Configure Lightweight Directory Access Protocol
Administrators can configure Layer7 API Developer Portal to support LDAP for user authentication. Other than organization and role, you cannot edit any other details of an external IdP user.
Prerequisite: An LDAP server that is populated with users and roles.
Follow these steps:
- Log in as an administrator.
- From the menu bar, select the gear icon, then Authentication.
- On the Authentication Schemes page, click the Add Authentication Scheme button.
- Provide the following information on the Add Authentication Scheme page:
- Providers: Select an LDAP provider from the available providers, and click Next.
- Basic Details: Specify the LDAP provider name, description, and a provider icon, and click Next. By default, the CA icon is set as the provider icon. Provide a different PNG file to change the icon, and ensure that the file size does not exceed 500 KB.
- Provider Configuration: Provide the following LDAP server details (attribute, description, and an example value where one is given):
  Connection Details
  - LDAP Host: Host name of your LDAP server.
  - LDAP Port: Port of your LDAP server.
  - SSL Enabled?: Select Yes if the connection from the LDAP client to the LDAP server is secured with SSL.
  Directory Details
  - Base Distinguished Name: Base Distinguished Name that is used as the starting point for the user search. Example: dc=ca,dc=com
  - Bind Distinguished Name: The complete Bind Distinguished Name of a user with search permissions in LDAP. Example: cn=admin,ou=admins,dc=ca,dc=com
  - Bind Password: Password that is associated with the Bind Distinguished Name.
  Lookup Query
  - Start *: The text string that forms the beginning of the LDAP search expression. Example: (&(cn=
  - End *: The text string that forms the end of the LDAP search expression. Example: )(objectClass=*))
  - Effective Query: The combination of the Start string, ID-From-Login, and the End string that makes up the LDAP search query. ID-From-Login is the username entered at login. Example: (&(cn= ID-From-Login )(objectClass=*))
  Attribute Mapping
  - Email: The email address attribute that is defined for users in your LDAP.
  - First Name: The first name attribute that is defined for users in your LDAP. Example: givenName
  - Last Name: The last name attribute that is defined for users in your LDAP. Example: sn
  Select Authorization Type
  - Portal: Select this authorization type to manage the organization and role mapping from Portal. This means you can map a Developer user (who has logged in to API Portal at least once) to multiple organizations by editing the user profile. Example: N/A
  - Identity Provider: Select this authorization type to take the organization and role attributes as provided by this external authentication scheme. This option does not allow a Portal administrator to map a Developer user to multiple organizations. If you want to change the authorization type from Identity Provider to Portal after creating the authentication scheme, see the "Change Existing Authentication Scheme from "Identity Provider" to "Portal"" section of the Map Existing IdP Users to Multiple Organizations topic. Example: N/A
  When Identity Provider is selected as the Authorization type
  - Organization: The organization attribute that a user is associated with. Example: o
  - Role: The user role attribute that is defined in your LDAP. Example: title
  - Map the API Portal user roles to the appropriate roles in your IdP: The API Portal user roles that correspond to the user roles defined in your LDAP:
Configure the group attribute to assign the role to all users present in a group. If the role attribute value is memberOf, provide the full DN in the role mapping. The following sample DN maps the Portal Administrator role to a group named "Engineering managers" in the domain ca.com: CN=Engineering managers, CN=users, DC=ca, DC=com
- Portal Administrator
- API Owner
- Org Administrator
- Click Create to save the LDAP configuration. LDAP is now configured, and LDAP users can be authenticated in CA APIM Portal. The CA APIM Portal login page now lists the configured LDAP providers. To set an authentication scheme as the default scheme, select the Set as Default option in the Actions section of the Authentication Schemes page. Once the LDAP authentication scheme is your default scheme, CA APIM Portal renders this LDAP login page to prompt for user credentials.
Note: To add and manage external users from API Portal, use the Users option in the navigation bar. For information about how to manage users from Portal, see the Get Started - User Types, Roles and Permissions section.
- If you have configured the authorization type as Portal, any new user who logs in to Portal has only Guest user privileges. To map a Developer to multiple organizations, you need a Portal administrator. Use one of the following methods:
  - Use an IdP Publisher with the Portal administrator role:
    - Create another LDAP authentication scheme with the authorization type "Identity Provider".
    - Add the role as Portal Administrator.
    - Log in to API Portal as the Portal administrator.
    - Edit the Developer user profile to map it to multiple organizations.
  - Use the Portal administrator added and managed in API Portal. Edit the Developer user profile to map it to multiple organizations.
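The Lookup Query rows above describe the Effective Query as Start string + ID-From-Login + End string, and the role-mapping note asks for a full group DN when the role attribute is memberOf. The following Python is an added example (not code from the Portal or from this page) showing how a safe implementation would assemble that query and match a user's memberOf values against a configured group DN. The Start and End strings and the "Engineering managers" DN are taken from the page; the login names and memberOf values are constructed sample data. The page does not state how the Portal itself escapes ID-From-Login or compares DNs, so the escaping (RFC 4515 filter escaping) and the whitespace/case-insensitive DN comparison are the example's own assumptions.

```python
from typing import Dict, Iterable, Set

# Values from the page's Lookup Query rows.
START = "(&(cn="
END = ")(objectClass=*))"

# Role mapping from the page's memberOf note (Portal role -> full group DN).
ROLE_MAPPING: Dict[str, str] = {
    "Portal Administrator": "CN=Engineering managers, CN=users, DC=ca, DC=com",
}

# RFC 4515 escapes for characters that would otherwise change the filter's meaning.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def effective_query(login: str, start: str = START, end: str = END) -> str:
    """Build Start + ID-From-Login + End, with the login escaped as filter data.

    Escaping is assumed here; it keeps a login such as 'j*smith' from being read
    as a wildcard and keeps parentheses from closing or opening filter terms.
    """
    return f"{start}{escape_filter_value(login)}{end}"


def normalize_dn(dn: str) -> str:
    """Normalize a DN for comparison: trim spaces around RDN separators, fold case.

    Simplification (assumption): escaped commas inside RDN values are not handled.
    """
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def map_roles(member_of: Iterable[str], role_mapping: Dict[str, str] = ROLE_MAPPING) -> Set[str]:
    """Return the Portal roles whose mapped group DN appears in the user's memberOf values."""
    groups = {normalize_dn(g) for g in member_of}
    return {role for role, group_dn in role_mapping.items() if normalize_dn(group_dn) in groups}


if __name__ == "__main__":
    # Constructed sample user: login name and memberOf values returned by the directory.
    print(effective_query("jsmith"))        # (&(cn=jsmith)(objectClass=*))
    print(effective_query("j*smith"))       # wildcard is escaped, not interpreted
    sample_member_of = [
        "cn=Engineering managers,cn=users,dc=ca,dc=com",
        "cn=Developers,cn=users,dc=ca,dc=com",
    ]
    print(map_roles(sample_member_of))      # {'Portal Administrator'}
```

The DN comparison is deliberately tolerant of the spaces after commas in the page's sample ("CN=Engineering managers, CN=users, ...") because directories usually return memberOf values without them; a byte-exact comparison would silently fail to assign the role.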
Edit and Delete LDAP Configuration
If your LDAP configuration changes, update it in CA APIM Portal as well.
To edit the LDAP details, follow these steps:
- Log in to CA APIM Portal as an Administrator.
- From the menu bar, select the gear icon, then Authentication.
- On the Authentication Schemes page, click the down arrow in the Actions section of a configured LDAP, and select Edit.
- On the Edit Authentication Scheme page, select the LDAP configuration section to edit. For example, to edit the provider details, select the Provider Configuration option. Make the required changes and click Save. You need to enter the Bind Password in order to save your changes.
- To delete an LDAP configured with CA APIM Portal: On the Authentication Schemes page, click the down arrow in the Actions section of a configured LDAP, and select Delete.