Simple LDAP Identity Provider Wizard

The Simple LDAP Identity Provider Wizard helps you create or edit a Simple LDAP Identity Provider.
There is only one step to the wizard. Complete each setting as follows:

Provider Name
Enter a descriptive name for the LDAP Identity Provider. This name appears in the [Identity Providers] tab and on the Search Identity Providers dialog.
LDAP URLs
  • Click [Add] to enter the URL of the LDAP or LDAPS directory service you want to connect to.
    If a literal IPv6 address is used as the host, it must be enclosed in square brackets '[ ]'; a host name needs no brackets. For example:
    ldap://oracle.companyx.com:389 (no brackets required)
    ldap://[2222::22]:389 (brackets required)
  • Click [Remove] to remove a URL from the list.
  • Use [Move Up] and [Move Down] to change the order of the URLs.
Use Client Authentication
Select this check box to present a certificate to the server during the SSL handshake, if one is requested.
Clear this check box to never present a certificate, even if one is requested. Note that access may be denied in this case.
When Client Authentication is enabled, the specified key is presented when connecting to an LDAP server over any ldaps connection. If none of the configured URLs use ldaps, this setting has no effect.
Auth DN Prefix
Auth DN Suffix
Optionally enter a prefix and/or a suffix for the authorization DN.
The DN prefix and suffix are combined with the client-provided username to produce a DN. The API Gateway then attempts to bind with that DN and the client-provided password in order to check whether the client-provided username is authenticated.
Example:
The API Gateway is configured with a prefix ("CN=") and a suffix (",OU=Sales,O=Layer 7"). At runtime, say a request arrives with HTTP credentials: username=bob, password=secret!123. The username is used to build a DN:
CN=bob,OU=Sales,O=Layer 7
The API Gateway then issues a "bind" request to the LDAP server using this DN and the password "secret!123".
If the prefix and suffix are omitted, the API Gateway uses the raw login name as the login for the authentication bind.
The client-provided username must conform to the regular expression defined in the ldap.simple.username.pattern cluster property before it can be used to produce a DN.
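The DN-building and bind steps described above, as an added worked example that is not part of this documentation or the API Gateway code. The username pattern used here is an assumption standing in for the ldap.simple.username.pattern cluster property (whose default is not given on this page), and the bind is simulated against a constructed in-memory directory rather than a real LDAP server.

```python
import re
from typing import Optional

# Assumed example pattern standing in for the ldap.simple.username.pattern
# cluster property; the real default value is not stated on this page.
USERNAME_PATTERN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_bind_dn(username: str, prefix: str = "", suffix: str = "",
                  pattern: re.Pattern = USERNAME_PATTERN) -> Optional[str]:
    """Return the DN the gateway would bind with, or None when the
    client-supplied username fails the pattern check.

    Mirrors the page: the username is validated against the cluster property
    pattern first, then placed between the prefix and suffix. With no prefix
    and no suffix the raw login name is used as-is.
    """
    if not pattern.fullmatch(username):
        # Rejecting here keeps DN separators such as ',' '=' '+' out of the
        # assembled DN, so a login name cannot add or alter RDNs.
        return None
    return f"{prefix}{username}{suffix}"


def simulate_bind(username: str, password: str, directory: dict,
                  prefix: str = "", suffix: str = "") -> bool:
    """Constructed stand-in for the LDAP bind step: 'directory' maps a DN to
    its password. A real deployment sends the bind to the LDAP server."""
    dn = build_bind_dn(username, prefix, suffix)
    if dn is None:
        return False
    return directory.get(dn) == password


if __name__ == "__main__":
    # Constructed directory entry matching the page's example DN.
    fake_dir = {"CN=bob,OU=Sales,O=Layer 7": "secret!123"}
    print(build_bind_dn("bob", "CN=", ",OU=Sales,O=Layer 7"))
    print(simulate_bind("bob", "secret!123", fake_dir, "CN=", ",OU=Sales,O=Layer 7"))
```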
Security Zone
Optionally choose a security zone. To remove this entity from a security zone (security role permitting), choose "No security zone". For more information about security zones, see Understanding Security Zones.
This control is hidden if either: (a) no security zones have been defined, or (b) you do not have Read access to any security zone (regardless of whether you have Read access to entities inside the zones).
Testing the Configuration
You can click [Test] to verify the configuration before completing the wizard. You are prompted to enter the login credentials for the LDAP server. If the credentials and configuration are correct, you should see a message validating the configuration of the Simple LDAP Identity Provider. If an error message is displayed instead, note the configuration problem and take the appropriate corrective action:
Configuration Error: Connection error
Suggested Solution: Verify that all connection details in the wizard are correct.
Configuration Error: Test credentials rejected
Suggested Solution: Verify that the login credentials for the LDAP server have been entered correctly and then try again.
Repeat the testing and fixing until no more errors appear.
The new Simple LDAP Identity Provider appears in the [Identity Providers] tab.