Layer 7 API Management

Expand all | Collapse all

LDAP Configuration issue-his configuration did not yield any user

  • 1.  LDAP Configuration issue-his configuration did not yield any user

    Posted 12-11-2018 04:40 AM

    Hi Team,

    While configuring LDAP Connector Getting error as "This configuration did not yield any user" while testing the configuration detail using test button . Also as per error message seems connectivity is fine but there is no matching data in ldap directory .

     



  • 2.  Re: LDAP Configuration issue-his configuration did not yield any user

    Posted 12-11-2018 03:09 PM

    Good afternoon,

     

    This error can occur for several reasons including how the User Object Classes are configured to match the attributes in the directory schema or that the user does not have the right permissions. What do you have configured on the User Object Classes section of the identity provider?

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support



  • 3.  Re: LDAP Configuration issue-his configuration did not yield any user

    Posted 12-12-2018 10:43 AM

    Thank you Stefhen for replying !!

    I am using all other setting as default , did not change anything under User Object Classes .However now I can say issue resolved .

    Message that I was getting  while clicking over test button  seems that is warning . I have used same connector in LDAP Query assertions and tried to make query to the directory and can see expected response .

    I think Ldap query assertion only using connection string from LDAP connector so other property like user object classes, Group Object Classes  etc  we can set as default .

    What do you think ? Your comment on this would be highly appreciated .

     

    Thanks!

    Prashant Srivastava



  • 4.  Re: LDAP Configuration issue-his configuration did not yield any user

    Posted 12-12-2018 10:46 AM

    Adding on this.

    If we want to create LDAP Identity Provider using restman API ,What would be request xml ?



  • 5.  Re: LDAP Configuration issue-his configuration did not yield any user

    Posted 12-12-2018 02:20 PM

    The request XML for identity provider would be as outlined below and used as a POST against https://gw.support.local:8443/restman/1.0/identityProviders. (Note: I would suggest that you create a secure password first and change the reference ${secpass.<name>.plaintext} in the below payload)

     

    <l7:IdentityProvider xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management" >
    <l7:Name>Sample IDP</l7:Name>
    <l7:IdentityProviderType>LDAP</l7:IdentityProviderType>
    <l7:Properties>
    <l7:Property key="adminEnabled">
    <l7:BooleanValue>true</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="groupCacheMaximumAge">
    <l7:LongValue>60000</l7:LongValue>
    </l7:Property>
    <l7:Property key="groupCacheMaximumAgeUnit">
    <l7:StringValue>minutes</l7:StringValue>
    </l7:Property>
    <l7:Property key="groupCacheSize">
    <l7:IntegerValue>100</l7:IntegerValue>
    </l7:Property>
    <l7:Property key="groupMaximumNesting">
    <l7:IntegerValue>0</l7:IntegerValue>
    </l7:Property>
    <l7:Property key="groupMembershipCaseInsensitive">
    <l7:BooleanValue>true</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="userCertificateUsage">
    <l7:StringValue>None</l7:StringValue>
    </l7:Property>
    <l7:Property key="userLookupByCertMode">
    <l7:StringValue>Common Name from Certificate</l7:StringValue>
    </l7:Property>
    </l7:Properties>
    <l7:Extension>
    <l7:LdapIdentityProviderDetail>
    <l7:SourceType>MicrosoftActiveDirectory</l7:SourceType>
    <l7:ServerUrls>
    <l7:StringValue>ldaps://example.support.local:636</l7:StringValue>
    </l7:ServerUrls>
    <l7:UseSslClientAuthentication>false</l7:UseSslClientAuthentication>
    <l7:SearchBase>DC=support,DC=local</l7:SearchBase>
    <l7:BindDn>queryUser</l7:BindDn>

