LDAP authentication

The Lightweight Directory Access Protocol (LDAP) is an internet protocol for accessing and maintaining distributed directory information services over a network. If you rely on LDAP to authenticate users for web applications, take a minute to review the contents of this topic before beginning.

Programming guidelines

When authenticating with LDAP, observe the following guidelines:
  • Use only a LDAP interface -- Users can only be authenticated via a connection to an LDAP server.
  • Active Directory -- Use of an Active Directory interface is prohibited, however, LDAP authentication with Active Directory is supported.
  • Administrator properties -- The LDAP administrator must have access to all user's LDAP properties.
LDAP attributes read by IBM® API Connect are as follows:
Attribute Definition
mail User's SMTP email address.
cn Used internally to determine user's common name.
sn Used internally to determine user's last name or surname.
givenname Used internally to determine user's first name.
Prefix from Search dn Used as username.

Using an LDAP Server for User Authentication

Every entry in an LDAP directory server has a distinguished name (DN). The DN is the name that uniquely identifies an entry in the directory. A DN is made up of attribute=value pairs, separated by commas. For example:
cn=Ben Gray,ou=editing,o=New York Times,c=US
cn=Lucille White,ou=editing,o=New York Times,c=US
cn=Tom Brown,ou=reporting,o=New York Times,c=US

Any of the attributes defined in the directory schema can be used to make up a DN. The order of the component attribute value pairs is important. The DN contains one component for each level of the directory hierarchy from the root down to the level where the entry resides. LDAP DNs begin with the most specific attribute (usually some sort of name) and continue with progressively broader attributes, often ending with a country attribute. The first component of the DN is referred to as the Relative Distinguished Name (RDN). It identifies an entry distinctly from any other entries that have the same parent. In the previous examples, the RDN "cn=Ben Gray" separates the first entry from the second entry, (with RDN "cn=Lucille White"). These two example DNs are otherwise equivalent. The attribute=value pair making up the RDN for an entry must also be present in the entry. (This is not true of the other components of the DN.)

Examples

In the following examples, a user search is performed from Base DN. The search is done anonymously, or if authenticated bind is used, an authenticated user is used. Search DN appends the prefix, the given user name, and the suffix. If the prefix used is (uid= and the suffix used is ")", uid becomes the user name attribute. The default search filter used is: (|(cn={filter}*)(sn={filter}*)(mail={filter}*)(givenName={filter})) and attributes used for prefix are also added to the search filter. In this case, where '(uid=' is the prefix, when searching for users, the search filter becomes:
  (|(cn={filter}*)(sn={filter}*)(mail={filter}*)(givenName={filter}*)(uid={filter}*))
where {filter} is replaced by actual text.

The authenticated bind DN is a user on the external LDAP server permitted to get base DNs and search the LDAP directory within the defined search base. It should also be able to read other user properties and be used if anonymous access to LDAP to get base DNs and to search and get access to user attributes is not allowed. When a search is performed for Steve, the LDAP query filter shown in the following example is used and search is done from base DN specified in UI. When the user's DN is returned, the DN and password are used to authenticate the user:

(|(cn=Steve*)(sn=Steve*)(mail=Steve*)(givenName=Steve*)(uid=Steve*)).
For bind during login calls, the search string used is the prefix. For example, if the prefix is '(uid=', the search string used to search for a user during log in becomes: (uid=Steve).
Using the mail attribute as the user name
When you want to use an email address as the user name, (for example steve@company.com), you typically use the mail attribute as the prefix '(mail='. In this case, use the following search string to perform the search internally (assuming '(mail=' as prefix):
(|(cn=steve@company.com*)(sn=steve@company.com*)(mail=steve@company.com*)
(givenName=steve@company.com*)(mail=steve@company.com*))
In the previous example, if DN is found, the password is used with the DN to perform a bind. The first result is taken, so be sure to use a unique attribute for username. Next, the LDAP properties for the user are read (cn, sn, mail, givenName). If LDAP properties cannot be read using the logged-in user, they are read from the user's DN using authenticated bind credentials. If the user name attribute differs, it is also queried for. For example, if the prefix is '(uid=', the uid attribute is also read from the user's DN object:
(|(cn={filter}*)(sn={filter}*)(mail={filter}*)(givenName={filter}*))
Note: The prefix and suffix cannot be used to get a user's DN directly. For example, the following attempt to directly get a user's DN fails: 
Prefix: "uid=", Suffix: ",ou=users,dc=company,dc=com"

LDAP referrals

LDAP referrals allow a directory tree to be partitioned and distributed between multiple LDAP servers. An LDAP referral is a domain controller's way of indicating to a client application that it does not have a copy of a requested object, while giving the client a location that is more likely to hold the object. The client then uses the object as the basis for a DNS search for a domain controller.

API Connect support for LDAP referral includes:
  • Searching for users that are part of multiple Active Directory trees and forests.
  • Authenticating users in the Cloud Manager, API Manager and the Developer Portal.
Note: API Connect LDAP referral support is dependent on the following conditions:
  • A single LDAP host/port is configured with administrator credentials and all users are referred to from the tree/server's base DN.
  • As part of the user search following the LDAP referral , the same administrator credentials are used in the downstream trees/forests.
  • LDAP API authentication does not support external LDAP referral. Internal LDAP referral is supported with IBM API Connect Version 2018.4.1.12 and later releases.