How to configure APIX-G to authenticate users from multiple OUs of an LDAP server?
Article ID: KB0083757
Updated On:
| Products | Versions |
|---|---|
| TIBCO API Exchange | ALL |
Description
APIX-G can be configured to authenticate users from multiple OUs in both bind and search modes.
Environment
All supported platforms.
Resolution
There are two ways to achieve this requirement:
1). Configure LDAP Authentication in search-mode. For this, the following properties can be set:
userSearchExpression=
userSearchBaseDN=
userSearchScopeSubtree=true
The value for userSearchBaseDN can be set with the root OU/directory of all the OUs from which users have to be authenticated and with userSearchScopeSubtree set to "true" all the sub-directories/OUs will be used for the search.
2). When LDAP authentication is configured in bind-mode, the value for userDNTemplate should provide the fully-qualified DN of the user on the LDAP server. For example:
<>
If userDNTemplate=cn={0},ou=Support,dc=tibco,dc=com, it can authenticate users in the 'Support' OU.
If the incoming request has user4, then while binding with LDAP, "cn=user4,ou=Support,dc=tibco,dc=com" is used.
Similarly, userDNTemplate=cn={0},ou=PSG,dc=tibco,dc=com, it can authenticate users in the 'PSG' OU.
For the requirement of APIX-G to be able to authenticate(bind) users in different OUs, the following are some sample settings:
- setup my userDNTemplate as "{0},dc=tibco,dc=com
- and send usernames(in the request) for this config as:
cn=user4,ou=Support
cn=user5,ou=PSG
Attached is log file (Filename: MultiOU_auth_testing.log) which shows some sample transactions for this config. Also attached are sample properties files (Filename: LdapAsp.properties and LdapAsp_searchMode.properties) for bind and search modes.
1). Configure LDAP Authentication in search-mode. For this, the following properties can be set:
userSearchExpression=
userSearchBaseDN=
userSearchScopeSubtree=true
The value for userSearchBaseDN can be set with the root OU/directory of all the OUs from which users have to be authenticated and with userSearchScopeSubtree set to "true" all the sub-directories/OUs will be used for the search.
2). When LDAP authentication is configured in bind-mode, the value for userDNTemplate should provide the fully-qualified DN of the user on the LDAP server. For example:
<>
If userDNTemplate=cn={0},ou=Support,dc=tibco,dc=com, it can authenticate users in the 'Support' OU.
If the incoming request has user4, then while binding with LDAP, "cn=user4,ou=Support,dc=tibco,dc=com" is used.
Similarly, userDNTemplate=cn={0},ou=PSG,dc=tibco,dc=com, it can authenticate users in the 'PSG' OU.
For the requirement of APIX-G to be able to authenticate(bind) users in different OUs, the following are some sample settings:
- setup my userDNTemplate as "{0},dc=tibco,dc=com
- and send usernames(in the request) for this config as:
cn=user4,ou=Support
cn=user5,ou=PSG
Attached is log file (Filename: MultiOU_auth_testing.log) which shows some sample transactions for this config. Also attached are sample properties files (Filename: LdapAsp.properties and LdapAsp_searchMode.properties) for bind and search modes.
Issue/Introduction
This article provides samples to configure the API Exchange Gateway engine to authenticate users from multiple OUs of an LDAP server.
Feedback
Yes
No
Powered by
