
Configuring RBM for LDAP based Authentication & Authorization in DataPower

Updated: Dec 20, 2019

DataPower uses Role-Based Management (RBM) for access control. By default, RBM uses local user accounts and user groups to authenticate and authorize users of the DataPower interfaces (WebGUI / Blueprint Console, XML Management Interface, REST Management Interface, etc.). It can instead be configured to use your LDAP / Active Directory server to authenticate and authorize the users working with these interfaces.

In this blog, I will illustrate how to configure RBM for:

  • authenticating users against LDAP user accounts

  • obtaining the group membership of authenticated users from LDAP

  • setting up local user groups matching the LDAP groups, for access control


Requirements:

  1. Apache Directory Studio, used as the LDAP server

  2. Administrative access to the DataPower environment


LDAP Configuration


The figure below shows the LDAP configuration used for this illustration.

[Image: LDAP configuration]

Also provided below is a snapshot of my Apache LDAP server.

[Image: LDAP hierarchy in Apache Directory Studio]

The image below shows the attributes of the devgrp group configured in LDAP.

[Image: Properties of the devgrp group configured in LDAP]

The image below shows the attributes of the devusr1 user account configured in LDAP.

[Image: Properties of the devusr1 user account configured in LDAP]

DataPower Configuration: Application Domain Configuration

  • Access the DataPower WebGUI using the URL https://[dp-mgmt-address]:[web-interface-port] and log in with the admin user account into the default domain.

[Image: DataPower WebGUI login screen]

  • From the left-side navigation options, navigate to Administration > Configuration > Application Domain.

[Image: DataPower Application Domain configuration screen]

  • In the Configure Application Domain screen, click on Add to create a new Application Domain named "dev", as shown below.

[Image: DataPower: creating the new Application Domain "dev"]

DataPower Configuration: User Group Configuration

  • Access the DataPower WebGUI using the URL https://[dp-mgmt-address]:[web-interface-port] and log in with the admin user account into the default domain.

  • From the left-side navigation options, navigate to Administration > Access > User Group.

[Image: DataPower User Group configuration screen]

  • In the Configure User Group screen, click on Add to create a new user group. We will create the user group with the same name as the group (refer to its cn attribute) created in the LDAP server.

  • Specify the name of the group as "devgrp".

  • Members of this group should have complete access only to the "dev" application domain. To create the Access Profile for the user group as per our requirement, click on Build and select the property values as shown.

[Image: DataPower: creating the new user group devgrp, named after the LDAP group]

  • Click on Apply to complete configuring the user group.

DataPower Configuration: RBM Configuration

  • Access the DataPower WebGUI using the URL https://[dp-mgmt-address]:[web-interface-port] and log in with the admin user account into the default domain.

  • From the left-side navigation options, navigate to Administration > Access > RBM Settings.

[Image: DataPower RBM Settings screen]
  • In the RBM Settings screen, click on Authentication tab, to configure LDAP based authentication

  • Select the Authentication Method as LDAP from the drop-down

  • Specify the LDAP Server host name in Server Host property

  • Specify the LDAP server’s port for the Server Port property

  • Change the value for LDAP Version to v3

  • Enable the property Search LDAP for DN, by selecting the "on" option

  • In the LDAP bind DN property, configure the DN of the LDAP user account that DataPower uses to connect to the LDAP server. In my illustration, I am specifying the value as "cn=dpldap,ou=people,dc=nebula,dc=com".

[Image: LDAP authentication configuration - 1]
  • Create new LDAP bind password alias object to specify the password associated with LDAP bind DN user account for LDAP connection, by clicking the (+) icon

  • Provide any suitable name for the object

  • Specify the password to be used for LDAP connection that corresponds to the LDAP bind DN user account.

[Image: DataPower LDAP password alias configuration]
  • Click on Apply to complete the configuration and return to earlier screen

  • Create a new LDAP search parameters object to specify the criteria DataPower uses to locate the user account in the LDAP server. For my illustration, I am assuming that DataPower users will use the uid attribute value as their login id to the DataPower interfaces.

  • Provide any suitable name for the LDAP search parameter object, e.g. ldapUserSearch

  • Provide the LDAP Base DN, under which the user accounts are created in the LDAP hierarchy. As per the LDAP configuration structure provided at the top of this document, all the user accounts are created under "ou=people" and hence the complete base DN for the user account is configured as "ou=people,dc=nebula,dc=com"

  • Let the LDAP returned attribute of the successfully matched user account be "dn" itself

  • To search the user account matching the login id entered by DataPower user with the uid attribute on the LDAP server, provide the LDAP filter Prefix property value as "(&(uid="

  • Provide the LDAP Filter Suffix property value as ")(objectClass=person))"

[Image: LDAP search parameters for the user account]
  • Click Apply to complete configuring LDAP search parameter and return to earlier screen

  • Although we have now configured LDAP for authentication, for scenarios such as a network issue or LDAP server unavailability it is better to have a fallback option, to ensure that DataPower remains accessible, if not to all users, at least to a select few, especially the administrators.

  • Under Fallback section, select the option "Specific Users" for the Local accounts for fallback property

  • Add "admin" as one of the fallback user accounts.

[Image: LDAP authentication configuration - 2]
  • Click on Apply to save the configuration

Note: Based on the LDAP Filter Prefix and Suffix configured, when a user logs in to DataPower as devusr1, the LDAP search filter is constructed as "(&(uid=devusr1)(objectClass=person))" to locate the matching user account in LDAP.


Now that we have configured RBM for LDAP-based authentication, let's configure it further to retrieve the group membership of the users from LDAP.

  • In the RBM Settings screen, click on Credential-Mapping tab, to configure for fetching group membership from LDAP

  • Leave the Credential Mapping method property value as "Local user group"

  • Enable the property Search LDAP for group name, by selecting the option "on"

  • Specify the LDAP Server host name in Server Host property

  • Specify the LDAP server’s port for the Server Port property

  • Change the value for LDAP Version to v3

  • Enable the property Search LDAP for DN, by selecting the "on" option

  • In the LDAP bind DN property, configure the DN of the LDAP user account that DataPower uses to connect to the LDAP server. In this illustration, I am specifying the value as "cn=dpldap,ou=people,dc=nebula,dc=com".

  • For the LDAP bind password alias property, select the object created earlier from the drop-down.

[Image: LDAP group retrieval configuration - 1]
  • Create a new LDAP search parameters object to specify the criteria DataPower uses to locate the group membership of the authenticated user in the LDAP server.

  • Provide any suitable name for the LDAP search parameter object, e.g. ldapGrpSearch

  • Provide the LDAP Base DN under which the groups are created in the LDAP hierarchy. As per the LDAP configuration structure provided at the top of this document, all the groups are created under "ou=group" and hence the complete base DN for the group search is configured as "ou=group,dc=nebula,dc=com".

  • Specify the LDAP returned attribute of the successfully matched group membership as "cn".

  • To search the group membership of authenticated users, we will be using the "member" attribute of group. Provide the LDAP filter Prefix property value as "(&(member="

  • Provide the LDAP Filter Suffix property value as ")(objectClass=groupOfNames))"

[Image: LDAP group search parameters configuration]
  • Click Apply to complete configuring LDAP search parameter and return to earlier screen

[Image: LDAP group retrieval configuration - 2]
  • Click on Apply to save the configuration of RBM Settings.

We have now successfully configured our DataPower RBM settings to use LDAP for authentication as well as for retrieving the group membership of the authenticated users.

You can further confirm / test this by logging in to the DataPower WebGUI as devusr1 with the corresponding password for the account as configured in the LDAP server. This user account will be given access only to the dev application domain, since it is a member of devgrp in the LDAP server.
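To make the two-stage lookup concrete, here is an added Python example (not part of the original post and not DataPower code) that replays the RBM flow described above with the post's own prefix/suffix and base DN values: user search with the uid filter, bind as the returned DN, group search on the group's member attribute returning cn, and mapping of the LDAP group name to the local DataPower user group. The directory is a small constructed in-memory stand-in for the Apache DS tree, and the passwords are placeholders. Because both filters are built by concatenating a prefix, a value and a suffix, the example escapes the inserted value per RFC 4515 before building the filter, so that a login id containing `*`, `(` or `)` cannot alter the filter; whether DataPower itself applies this escaping is not stated in the post and is an assumption to verify in your own testing.

```python
import re

# Values taken from the post's RBM configuration
USER_BASE_DN = "ou=people,dc=nebula,dc=com"
USER_FILTER_PREFIX = "(&(uid="
USER_FILTER_SUFFIX = ")(objectClass=person))"
GROUP_BASE_DN = "ou=group,dc=nebula,dc=com"
GROUP_FILTER_PREFIX = "(&(member="
GROUP_FILTER_SUFFIX = ")(objectClass=groupOfNames))"
LOCAL_USER_GROUPS = {"devgrp"}  # user groups defined on the DataPower side

# Constructed stand-in for the Apache DS tree shown in the post; passwords are placeholders.
DIRECTORY = {
    "cn=dpldap,ou=people,dc=nebula,dc=com": {
        "objectClass": {"person"}, "uid": {"dpldap"}, "userPassword": "bind-pw-placeholder"},
    "cn=devusr1,ou=people,dc=nebula,dc=com": {
        "objectClass": {"person"}, "uid": {"devusr1"}, "userPassword": "devusr1-pw-placeholder"},
    "cn=devgrp,ou=group,dc=nebula,dc=com": {
        "objectClass": {"groupOfNames"}, "cn": {"devgrp"},
        "member": {"cn=devusr1,ou=people,dc=nebula,dc=com"}},
}


def escape_filter_value(value):
    """RFC 4515 escaping of a value placed inside a search filter.
    Backslash is handled first so the other escapes are not double-escaped."""
    for ch in ("\\", "*", "(", ")", "\x00"):
        value = value.replace(ch, "\\%02x" % ord(ch))
    return value


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(login_id):
    """Prefix + escaped login id + suffix, as the post's RBM Authentication tab does."""
    return USER_FILTER_PREFIX + escape_filter_value(login_id) + USER_FILTER_SUFFIX


def build_group_filter(user_dn):
    """Prefix + escaped user DN + suffix, as the post's Credential-Mapping tab does."""
    return GROUP_FILTER_PREFIX + escape_filter_value(user_dn) + GROUP_FILTER_SUFFIX


_AND_FILTER = re.compile(r"\(&((?:\([A-Za-z]+=[^()]*\))+)\)")
_ASSERTION = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def search(base_dn, ldap_filter, returned_attribute):
    """Minimal evaluator for the '(&(a=v)(b=w))' filters the post constructs.
    Only exact, case-sensitive equality is supported, which is enough to show the
    flow; a real LDAP server applies the schema's matching rules instead."""
    if not _AND_FILTER.fullmatch(ldap_filter):
        raise ValueError("malformed filter: %r" % ldap_filter)
    assertions = [(a, unescape_filter_value(v)) for a, v in _ASSERTION.findall(ldap_filter)]
    results = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base_dn):
            continue  # entry is outside the configured search base
        if all(v in attrs.get(a, set()) for a, v in assertions):
            results.append(dn if returned_attribute == "dn" else next(iter(attrs[returned_attribute])))
    return results


def authenticate_and_map(login_id, password):
    """Replays the RBM flow: user search -> bind -> group search -> local user group."""
    user_dns = search(USER_BASE_DN, build_user_filter(login_id), "dn")
    if len(user_dns) != 1:
        return {"authenticated": False, "reason": "user lookup returned %d entries" % len(user_dns)}
    user_dn = user_dns[0]
    # Bind step: DataPower binds as the located DN with the password the user typed.
    if DIRECTORY[user_dn]["userPassword"] != password:
        return {"authenticated": False, "reason": "bind failed"}
    ldap_groups = search(GROUP_BASE_DN, build_group_filter(user_dn), "cn")
    # Credential mapping "Local user group": only LDAP group names that also exist as
    # DataPower user groups carry an access profile.
    mapped = sorted(g for g in ldap_groups if g in LOCAL_USER_GROUPS)
    return {"authenticated": True, "dn": user_dn,
            "ldap_groups": sorted(ldap_groups), "local_user_groups": mapped}


if __name__ == "__main__":
    print(build_user_filter("devusr1"))
    print(authenticate_and_map("devusr1", "devusr1-pw-placeholder"))
```

Running the block prints the same filter the post's Note shows and a result mapping devusr1 to the local devgrp user group; a wrong password fails at the bind step, and a login id such as "dev*" is escaped to "dev\2a" and so matches no account instead of acting as a wildcard.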



3 Comments


Prashant


Hope it's all working now after our connect. Do reach out if you have any further queries / issues.


Thanks

Yuvi


prashant.sidana19
May 27, 2020

Hi Yuvaraj,


Can you please suggest on this.


Regards

Prashant Sidana


prashant.sidana19
May 21, 2020

Hi Yuvaraj,

How are you doing? I tried following your document to configure LDAP on DP GW but it's not working. So I need your support to suggest where I have gone wrong. I have shared below the steps that I have followed.


- Created a user group - DPGWGroup

- Got my user added in this group

- Mentioned below is the configuration details

LDAP URL -LDAPS://Etisalat.Corp.ae:636

Base DN - DC=ETISALAT,DC=CORP,DC=AE

User DN (you don't have user name) use Group DN -

CN=DPGWGroup,OU=AppGroups,DC=etisalat,DC=corp,DC=ae

Search Attribute -sAMAccountName

FQDN - Etisalat.corp.ae

Prefix - As above

Suffix - As above

DP GW configuration

Created a user group - DPGWGroup

RBM Setting Authentication -

Authentication method : LDAP

Server host:…

