Cloud Identity

Modernizing your B2C Portal Security – LDAP Proxy Deep Dive


In this part of our series we take a deeper look at how the LDAP reverse proxy works and what needs to be done to make it work.

Enable CI

In this part we look at what needs to be done on the CI side and what information needs to be collected.

We need to know the Cloud Identity tenant URL; for this example we use:

https://ppsdemo.ice.ibmcloud.com

Log into the administrative console and select “Configuration” from the menu.

On the right side select Add API Client.

Enter a name for the client: “blog_client”

Scroll down and select the “Auth any user” permission, as seen in the API documentation.

Select Save.

After saving, the client ID and secret are created; select the edit icon and copy these two values.

Client ID: d5ed9669-79e5-48df-84a6-9ec1c99ca220
Client Secret: u6d1QYuypF

Cancel out of this window, select the Identity Sources tab, and select the “Cloud Directory” source; from that view copy the ID.

Cloud Directory ID: bbdef01e-dce8-4fa4-b310-88b42b48169d

This is all we need to do to enable CI for access by the proxy.

Configuration file

We will store the configuration in a single properties file, which has the following format:

The tenant information is what we set up and discovered from the CI configuration.

The LDAP information is what we define; the client uses it to form the LDAP bind and search configuration (this can be set to match what is used today).

The cache information specifies how long the user information is stored in the cache, i.e. how much time can elapse between the bind and the lookup operation. The time to live is given in seconds.

The log value sets the log level; for now we use the most verbose level, “log”.
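As an added example (not code from the post), here is a loader for that properties file that parses the key=value lines, groups them into the tenant, ldap, cache and log sections described above, and refuses a config the proxy cannot run safely with. The key names (tenant.url, tenant.clientId, cache.ttl, ldap.suffix and so on) are assumptions, since the post does not list them; the tenant values in the sample are the ones shown earlier in the post and the ldap values are placeholders.

```javascript
'use strict';

// Added example, not the post's own code: loader and validator for the single
// properties file. Key names are assumptions.

// Constructed sample file: tenant values from the post, ldap values placeholders
const SAMPLE_PROPERTIES = `
# tenant: what we set up in the CI console
tenant.url=https://ppsdemo.ice.ibmcloud.com
tenant.clientId=d5ed9669-79e5-48df-84a6-9ec1c99ca220
tenant.clientSecret=u6d1QYuypF
tenant.directoryId=bbdef01e-dce8-4fa4-b310-88b42b48169d
# ldap: how the proxy presents itself to the existing clients (placeholders)
ldap.port=1389
ldap.suffix=ou=users,dc=example,dc=com
ldap.uidAttribute=uid
# cache: seconds allowed between the bind and the following search
cache.ttl=30
# tracer log level, "log" being the most verbose
log=log
`;

// tracer's default levels, most to least verbose
const LOG_LEVELS = ['log', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'];

// Parse key=value lines; '#' and '!' start comments; split at the FIRST '='
// so that values such as an LDAP suffix may themselves contain '='
function parseProperties(text) {
  const props = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith('!')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) throw new Error(`malformed property line: ${line}`);
    props[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return props;
}

// Turn the flat properties into the tenant / ldap / cache / log structure
function loadConfig(text) {
  const p = parseProperties(text);
  const need = (key) => {
    if (!p[key]) throw new Error(`missing required property ${key}`);
    return p[key];
  };

  const url = need('tenant.url').replace(/\/+$/, '');
  // the client secret and every access token travel over this URL: refuse plain http
  if (!url.startsWith('https://')) throw new Error('tenant.url must use https');

  const ttl = Number(p['cache.ttl']);
  if (!Number.isInteger(ttl) || ttl <= 0) {
    throw new Error('cache.ttl must be a positive integer number of seconds');
  }

  const log = p.log || 'log';
  if (!LOG_LEVELS.includes(log)) throw new Error(`unknown log level ${log}`);

  return {
    tenant: {
      url,
      clientId: need('tenant.clientId'),
      clientSecret: need('tenant.clientSecret'),
      directoryId: need('tenant.directoryId'),
    },
    ldap: {
      port: Number(p['ldap.port'] || 389),
      suffix: need('ldap.suffix'),
      uidAttribute: p['ldap.uidAttribute'] || 'uid',
    },
    cache: { ttlSeconds: ttl, ttlMs: ttl * 1000 },
    log,
  };
}
```

loadConfig(SAMPLE_PROPERTIES) returns the structured object; a zero or negative cache.ttl, a missing tenant key or an http:// tenant URL is rejected at start-up rather than surfacing as a failed bind later.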

Access Token

The CIToken.js class is used to get and refresh the access token that is needed to perform the authentication call to the CI REST APIs. The class uses the configuration to get the token and refreshes it as needed. Other components can use the class's get() function to obtain the token when they need it.

The setTimeout method is used to sleep and then refresh the token, using recursion.

Request

The CIRequest.js class provides methods that abstract the POST and GET operations needed for the CI REST API calls. It manages the use of the token under the covers, as well as the required headers. In this example we only need the POST operation.
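As an added example, not the post's CIToken.js or CIRequest.js, the following shows the shape those two classes are described to have: a token manager that fetches a client-credentials token, re-arms a setTimeout whose callback calls refresh() again (the recursion mentioned above), and a request helper that attaches the current token and JSON headers to each POST. The HTTP function and the timers are injected so the block runs offline; the token endpoint path /v1.0/endpoint/default/token, the client_credentials grant and the 60-second refresh margin are assumptions, not something the post states.

```javascript
'use strict';

// Added example, not the post's own CIToken.js / CIRequest.js.
// Assumed: token endpoint path, client_credentials grant, 60 s refresh margin.

const DEFAULT_TIMERS = { setTimeout, clearTimeout };

class CIToken {
  // config: { url, clientId, clientSecret }
  // httpPost(url, { headers, form | json }) -> Promise<parsed JSON body>
  constructor(config, httpPost, timers = DEFAULT_TIMERS, marginSec = 60) {
    this.config = config;
    this.httpPost = httpPost;
    this.timers = timers;
    this.marginSec = marginSec;
    this.token = null;
    this.expiresAt = 0;
    this.timer = null;
    this.pending = null;    // in-flight refresh shared by concurrent callers
    this.lastError = null;  // last failure of a timed refresh, for the log
  }

  async refresh() {
    const body = await this.httpPost(`${this.config.url}/v1.0/endpoint/default/token`, {
      headers: { Accept: 'application/json' },
      form: {
        grant_type: 'client_credentials',
        client_id: this.config.clientId,
        client_secret: this.config.clientSecret,
      },
    });
    if (!body || typeof body.access_token !== 'string') {
      throw new Error('token response has no access_token');
    }
    const expiresIn = Number(body.expires_in);
    if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
      throw new Error('token response has no usable expires_in');
    }
    this.token = body.access_token;
    this.expiresAt = Date.now() + expiresIn * 1000;

    // Sleep until shortly before expiry, then refresh again. Each refresh
    // schedules the next one: this is the setTimeout recursion.
    this.timers.clearTimeout(this.timer);
    const delayMs = Math.max(expiresIn - this.marginSec, 1) * 1000;
    this.timer = this.timers.setTimeout(
      () => this.refresh().catch((err) => { this.lastError = err; }),
      delayMs,
    );
    if (this.timer && typeof this.timer.unref === 'function') this.timer.unref();
    return this.token;
  }

  // Other components call get(): the cached token while it is still valid,
  // otherwise one fetch on demand (first use, or after a failed timed refresh).
  get() {
    if (this.token && Date.now() < this.expiresAt) return Promise.resolve(this.token);
    if (!this.pending) {
      this.pending = this.refresh().finally(() => { this.pending = null; });
    }
    return this.pending;
  }

  stop() {
    this.timers.clearTimeout(this.timer);
    this.timer = null;
  }
}

class CIRequest {
  constructor(config, tokenSource, httpPost) {
    this.config = config;
    this.tokenSource = tokenSource;
    this.httpPost = httpPost;
  }

  // POST a JSON body to a CI REST path; bearer token and headers are handled here
  async post(path, json) {
    const token = await this.tokenSource.get();
    return this.httpPost(`${this.config.url}${path}`, {
      headers: {
        Authorization: `Bearer ${token}`,
        Accept: 'application/json',
        'Content-Type': 'application/json',
      },
      json,
    });
  }
}
```

The form and json option names follow the request library's, so with request-promise-native the injected function can be as small as (url, opts) => rp.post(url, { json: true, ...opts }). Sharing one in-flight refresh through pending means a burst of binds at start-up produces one token request rather than one per bind, and unref() on the timer keeps the refresh loop from holding the process open on shutdown.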

Basic LDAP Proxy

The ldapproxy_simple.js file provides the main program and the LDAP proxy component. In addition it has helper methods to convert the returned JSON object into an LDAP result. The converttoLDAP function can be modified to return additional account attributes as needed; it is the method that builds the LDAP object returned as part of the search.
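The following is an added example, not the post's ldapproxy_simple.js, of the bind-then-search flow the proxy implements: a bind authenticates the user named in the DN against CI and stores the returned user object in a TTL cache keyed by the DN, and a search answers only for a base DN that is still in the cache, which is why the later ldapsearch test needs the same DN for -D and -b. It is written without ldapjs so it runs offline; the authenticate(username, password) function stands in for the CI REST call, the SCIM-style user JSON (userName, name, emails) is an assumed shape, and the sample user and credentials are constructed. The TtlCache stands in for js-cache and the entries have the { dn, attributes } shape that ldapjs search responses use.

```javascript
'use strict';

// Added example, not the post's ldapproxy_simple.js. authenticate() stands in
// for the CI REST call; the user JSON shape is assumed; sample data constructed.

// Minimal TTL cache in place of js-cache; `now` is injectable for deterministic tests
class TtlCache {
  constructor(ttlMs, now = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.map = new Map();
  }
  set(key, value) {
    this.map.set(key, { value, expiresAt: this.now() + this.ttlMs });
  }
  get(key) {
    const hit = this.map.get(key);
    if (!hit) return null;
    if (this.now() >= hit.expiresAt) { this.map.delete(key); return null; }
    return hit.value;
  }
}

// "UID=JDoe, ou=users,..." and "uid=jdoe,ou=users,..." must hit the same cache
// entry; a full RFC 4514 parser is out of scope for this example
function normaliseDn(dn) {
  return dn.split(',').map((rdn) => rdn.trim().toLowerCase()).join(',');
}

// Extract the user name from "<uidAttribute>=<name>,<suffix>"; null unless the
// DN sits directly under the configured suffix with the configured attribute
function userFromDn(dn, ldapConfig) {
  const parts = dn.split(',').map((p) => p.trim());
  const suffixParts = ldapConfig.suffix.split(',').map((p) => p.trim().toLowerCase());
  if (parts.length !== suffixParts.length + 1) return null;
  const tail = parts.slice(1).map((p) => p.toLowerCase());
  if (tail.some((p, i) => p !== suffixParts[i])) return null;
  const [attr, ...rest] = parts[0].split('=');
  const value = rest.join('=');
  if (attr.toLowerCase() !== ldapConfig.uidAttribute.toLowerCase() || !value) return null;
  return value;
}

// Build the LDAP entry returned by the search from the user JSON; extend the
// attribute map here to expose further account attributes
function converttoLDAP(dn, user) {
  const name = user.name || {};
  const attributes = {
    objectClass: ['top', 'person', 'organizationalPerson', 'inetOrgPerson'],
    uid: user.userName,
    cn: user.displayName || user.userName,
    sn: name.familyName || user.userName,
    givenName: name.givenName,
    mail: (user.emails || []).map((e) => e.value).filter(Boolean),
  };
  for (const key of Object.keys(attributes)) {
    const v = attributes[key];
    if (v === undefined || (Array.isArray(v) && v.length === 0)) delete attributes[key];
  }
  return { dn, attributes };
}

class LdapProxyCore {
  // ldapConfig: { suffix, uidAttribute }; authenticate(user, pw) -> Promise<userJson|null>
  constructor(ldapConfig, authenticate, cache) {
    this.ldapConfig = ldapConfig;
    this.authenticate = authenticate;
    this.cache = cache;
  }

  // Simple bind: verify the password with CI, remember the user for the search
  async bind(dn, password) {
    const username = userFromDn(dn, this.ldapConfig);
    if (!username || !password) return false;  // no anonymous or malformed binds
    const user = await this.authenticate(username, password);
    if (!user) return false;
    this.cache.set(normaliseDn(dn), user);
    return true;
  }

  // Search: only the DN that was just bound (and not yet expired) has an answer
  search(baseDn) {
    const user = this.cache.get(normaliseDn(baseDn));
    return user ? [converttoLDAP(baseDn, user)] : [];
  }
}

// Constructed sample user and stand-in for the CI authentication call
const SAMPLE_USER = {
  userName: 'jdoe',
  displayName: 'Jane Doe',
  name: { givenName: 'Jane', familyName: 'Doe' },
  emails: [{ value: 'jdoe@example.com' }],
};
async function demoAuthenticate(username, password) {
  return username === 'jdoe' && password === 'secret' ? SAMPLE_USER : null;
}
```

With ldapjs the bind handler would call bind() and answer res.end() or an InvalidCredentialsError, and the search handler would res.send() each entry from search(). Because the cache is the only link between the two operations, a search for any DN other than the one just bound, or one arriving after the configured TTL, returns nothing, which is the behaviour the cache section above describes.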

Dependencies

The solution makes use of the following components which must be installed using npm install:

  • request-promise-native
  • tracer
  • ldapjs
  • js-cache

Starting the Proxy

Use node to start the LDAP proxy:

node ldapproxy_simple.js

Testing Using ldapsearch

The following picture shows a command line ldapsearch that can be used to test the proxy. The key point in this search is that the DN given to -D (the bind DN) and to -b (the search base) have to be the same.


Senior Architect, World Wide IAM Domain Leader
