In this part of our series we take a deeper look at how the LDAP reverse proxy works and what needs to be done to make it work.
First we look at what needs to be done on the CI side and what information needs to be collected.
We need to know the cloud URL; for this example we will use:
Log into the administrative console and select “Configuration” from the menu.
On the right side select Add API Client.
Enter a name for the client: “blog_client”.
Scroll down and select the permission “Auth any user”, as we saw in the API documentation.
After saving, the client ID and secret are created; select the edit icon and copy these two values.
Client ID: d5ed9669-79e5-48df-84a6-9ec1c99ca220
Client Secret: u6d1QYuypF
Cancel out of this window, select the Identity Sources tab, and select the source “Cloud Directory”; from that view copy the ID.
Cloud Directory ID: bbdef01e-dce8-4fa4-b310-88b42b48169d
This is all we need to do to enable CI for access by the proxy.
We will store the configuration in a single properties file, which has the following format:
The tenant information is what we set up and discovered in the CI configuration.
The ldap information is what we define; the client uses it to form the LDAP bind and search configuration (this can be set to match what is used today).
The cache information specifies how long the user information is stored in the cache, i.e. how much time can elapse between the bind and the lookup operation. The time to live value is in seconds.
The log value sets the log level used; for now we use the highest log level, “log”.
The CIToken.js class is used to get and refresh the access token needed to perform the authentication call to the CI REST APIs. The class uses the configuration to obtain the token and refreshes it as needed. Other components call the class's get() function to obtain and use the token.
The setTimeout method is used to sleep and then refresh the token; the refresh callback schedules the next refresh in the same way, so the refresh runs recursively.
The CIRequest.js class provides methods that abstract the POST and GET operations needed for the CI REST API calls. It manages use of the token under the covers, as well as the required headers. In this example we only need the POST operation.
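As an added illustration of the two classes described above (this is example code written for this page, not the CIToken.js or CIRequest.js of the project), the following Node.js snippet shows a token holder whose refresh re-schedules itself with setTimeout, hands the token out through get(), and a POST wrapper that attaches the bearer token and JSON headers. The token source and the transport are injected so the code runs offline; the sixty-second refresh margin, the tenant URL and the request path are assumptions standing in for the real HTTPS calls to the CI tenant.

```javascript
// Added example (not the blog's CIToken.js / CIRequest.js). The tokenSource
// and transport callbacks are assumptions that stand in for the real HTTPS
// calls; the clock is injectable so the refresh arithmetic can be checked.

const REFRESH_MARGIN_SEC = 60; // assumed: refresh this long before expiry

// Milliseconds to wait before refreshing a token that lives expiresIn seconds.
function refreshDelayMs(expiresIn) {
  const secs = Math.max(expiresIn - REFRESH_MARGIN_SEC, 1);
  return secs * 1000;
}

class CIToken {
  // tokenSource: () => { access_token, expires_in }   (synchronous here)
  // clock: () => milliseconds since the epoch
  constructor(tokenSource, clock = Date.now) {
    this.tokenSource = tokenSource;
    this.clock = clock;
    this.token = null;
    this.expiresAt = 0;
    this.timer = null;
    this.refresh();
  }

  // Fetch a new token and schedule the next refresh: the timer callback calls
  // refresh() again, which is the recursive sleep-then-refresh loop.
  refresh() {
    const reply = this.tokenSource();
    this.token = reply.access_token;
    this.expiresAt = this.clock() + reply.expires_in * 1000;
    if (this.timer) clearTimeout(this.timer);
    this.timer = setTimeout(() => this.refresh(), refreshDelayMs(reply.expires_in));
    this.timer.unref(); // the refresh loop must never keep the process alive
    return this.token;
  }

  // Called by other components. A stale token (e.g. a missed timer after the
  // machine slept) is refreshed on demand instead of being sent out expired.
  get() {
    if (!this.token || this.clock() >= this.expiresAt) return this.refresh();
    return this.token;
  }

  stop() { if (this.timer) clearTimeout(this.timer); this.timer = null; }
}

// Stand-in for CIRequest.post(): builds the request the proxy would send,
// with the bearer token and JSON headers. transport is injected so this runs
// offline; a real version would use https.request against the tenant URL.
class CIRequest {
  constructor(tenantUrl, ciToken, transport) {
    this.tenantUrl = tenantUrl;
    this.ciToken = ciToken;
    this.transport = transport;
  }
  post(path, body) {
    const req = {
      method: 'POST',
      url: this.tenantUrl + path,
      headers: {
        'Content-Type': 'application/json',
        Accept: 'application/json',
        Authorization: 'Bearer ' + this.ciToken.get(),
      },
      body: JSON.stringify(body),
    };
    return this.transport(req);
  }
}

// Constructed token source: hands out tok-1, tok-2, ... with a 1-hour lifetime.
function fakeTokenSource() {
  let n = 0;
  return () => ({ access_token: 'tok-' + (++n), expires_in: 3600 });
}

// Demo with an echo transport (assumed tenant URL and request path).
const demoToken = new CIToken(fakeTokenSource());
const demoRequest = new CIRequest('https://TENANT.example', demoToken, (r) => r);
console.log(demoRequest.post('/ASSUMED/auth/path', { userName: 'alice' }).headers.Authorization);
demoToken.stop();
```

Because get() checks the expiry itself, a caller never depends solely on the timer having fired; and calling stop() on shutdown clears the pending refresh so no token fetch happens after the proxy has stopped listening.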
Basic LDAP Proxy
ldapproxy_simple.js provides the main program and the LDAP proxy component. In addition it has helper methods to convert the returned JSON object to an LDAP entry. The converttoLDAP function can be modified to return additional account attributes as needed; it is the method that builds the LDAP object returned as part of the search.
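To show how the bind, the cache and the converttoLDAP step fit together, here is an added example written for this page (not the project's ldapproxy_simple.js). It has a TTL cache that keeps the authenticated user between the bind and the search, a convertToLDAP function that maps the returned JSON to an LDAP entry, and two handlers that stand in for the proxy's bind and search callbacks. The shape of the user JSON (SCIM-like userName, name and emails), the attribute names, the base DN and the sample user are all assumptions constructed for the example; the authenticate callback replaces the real CI call.

```javascript
// Added example, not the blog's ldapproxy_simple.js. User JSON shape,
// attribute names, base DN and the sample record are assumed/constructed.

class UserCache {
  // ttlSeconds is the cache "time to live" from the properties file;
  // the clock is injectable so expiry can be tested without sleeping.
  constructor(ttlSeconds, clock = Date.now) {
    this.ttlMs = ttlSeconds * 1000;
    this.clock = clock;
    this.entries = new Map();
  }
  put(dn, user) {
    this.entries.set(dn, { user, expiresAt: this.clock() + this.ttlMs });
  }
  // Returns the cached user, or null when absent or older than the TTL.
  get(dn) {
    const e = this.entries.get(dn);
    if (!e) return null;
    if (this.clock() >= e.expiresAt) { this.entries.delete(dn); return null; }
    return e.user;
  }
}

// Escape a value for use inside a DN (RFC 4514) so a userName containing
// ',' or '=' cannot change the structure of the DN the proxy returns.
function escapeDnValue(v) {
  let s = String(v).replace(/([\\,+"<>;=])/g, '\\$1');
  if (s.startsWith('#') || s.startsWith(' ')) s = '\\' + s;
  if (s.endsWith(' ')) s = s.slice(0, -1) + '\\ ';
  return s;
}

// Build the LDAP entry for a user under baseDn (the suffix from the ldap
// section of the properties file). Add keys to `attributes` to return more.
function convertToLDAP(user, baseDn) {
  const name = user.name || {};
  const emails = (user.emails || []).map((e) => e.value).filter(Boolean);
  const attributes = {
    objectClass: ['top', 'person', 'inetOrgPerson'],
    uid: user.userName,
    cn: name.formatted || user.userName,
    sn: name.familyName || user.userName,
  };
  if (name.givenName) attributes.givenName = name.givenName;
  if (emails.length) attributes.mail = emails;
  return { dn: 'uid=' + escapeDnValue(user.userName) + ',' + baseDn, attributes };
}

// Bind: authenticate (injected here in place of the CI call) and remember the
// user under the bind DN. Returns true on success, false otherwise.
function handleBind(cache, authenticate, dn, password) {
  const user = authenticate(dn, password);
  if (!user) return false;
  cache.put(dn, user);
  return true;
}

// Search: answered only from the cache keyed by the bind DN, which is why the
// DN given to -D and the base given to -b in the test ldapsearch must match.
function handleSearch(cache, dn, baseDn) {
  const user = cache.get(dn);
  return user ? convertToLDAP(user, baseDn) : null;
}

// Constructed sample data (assumed base DN and a made-up user).
const BASE_DN = 'ou=users,dc=example,dc=com';
const SAMPLE_USER = {
  userName: 'alice',
  name: { givenName: 'Alice', familyName: 'Liddell', formatted: 'Alice Liddell' },
  emails: [{ value: 'alice@example.com' }],
};
function demoAuthenticate(dn, password) {
  const ok = dn === 'uid=alice,' + BASE_DN && password === 'correct horse';
  return ok ? SAMPLE_USER : null;
}

// Demo: a 30-second cache, a successful bind, then the search it enables.
const demoCache = new UserCache(30);
if (handleBind(demoCache, demoAuthenticate, 'uid=alice,' + BASE_DN, 'correct horse')) {
  console.log(JSON.stringify(handleSearch(demoCache, 'uid=alice,' + BASE_DN, BASE_DN)));
}
```

Keying the cache by the bind DN and answering searches only from it means an unauthenticated search returns nothing, and the TTL bounds how long a successful bind can be replayed as a lookup; keep the TTL as short as the client's bind-then-search gap allows.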
The solution makes use of the following components, which must be installed with npm install:
Starting the Proxy
Use node to start the LDAP proxy: node ldapproxy_simple.js
Testing Using ldapsearch
The following picture shows a command-line ldapsearch that can be used to test the proxy. The key point in this search is that the DN given to -D (the bind DN) and to -b (the search base) have to be the same.