    <l7:BindPassword>${secpass.<name>.plaintext}</l7:BindPassword>
    <l7:Writable>false</l7:Writable>
    <l7:WriteBase></l7:WriteBase>
    <l7:UserMappings>
    <l7:Mapping>
    <l7:ObjectClass>user</l7:ObjectClass>
    <l7:Mappings>
    <l7:Property key="emailNameAttrName">
    <l7:StringValue>mail</l7:StringValue>
    </l7:Property>
    <l7:Property key="firstNameAttrName">
    <l7:StringValue>givenName</l7:StringValue>
    </l7:Property>
    <l7:Property key="kerberosAttrName">
    <l7:StringValue>sAMAccountName</l7:StringValue>
    </l7:Property>
    <l7:Property key="kerberosEnterpriseAttrName">
    <l7:StringValue>userPrincipalName</l7:StringValue>
    </l7:Property>
    <l7:Property key="lastNameAttrName">
    <l7:StringValue>sn</l7:StringValue>
    </l7:Property>
    <l7:Property key="loginAttrName">
    <l7:StringValue>sAMAccountName</l7:StringValue>
    </l7:Property>
    <l7:Property key="nameAttrName">
    <l7:StringValue>cn</l7:StringValue>
    </l7:Property>
    <l7:Property key="objClass">
    <l7:StringValue>user</l7:StringValue>
    </l7:Property>
    <l7:Property key="passwdAttrName">
    <l7:StringValue>userPassword</l7:StringValue>
    </l7:Property>
    <l7:Property key="userCertAttrName">
    <l7:StringValue>userCertificate</l7:StringValue>
    </l7:Property>
    </l7:Mappings>
    </l7:Mapping>
    </l7:UserMappings>
    <l7:GroupMappings>
    <l7:Mapping>
    <l7:ObjectClass>group</l7:ObjectClass>
    <l7:Mappings>
    <l7:Property key="memberAttrName">
    <l7:StringValue>member</l7:StringValue>
    </l7:Property>
    <l7:Property key="nameAttrName">
    <l7:StringValue>cn</l7:StringValue>
    </l7:Property>
    <l7:Property key="objClass">
    <l7:StringValue>group</l7:StringValue>
    </l7:Property>
    </l7:Mappings>
    <l7:Properties>
    <l7:Property key="memberStrategy">
    <l7:StringValue>Member is User DN</l7:StringValue>
    </l7:Property>
    </l7:Properties>
    </l7:Mapping>
    </l7:GroupMappings>
    <l7:SpecifiedAttributes>
    <l7:StringValue>memberOf</l7:StringValue>
    </l7:SpecifiedAttributes>
    <l7:NtlmProperties>
    <l7:Property key="domain.dns.name">
    <l7:StringValue></l7:StringValue>
    </l7:Property>
    <l7:Property key="domain.netbios.name">
    <l7:StringValue></l7:StringValue>
    </l7:Property>
    <l7:Property key="enabled">
    <l7:StringValue>false</l7:StringValue>
    </l7:Property>
    <l7:Property key="host.dns.name">
    <l7:StringValue></l7:StringValue>
    </l7:Property>
    <l7:Property key="host.netbios.name">
    <l7:StringValue></l7:StringValue>
    </l7:Property>
    <l7:Property key="server.dns.name">
    <l7:StringValue></l7:StringValue>
    </l7:Property>
    <l7:Property key="service.account">
    <l7:StringValue></l7:StringValue>
    </l7:Property>
    <l7:Property key="service.passwordOid">
    <l7:StringValue>7fffffffffffffff0000000001ac8001</l7:StringValue>
    </l7:Property>
    </l7:NtlmProperties>
    </l7:LdapIdentityProviderDetail>
    </l7:Extension>
    </l7:IdentityProvider>

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support



  • 6.  Re: LDAP Configuration issue-his configuration did not yield any user

    Posted 12-12-2018 01:32 PM

    I have seen the test in the identity provider not return users in some instances and still work within policy. It may be that the user object class is missing or not aligned to an attribute for the test but that attribute is not needed for the authentication of the user.

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support



  • 7.  Re: LDAP Configuration issue-his configuration did not yield any user

    Posted 12-20-2018 08:38 PM

    Hello Stephen,

    Few more question came in my mind while developing policy that includes ldap query assertion.

     

    I have to use LDAP connector and LDAP  query assertion in our project I was going through with documentation but did not get all answer .Can anyone please go through with below and help  me?

