Layer7 API Management

  • 1.  Gateway administration with AD

    Posted Jun 08, 2017 10:31 AM

    Hi, I am running API Gateway 9.2. I have an AD as Identity Provider authenticating/authorizing users for assertions. For administration purposes, I have created internal users and assigned them certain roles such as 'Manage log sinks'. Instead of creating internal users, can I use an AD group to administer the gateway? Can someone help me with how this can be done? Thanks.

    When I search for an internal user I have:

    When I search for a group in AD I have: I don't have the Roles/Groups tabs. Membership describes which groups this object is a memberOf within AD.



  • 2.  Re: Gateway administration with AD

    Posted Jun 08, 2017 02:39 PM

    Hello Sam,

    Have you tried going to Manage Roles and assigning a group or AD user to a Role?

    Normally, you are able to assign an AD group/user to a Role, but I have seen issues with AD group assignment. You might be better off with an AD user assigned to the role directly.

    Having a Group assigned might cause performance issues, due to a group being a member of other groups or having too many users that are members of other groups...

     

    Thanks

    CA Support

    Kemal Ajan



  • 3.  Re: Gateway administration with AD

    Posted Jun 08, 2017 05:53 PM

    Thanks for your response, Kemal. I tried following your suggestion, but I still don't see AD or my X509 Identity Providers in the drop-down. Only Internal Identity Provider shows up.



  • 4.  Re: Gateway administration with AD
    Best Answer

    Broadcom Employee
    Posted Jun 08, 2017 09:53 PM

    Hello SamWalker,

    You can add a role to an LDAP user only when administrative access has been enabled for the LDAP Identity Provider.

    It's on the first step of the LDAP identity provider wizard, or the first screen when you edit the properties of the LDAP Identity Provider: check the option "Allow assignment to administrative roles".

    Regards,

    Mark



  • 5.  Re: Gateway administration with AD

    Posted Jun 15, 2017 11:47 AM

    I've also noticed that AD users are still subject to deactivation due to inactivity, and the only way I find to unlock them is by updating their login record in the database. Is that a known issue or is there another way to reactivate them?



  • 6.  Re: Gateway administration with AD

    Broadcom Employee
    Posted Jun 25, 2017 09:13 PM

    Hi Ben.Deutsch,

    I may misunderstand your question. But AD users won't be stored in the gateway database; if AD users are inactive, or have any other problem, it needs to be fixed on the AD side.

    Regards,

    Mark



  • 7.  Re: Gateway administration with AD

    Posted Jun 26, 2017 12:25 PM

    As a matter of fact, they are tracked in the logon_info table when used to log in via Policy Manager.

    Create an AD provider, mark it to 'allow assignment to administrative roles', allocate an AD account for access to a gateway role, log in with that AD account, then run the following query in MySQL:

    select p.name, u.login, u.fail_count, u.last_attempted, u.last_activity, u.state from logon_info u, identity_provider p where u.provider_goid=p.goid;
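    The following audit queries are an added example and not part of the post above or of the Layer7 product; they use only the two tables and the columns the post's query already exposes (logon_info: login, fail_count, last_attempted, last_activity, state, provider_goid; identity_provider: name, goid). The column types and the set of values stored in logon_info.state are not assumed, which is why the first query enumerates the states rather than filtering on a particular one. Run them against the gateway database the same way as the query above.

```sql
-- Added example (not from the thread): audit queries over the same two tables
-- the post above joins. Only columns visible in the thread are used; the values
-- that logon_info.state can hold are NOT assumed, so query 1 enumerates them.

-- 1. Admin-capable login records per identity provider and state. A state other
--    than the one your working accounts show is the "deactivated" case this
--    thread is about, and it is visible here even for AD-backed logins.
SELECT p.name   AS provider,
       u.state  AS state,
       COUNT(*) AS accounts
FROM   logon_info u
JOIN   identity_provider p ON p.goid = u.provider_goid
GROUP  BY p.name, u.state
ORDER  BY p.name, u.state;

-- 2. Login records with failed attempts, most recent first. A high fail_count
--    points at repeated bad passwords against an admin login rather than at the
--    inactivity rule, so the two causes of a locked record can be told apart.
SELECT p.name, u.login, u.fail_count, u.last_attempted, u.last_activity, u.state
FROM   logon_info u
JOIN   identity_provider p ON p.goid = u.provider_goid
WHERE  u.fail_count > 0
ORDER  BY u.fail_count DESC, u.last_attempted DESC;

-- 3. Least recently active admin logins. The records at the top are the ones the
--    gateway's inactivity rule will deactivate next, which is worth reviewing
--    before an operator finds out at login time.
SELECT p.name, u.login, u.last_activity, u.state
FROM   logon_info u
JOIN   identity_provider p ON p.goid = u.provider_goid
ORDER  BY u.last_activity ASC
LIMIT  20;
```

    Query 1 is the one to run first: it tells you which state values your installation actually uses, so that any later filtering on u.state is based on observed values rather than guessed ones.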



  • 8.  Re: Gateway administration with AD

    Broadcom Employee
    Posted Jun 26, 2017 10:12 PM

    I see, thank you. I'm not sure, but I still think the account status should come from AD.

    And for the users from AD, on their properties window, all properties are grayed out and there is no "Activate" button.

    If the gateway can still deactivate the AD users, it could be a problem. It could be better to open a support ticket to investigate further.



  • 9.  Re: Gateway administration with AD

    Posted Jun 27, 2017 12:24 PM

    It is a problem. I'm familiar enough with the database that it doesn't bother me (I just update the inactive user in the logon_info table). Please feel free to raise the issue with engineering.