On Apigee Edge (not private cloud), I am trying to authenticate external (non-console) users against an LDAP server. Our network team has opened the appropriate routes, and I have set the LDAP server up as follows:
<LdapResource name="myldap">
<Connection>
<Hosts>
<Host port="636">myldapserver.internal.mycompany.com</Host>
<!-- ldaps -->
</Hosts>
<SSLEnabled>true</SSLEnabled>
<Version>3</Version>
<Authentication>simple</Authentication>
<ConnectionProvider>jndi</ConnectionProvider>
</Connection>
<ConnectPool enabled="true">
<Timeout>30000</Timeout>
<Maxsize>50</Maxsize>
<Prefsize>30</Prefsize>
<Initsize></Initsize>
<Protocol></Protocol>
</ConnectPool>
<Admin>
<DN>uid=admin,ou=ou1,ou=apps,dc=dc1,dc=dc2</DN>
<Password>mypassword</Password>
</Admin>
</LdapResource>
This LDAP server uses a self-signed certificate. The signing root has been installed into the Apigee TLS keystore using the Apigee Edge administration console. I am trying to authenticate the user with the following policy:
<Ldap name="MyLdapPolicy">
<LdapResource>myldap</LdapResource>
<Authentication>
<UserName ref="request.header.username"/>
<Password ref="request.header.password"/>
<Scope>subtree</Scope>
<BaseDN>ou=ou1,ou=apps,dc=dc1,dc=dc2</BaseDN>
</Authentication>
</Ldap>
But I get the following error message:
error: Naming exception simple bind failed: myldapserver.internal.mycompany.com:636 occurred. Reason: simple bind failed: myldapserver.internal.mycompany.com:636.
error.class: com.apigee.rest.framework.security.AuthenticationException
Where am I going wrong? Is it possible to access LDAP like this from Apigee Edge, or are we stuck? Is there a way to get more detailed logs?