Authentication against an internal LDAP server - Page 2

rthomas-prest · 02-09-2021 03:25 AM

On Apigee Edge (not private cloud), I am trying to authenticate external (non-console) users against an LDAP server. Our network team has opened the appropriate routes, and I have set the LDAP server up as follows:

<LdapResource name="myldap">
    <Connection>
        <Hosts>
            <Host port="636">myldapserver.internal.mycompany.com</Host>
            <!-- ldaps -->
        </Hosts>
        <SSLEnabled>true</SSLEnabled>
        <Version>3</Version>
        <Authentication>simple</Authentication>
        <ConnectionProvider>jndi</ConnectionProvider>
    </Connection>
    <ConnectPool enabled="true">
        <Timeout>30000</Timeout>
        <Maxsize>50</Maxsize>
        <Prefsize>30</Prefsize>
        <Initsize></Initsize>
        <Protocol></Protocol>
    </ConnectPool>
    <Admin>
        <DN>uid=admin,ou=ou1,ou=apps,dc=dc1,dc=dc2</DN>
        <Password>mypassword</Password>
    </Admin>
</LdapResource>

This LDAP server uses a self-signed certificate. The signing root has been installed into the Apigee TLS keystore using the Apigee Edge administration console. I am trying to authenticate the user with the following policy:

<Ldap name="MyLdapPolicy">
    <LdapResource>myldap</LdapResource>
    <Authentication>
        <UserName ref="request.header.username"/>
        <Password ref="request.header.password"/>
        <Scope>subtree</Scope>
        <BaseDN>ou=ou1,ou=apps,dc=dc1,dc=dc2</BaseDN>
    </Authentication>
</Ldap>

But I get the following error message:

error: Naming exception simple bind failed: myldapserver.internal.mycompany.com:636 occurred. Reason: simple bind failed: myldapserver.internal.mycompany.com:636.
error.class: com.apigee.rest.framework.security.AuthenticationException

Where am I going wrong? Is it possible to access LDAP like this from Apigee Edge, or are we stuck? Is there a way to get more detailed logs?