    I can see reconnect timeout attribute in LDAP Connector and default timeout as 60 sec but what will  be the timeout value when first time Gateway connecting to LDAP instance?
    How many time retry will happen ?
    What will happen in case LDAP server is not listening request from gateway ?(down/slow in response/network glitch )
    What Load balancer mechanism will apply in case we are adding multiple host in LDAP URL ?
    Is there any IP caching at gateway end ?
    Is Gateway have some inbuilt service to check LDAP instances ?
    In case we make a connection with LDAP server ,how long that connection will be active ?Is there some process that is closing inactive connection object ?

     

    Thanks!

    Prashant Srivastava



  • 8.  Re: LDAP Configuration issue-his configuration did not yield any user

    Posted 12-24-2018 12:42 PM

    Prashant,

     

    In response to your questions:

    I can see reconnect timeout attribute in LDAP Connector and default timeout as 60 sec but what will  be the timeout value when first time Gateway connecting to LDAP instance?

    Response: The initial connection timeout is 5s and is controlled by the cluster wide property (CWP) ldap.connection.timeout default 5s. Another setting ldap.read.timeout default 30s for responses to be read from the LDAP.

     

    How many time retry will happen ?

    Response: No retries are attempted.


    What will happen in case LDAP server is not listening request from gateway ?(down/slow in response/network glitch )

    Response: If the gateway is unable to connect to the LDAP server is will place it on the blacklist and will continue on to the next server listed in the LDAP Host URL. The blacklist time can be controlled through the CWP  ldap.reconnect.timeout default 60000 ms or on the individual LDAP Provider configure as Reconnect Timeout (Introduced in version 9.2).


    What Load balancer mechanism will apply in case we are adding multiple host in LDAP URL?

    Response: None it will go through the list starting with the first and will move through the list only if a failure occurs with the first.


    Is there any IP caching at gateway end ?

    Response: If you are referring to IP caching based on host name, we use a 30 second TTL for DNS configuration within JAVA.


    Is Gateway have some inbuilt service to check LDAP instances ?

    Response: No


    In case we make a connection with LDAP server ,how long that connection will be active ?Is there some process that is closing inactive connection object ?

    Response: Once the connection has been deemed inactive it will be cleared out within 60 seconds.

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support



  • 9.  Re: LDAP Configuration issue-his configuration did not yield any user

    Posted 12-30-2018 11:49 PM

    Thank you for your suggestion Stephen!!

    There is one more point that I want to bring while implementing error handling .I was going through with ldap query assertion to implement error handling in case of LDAP down or readtimeout . 

     

    LDAP query assertion have any attribute in response  for error handling ?. For example if  LDAP server is down , Can we capture that dynamic error message and error code in variable ?

     

    Scenario :

    First :

     DB call --> get all user info

    if db is down

    --> Stop complete flow

    In case not getting all the required value fro DB [example name address present in db but salary is not there ]

        LDAP call internal directory 

       if no value return from internal directory 

         LDAP call virtual directory 

    if no value return from virtual directory 

     Continue processing 

    if DB is down or connection timeout 

      Stop flow 

     

    so here problem is I can not segregate both negative scenario --> in case no value return and LDAP readtimeout



  • 10.  Re: LDAP Configuration issue-his configuration did not yield any user

    Posted 01-08-2019 06:02 PM

    Good afternoon,

     

    I've just tested in a Gateway 9.3 and you can build policy that outputs the last audit detail which in turn can be used to make additional policy decision.

     

    <?xml version="1.0" encoding="UTF-8"?>
    <wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
    <wsp:All wsp:Usage="Required">
    <wsp:OneOrMore wsp:Usage="Required">
    <L7p:LDAPQuery>
    <L7p:AttrNames stringArrayValue="included"/>
    <L7p:CacheSize intValue="100"/>
    <L7p:LdapProviderOid goidValue="24f0c594066dc3bf7509a7f5d643fcb9"/>
    <L7p:QueryMappings queryAttributeMappings="included"/>
    <L7p:SearchFilter stringValue="(cn=demo1)"/>
    <L7p:SearchFilterInjectionProtected booleanValue="true"/>
    </L7p:LDAPQuery>
    <L7p:AuditDetailAssertion>
    <L7p:Detail stringValue="Last Audit: ${audit.details.last.fullText}"/>
    <L7p:LoggingOnly booleanValue="true"/>
    </L7p:AuditDetailAssertion>
    </wsp:OneOrMore>
    </wsp:All>
    </wsp:Policy>

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support