API Gateway: How to authenticate using LDAP?
What is API Gateway
API Gateways are becoming increasingly crucial for businesses to streamline application communication and redirect API traffic. An API Gateway is a platform a company can use to create, manage, monitor, and maintain its APIs.
Apache APISIX is an example of an open-source API Gateway that grants users access to different API load balancing, dynamic upstreams, rate limiting, authentication, authorization, and other API gateway functionalities in one place. With the help of API Gateways like Apache APISIX and API7 Enterprise, businesses can quickly understand where their API communication is coming from and where it is going while securing their data with robust security protocols.
What is LDAP
LDAP, also known as the Lightweight Directory Access Protocol, is a widely used protocol for directory services. It is an open network protocol that can access and maintain distributed directory information, and it provides authentication, authorization, storage, accounting, and other features.
When used with Apache APISIX, LDAP can provide secure access control based on user identity to prevent hacks and unauthorized access to systems. This ensures that only authorized consumers (e.g., clients, developers, applications) are allowed access. Additionally, organizations can increase their efficiency as they don't need to configure a complex system from scratch.
The most common method to authenticate LDAP clients is Simple Bind Authentication, also known as Password-based Authentication.
Set up API Gateway with LDAP
Setting up Apache APISIX or API7 Enterprise with LDAP authentication is relatively straightforward. It only requires adding some simple LDAP parameters to the API Gateway's configurations. This allows you to authenticate users quickly and securely.
In this post, we will use API7 Enterprise as an API Gateway and the Simple Bind Authentication method of LDAP. This way, LDAP clients only need to provide the correct username
and password
.
Connect to VM
In this post, I’m using the Virtual Machine (2 Cores, 4 GB Memory, Ubuntu 20) with IP 43.154.201.123
.
$ ssh ubuntu@43.154.201.123
Install API7 Enterprise
API7 Enterprise is the On-Premises, Enterprise-grade API management platform based on Apache APISIX.
- Download API7 Enterprise from https://api7.ai/try?product=enterprise
- Follow the instructions to start API7 Enterprise
$ docker pull api7/api7-ee:2.13.2302
$ docker run -d --name api7-ee -p 80:80 -p 443:443 -p 9000:9000 api7/api7-ee:2.13.2302
- Visit
http://43.154.201.123:9000
and upload your License to activate API7 Enterprise
- After activation successfully, you will be redirected to the landing page
Install LDAP Server
OpenLDAP is the leading open-source LDAP Server solution that utilizes LDAP to store and manage a range of data, including user credentials and access control policies.
The following command starts a LDAP server, and creates two default users (user01
and user02
).
$ docker run -d --name openldap \
-p 1389:1389 \
-e LDAP_ROOT=dc=example,dc=org \
-e LDAP_USER_DC=users \
-e LDAP_ADMIN_USERNAME=admin \
-e LDAP_ADMIN_PASSWORD=adminpassword \
-e LDAP_USERS=user01,user02 \
-e LDAP_PASSWORDS=password1,password2 \
bitnami/openldap:2.6
NOTE: Check bitnami/openldap for more configurations.
Connect Containers
Because both API7 Enterprise and OpenLDAP are running in different Docker containers, we need to connect them in the same network, then each container can communicate with another.
$ docker network create gateway-network
$ docker network connect gateway-network openldap
$ docker network connect gateway-network api7-ee
To verify the two containers, openldap
and api7-ee
, are connected, you can run the following command to display details:
$ docker network inspect gateway-network
The expected output should like:
[
{
"Name":"gateway-network",
"Id":"85eb99e8e6fd1f346df8c46cb4a7054c91a7e444fc0f997e3456ed3b8b6f3188",
"Created":"2023-03-12T13:30:25.019881362+08:00",
"Containers":{
"637a557186c956867963430841f18e937ec1080961a33bc46910c80dd42152e0":{
"Name":"api7-ee",
"EndpointID":"8a2e850f7699f93730bc451ac726a4369a90c83c215c30f19dcd98f40c8a5044",
"IPv4Address":"172.20.0.3/16"
},
"94ff86314d7fca86cf58a3d2e1d095be6716e4196228c3d4632bb89e2b9fdaa2":{
"Name":"openldap",
"EndpointID":"12300f598caa3587fba93989a5bf1bc6e68f5677e869c86f3fe60e63411206d7",
"IPv4Address":"172.20.0.2/16"
}
}
}
]
Configure API7 Enterprise
- Click
View
to enter the defaultCluster Dashboard
. - Click
Workspaces
to show all workspaces you have created (Empty yet). - Click
Create
to create a newWorkspace
with the following information (check snapchat), and clickSubmit
.
