Configuring an API LDAP registry

An API LDAP registry defines the LDAP server to authenticate incoming API requests.

About this task

LDAP registries can be used to authenticate users to APIs.

Procedure

  1. In the search field, enter registry.
  2. From the search results, click API LDAP registry.
  3. Click Add.
  4. Define the basic properties - Name, administrative state, and comments.
  5. Specify the hostname or IP address of the LDAP server.
  6. Specify the listening port on the LDAP server. The default value is 636.
  7. Optional: Specify the TLS client profile to secure connections with the LDAP server.
  8. Specify the LDAP version to use for the bind operation. The default value is v3.
  9. In the User authentication area, define user authentication.
    1. Specify how to create the user for authentication. The default value is Search DN.
      Compose DN
      Select Compose DN when the DN can be composed from the username. uid=john,ou=People,dc=company,dc=com is an example DN format that can be composed from the username.
      Compose UPN
      Select Compose UPN when the UPN can be composed from the username. john@example.com is an example UPN format that can be composed from the username .
      Search DN
      Select Search DN when the DN cannot be composed from the username and an LDAP search is needed to retrieve information that matches the username.
    2. For an authenticated bind, provide the administrator DN and password. For an anonymous bind, do not define these properties.
    3. Specify the LDAP search parameters for the LDAP search to retrieve the user DN.
      Compose DN
      When Compose DN, the search parameters can include the base DN, but must include the prefix and suffix. For example, enter (uid= as the prefix and ) as the suffix.
      Compose UPN
      When Compose UPN, the search parameters must include the suffix. For example, enter @example.com as the suffix.
      Search DN
      When Search DN, the search parameters can include the base DN, but must include the prefix and suffix. For example, enter (uid= as the prefix and ) as the suffix.
    4. Enter the time to wait in seconds for a response from the LDAP server before the LDAP connection is closed. The default value is 60. A value of 0 indicates that the connection never times out.
  10. Optional: In the Group authentication area, define how to check group membership for an authenticated user in the LDAP registry.
    1. Enable group authentication.
    2. Specify the configuration type for group authentication.
      Dynamic
      Build group authentication dynamically, which is always used for compose UPN.
      Static
      Build group authentication from predefined configuration, which cannot be used for compose UPN.
    3. Specify the search scope.
    4. For static configuration, specify the base DN, filter prefix, and filter suffix.
    5. For dynamic configuration, specify the filter expression.
  11. Click Apply to save changes to the running configuration.
  12. Click Save to save changes to the persisted configuration.

What to do next

Associate the LDAP registry as necessary to the following configurations.
  • Basic authentication security definition
  • Client security assembly action
  • User security assembly action