Kong LDAP Authentication Plugin Issues


kongjockey

Jul 16, 2017, 11:19:16 PM
to Kong

One of our REST APIs is secured using Windows Authentication (NTLM). I have configured the ldap-auth plugin from the Kong website. The plugin was added using the POST command below:

curl -X POST http://apis.mycompany.com:8001/apis/UserImage/plugins --data "name=ldap-auth" --data "config.hide_credentials=true" --data "config.ldap_host=dc01.mycompany.com" --data "config.ldap_port=398" --data "config.base_dn=dc=mycompany,dc=com" --data "config.attribute=cn" --data "config.cache_ttl=60" --data "config.verify_ldap_host=true"

I am trying to pass the user on a domain along with these credentials using the GET command:
curl -v 'http://apis.mycompany.com:8000/UserImage?ldapid=username' --header 'Authorization: LDAP base64(username:password)' 

I get the message 'Unknown error occurred'. Can anybody look to see if the configuration of the plugin in the POST command is right? If yes, where am I going wrong? Where can I find more information to debug this?

suj...@gmail.com

Jul 16, 2017, 11:21:25 PM
to Kong, suj...@gmail.com
I forgot to mention that I base64-ed the username:password below.


On Sunday, July 16, 2017 at 10:19:16 PM UTC-5, kongjockey wrote:

One of our REST APIs is secured using Windows Authentication (NTLM). I have configured the ldap-auth plugin from the Kong website. The plugin was added using the POST command below:

curl -X POST http://apis.mycompany.com:8001/apis/UserImage/plugins --data "name=ldap-auth" --data "config.hide_credentials=true" --data "config.ldap_host=dc01.mycompany.com" --data "config.ldap_port=398" --data "config.base_dn=dc=mycompany,dc=com" --data "config.attribute=cn" --data "config.cache_ttl=60" --data "config.verify_ldap_host=true"

I am trying to pass the user on a domain along with these credentials using the GET command:
curl -v 'http://apis.mycompany.com:8000/UserImage?ldapid=username' --header 'Authorization: LDAP dXNlcm5hbWU6cGFzc3dvcmQ=' 

Shashi Ranjan

Jul 17, 2017, 12:23:43 AM
to Kong, suj...@gmail.com
Currently Kong only supports fully qualified distinguished names. For more debugging details please follow this issue


Thank you,
Shashi Ranjan
Cell# 315-706-8730
Backend Engineer
Mashape, Inc.


marsh...@gmail.com

Jul 17, 2017, 10:47:13 AM
to Kong, suj...@gmail.com
Hi, I'm using KONG 0.10.3 and added the ldap plugin, trying to protect a resource via an HTTP route. Would KONG be able to throw a basic authentication API rather than a Header URI? I am trying to replace the access manager before my KONG env.

KongJockey

Jul 17, 2017, 11:58:29 PM
to Kong, suj...@gmail.com
Thanks for the link. I did go through the post (tried using FQ DN + cn/samAccountName), but irrespective of that it gave me "Invalid Credentials". I looked through the access.lua and error.log, but that didn't lead anywhere.

The REST API is secured using Windows Authentication (NTLM). That said, which plugin should I be using? One thing which worked was - I removed the LDAP Auth Plugin and used curl to get what I needed:
curl 'http://apis.mycompany.com:8000/images?ldapid=username' -v --ntlm -u username:password

Comment if there is a better approach.
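
Added example (not part of the thread and not Kong's own code): a way to reproduce, outside Kong, the simple bind that the ldap-auth configuration above implies, so an "Invalid Credentials" result can be checked against the directory itself. It assumes the plugin binds as config.attribute=username,config.base_dn, which is how the "fully qualified distinguished name" reply is read here; the function names are hypothetical and the sample values are the ones posted in the thread.

```shell
#!/bin/sh
# Added example. Assumption: ldap-auth performs a simple bind as
# "<config.attribute>=<username>,<config.base_dn>".

# bind_dn ATTRIBUTE USERNAME BASE_DN -> DN the bind would use (under the assumption)
bind_dn() {
    printf '%s=%s,%s\n' "$1" "$2" "$3"
}

# ldap_auth_header USERNAME PASSWORD -> Authorization header value as used in the thread.
# base64 is an encoding, not encryption: over plain http:// the password is
# readable by anyone on the path, so send this header over TLS only.
ldap_auth_header() {
    printf 'LDAP %s\n' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# port_class PORT -> ldap (389), ldaps (636) or nonstandard
port_class() {
    case "$1" in
        389) echo ldap ;;
        636) echo ldaps ;;
        *)   echo nonstandard ;;
    esac
}

# bind_check_command HOST PORT ATTRIBUTE USERNAME BASE_DN
# Prints (does not run) an OpenLDAP ldapwhoami command for the same bind.
# -W prompts for the password so it stays out of shell history.
bind_check_command() {
    printf "ldapwhoami -x -H 'ldap://%s:%s' -D '%s' -W\n" \
        "$1" "$2" "$(bind_dn "$3" "$4" "$5")"
}

# Values as posted in the thread (username/password are the thread's placeholders).
HOST=dc01.mycompany.com PORT=398 ATTR=cn BASE='dc=mycompany,dc=com'

echo "Bind DN:        $(bind_dn "$ATTR" username "$BASE")"
echo "Header:         Authorization: $(ldap_auth_header username password)"
if [ "$(port_class "$PORT")" = nonstandard ]; then
    echo "Port $PORT is not 389 (LDAP) or 636 (LDAPS); confirm the directory listens there."
fi
echo "Check the bind: $(bind_check_command "$HOST" "$PORT" "$ATTR" username "$BASE")"
```

If the printed DN is not where the account actually lives in the directory (for example, the user sits under an OU or container below the base DN), the bind fails no matter which password is supplied.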