By: Steven Carmody user 21 Feb 2017 at 9:50 a.m. CST

I'm reading this page -- https://www.gluu.org/docs/authn-guide/basic/ -- the section titled "Configuring Basic Authentication". Local policy REQUIRES that I first authenticate against the LDAP server with a supplied system ID BEFORE I do the search described in Step 2. Is there a way to add those values (supplied system DN, associated password) to the Gluu server config, and have the server use those values to authenticate before doing the search? Of course, once it has the user's DN, it will proceed to Step 3. Thanks very much!

By Mohib Zico staff 21 Feb 2017 at 10:18 a.m. CST

Hi Steven, I don't think it's possible. However, I'm a little curious: what's the use case for your requirement?

By Steven Carmody user 21 Feb 2017 at 10:24 a.m. CST

Hi, local policy REQUIRES authentication to LDAP before doing ANY search, to block harvesting of info. I know that the Shib IdP supports the flow I'm describing, and can be configured to do this. You're saying I can't enter this config through the Gluu GUI, though?

By Mohib Zico staff 21 Feb 2017 at 10:30 a.m. CST

OK, if Shibboleth supports that, we can facilitate it if required. However, Gluu Server's authentication is a little different from the base Shibboleth v2/v3 login procedure; we use oxAuth for authentication, and after that user information is shared with the other services of Gluu Server (Shibboleth, OpenID Connect, CAS, etc.).

> You're saying I can't enter this config through the Gluu GUI, though?

Which config?

By Steven Carmody user 21 Feb 2017 at 10:47 a.m. CST

The flow I'm referring to is described on this page: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration and specifically:

> bindSearchAuthenticator: Binds as a configured DN then searches for the user's DN

You're saying that even if I were to manually edit that value in the Shib IdP config files, it would have no effect, because the Gluu package would be using oxAuth and not the standard Shib IdP authN config?

By Mohib Zico staff 21 Feb 2017 at 11:52 a.m. CST

Thanks for the link, Steven.

> bindSearchAuthenticator: Binds as a configured DN then searches for the user's DN

We are actually doing the same in Gluu Server with our OpenID Authenticator (oxIDPAuthentication):

- With some BindDN (cn=directory manager,o=gluu), the system is going to 'read' for the 'abc' user who is trying to log in to Gluu Server. That means:
- 'cn=directory manager' or 'cn=directory manager,o=gluu' has read access to the internal OpenLDAP (of Gluu Server).
- User 'abc' tried to log in via the login form.
- The BindDN user searches the internal LDAP tree for user 'abc'.

By Steven Carmody user 21 Feb 2017 at 1:37 p.m. CST

Hi, is there a way to configure the Gluu server to use the bindSearchAuthenticator flow when accessing an external LDAP server (i.e. the one at my campus)? Thanks

By Mohib Zico staff 21 Feb 2017 at 4:39 p.m. CST

There are two ways to use an external LDAP server from Gluu Server:

- [Cache Refresh](https://gluu.org/docs/admin-guide/user-group/#ldap-synchronization): Gluu Server will only use the 'ou=people' tree from your backend LDAP / AD server for collecting users' info and authenticating users with that LDAP server (as we don't save passwords here in Gluu Server).
- Totally use a remote LDAP server to store all information (users' information + Gluu Server configuration).

By Steven Carmody user 22 Feb 2017 at 10:04 a.m. CST

I think I'll go with option one (Cache Refresh), since I won't be able to store the Gluu server config info in one of our local PROD LDAP servers. In this model, when I am using the Gluu Identity Appliance (GUI) on my local install, I would NOT change anything in the "Manage Authentication" screen (have it continue to point to the local Gluu LDAP server). Within the GUI, though, I would go to the "Configuration Cache Refresh" panels. Using these panels is described here: https://www.gluu.org/docs/admin-guide/oxtrust-ui/#attributes and here: https://www.gluu.org/docs/admin-guide/user-group/#ldap-synchronization So, I just follow those steps... am I understanding this correctly? Thanks!

By Mohib Zico staff 22 Feb 2017 at 10:10 a.m. CST

Hi Steven, that's correct. One issue though: if you don't change the default 'Manage Authentication' (generally it points to the backend LDAP server for those users who are using Cache Refresh), you have to import password attributes into your Gluu Server as well (which we don't encourage); otherwise authentication will fail because 'localhost:1636' has no password for username 'abc' (this 'abc' was pulled from the backend LDAP).

By Michael Schwartz Account Admin 23 Feb 2017 at 4:17 p.m. CST

Steve, I'm a little confused by this issue. The Gluu Server does bind as a different user before it sends the search request. An authentication always involves a search to find the DN before we can send the second BIND request with the password. If this is not possible, you can always write an authentication script to match your custom requirements. Feel free to set up a meeting if you want to have a quick chat: [http://gluu.org/booking](http://gluu.org/booking)

- Mike
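The bind-then-search flow that Mohib and Mike describe, together with Mohib's Cache Refresh password caveat, as an added Python illustration (not Gluu's, Shibboleth's or the thread's own code). The two directories, their DNs and passwords are constructed in-memory stand-ins so the flow runs without a real LDAP server; the stand-in also refuses anonymous searches, matching the campus policy in the question.

```python
class Directory:
    """Minimal stand-in for an LDAP server whose policy refuses anonymous search."""
    def __init__(self, entries):
        self.entries = entries  # dn -> attribute dict (constructed sample data)

    def bind(self, dn, password):
        """Simple bind: succeeds only if the entry exists and holds that password."""
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, bound_as, uid):
        """Look up (uid=<uid>); refused unless the connection has bound first."""
        if bound_as is None:
            raise PermissionError("anonymous search refused (anti-harvesting policy)")
        return [dn for dn, attrs in self.entries.items() if attrs.get("uid") == uid]


def bind_search_authenticate(directory, bind_dn, bind_pw, username, password):
    """Step 1: bind as the configured service DN.  Step 2: search for the user's DN.
    Step 3: bind again as that DN with the user-supplied password.
    Returns the user's DN on success and None on any failure."""
    if not directory.bind(bind_dn, bind_pw):
        return None                      # service credentials rejected: stop here
    matches = directory.search(bind_dn, username)
    if len(matches) != 1:
        return None                      # unknown or ambiguous user
    user_dn = matches[0]
    return user_dn if directory.bind(user_dn, password) else None


# Campus backend LDAP (constructed): a service account and one user with a password.
BACKEND = Directory({
    "cn=svc-idp,ou=system,dc=campus,dc=edu": {"userPassword": "svc-secret"},
    "uid=abc,ou=people,dc=campus,dc=edu": {"uid": "abc", "userPassword": "abc-pw"},
})

# Gluu's local LDAP after Cache Refresh (constructed): user copied, password not imported.
LOCAL_COPY = Directory({
    "cn=directory manager,o=gluu": {"userPassword": "dm-secret"},
    "inum=0001,ou=people,o=gluu": {"uid": "abc"},
})

def authenticate_against_backend(username, password):
    """Works: the backend holds userPassword, so the second bind can succeed."""
    return bind_search_authenticate(BACKEND, "cn=svc-idp,ou=system,dc=campus,dc=edu",
                                    "svc-secret", username, password)

def authenticate_against_local_copy(username, password):
    """Fails as Mohib warns: the copied entry has no password to bind with."""
    return bind_search_authenticate(LOCAL_COPY, "cn=directory manager,o=gluu",
                                    "dm-secret", username, password)
```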