Yes, it is possible.
As with many other situations, when connecting to different things from within Apigee Edge, nodejs makes it possible. We’ve seen that a simple nodejs script can connect to AWS Lambda, or MS-SQL Server, and other systems.
The same approach can also be used to connect to an LDAP datastore. The key is the ldapjs module for nodejs. Simple code like this can be used to perform a search from node:
```javascript
var ldap = require('ldapjs');
var client = ldap.createClient({
  url: 'ldap://ipa.demo1.freeipa.org:389'
});
var baseDN = "cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org";
var user = 'employee';
var password = 'Secret123';
var fullDN = 'uid=' + user + ',' + baseDN;

// Simple bind as the user. A bind error means the directory rejected the
// credentials (or could not be reached).
client.bind(fullDN, password, function(error) {
  if (error) {
    console.log("error:" + error);
    process.exit(1);
  }
  else {
    console.log("ok");
    // Read back the user's own entry; base scope returns just that one DN.
    client.search(fullDN, { scope: 'base' }, function(error, res) {
      if (error) {
        // Without this check, a failed search would leave res undefined.
        console.error('search error: ' + error.message);
        process.exit(1);
      }
      res.on('searchEntry', function(entry) {
        console.log('entry: ' + JSON.stringify(entry.object));
      });
      res.on('searchReference', function(referral) {
        console.log('referral: ' + referral.uris.join());
      });
      res.on('error', function(err) {
        console.error('error: ' + err.message);
      });
      res.on('end', function(result) {
        console.log('status: ' + result.status);
        client.unbind();
        process.exit(0);
      });
    });
  }
});
```
Take NOTE! The above is not code you would run within Apigee Edge. It’s just a simple script to show how to use the ldapjs module.
With that knowledge, it’s very easy to implement a simple API Proxy with a nodejs script, to authenticate users. You could imagine using code that does something like the above, as a node target. Such a proxy could be very simple.
Here’s a working example for you to start with.
There’s a full README explaining what’s going on.
You could design the proxy that issues OAuth2.0 tokens to call that ldap proxy via a ServiceCallout. Upon success, the token-issuing proxy would issue the correct token. OR, you could graft the node-based ScriptTarget directly into the proxy that issues OAuth tokens, and mint the token in the Response flow. Either way works just fine.
Bottom line: you don’t need the LDAP policy to do LDAP search + bind things within an API proxy in Apigee Edge.