Configure Lightweight Directory Access Protocol

An administrator can configure API Developer Portal to support LDAP with Secure Sockets Layer (SSL) or without SSL for user authentication.
Prerequisite
An LDAP server that is populated with users and roles (groups).
How to Configure Lightweight Directory Access Protocol (LDAP)
To configure the CA APIM Portal for LDAP, follow these steps:
  1. Log in as an administrator.
  2. Select Administration, and then select the Authentication option in the navigation bar.
  3. On the Authentication Schemes page, select the Add Authentication Scheme button.
  4. In Providers, select LDAP as the provider from the available providers, and select Next.
  5. In Basic Details, enter the LDAP provider name and a description.
  6. (Optional) Add a provider icon, and select Next. The provider icon must be a PNG file, and its size must not exceed 500 KB.
  7. In Provider Configuration, configure the provider details. For more information about each field, see Add Provider Configuration Details.
  8. In Mappings, configure the values for user attribute mapping and role mapping. For more information about each field, see Map User Attributes and Map Roles.
  9. (Optional) In Advanced Configuration, select Enable to enforce enhanced security of user credentials. By default, the enhanced security option is disabled. The administrator can enable enhanced security while creating or editing the LDAP authentication scheme. Enabling it may have a minimal performance impact on validating users.
  10. Select Create to save the LDAP configuration. This step configures LDAP and lets LDAP users authenticate to CA APIM Portal. The CA APIM Portal login page now lists the configured LDAP providers.
To set an authentication scheme as the default scheme:
On the Authentication Schemes page, select the Set as Default option in the Actions drop-down list. Once the LDAP authentication scheme is your default, CA APIM Portal renders the LDAP login page to prompt for user credentials.
To add and manage external users from CA APIM Portal:
Select the Users option in the navigation bar. For more information about how to manage users from the Portal, see Manage Users.
Add Provider Configuration Details
The fields of the Provider Configuration step are listed below with a description and, where the documentation gives one, an example value.
Connection Details
  LDAP Host
    Description: Specify the hostname of the LDAP server. Provide only the hostname, not a full LDAP URL; if you provide the full URL, the configuration cannot be completed.
  LDAP Port
    Description: Specify the port that is used to communicate with the LDAP server. 389 is the standard port for LDAP without SSL; LDAP over SSL (LDAPS) conventionally uses 636.
    Example value: 389
  SSL Enabled? (Optional)
    Description: If the LDAP server is SSL enabled, select Yes to secure the communication between the LDAP client and the directory server. By default, LDAP without SSL is configured. Without SSL, the bind password and every user's login credentials cross the network in cleartext, so enable SSL wherever the directory supports it.
    If you select Yes, the Upload Certificate field appears. Select Choose File to upload a trusted certificate in X.509 format (typically the LDAP server's certificate or the CA certificate that issued it) so that the Portal can verify the server when it connects. Select Clear File to delete the uploaded file and use LDAP without SSL, or to upload a new certificate.
Directory Details
  Base Distinguished Name
    Description: Specify the base distinguished name that is used as the starting point for a user search.
    Example value: dc=ca,dc=com
  Bind Distinguished Name
    Description: Specify the complete distinguished name of a user with search permissions in LDAP. A dedicated account with read-only search permissions is sufficient; a directory administrator account is not required.
    Example value: cn=admin,ou=admins,dc=ca,dc=com
  Bind Password
    Description: Specify the password that is associated with the bind distinguished name.
Lookup Query
  Start
    Description: Specify the text string that begins the LDAP search expression.
    Example value: (&(cn=
  End
    Description: Specify the text string that ends the LDAP search expression.
    Example value: )(objectClass=*))
  Effective Query
    Description: The LDAP search query is the combination of the Start string, ID-From-Login, and the End string. ID-From-Login is the username that the user enters at login.
    Example value: (&(cn= ID-From-Login )(objectClass=*))
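Because ID-From-Login is spliced into the middle of a search filter, the username has to be treated as data, not as filter syntax: a value such as `*` or `jdoe)(|(cn=admin` would otherwise change what the query matches. The following Python is an added example, not code from the Portal; it shows the effective query being built from the Start and End values in the table above, with the login escaped as RFC 4515 requires, next to the unescaped form for contrast. The login names and the `naive_query` function are constructed for illustration.

```python
"""Added example (not part of the product documentation): how the
Lookup Query Start/End strings and ID-From-Login combine into the
effective LDAP search filter, and why the login must be escaped."""

START = "(&(cn="            # Start string from the table above
END = ")(objectClass=*))"   # End string from the table above

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value so they are matched literally instead of parsed.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def effective_query(login: str, start: str = START, end: str = END) -> str:
    """Start + ID-From-Login + End with the login escaped (the safe form)."""
    return f"{start}{escape_filter_value(login)}{end}"


def naive_query(login: str, start: str = START, end: str = END) -> str:
    """Start + ID-From-Login + End with no escaping. Constructed here only
    to contrast with effective_query; it is injectable."""
    return f"{start}{login}{end}"


def parens_balanced(ldap_filter: str) -> bool:
    """Minimal syntax check: every unescaped '(' is closed exactly once.
    Backslash escapes are '\\' plus two hex digits, so skip three chars."""
    depth = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    # Constructed login names: an ordinary user, a wildcard, and a
    # filter-injection attempt.
    for login in ("jdoe", "*", "jdoe)(|(cn=admin"):
        print(f"{login!r:24} naive={naive_query(login)}")
        print(f"{'':24} safe ={effective_query(login)}")
```

With the plain user `jdoe` both forms yield `(&(cn=jdoe)(objectClass=*))`. With `*` the naive form becomes `(&(cn=*)(objectClass=*))`, which matches every entry that has a cn, while the escaped form looks for a literal asterisk. Keep the Start and End strings as the only filter syntax; the login should never be able to add or close a filter component.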
Map User Attributes
Configure the user attributes and roles for the authentication scheme. Each Portal field is mapped to the name of the LDAP attribute that holds it.
Attribute Mapping
  Email
    Description: Specify the e-mail address attribute defined for users in your LDAP.
    Example value: mail
  First Name
    Description: Specify the first name attribute defined for users in your LDAP.
    Example value: givenName
  Last Name
    Description: Specify the last name attribute defined for users in your LDAP.
    Example value: sn
  Organization
    Description: Specify the organization attribute that a user is associated with.
    Example value: o
  Role
    Description: Specify the user role attribute defined in your LDAP.
    Example value: title
Map Roles
Select a role from the available list and map it to the CA APIM Portal user role that corresponds to the role defined in your LDAP. The Portal roles are:
    • Portal Administrator
    • API Owner
    • Developer
    • Org Administrator
To assign a role to all users in a group, use a group attribute as the role attribute. If the role attribute is memberOf, provide the full DN of the group in the role mapping; a bare group name does not match. The following sample group DN maps the Portal Administrator role to a group named "Engineering managers" in the domain ca.com:
CN=Engineering managers, CN=users, DC=ca, DC=com
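The two tables above describe a pure mapping step: attribute names select fields from the user's LDAP entry, and the role mapping compares a role attribute value (a group DN when the attribute is memberOf) against the values configured per Portal role. The Python below is an added example, not the Portal's code, that applies those mappings to a constructed LDAP entry; it uses the attribute names from the Map User Attributes table, while the group DNs in `ROLE_MAP`, the sample entry, and the `check_role_map` helper are assumptions made for illustration. DN comparison is normalized for case and for whitespace around RDN separators, which is why "CN=Engineering managers, CN=users, DC=ca, DC=com" matches the form Active Directory returns.

```python
"""Added example (not the product's code): applying the attribute and
role mappings documented above to an LDAP entry."""

import re
from typing import Dict, List

# Map User Attributes table: Portal field -> LDAP attribute name.
ATTRIBUTE_MAP = {
    "email": "mail",
    "first_name": "givenName",
    "last_name": "sn",
    "organization": "o",
}
ROLE_ATTRIBUTE = "memberOf"   # group-based roles; "title" for a value-based role

# Map Roles: Portal role -> role attribute value. With memberOf this must
# be the group's full DN. The DNs below are constructed example values.
ROLE_MAP = {
    "Portal Administrator": "CN=Engineering managers, CN=users, DC=ca, DC=com",
    "Developer": "CN=Developers,CN=Users,DC=ca,DC=com",
}


def normalize_dn(dn: str) -> str:
    """Pragmatic DN canonicalization for comparison: split on unescaped
    commas, lower-case attribute types and values (cn/ou/dc/o all use
    case-insensitive matching rules) and drop the whitespace around RDN
    separators. Not a full RFC 4514 canonicalizer: multi-valued RDNs
    are not reordered."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(parts)


def check_role_map(role_map: Dict[str, str], role_attribute: str = ROLE_ATTRIBUTE) -> List[str]:
    """Constructed sanity check: with memberOf, return the Portal roles whose
    mapping value is not a DN (a bare group name never matches)."""
    if role_attribute.lower() != "memberof":
        return []
    return [role for role, value in role_map.items() if "=" not in value]


def map_user(entry: Dict[str, List[str]], role_map: Dict[str, str] = ROLE_MAP,
             role_attribute: str = ROLE_ATTRIBUTE) -> dict:
    """Build the Portal user record from an LDAP entry (attribute -> values)."""
    user = {field: (entry.get(attr) or [None])[0] for field, attr in ATTRIBUTE_MAP.items()}
    values = entry.get(role_attribute, [])
    if role_attribute.lower() == "memberof":
        present = {normalize_dn(v) for v in values}
        user["roles"] = [r for r, dn in role_map.items() if normalize_dn(dn) in present]
    else:
        present = {v.strip().lower() for v in values}
        user["roles"] = [r for r, v in role_map.items() if v.strip().lower() in present]
    return user


# Constructed LDAP entry in the shape a client library returns it.
SAMPLE_ENTRY = {
    "cn": ["jdoe"],
    "mail": ["jdoe@ca.com"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "o": ["CA"],
    "memberOf": [
        "CN=Engineering Managers,CN=Users,DC=ca,DC=com",
        "CN=VPN Users,CN=Users,DC=ca,DC=com",
    ],
}

if __name__ == "__main__":
    print(map_user(SAMPLE_ENTRY))
    print("non-DN role mappings:", check_role_map({"Developer": "Developers"}))
```

A user whose groups match none of the mapped DNs gets an empty role list rather than a default role, so verify the mappings against a known test user before making the LDAP scheme the default login.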
Edit LDAP Configuration
To edit the LDAP details:
  1. Log in to the API Portal as an Administrator.
  2. Select Administration, and then select the Authentication option in the navigation bar.
  3. On the Authentication Schemes page, select the drop-down list in Actions for a configured LDAP, and select Edit.
  4. On the Edit Authentication Scheme page, select the part of the LDAP configuration to edit. For example, to edit the provider details, select the Provider Configuration tab. Make the required changes and select Save.
Delete LDAP Configuration
To delete the LDAP configuration:
  1. Log in to the API Portal as an Administrator.
  2. Select Administration, and then select the Authentication option in the navigation bar.
  3. On the Authentication Schemes page, select the down arrow in the Actions section of a configured LDAP, and select Delete.