Layer7 API Management

  • 1.  API Portal integration with LDAP

    Posted May 03, 2016 07:21 PM

    Hello there,

    I'm integrating the API Portal with the LDAP for the authentication of internal and external users.

    I have followed all the steps outlined in Integrate LDAP Servers with the API Portal - CA API Developer Portal - 3.5 - CA Technologies Documentation

    1. Created Groups in LDAP.

    2. Integrated gateway with LDAP.

    3. Configured Auth and management service in gateway.

    4. Edited the <RoleMappings/> in Layer 7 Auth plugin in API portal.

    5. Enabled the LDAP authentication like <Startup started="yes" enabled="yes"/>

    6. Changed href="ldapauthenticator.xml" in the system/conf.

    7. Rebooted API Portal VM.

    8. Tested the user in the LDAP connection test tool in API Portal and it gave me a success response.

    However, when I tried to log in to the dashboard, it throws an error saying that a user with the specified name was not found.

     

    Can someone please help me with this.

     

    Thanks,

    Sravan



  • 2.  Re: API Portal integration with LDAP

    Broadcom Employee
    Posted May 04, 2016 12:24 PM

    Hello Sravan,

     

    Don't forget to create the Groups in the LDAP (i.e., Administrator, ApiOwner, RegisteredUser, OrganizationAdmin, etc.) and reference them in "Edit Settings" of the "Layer7 Auth" plugin by exactly the same name.

     

    If you see an error message something like "No user found", you will have to create the user in LDAP and make him part of any one of the groups. Or else, if the user is found, but if it says something like "Not enabled", then you have a problem with RoleMappings.

     

    The catalina.out log calls it out clearly.

     

    HTH.

     

    Best Regards,

    Vaseem



  • 3.  Re: API Portal integration with LDAP

    Posted May 04, 2016 12:36 PM

    Hello Vaseem,

    Thank you for the reply.

    I did create the groups in LDAP, but with different names which suit my case best: ADMINS, SUPER ADMINS, DEVELOPERS and USERS. I also added the members to the group. The screenshot below shows the LDAP test is successful, which means the user also exists.

     

    I have mapped this user to the admin by adding one more line to <Rolemappings></Rolemappings> as

    <RoleMapping>
      <Role>administrator</Role>
      <Mapping>SUPERADMIN</Mapping>
    </RoleMapping>

    While I'm logging in to the portal, it throws the error below.

     

    I'm pretty sure this user is in the right group, as he can log in to the Policy Manager using the same group.

     

    Thanks,

    Sravan



  • 4.  Re: API Portal integration with LDAP

    Broadcom Employee
    Posted May 04, 2016 12:42 PM

    The name of the Group in LDAP must be exactly the same as you mention it in the RoleMappings, or vice versa.

    The catalina.sh log from /opt/Deployments/lrs/server/logs should give you a little more detail on that.

    Also, if you have created the user from Sign Up or Developer Invitation, in order to activate his account, you must use the activation link sent out in the email. It doesn't work if you enable his account from the CMS Admin console.

     

    Regards, Vaseem
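Added example (not part of the original posts and not Layer7/CA code): a small check that compares each `<Mapping>` value in a RoleMappings fragment against the LDAP group names and reports anything that is not an exact match, which is the condition the reply above describes. The `<RoleMappings>` wrapper, the second `RegisteredUser`/`USERS` entry and the 0.8 similarity cutoff are assumptions made for the example; the first entry and the group names are the ones quoted in this thread.

```python
import difflib
import re
import xml.etree.ElementTree as ET

# First entry is the RoleMapping posted in the thread; the wrapper element and
# the second entry are constructed for this example.
ROLE_MAPPINGS_XML = """
<RoleMappings>
  <RoleMapping><Role>administrator</Role><Mapping>SUPERADMIN</Mapping></RoleMapping>
  <RoleMapping><Role>RegisteredUser</Role><Mapping>USERS</Mapping></RoleMapping>
</RoleMappings>
"""

# Group names as listed in the thread.
LDAP_GROUPS = ["ADMINS", "SUPER ADMINS", "DEVELOPERS", "USERS"]


def fold(name):
    """Strip case, whitespace, '_' and '-' (used only to suggest near matches)."""
    return re.sub(r"[\s_-]+", "", name).casefold()


def check_role_mappings(xml_text, ldap_groups):
    """Classify every <RoleMapping> as exact, near-miss or missing."""
    by_folded = {fold(g): g for g in ldap_groups}
    findings = []
    for rm in ET.fromstring(xml_text).iter("RoleMapping"):
        role = (rm.findtext("Role") or "").strip()
        mapping = (rm.findtext("Mapping") or "").strip()
        if mapping in ldap_groups:  # exact, case-sensitive comparison
            status, candidates = "exact", [mapping]
        else:
            close = difflib.get_close_matches(
                fold(mapping), list(by_folded), n=3, cutoff=0.8)
            candidates = [by_folded[c] for c in close]
            status = "near-miss" if candidates else "missing"
        findings.append({"role": role, "mapping": mapping,
                         "status": status, "candidates": candidates})
    return findings


if __name__ == "__main__":
    for f in check_role_mappings(ROLE_MAPPINGS_XML, LDAP_GROUPS):
        print(f"{f['role']:<16} {f['mapping']:<12} {f['status']:<10} {f['candidates']}")
```
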



  • 5.  Re: API Portal integration with LDAP

    Posted May 04, 2016 01:51 PM

    Hello Vaseem,

    Below is what the catalina.out gave me. Do you have any clue? I haven't created the user from the signup page or developer invitation. This user already exists in LDAP.

    May 03, 2016 9:44:50 PM com.l7tech.extension.ExtensionManagerPlugin getExtension
    INFO: getExtension: authenticationHandler
    05/03 21:44:50.860 DEBUG (http-37080-7:) - [ExtensionManagerPlugin general] -- Extension does not belong to known handler types. Probably a custom handler? class com.l7tech.ldap.GatewayAuthenticationPlugin
    May 03, 2016 9:44:50 PM com.l7tech.ldap.RequestUtil processRequest
    INFO: Response Status Code:200
    May 03, 2016 9:44:50 PM com.l7tech.ldap.GatewayAuthenticationPlugin authenticate
    WARNING: Login attribute (login) from GIMS doesn't match username provided by user. Found:  expected: skanumur
    05/03 21:44:50.979 DEBUG (http-37080-7:) - [XSLTUtil general] -- XSLTUtil.translate: XSLT in:161194 out:1553 time: 7 ms.
    05/03 21:44:50.979 DEBUG (http-37080-7:) - [EditingUtils timings] -- Internal request /internal/layer7/change-password/form-writer/skanumur (HEAD - en)  PRE - Threads:49 Memory max:1908932608 total:1704460288 free:560032736
      >> Undefined (SiteVarUpdater) in 0 ms
      >> MainContent (XMLDocument) in 1 ms
      >> ReferenceContent (XMLDocument) in 0 ms
      >> ReferenceContent (XMLDocument) in 0 ms
      >> ReferenceContent (XMLDocument) in 0 ms
      >> ReferenceContent (XMLDocument) in 0 ms
      >> ReferenceContent (XMLDocument) in 0 ms
      >> ReferenceContent (DocumentListing) in 26 ms
      >> ReferenceContent (XMLDocument) in 0 ms
      Created XML for pagerule [webadmin-change-password] in 28 ms

     

    Thank you
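Added example (not part of the original posts and not Layer7/CA code): a triage helper for catalina.out excerpts like the one above. It pairs each two-line record (timestamp/class/method line, then `LEVEL: message`) and pulls out the "Login attribute ... doesn't match" warnings, flagging the case seen here where the `Found:` value is empty. The regular expressions are assumptions derived only from the lines quoted in this thread.

```python
import re

# Excerpt copied from the catalina.out lines quoted in the post above.
SAMPLE_LOG = """\
May 03, 2016 9:44:50 PM com.l7tech.ldap.RequestUtil processRequest
INFO: Response Status Code:200
May 03, 2016 9:44:50 PM com.l7tech.ldap.GatewayAuthenticationPlugin authenticate
WARNING: Login attribute (login) from GIMS doesn't match username provided by user. Found:  expected: skanumur
05/03 21:44:50.979 DEBUG (http-37080-7:) - [XSLTUtil general] -- XSLTUtil.translate: XSLT in:161194 out:1553 time: 7 ms.
"""

# First line of a record: "<Mon DD, YYYY h:mm:ss AM|PM> <class> <method>"
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<cls>[\w.$]+) (?P<method>\w+)$")
# Second line of the record we care about.
MISMATCH = re.compile(
    r"^WARNING: Login attribute \((?P<attr>[^)]*)\) from GIMS doesn't match "
    r"username provided by user\. Found:(?P<found>.*?) expected:(?P<expected>.*)$")


def find_login_mismatches(log_text):
    """Return one dict per login-attribute mismatch warning in log_text."""
    results, header = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines between records
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        w = MISMATCH.match(line)
        if w:
            found = w["found"].strip()
            results.append({
                "timestamp": header["ts"] if header else None,
                "source": f'{header["cls"]}.{header["method"]}' if header else None,
                "attribute": w["attr"],
                "found": found,
                "expected": w["expected"].strip(),
                "found_empty": found == "",  # nothing was logged after "Found:"
            })
        header = None  # a header only applies to the line right after it
    return results
```
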



  • 6.  Re: API Portal integration with LDAP
    Best Answer

    Posted May 04, 2016 01:56 PM

    Sravan,

    It appears that you are experiencing a configuration issue with your user mapping. We would be interested in confirming your configuration steps, seeing your catalina.out log as well as confirming version and platform information.

     

    In order to assist you with this issue in the most time-efficient manner, please contact CA Support so that a ticket can be filed in our issue tracker.

     

    Mark Swan

    Manager – API Developer Portal