Authenticate with an LDAP server
The requester is authenticated by an LDAP server.
The identity string that is extracted from the message must conform to the LDAP DN format (such as CN=Alice).
- How to contact the LDAP server.
- The IP address or hostname of the LDAP server and the listening port on the LDAP server.
- A load balancer group where queries are distributed in accordance with the group settings. Load distribution allows for failover. If you specify a load balancer group, the host and port values are ignored.
- The TLS profile to secure the connection.
- The distinguished name (DN) and password for the LDAP bind operation. Specifying the password directly is deprecated; use a password alias instead. If you defined a password, add a password alias, verify that the alias works, and then delete the password value.
- The name of the LDAP attribute that contains the cleartext password.
This property is meaningful only when the identity extraction uses the UsernameToken from the WS-Security header and the <Password> element in the token has the Type attribute set to PasswordDigest. In this case, the LDAP server returns the text in the specified LDAP attribute for the user that is named in the UsernameToken. The DataPower Gateway recomputes the digest that the UsernameToken Profile defines, Base64(SHA-1(nonce + created + password)), over the returned text. If the computed value does not match the value in the <Password> element, authentication fails. Because this check requires the directory to return the cleartext password, restrict read access to that attribute to the bind DN that the DataPower Gateway uses.
- The LDAP protocol version to access the server.
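The PasswordDigest check described above, as an added example in Python. This is not DataPower code: the in-memory directory stands in for the LDAP attribute lookup, the UsernameToken is constructed here rather than captured, and the nonce replay cache is an assumption about what a complete implementation adds on top of the digest comparison.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces and the Type URI defined by WS-Security 1.0 / UsernameToken Profile 1.0.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")


def make_password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    nonce = base64.b64decode(nonce_b64)
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def parse_username_token(xml_text: str) -> dict:
    """Pull the fields that the digest check needs out of a wsse:UsernameToken."""
    root = ET.fromstring(xml_text)
    token = root if root.tag == f"{{{WSSE}}}UsernameToken" else root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("no UsernameToken found")

    def text(tag: str) -> str:
        el = token.find(tag)
        if el is None or el.text is None:
            raise ValueError(f"missing {tag}")
        return el.text.strip()

    password_el = token.find(f"{{{WSSE}}}Password")
    return {
        "username": text(f"{{{WSSE}}}Username"),
        "password": text(f"{{{WSSE}}}Password"),
        "password_type": password_el.get("Type", "") if password_el is not None else "",
        "nonce": text(f"{{{WSSE}}}Nonce"),
        "created": text(f"{{{WSU}}}Created"),
    }


def verify_password_digest(token: dict, cleartext_password: str) -> bool:
    """Recompute the digest from the token's nonce and Created plus the directory's cleartext password."""
    if token["password_type"] != PASSWORD_DIGEST:
        raise ValueError("token does not carry a PasswordDigest")
    expected = make_password_digest(token["nonce"], token["created"], cleartext_password)
    # Constant-time comparison so a mismatch does not leak how much of the digest matched.
    return hmac.compare_digest(expected, token["password"])


# Constructed sample directory: stands in for the LDAP attribute lookup (for example userPassword).
CONSTRUCTED_DIRECTORY = {"alice": "s3cret"}


def authenticate(xml_text: str, directory: dict, seen_nonces: set) -> bool:
    """Digest check plus a nonce replay check (assumed addition); Created freshness is left to the caller's clock policy."""
    token = parse_username_token(xml_text)
    stored = directory.get(token["username"])
    if stored is None or token["nonce"] in seen_nonces:
        return False
    if not verify_password_digest(token, stored):
        return False
    seen_nonces.add(token["nonce"])
    return True


# Constructed sample token (not captured traffic): nonce, Created and the digest are built right here.
SAMPLE_NONCE_B64 = base64.b64encode(b"0123456789abcdef").decode("ascii")
SAMPLE_CREATED = "2024-01-01T00:00:00Z"
SAMPLE_TOKEN = f"""<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:Username>alice</wsse:Username>
  <wsse:Password Type="{PASSWORD_DIGEST}">{make_password_digest(SAMPLE_NONCE_B64, SAMPLE_CREATED, "s3cret")}</wsse:Password>
  <wsse:Nonce>{SAMPLE_NONCE_B64}</wsse:Nonce>
  <wsu:Created>{SAMPLE_CREATED}</wsu:Created>
</wsse:UsernameToken>"""

if __name__ == "__main__":
    print(authenticate(SAMPLE_TOKEN, CONSTRUCTED_DIRECTORY, set()))  # True
```

The digest comparison on its own only proves that the sender knew the password at some point; without the nonce cache and a bound on how old Created may be, a captured token can be replayed until the password changes.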
- Whether to use an LDAP search to retrieve the DN of the user.
- With an LDAP search, the login name with LDAP search parameters retrieves the DN of the user.
When you use an LDAP search, you can configure an LDAP connection pool at the service level and assign it to an AAA policy's XML manager. The AAA policy can reuse the connections in the LDAP connection pool when the DataPower® Gateway connects to an LDAP server.
- Without an LDAP search, the login name, LDAP prefix, and LDAP suffix construct the DN of the user.
- LDAP prefix
- An LDAP prefix is a string to add before the extracted identity value before submission to the LDAP server. For example, the string cn=.
- LDAP suffix
- An LDAP suffix is a string to add after the extracted identity value before submission to the LDAP server. For example, the string o=datapower. Because the DN is the plain concatenation of prefix, identity value, and suffix, the suffix must start with the comma that separates the RDNs (,o=datapower) so that the identity Alice yields the valid DN cn=Alice,o=datapower.
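The two ways of arriving at the user's DN, as an added example in Python that is not DataPower code. The prefix cn= and the suffix ,o=datapower come from the text above; the uid attribute used in the search filter, the sample login names, and the escaping helpers are assumptions about what a correct implementation of either mode does with an identity value that arrives from the message.

```python
# RFC 4514 (DN string form) and RFC 4515 (search filter) escaping rules.
DN_SPECIAL = set(',+"\\<>;')
FILTER_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value that is about to be spliced into a DN string (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")   # leading or trailing space is significant only when escaped
        elif ch == "#" and i == 0:
            out.append("\\#")   # a leading '#' would otherwise start a hex-string value
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value that is about to be placed inside a search filter assertion (RFC 4515 section 3)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_bind_dn_unescaped(login: str, prefix: str = "cn=", suffix: str = ",o=datapower") -> str:
    """Plain concatenation, shown for comparison: a login containing ',' or '+' changes which entry is bound."""
    return prefix + login + suffix


def build_bind_dn(login: str, prefix: str = "cn=", suffix: str = ",o=datapower") -> str:
    """Mode without LDAP search: prefix + escaped login + suffix is the DN that is bound."""
    return prefix + escape_dn_value(login) + suffix


def build_search_filter(login: str, attribute: str = "uid") -> str:
    """Mode with LDAP search: the filter that retrieves the user's entry, whose DN is then bound."""
    return f"({attribute}={escape_filter_value(login)})"


# Constructed sample identities: one benign, two that would rewrite the DN or the filter if left unescaped.
SAMPLE_LOGINS = ["alice", "alice,ou=admins", "*)(uid=*"]


def demo() -> dict:
    """Map each sample login to the DN and the filter that would actually be sent."""
    return {login: (build_bind_dn(login), build_search_filter(login)) for login in SAMPLE_LOGINS}


if __name__ == "__main__":
    for login, (dn, flt) in demo().items():
        print(f"{login!r}: bind {dn}   search {flt}")
```

The second sample login shows why the escaping matters in the no-search mode: concatenated raw, alice,ou=admins becomes cn=alice,ou=admins,o=datapower, a different entry from the one the administrator intended; escaped, the comma stays inside the cn value.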
- The list of LDAP attributes as the auxiliary information for AAA processing.
Use a comma as the delimiter. For example, email,cn,userPassword. The results are appended to the var://context/ldap/auxiliary-attributes context variable and are synchronized to the AAA authentication cache. Because later processing actions can read this variable and cached entries persist for the cache lifetime, include a sensitive attribute such as userPassword only when a later step needs it.
- The number of seconds that the DataPower Gateway waits for a response from the LDAP server before the DataPower Gateway closes the LDAP connection.
If you configure an LDAP connection pool and assign it to the AAA Policy's XML manager, the AAA Policy can use this LDAP connection pool. The LDAP read timeout property of the AAA Policy works with the Idle timeout property of the LDAP connection pool to remove idle LDAP connections from the pool.
The following process shows how the LDAP read timer works with the LDAP idle timer to handle an incoming LDAP request.
- The LDAP read timer starts when the DataPower Gateway sends the LDAP request to an LDAP server.
- If the LDAP server returns a response within the time that you specified for the LDAP read timer, the DataPower Gateway adds this connection to the LDAP connection pool.
- If the LDAP server does not return any response within the specified time for the LDAP read timer, the DataPower Gateway closes the connection and removes it from the LDAP connection pool.
- The LDAP idle timer starts when the DataPower Gateway adds this connection to the LDAP connection pool.
- If this connection remains idle for a time interval greater than the specified idle timeout value, the DataPower Gateway removes the LDAP connection from the connection pool.
- If the DataPower Gateway sends a subsequent request to the same LDAP server with the same bind credentials, the DataPower Gateway reuses the LDAP connection. The LDAP read timer starts again.
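The read-timer and idle-timer interaction described in the steps above, as an added example in Python. This is a model written for this page, not DataPower's pool implementation: the pool key (host, port, bind DN), the fake clock, the timeout values and the server names are assumptions chosen to make each step of the process observable.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class PooledConnection:
    host: str
    port: int
    bind_dn: str
    last_used: float  # when the connection was last returned to the pool: the idle timer's start


class LdapConnectionPool:
    """Idle connections keyed by (host, port, bind DN): reuse only for the same server and bind credentials."""

    def __init__(self, idle_timeout: float, clock: Callable[[], float] = time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._idle: dict = {}

    def _evict_idle(self) -> None:
        now = self.clock()
        for key, conn in list(self._idle.items()):
            if now - conn.last_used > self.idle_timeout:
                del self._idle[key]

    def acquire(self, host: str, port: int, bind_dn: str) -> Tuple[PooledConnection, bool]:
        self._evict_idle()
        conn = self._idle.pop((host, port, bind_dn), None)
        if conn is not None:
            return conn, True
        return PooledConnection(host, port, bind_dn, self.clock()), False

    def release(self, conn: PooledConnection) -> None:
        conn.last_used = self.clock()
        self._idle[(conn.host, conn.port, conn.bind_dn)] = conn

    def size(self) -> int:
        return len(self._idle)


class FakeClock:
    """Manually advanced clock so the read and idle timers can be driven deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def ldap_request(pool: LdapConnectionPool, clock: FakeClock, host: str, port: int, bind_dn: str,
                 read_timeout: float, server_latency: Optional[float]) -> Tuple[str, bool]:
    """One AAA request. server_latency=None models a server that never answers."""
    conn, reused = pool.acquire(host, port, bind_dn)
    # The read timer starts when the request is sent.
    if server_latency is not None and server_latency <= read_timeout:
        clock.advance(server_latency)
        pool.release(conn)        # answered in time: back to the pool, idle timer starts
        return "ok", reused
    clock.advance(read_timeout)   # read timer expires: connection closed, not returned
    return "timeout", reused


def run_scenario() -> list:
    """Drive the pool through the steps in the text; returns (status, reused, pool size) per request."""
    clock = FakeClock()
    pool = LdapConnectionPool(idle_timeout=30, clock=clock)
    host, port, binder, other = "ldap.example.test", 636, "cn=binder,o=datapower", "cn=other,o=datapower"
    results = []

    def step(read_timeout, latency, bind_dn=binder):
        status, reused = ldap_request(pool, clock, host, port, bind_dn, read_timeout, latency)
        results.append((status, reused, pool.size()))

    step(10, 2)          # fresh connection, answered in 2 s -> pooled
    step(10, 1)          # same server and bind DN -> reused, read timer restarted
    step(10, 2, other)   # different bind DN -> binder's pooled connection is not reused
    clock.advance(31)    # both idle longer than 30 s -> evicted on the next acquire
    step(10, 2)          # new connection again
    step(10, None)       # no answer within 10 s -> closed and dropped from the pool
    return results


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

Eviction here runs lazily at the next acquire, which is enough to show the ordering of the timers; a production pool would also reap idle connections on a background timer so that a server that has silently dropped them is not found out only on the next request.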