Layer7 API Management

  • 1.  Pass-through auth via LDAP

    Posted Sep 13, 2019 03:38 PM
    Edited by Petar Banicevic Sep 14, 2019 07:15 AM
    I want to set up LDAP pass-through:

    LDAP Client -> Gateway listener -> Policy -> Internal LDAP
    [----- SSL 1 -------------------------------][---- SSL 2 --------------------]

    I am exploring this possibility:

    LDAP Client -> Gateway l7.raw.tcp listener -> policy using assertion "Raw TCP Routing" -> Internal LDAP
    [----- SSL 1 ------------------------------------------][---- SSL 2 ------------------------------------------------------------------]

    But how do I terminate and set up the SSL sessions? Can someone clarify the steps that need to be done?
    (The content type application/octet worries me too, in the raw listener and the TCP routing assertion.)

    Is there a more appropriate solution for LDAP pass-through?


  • 2.  RE: Pass-through auth via LDAP
    Best Answer

    Broadcom Employee
    Posted Sep 15, 2019 07:46 PM
    Dear Petar,
    Usually we use an identity provider for authentication:
    1. Create an LDAP identity provider:
    https://docops.ca.com/ca-api-gateway/9-4/en/security-configuration-in-policy-manager/identity-providers/ldap-identity-providers/creating-an-ldap-or-simple-ldap-identity-provider
    2. In your policy:
    Require HTTP Basic Credentials
    Authenticate against xxx identity provider
    (xxx is the name of your LDAP identity provider from step 1)

    Regards,
    Mark


  • 3.  RE: Pass-through auth via LDAP

    Posted Oct 01, 2019 02:15 PM
    Edited by Petar Banicevic Oct 01, 2019 02:49 PM
    Dear Mark

    I did what you proposed, but I am not sure it solves my problem. Maybe we are talking about a different scenario. To clarify:

    • My phone has settings in which I am supposed to enter an LDAP server address, and the phone talks the LDAP protocol. In my case that LDAP server will be the gateway itself, which should check for LDAP injection and, if there is none, pass the data through to the internal LDAP server.

    In your last post you proposed making a simple LDAP connector, which was easy... Then you suggested doing a policy with basic auth, and I got lost, because policies are linked to an HTTP listener (GET/POST/etc.) while the phone talks LDAP, not HTTP. That's why I asked if I should use the RAW listener.

    Are we on the same page with this question?

    Thanks
    Peter

    PS - even worse, the phone comes with the LDAPS protocol, so the gateway is the termination point, and before passing through to the internal LDAP I need LDAPS again... but leave this part out for now.
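    The inspection step Peter describes above (terminate the phone's connection, check the bind for LDAP injection, then pass it through) written out as an added Python example. This is not Layer7 gateway code or a policy assertion; it assumes a raw TCP listener hands the policy the client's decrypted bytes and that the bind is a simple bind. It decodes the BER-encoded BindRequest from RFC 4511, extracts the bind DN, and flags unescaped RFC 4514 DN specials and RFC 4515 filter metacharacters. The LDAP messages it checks are constructed inline.

```python
"""Inspect a raw LDAP BindRequest before forwarding it to the internal server.

Added example, not Layer7 gateway code: a minimal BER decoder for the
LDAPMessage/BindRequest shape in RFC 4511, plus a check of the bind DN for
unescaped special characters. All sample messages are constructed here.
"""
import re

# RFC 4514 specials that must be escaped inside a DN attribute value (backslash
# itself is the escape character and is handled by the scanner below).
DN_SPECIALS = set(',+"<>;')
# RFC 4515 filter metacharacters; legal in a DN, but flagged as a conservative
# policy because a gateway typically reuses the bind DN inside a search filter.
FILTER_META = set("()*\x00")


def ber_tlv(tag, value):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def ber_read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long form: low bits count length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(msg_id, dn, password):
    """Encode LDAPMessage{messageID, BindRequest{version 3, name, simple}}.

    Constructed test input standing in for what the phone would send.
    """
    bind = (ber_tlv(0x02, b"\x03")                       # version 3
            + ber_tlv(0x04, dn.encode("utf-8"))          # name: LDAPDN
            + ber_tlv(0x80, password.encode("utf-8")))   # simple [0] OCTET STRING
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ber_tlv(0x60, bind))


def parse_bind_request(message):
    """Return (message_id, bind_dn) for a BindRequest, or None for anything else."""
    tag, body, _ = ber_read_tlv(message, 0)
    if tag != 0x30:                          # LDAPMessage is a SEQUENCE
        return None
    tag, mid, pos = ber_read_tlv(body, 0)
    if tag != 0x02:                          # messageID INTEGER
        return None
    tag, bind, _ = ber_read_tlv(body, pos)
    if tag != 0x60:                          # [APPLICATION 0] = BindRequest
        return None
    _tag, _version, pos = ber_read_tlv(bind, 0)
    tag, name, _ = ber_read_tlv(bind, pos)
    if tag != 0x04:
        return None
    return int.from_bytes(mid, "big"), name.decode("utf-8", "replace")


def dn_injection_findings(dn):
    """Describe every RDN whose value carries unescaped special characters."""
    findings = []
    for rdn in re.split(r"(?<!\\),", dn):    # split on commas that are not escaped
        if "=" not in rdn:
            findings.append(f"malformed RDN {rdn!r}")
            continue
        attr, value = rdn.split("=", 1)
        bad = set()
        i = 0
        while i < len(value):
            if value[i] == "\\":             # backslash escapes the next character
                i += 2
                continue
            if value[i] in DN_SPECIALS or value[i] in FILTER_META:
                bad.add(value[i])
            i += 1
        if bad:
            findings.append(f"{attr.strip()}={value!r} contains {sorted(bad)}")
    return findings


def inspect_bind(message):
    """Decide whether a raw client message may be forwarded to the internal LDAP."""
    parsed = parse_bind_request(message)
    if parsed is None:
        return {"forward": False, "reason": "not a BindRequest"}
    msg_id, dn = parsed
    findings = dn_injection_findings(dn)
    return {"forward": not findings, "message_id": msg_id, "dn": dn, "findings": findings}


if __name__ == "__main__":
    for dn in ("cn=admin,dc=example,dc=com", "cn=admin)(|(cn=*),dc=example,dc=com"):
        print(inspect_bind(build_simple_bind(1, dn, "secret")))
```

    The check rejects rather than rewrites: a DN with unescaped metacharacters is not forwarded, so the internal server never sees it. The two TLS legs in the diagram (SSL 1 terminated at the gateway, SSL 2 to the internal LDAP) are outside this code; it only sees the plaintext between them.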


  • 4.  RE: Pass-through auth via LDAP

    Broadcom Employee
    Posted Oct 01, 2019 07:44 PM
    In my opinion, it's not a good practice to let the client query LDAP directly.
    But if that's how it was designed, then the client should connect to the real LDAP server.
    The gateway is not an LDAP server.

    If you want to hide the LDAP server, then the client needs to be changed to use other authentication methods, such as OAuth/HTTP basic/client cert/etc., which are supported by the Layer7 gateway.

    Regards,
    Mark