
Generate an API token using LDAP

David Garvey edited this page Feb 15, 2019 · 6 revisions

This example shows how to use the Tyk API Gateway and Identity Broker to allow users to access an API using an LDAP-based identity provider. The example uses OpenLDAP, but any LDAP-compatible provider, such as Active Directory, should work.

Prerequisites

For this example we are using a Docker-based installation:

Application configuration

The application configuration should be set up as standard. See configuring Tyk Identity Broker.

Solution

This assumes you have a good understanding of the Tyk products already and just need guidance on the Identity Broker profile configuration.

Identity Broker profile

The Identity Broker's profiles.json file configures how it will process authentication requests. Add this profile to it, but update the values based on your Tyk and LDAP installations:

{
    "ActionType": "GenerateTemporaryAuthToken",
    "ID": "ldap",
    "IdentityHandlerConfig": {
        "DashboardCredential": "756fb086d5fe461364944921d00f36ae",
        "TokenAuth": {
            "BaseAPIID": "9d53858fdaa94f5e6bdf222cfb5085f3"
        }
    },
    "MatchedPolicyID": "5c6659e073beb1000115473c",
    "OrgID": "5c652b6b73beb10001154739",
    "ProviderConfig": {
        "FailureRedirect": "http://example.com/failure",
        "LDAPAttributes": [],
        "LDAPPort": "389",
        "LDAPServer": "openldap",
        "LDAPUserDN": "cn=*USERNAME*,dc=my-company,dc=com"
    },
    "ProviderName": "ADProvider",
    "ReturnURL": "",
    "Type": "redirect"
}

  • ActionType: Instructs the Identity Broker on what action to perform if the user authentication is successful. In this case we use GenerateTemporaryAuthToken as we want to generate an API token.
  • ID: Profile Id which will be used when accessing the Identity Broker endpoint. Must be unique in profiles.json.
  • IdentityHandlerConfig.DashboardCredential: Tyk Dashboard API Access Credentials of the Dashboard user. Must be in the same Organisation as the API referenced by IdentityHandlerConfig.TokenAuth.BaseAPIID.
  • IdentityHandlerConfig.TokenAuth.BaseAPIID: Id of the API.
  • MatchedPolicyID: Policy Id of the policy which grants access to the API.
  • OrgID: Organisation Id of the user referenced by IdentityHandlerConfig.DashboardCredential.
  • ProviderConfig.FailureRedirect: URL to redirect to if the LDAP authentication fails.
  • ProviderConfig.LDAPAttributes: Attributes used as part of the LDAP search request.
  • ProviderConfig.LDAPPort: Port on which Identity Broker can connect to the LDAP server.
  • ProviderConfig.LDAPServer: Hostname on which Identity Broker can connect to the LDAP server.
  • ProviderConfig.LDAPUserDN: The 'Distinguished Name' of the user the Identity Broker will attempt to authenticate. It must include the value *USERNAME*, which acts as a placeholder that the Identity Broker replaces with the username it receives in the request.
  • ProviderName: Specifies the provider type the Identity Broker will use, in this case ADProvider.
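As an added example (not part of this page or of Tyk Identity Broker), the following Python checks the invariants the field list above states for a profiles.json and performs the *USERNAME* substitution the page describes. The profiles.json content is constructed, with placeholder IDs and a second, deliberately faulty entry; the RFC 4514 escaping in render_user_dn is this helper's own safeguard, not a description of what the broker does.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed profiles.json content: the profile from this page with placeholder IDs,
# plus a second, deliberately faulty entry that reuses the same ID.
PROFILES_JSON = """[
  {"ActionType": "GenerateTemporaryAuthToken", "ID": "ldap",
   "IdentityHandlerConfig": {"DashboardCredential": "<dashboard credential>",
                             "TokenAuth": {"BaseAPIID": "<api id>"}},
   "MatchedPolicyID": "<policy id>", "OrgID": "<org id>",
   "ProviderConfig": {"FailureRedirect": "http://example.com/failure",
                      "LDAPAttributes": [], "LDAPPort": "389", "LDAPServer": "openldap",
                      "LDAPUserDN": "cn=*USERNAME*,dc=my-company,dc=com"},
   "ProviderName": "ADProvider", "ReturnURL": "", "Type": "redirect"},
  {"ActionType": "GenerateTemporaryAuthToken", "ID": "ldap", "ProviderName": "ADProvider",
   "ProviderConfig": {"FailureRedirect": "/failure", "LDAPPort": "ldap",
                      "LDAPServer": "openldap", "LDAPUserDN": "cn=admin,dc=my-company,dc=com"}}
]"""
PROFILES = json.loads(PROFILES_JSON)
PLACEHOLDER = "*USERNAME*"


def check_profiles(profiles):
    """Return one message per violated invariant from the field list above."""
    problems, seen = [], set()
    for i, p in enumerate(profiles):
        pid, cfg = p.get("ID", ""), p.get("ProviderConfig", {})
        tag = f"profile[{i}] ID={pid!r}"
        if pid in seen:
            problems.append(f"{tag}: ID must be unique in profiles.json")
        seen.add(pid)
        if p.get("ActionType") != "GenerateTemporaryAuthToken":
            problems.append(f"{tag}: ActionType must be GenerateTemporaryAuthToken for a token profile")
        if PLACEHOLDER not in cfg.get("LDAPUserDN", ""):
            problems.append(f"{tag}: LDAPUserDN must contain {PLACEHOLDER}")
        if not cfg.get("LDAPPort", "").isdigit():
            problems.append(f'{tag}: LDAPPort must be a numeric string such as "389"')
        if not urlsplit(cfg.get("FailureRedirect", "")).netloc:
            problems.append(f"{tag}: FailureRedirect must be an absolute URL")
    return problems


def render_user_dn(template, username):
    """Substitute the username into LDAPUserDN, escaping DN-special characters (RFC 4514)
    first so the rendered DN stays well-formed; the escaping is this helper's own safeguard."""
    escaped = re.sub(r'([\\,+"<>;=#])', r"\\\1", username)
    return template.replace(PLACEHOLDER, escaped)
```

Running check_profiles(PROFILES) reports the four faults in the second entry and nothing for the first, and render_user_dn(PROFILES[0]["ProviderConfig"]["LDAPUserDN"], "admin") yields the DN the broker would bind with for the admin user.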

LDAP server

For this example we are using a Docker container to provide an LDAP server: https://hub.docker.com/r/mwaeckerlin/openldap/.

I added the container to my host like so:

docker run -d --name openldap --network tyk_network -p 389:389 \
    -e DEBUG_LEVEL=1 \
    -e DOMAIN=my-company.com \
    -e ORGANIZATION="My Company" \
    -e PASSWORD=1234567890 \
    mwaeckerlin/openldap

This exposes the container on port 389 on the hostname openldap and joins the container to the tyk_network network so that it can connect to the other Tyk components. It also creates a basic admin user with the password 1234567890.

Test the solution

Note: Once you have saved your Identity Broker profile, make sure to restart the Identity Broker before testing the solution. This will allow the new profile configuration to be loaded.

To generate an API token using LDAP, call the Identity Broker API, e.g.:

curl -X POST \
    http://localhost:3010/auth/ldap/user \
    -d 'username=admin&password=1234567890'

  • -X POST: We need to POST the user credentials.
  • http://localhost:3010/auth/ldap/user: URL for the Identity Broker. In this example I am running a local Docker container, so I can use localhost:3010. The path contains three elements:
    • auth: Endpoint for Identity Broker authentication API calls.
    • ldap: ID of the Identity Broker profile.
    • user: This element isn't actually used by the LDAP provider, but we still need to provide some value.
  • -d 'username=admin&password=1234567890': The username and password provided as an application/x-www-form-urlencoded body. Here we are providing username admin and password 1234567890.

This request will trigger the Identity Broker to connect to the LDAP server and verify the credentials.

If the request is successful, an API key will be generated and it will be returned in the response:

{
    "key_id": "5c652b6b73beb10001154739f8185d5f9be148e9a2173c24acbc6c71"
}

If the request is not successful, the Identity Broker will redirect the request to the URL provided in the profile's ProviderConfig.FailureRedirect.

The API key can then be used to make API requests.
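An added example, not from this page or from Tyk: a Python client that performs the POST described above and treats a 3xx reply as the FailureRedirect case, exercised against a constructed stand-in for the Identity Broker so it runs offline. The stand-in's credentials, profile ID and key_id value are constructed; only the endpoint path, form fields and response shape follow the page.

```python
import http.client
import json
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values: the admin credentials from the docker run example above
# and the FailureRedirect URL from the profile.
VALID_USER, VALID_PASSWORD = "admin", "1234567890"
FAILURE_REDIRECT = "http://example.com/failure"


def request_token(host, port, profile_id, username, password):
    """POST form-encoded credentials to /auth/<profile ID>/user. A 200 with key_id means
    the broker issued a token; a 3xx means the LDAP check failed (FailureRedirect)."""
    body = urllib.parse.urlencode({"username": username, "password": password})
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", f"/auth/{profile_id}/user", body,
                 {"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    if resp.status == 200:
        return {"ok": True, "key_id": json.loads(resp.read())["key_id"]}
    if 300 <= resp.status < 400:  # http.client does not follow redirects, so we see it
        return {"ok": False, "redirect": resp.getheader("Location")}
    raise RuntimeError(f"unexpected status {resp.status}")


class FakeBroker(BaseHTTPRequestHandler):
    """Constructed stand-in for the Identity Broker endpoint so the demo runs offline."""
    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = urllib.parse.parse_qs(raw)
        creds = (form.get("username", [""])[0], form.get("password", [""])[0])
        if self.path == "/auth/ldap/user" and creds == (VALID_USER, VALID_PASSWORD):
            payload = json.dumps({"key_id": "constructed-key-id"}).encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)
        else:  # a failed LDAP check is answered with a redirect, not a JSON error
            self.send_response(302)
            self.send_header("Location", FAILURE_REDIRECT)
            self.end_headers()


def start_fake_broker():
    server = HTTPServer(("127.0.0.1", 0), FakeBroker)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_port
```

Call start_fake_broker() and then request_token("127.0.0.1", port, "ldap", "admin", "1234567890") to see the success and redirect cases; against a real broker, drop the stand-in and call request_token("localhost", 3010, "ldap", ...) instead.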