- Click
View
to enter theLDAP Workspace
. - Click
API -> Plugin Template
and clickCreate
. - Search the
ldap-auth
plugin, clickEnable
and enter the configuration:
{
"ldap_uri": "openldap:1389",
"use_tls": false,
"base_dn": "ou=users,dc=example,dc=org",
"uid": "cn"
}
- Click
Upstream -> Creatm
to create an Upstream:
- Click
API -> List -> Create
to create an API:
- Click
Consumer -> Create
to create a new consumer:
The following configuration binds user01
to the consumer LDAP_Consumer
, which means only the user01
user can access the APIs.
{
"user_dn": "cn=user01,ou=users,dc=example,dc=org"
}
Validate
- Send a request without any username or password
$ curl -i 127.0.0.1/ip -H "Host: example.com"
# Response
HTTP/1.1 401 Unauthorized
Date: Sun, 12 Mar 2023 05:56:31 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
WWW-Authenticate: Basic realm='.'
Server: APISIX/2.13.2302
{"message":"Missing authorization in request"}
- Send a request with the wrong username and password
$ curl -i 127.0.0.1/ip -H "Host: example.com" -u user01:wrongpassword
HTTP/1.1 401 Unauthorized
Date: Sun, 12 Mar 2023 06:06:52 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.13.2302
{"message":"Invalid user authorization"}
- Send a request with the correct username and password, and the username
user01
is bound with one consumerLDAP_Consumer
$ curl -i 127.0.0.1/ip -H "Host: example.com" -u user01:password1
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 45
Connection: keep-alive
Date: Sun, 12 Mar 2023 06:08:23 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: APISIX/2.13.2302
{
"origin": "172.17.0.1, 43.154.201.123"
}
- Send a request with the correct username and password, but the username
user02
is not bound with one consumer
$ curl -i 127.0.0.1/ip -H "Host: example.com" -u user02:password2
HTTP/1.1 401 Unauthorized
Date: Sun, 12 Mar 2023 06:09:54 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.13.2302
{"message":"Invalid API key in request"}
Pitfalls to avoid when implementing an API Gateway with LDAP authentication
When implementing an API Gateway with LDAP authentication, there are a few common pitfalls to be aware of to ensure successful integration and prevent data loss.
Firstly, credential management and rotation are essential when setting up the gateway initially and afterward – if your passwords become compromised or expire, you risk getting locked out of your system.
Secondly, extra security measures should be taken to minimize any potential of infiltration by malicious actors; things such as session timeouts, administrative permissions control (who has access to significant resources), and authentication token audits may all contribute to a safe environment.
Finally, ensure that reliable customer support is available so that any issues arising during the implementation process can be addressed efficiently. If you're using Apache APISIX, its original creator, API7.ai, can provide professional and quick support.
Conclusion
We now understand what an API Gateway is and why it is necessary. We have also learned how to utilize the API Gateway, API7 Enterprise, to authenticate using LDAP, and the benefits and common pitfalls to avoid when implementing authentication.
LDAP authentication with an API gateway can help you establish a secure system and a solid foundation for your RESTful APIs. If you want control over your authorization process and are looking for a way to enhance security measures in accessing your APIs, consider trying out Apache APISIX-based solutions such as API7 Enterprise and API7 Cloud. With their advanced capabilities and impressive feature set, you can experience ultimate performance at every layer of your app stack.