LDAP Users and Groups for API Authentication and Authorization

Today, API security has become one of the most important concerns. It is a vast field with many approaches and meanings. Most commonly, people refer to API security as Authentication and Authorization. Encryption can also be included in this space, but let's keep that aside for a separate discussion.

For this article, let's just focus on how to use LDAP for API Authentication and Authorization. There are many frameworks, such as Spring, that can be used to connect your application to LDAP for Authentication. LDAP does not handle the Authorization piece, but it can return the user's “Groups”, and based on those your application can either authorize or deny the request.

In this article, we will cover the following:

  • How to create a user in LDAP
  • How to create a group in LDAP
  • How to assign user to the group in LDAP

Refer to this link if you wish to set up OpenLDAP on your Mac. I had used JXplorer before, but for this article I am going to use Apache Directory Studio. Moreover, I am going to use the ApacheDS 2.0.0 LDAP server. Note that all the points mentioned above are the same for OpenLDAP or any other LDAP server.

Create New LDAP Server

  1. Go to the LDAP Servers tab >> Right Click >> New >> New Server
  2. Now select ApacheDS 2.0.0 LDAP Server and click Finish.
  3. Once the server is created, the state of the server will be “Stopped”.
  4. Right click on the server and click “Run” to start the server.

Create Connection

  1. Make sure the server is up and running and the state is “Started”.
  2. Right click on the server and click on “Create a Connection”.
  3. The connection will be created and an alert message will be displayed.

Create Organization Units

  1. Click on “Root DSE”
  2. Right click on “dc=example,dc=com”
  3. Select “New”
  4. Click on “New Entry”
  5. Select “Create entry from scratch” and click “Next”
  6. Type and select the “organizationalUnit” object class
  7. Click on the “Add” button and then click on “Next”
  8. Type “ou” for “RDN”
  9. Type the value as “Groups” and then click “Next”
  10. Click on “Finish”
  11. Organizational Unit “Groups” has been created
  12. Follow the same approach to create Organizational Unit “Users”

Create Users

  1. Select “ou=Users” and right click
  2. Select “New Entry”
  3. Select “Create entry from scratch” and click “Next”
  4. Type and select “inetOrgPerson”, click “Add” and then click “Next”
  5. Select RDN as “cn” and value as “sample_usr_1” and click “Next”
  6. Enter “sn” as “sample_usr_1”
  7. Right click on the window and select “New Attribute”
  8. Select “uid” and set the value as “sample_usr_1”
  9. Right click on the window and select “New Attribute”
  10. Select “userPassword” and click “Finish”
  11. On the next window, set up the password for the user
  12. Click “Finish”
  13. User “dn: cn=sample_usr_1,ou=Users,dc=example,dc=com” has been created.
  14. Follow the same approach to create some more users

Create Group

  1. Select “ou=Groups” and right click
  2. Select “New Entry”
  3. Select the “Create entry from scratch” option and click “Next”
  4. Select “groupOfUniqueNames”
  5. Click on “Add” and then click “Next”
  6. Enter RDN as “ou” and value as “SAMPLE_GRP”
  7. Click “Next”
  8. Type the value for “cn” as “SAMPLE_GRP”
  9. You will be asked to enter “uniqueMember”
  10. Provide the value as “cn=sample_usr_1,ou=Users,dc=example,dc=com” (or any other user).
  11. Click “Finish”
  12. User “sample_usr_1” has been added to the group
  13. Follow the same approach to add more users to the group

Now you have everything you need to implement LDAP Authentication and Authorization in your application.
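To show how an application turns the group membership created above into an authorization decision, here is an added Python example (not part of the original article). It works on a constructed LDIF snapshot of the entries from the steps above, with the group DN being ou=SAMPLE_GRP,ou=Groups,dc=example,dc=com as step 6 creates it; a real application would fetch the same entries over LDAP after a successful bind. The DN normalization and the rejection of an ambiguous uid are the author's own hardening assumptions.

```python
SAMPLE_LDIF = """\
dn: cn=sample_usr_1,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
cn: sample_usr_1
sn: sample_usr_1
uid: sample_usr_1

dn: cn=sample_usr_2,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
cn: sample_usr_2
sn: sample_usr_2
uid: sample_usr_2

dn: ou=SAMPLE_GRP,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
ou: SAMPLE_GRP
cn: SAMPLE_GRP
uniqueMember: cn=sample_usr_1,ou=Users,dc=example,dc=com
"""  # constructed snapshot of the entries created in the article, not a live export

def normalize_dn(dn):
    # cn/ou/dc use caseIgnore matching: compare lower-cased, trimmed components
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}} from plain LDIF (no base64/wrapping)."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not attr:                      # blank line ends the current entry
            current = None
        elif attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def find_user_dn(entries, uid):
    matches = [dn for dn, attrs in entries.items() if uid in attrs.get("uid", [])]
    return matches[0] if len(matches) == 1 else None  # ambiguous uid: no match

def authorize(uid, required_group_dn, ldif_text=SAMPLE_LDIF):
    """True only if uid resolves to an entry that is a uniqueMember of the group."""
    entries = parse_ldif(ldif_text)
    user_dn = find_user_dn(entries, uid)
    group = entries.get(normalize_dn(required_group_dn), {})
    members = {normalize_dn(m) for m in group.get("uniquemember", [])}
    return user_dn is not None and user_dn in members
```

The membership test is done on the user's DN, not the login name, which is why the application must first resolve the uid to its entry exactly as the LDAP search would.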
