API Gateway: How to authenticate using LDAP?

What is API Gateway

API Gateways are becoming increasingly crucial for businesses to streamline application communication and redirect API traffic. An API Gateway is a platform a company can use to create, manage, monitor, and maintain its APIs.

Apache APISIX is an example of an open-source API Gateway that grants users access to different API load balancing, dynamic upstreams, rate limiting, authentication, authorization, and other API gateway functionalities in one place. With the help of API Gateways like Apache APISIX and API7 Enterprise, businesses can quickly understand where their API communication is coming from and where it is going while securing their data with robust security protocols.


What is LDAP

LDAP, also known as the Lightweight Directory Access Protocol, is a widely used protocol for directory services. It is an open network protocol that can access and maintain distributed directory information, and it provides authentication, authorization, storage, accounting, and other features.

When used with Apache APISIX, LDAP can provide secure access control based on user identity to prevent hacks and unauthorized access to systems. This ensures that only authorized consumers (e.g., clients, developers, applications) are allowed access. Additionally, organizations can increase their efficiency as they don't need to configure a complex system from scratch.

The most common method to authenticate LDAP clients is Simple Bind Authentication, also known as Password-based Authentication.

Set up API Gateway with LDAP

Setting up Apache APISIX or API7 Enterprise with LDAP authentication is relatively straightforward. It only requires adding some simple LDAP parameters to the API Gateway's configurations. This allows you to authenticate users quickly and securely.

In this post, we will use API7 Enterprise as an API Gateway and the Simple Bind Authentication method of LDAP. This way, LDAP clients only need to provide the correct username and password.

Connect to VM

In this post, I'm using a virtual machine (2 cores, 4 GB memory, Ubuntu 20) with the IP address 43.154.201.123.

$ ssh ubuntu@43.154.201.123

Install API7 Enterprise

API7 Enterprise is an on-premises, enterprise-grade API management platform based on Apache APISIX.

  1. Download API7 Enterprise from https://api7.ai/try?product=enterprise
  2. Follow the instructions to start API7 Enterprise:

$ docker pull api7/api7-ee:2.13.2302

$ docker run -d --name api7-ee -p 80:80 -p 443:443 -p 9000:9000 api7/api7-ee:2.13.2302

  3. Visit http://43.154.201.123:9000 and upload your License to activate API7 Enterprise
  4. After successful activation, you will be redirected to the landing page

Install LDAP Server

OpenLDAP is the leading open-source LDAP Server solution that utilizes LDAP to store and manage a range of data, including user credentials and access control policies.

The following command starts an LDAP server and creates two default users (user01 and user02):

$ docker run -d --name openldap \
  -p 1389:1389 \
  -e LDAP_ROOT=dc=example,dc=org \
  -e LDAP_USER_DC=users \
  -e LDAP_ADMIN_USERNAME=admin \
  -e LDAP_ADMIN_PASSWORD=adminpassword \
  -e LDAP_USERS=user01,user02 \
  -e LDAP_PASSWORDS=password1,password2 \
  bitnami/openldap:2.6

NOTE: Check bitnami/openldap for more configurations.

Connect Containers

Because API7 Enterprise and OpenLDAP run in different Docker containers, we need to attach them to the same network so that each container can reach the other.

$ docker network create gateway-network

$ docker network connect gateway-network openldap

$ docker network connect gateway-network api7-ee

To verify the two containers, openldap and api7-ee, are connected, you can run the following command to display details:

$ docker network inspect gateway-network

The expected output should look like:

[
    {
        "Name":"gateway-network",
        "Id":"85eb99e8e6fd1f346df8c46cb4a7054c91a7e444fc0f997e3456ed3b8b6f3188",
        "Created":"2023-03-12T13:30:25.019881362+08:00",
        "Containers":{
            "637a557186c956867963430841f18e937ec1080961a33bc46910c80dd42152e0":{
                "Name":"api7-ee",
                "EndpointID":"8a2e850f7699f93730bc451ac726a4369a90c83c215c30f19dcd98f40c8a5044",
                "IPv4Address":"172.20.0.3/16"
            },
            "94ff86314d7fca86cf58a3d2e1d095be6716e4196228c3d4632bb89e2b9fdaa2":{
                "Name":"openldap",
                "EndpointID":"12300f598caa3587fba93989a5bf1bc6e68f5677e869c86f3fe60e63411206d7",
                "IPv4Address":"172.20.0.2/16"
            }
        }
    }
]

Configure API7 Enterprise

  1. Click View to enter the default Cluster Dashboard.
  2. Click Workspaces to show all workspaces you have created (empty so far).
  3. Click Create to create a new Workspace with the following information (see the screenshot), and click Submit.
  4. Click View to enter the LDAP Workspace.
  5. Click API -> Plugin Template and click Create.
  6. Search for the ldap-auth plugin, click Enable and enter the configuration:

{
  "ldap_uri": "openldap:1389",
  "use_tls": false,
  "base_dn": "ou=users,dc=example,dc=org",
  "uid": "cn"
}

  7. Click Upstream -> Create to create an Upstream:

  8. Click API -> List -> Create to create an API:

  9. Click Consumer -> Create to create a new consumer:

The following configuration binds user01 to the consumer LDAP_Consumer, which means only the user01 user can access the APIs.

{
  "user_dn": "cn=user01,ou=users,dc=example,dc=org"
}

Validate

  1. Send a request without any username or password:

$ curl -i 127.0.0.1/ip -H "Host: example.com"

# Response

HTTP/1.1 401 Unauthorized
Date: Sun, 12 Mar 2023 05:56:31 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
WWW-Authenticate: Basic realm='.'
Server: APISIX/2.13.2302

{"message":"Missing authorization in request"}

  2. Send a request with the wrong username and password:

$ curl -i 127.0.0.1/ip -H "Host: example.com" -u user01:wrongpassword

HTTP/1.1 401 Unauthorized
Date: Sun, 12 Mar 2023 06:06:52 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.13.2302

{"message":"Invalid user authorization"}

  3. Send a request with the correct username and password, where the username user01 is bound to the consumer LDAP_Consumer:

$ curl -i 127.0.0.1/ip -H "Host: example.com" -u user01:password1

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 45
Connection: keep-alive
Date: Sun, 12 Mar 2023 06:08:23 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: APISIX/2.13.2302

{
  "origin": "172.17.0.1, 43.154.201.123"
}

  4. Send a request with the correct username and password, but where the username user02 is not bound to any consumer:

$ curl -i 127.0.0.1/ip -H "Host: example.com" -u user02:password2

HTTP/1.1 401 Unauthorized
Date: Sun, 12 Mar 2023 06:09:54 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.13.2302

{"message":"Invalid API key in request"}
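The four responses above come from two separate checks: the gateway builds the user DN as `<uid>=<username>,<base_dn>` and performs a simple bind with the supplied password, and only then looks for a consumer whose user_dn equals that DN. The following Python simulation of that decision logic is added here and is not APISIX or API7 code; FAKE_DIRECTORY and simple_bind are a constructed in-memory stand-in for the OpenLDAP container, and the empty-password and DN-metacharacter checks are defensive additions the post does not discuss.

```python
import base64
from typing import Callable, Optional, Tuple

# Constructed in-memory stand-in for the OpenLDAP container on this page:
# DN -> password for the two users created via LDAP_USERS / LDAP_PASSWORDS.
FAKE_DIRECTORY = {
    "cn=user01,ou=users,dc=example,dc=org": "password1",
    "cn=user02,ou=users,dc=example,dc=org": "password2",
}
# ldap-auth plugin settings taken from the post's configuration.
PLUGIN_CONF = {"base_dn": "ou=users,dc=example,dc=org", "uid": "cn"}
# Consumers keyed by their user_dn; only user01 is bound (LDAP_Consumer).
CONSUMERS = {"cn=user01,ou=users,dc=example,dc=org": "LDAP_Consumer"}
DN_METACHARS = set(',=+\\"<>;')  # would let a username alter the built DN


def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind; a real gateway talks to ldap_uri."""
    return FAKE_DIRECTORY.get(dn) == password


def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header that curl -u sends."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def authenticate(headers: dict, bind: Callable[[str, str], bool] = simple_bind
                 ) -> Tuple[int, str, Optional[str]]:
    """Return (status, message, consumer), mirroring the post's four responses."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, "Missing authorization in request", None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, "Invalid user authorization", None
    # Defensive checks not in the post: RFC 4513 treats a DN with an empty
    # password as an *unauthenticated* bind that many servers accept, and DN
    # metacharacters in the username would change which entry gets bound.
    if not password or DN_METACHARS & set(user):
        return 401, "Invalid user authorization", None
    user_dn = f"{PLUGIN_CONF['uid']}={user},{PLUGIN_CONF['base_dn']}"
    if not bind(user_dn, password):          # wrong password -> bind fails
        return 401, "Invalid user authorization", None
    consumer = CONSUMERS.get(user_dn)        # bind ok, but is this DN bound?
    if consumer is None:
        return 401, "Invalid API key in request", None
    return 200, "OK", consumer
```

Simple bind transmits the password as-is, so the "use_tls": false setting in the plugin configuration is only reasonable while the gateway and OpenLDAP talk over the private gateway-network.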

Pitfalls to avoid when implementing an API Gateway with LDAP authentication

When implementing an API Gateway with LDAP authentication, there are a few common pitfalls to be aware of to ensure successful integration and prevent data loss.

Firstly, credential management and rotation are essential, both when setting up the gateway initially and afterwards: if your passwords become compromised or expire, you risk being locked out of your system.

Secondly, extra security measures should be taken to minimize the potential for infiltration by malicious actors: session timeouts, control of administrative permissions (who has access to significant resources), and audits of authentication tokens all contribute to a safe environment.

Finally, ensure that reliable customer support is available so that any issues arising during the implementation process can be addressed efficiently. If you're using Apache APISIX, its original creator, API7.ai, can provide professional and quick support.

Conclusion

We now understand what an API Gateway is and why it is necessary. We have also learned how to utilize the API Gateway, API7 Enterprise, to authenticate using LDAP, and the benefits and common pitfalls to avoid when implementing authentication.

LDAP authentication with an API gateway can help you establish a secure system and a solid foundation for your RESTful APIs. If you want control over your authorization process and are looking for a way to enhance security measures in accessing your APIs, consider trying out Apache APISIX-based solutions such as API7 Enterprise and API7 Cloud. With their advanced capabilities and impressive feature set, you can experience ultimate performance at every layer of your app stack.