Modernizing your B2C Portal Security – LDAP Proxy for Cloud Identity


In this part of our series, we are taking a look at a common pattern we see at our customers, that at first look seems to prevent us from moving to the cloud.  I will outline a process that allows us to move to the cloud while improving the overall security posture.

LDAP Authentication

Many customers have integrated existing applications with the portal over the LDAP channel, accessing the registry directly. This lets those applications reuse the login ID and password the portal uses, together with group membership for access control within the application: an LDAP bind validates the password and an LDAP search retrieves the group membership. The following diagram shows this scenario.

In this scenario the following steps are done:

  1. The user enters a user ID and password into the application.
  2. The application takes the user name and password and performs a simple bind.
  3. If the password is validated, the application does a lookup to get the group memberships.
  4. The application grants access based on group membership.

LDAP to Rest API

In the new model, the existing LDAP-based operations are replaced with a single call to a REST API. This call carries the user ID and password and, on successful authentication, returns a JSON object containing information about the user, including the group membership.

The REST call to make:

The following is a piece of sample code to make that call.

// authenticate user
// `req` (an HTTP client pre-configured with the Cloud Identity base URL and
// credentials), `log` and `config` are set up elsewhere in the application.
async function authUser(id, pwd) {
  // log only the user id: the password must never be written to the log
  log.debug('authUser(id) (%s)', id);
  try {
    return await req.post('/v1.0/authnmethods/password/' + config.tenant.registry, {
      "username": id,
      "password": pwd
    });
  } catch (e) {
    log.error('try catch is ', e);
    return null;
  }
}

This is an example result object returned for a successful authentication:

{
  "groups": [
    {
      "sourceId": "bbdef01e-dce8-4fa4-b310-88b42b48169d",
      "displayName": "Sales",
      "name": "501FWE3WUQ"
    },
    {
      "sourceId": "bbdef01e-dce8-4fa4-b310-88b42b48169d",
      "displayName": "Marketing",
      "name": "505NHXE265"
    }
  ],
  "attributes": [
    { "values": ["schmidtm@us.ibm.com"], "name": "email" },
    { "values": ["Martin Schmidt"], "name": "name" },
    { "values": ["Schmidt"], "name": "familyName" },
    { "values": ["Martin"], "name": "givenName" },
    { "values": ["schmidtm"], "name": "username" },
    { "values": ["cloudIdentityRealm"], "name": "realm" },
    { "values": ["regular"], "name": "userCategory" }
  ],
  "id": "50XDE6A3EF"
}

This method returns the information the calling application needs to manage access. It simplifies this type of integration by moving it from an LDAP-based to a REST API methodology, as shown below.

LDAP Proxy Intermediary

In some cases the switch to the REST API may not happen immediately. In that case we can use a JavaScript-based proxy that sits between the application and the cloud registry and converts the LDAP bind and search into a REST API call.

The following diagram shows the architecture for this.

An example of such an LDAP proxy can be found here:

https://github.com/IBM-Security/CI-ldapproxy

A generic LDAP proxy as well as a simple LDAP proxy implementation are provided. The next entry in this series will take a closer look at the simple LDAP proxy implementation: the code, components, and configuration required.
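The two translations such a proxy has to perform, mapping the bind DN of step 2 to the username the REST call wants and rendering the REST result as an LDAP entry whose memberOf answers the group lookup of steps 3 and 4, as an added example that is neither the post's code nor the CI-ldapproxy project's. The sample response object, the DN layout (uid=..., ou=groups,...) and every id in it are constructed; no network call is made.

```javascript
// Added example (not from the post or the CI-ldapproxy project): the translation an LDAP
// proxy performs between an LDAP client and a REST-only registry. No network I/O is done.
const sampleAuthResult = {                                   // constructed sample response
  groups: [
    { sourceId: "00000000-0000-0000-0000-000000000000", displayName: "Sales", name: "GRP0001" },
    { sourceId: "00000000-0000-0000-0000-000000000000", displayName: "Marketing", name: "GRP0002" },
  ],
  attributes: [
    { values: ["jdoe@example.com"], name: "email" },
    { values: ["Jane Doe"], name: "name" },
    { values: ["Doe"], name: "familyName" },
    { values: ["Jane"], name: "givenName" },
    { values: ["jdoe"], name: "username" },
  ],
  id: "USR0001",
};

// Step 2 of the LDAP flow: a simple bind carries a DN, the REST call wants a
// username.  Take the value of a leading uid= or cn= RDN and reject anything else,
// so an anonymous or malformed bind never becomes a REST call with an empty name.
function bindDnToUsername(dn) {
  const m = /^(?:uid|cn)=([^,]+)(?:,|$)/i.exec(String(dn).trim());
  return m ? m[1] : null;
}

// Escape the characters RFC 4514 reserves in DN attribute values.
const escapeDnValue = (v) => v.replace(/([\\,+"<>;=])/g, "\\$1");

// Step 3: the group lookup the application used to do with an LDAP search is
// answered from the single REST result.  Attribute values stay arrays (LDAP
// attributes are multi-valued); groups become memberOf DNs under the group base DN.
function toLdapEntry(authResult, groupBaseDn) {
  if (!authResult) return null;                              // failed bind: no entry
  const attrs = {};
  for (const a of authResult.attributes || []) attrs[a.name] = a.values;
  return {
    uid: attrs.username,
    mail: attrs.email,
    cn: attrs.name,
    sn: attrs.familyName,
    givenName: attrs.givenName,
    memberOf: (authResult.groups || []).map((g) => `cn=${escapeDnValue(g.displayName)},${groupBaseDn}`),
  };
}

// Step 4: access is still granted on group membership, now read from memberOf.
// DNs are compared case-insensitively, which is how LDAP matches cn values.
function isMemberOf(entry, groupDn) {
  return !!entry && entry.memberOf.some((dn) => dn.toLowerCase() === groupDn.toLowerCase());
}
```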

Senior Architect, World Wide IAM Domain Leader

By Martin Schmidt on June 21, 2019