Kong LDAP Authentication Plugin Issues

kongjockey

unread,

Jul 16, 2017, 11:19:16 PM7/16/17

to Kong

One of our REST API's is secured using Windows Authentication (NTLM). I have configured the ldap-auth plugin from Kong website. The plugin was added using below POST command:

curl -X POST http://apis.mycompany.com:8001/apis/UserImage/plugins --data "name=ldap-auth" --data "config.hide_credentials=true" --data "config.ldap_host=dc01.mycompany.com" --data "config.ldap_port=398" --data "config.base_dn=dc=mycompany,dc=com" --data "config.attribute=cn" --data "config.cache_ttl=60" --data "config.verify_ldap_host=true"

I am trying to pass the user on a domain along with this credentials using the GET command:

curl -v 'http://apis.mycompany.com:8000/UserImage?ldapid=username' --header 'Authorization: LDAP base64(username:password)'

I get the message of 'Unknown error occurred'. Can anybody look to see if the configuration of plugin in POST command is right? If yes, where am I going wrong? Where can I find more information to debug this?

suj...@gmail.com

unread,

Jul 16, 2017, 11:21:25 PM7/16/17

to Kong, suj...@gmail.com

I forgot to mention that I base64-ed the username:password below.

On Sunday, July 16, 2017 at 10:19:16 PM UTC-5, kongjockey wrote:

One of our REST API's is secured using Windows Authentication (NTLM). I have configured the ldap-auth plugin from Kong website. The plugin was added using below POST command:

curl -X POST http://apis.mycompany.com:8001/apis/UserImage/plugins --data "name=ldap-auth" --data "config.hide_credentials=true" --data "config.ldap_host=dc01.mycompany.com" --data "config.ldap_port=398" --data "config.base_dn=dc=mycompany,dc=com" --data "config.attribute=cn" --data "config.cache_ttl=60" --data "config.verify_ldap_host=true"

I am trying to pass the user on a domain along with this credentials using the GET command:

curl -v 'http://apis.mycompany.com:8000/UserImage?ldapid=username' --header 'Authorization: LDAP dXNlcm5hbWU6cGFzc3dvcmQ='

Shashi Ranjan

unread,

Jul 17, 2017, 12:23:43 AM7/17/17

to Kong, suj...@gmail.com

Currently Kong only support Fully qualified distinguish name. For more debugging details please follow this issue

https://github.com/Mashape/kong/issues/1821

Thank you,

Shashi Ranjan

Cell# 315-706-8730

Backend Engineer

Mashape, Inc.

On Jul 16, 2017, 8:21 PM -0700, wrote:

username

marsh...@gmail.com

unread,

Jul 17, 2017, 10:47:13 AM7/17/17

to Kong, suj...@gmail.com

hi I'm using KONG 0.10.3, added ldap plugin trying to protect a resource via HTTP route. Would KONG be able to throw a basic authentication api rather than Header URI. I am trying to replace access manager before my KONG env.

KongJockey

unread,

Jul 17, 2017, 11:58:29 PM7/17/17

to Kong, suj...@gmail.com

Thanks for the link. I did go through the post (tried using FQ DN + cn/samAccountName), but irrespective it gave me "Invalid Credentials". I looked through the access.lua and error.log, but didn't lead anywhere.

The REST API is secured using Windows Authentication (NTLM). That said, which plugin I should be using? One thing which worked was - I removed the LDAP Auth Plugin and used curl to get what I needed:

curl 'http://apis.mycompany.com:8000/images?ldapid=username' -v --ntlm -u username:password

Comment if there is a better approach.

Reply all

Reply to author

Forward