supplied in the Server Certificate field, and in both cases issued for the hostname used in the URL.

  • A plain ldap:// URL sends the technical user's bind password (and any password verified against the directory) across the network unencrypted; use ldaps:// outside of isolated test environments.
