How to bind ldap user with RBAC roles in Kong

Binding LDAP users with RBAC roles in Kong requires integration with an LDAP directory for user authentication, followed by mapping those users to Kong’s RBAC roles. Here’s a step-by-step guide to achieving this setup in Kong:


Step 1: Configure Kong for LDAP Authentication

First, enable Kong’s LDAP authentication plugin to allow LDAP users to access Kong services.

  1. Install the LDAP Authentication Plugin:
    • The LDAP plugin is available as part of Kong’s plugin suite. Verify that it’s installed by running:

curl -i -X GET http://<kong-admin-url>:8001/plugins

  2. Configure the LDAP Plugin:
    • You can set up the LDAP authentication plugin on a specific route, service, or globally. Here’s an example of enabling it globally:

curl -i -X POST http://<kong-admin-url>:8001/plugins \
  --data "name=ldap-auth" \
  --data "config.ldap_host=<ldap-server-ip-or-hostname>" \
  --data "config.ldap_port=389" \
  --data "config.start_tls=true" \
  --data "config.base_dn=dc=example,dc=com" \
  --data "config.attribute=username" \
  --data "config.cache_ttl=60" \
  --data "config.header_type=ldap"

    • Replace values such as ldap_host, ldap_port, and base_dn with those specific to your LDAP setup.
  3. Test LDAP Authentication:
    • Ensure that LDAP authentication works by making a request with an LDAP user’s credentials:

curl -i -X GET http://<kong-proxy-url>:8000/your-service \
  --header "Authorization: ldap <base64-encoded-credentials>"

Step 2: Create Kong RBAC Roles and Permissions

  1. Enable RBAC in Kong:
    • RBAC is enabled by setting the KONG_ENFORCE_RBAC=on environment variable and restarting Kong.
  2. Create RBAC Roles:
    • Use the Kong Admin API to create roles. For example:

curl -i -X POST http://<kong-admin-url>:8001/rbac/roles \
  --data "name=admin"

    • Create other roles as needed (e.g., developer, read-only, etc.).
  3. Assign Permissions to Roles:
    • Define permissions for each role to control access to various Kong resources. For example:

curl -i -X POST http://<kong-admin-url>:8001/rbac/roles/admin/endpoints \
  --data "endpoint=/services" \
  --data "actions=create,read,update,delete"

    • Assign permissions according to your access control needs.

Step 3: Bind LDAP Users to RBAC Roles

LDAP users need Kong RBAC tokens to access the Admin API according to their roles. This step involves creating RBAC users and mapping them to LDAP users.

  1. Create RBAC Users in Kong:
    • For each LDAP user, create a corresponding RBAC user in Kong:

curl -i -X POST http://<kong-admin-url>:8001/rbac/users \
  --data "name=<ldap-username>" \
  --data "user_token=<custom-generated-token>"

    • Store the user_token securely, as it serves as the RBAC access token for the user.
  2. Map RBAC Users to Roles:
    • Assign the RBAC user to a role (roles is a comma-separated list of role names):

curl -i -X POST http://<kong-admin-url>:8001/rbac/users/<ldap-username>/roles \
  --data "roles=admin"

    • Assign roles according to each user’s LDAP role or group to control access.

Step 4: Authenticate LDAP Users with Kong RBAC

Once LDAP users have been mapped to Kong RBAC roles, they can access Kong based on the permissions defined for their roles.

  1. Access Kong Admin API:
    • LDAP users can authenticate to Kong using their RBAC token by including it in the Kong-Admin-Token header (the header Kong reads RBAC tokens from):

curl -i -X GET http://<kong-admin-url>:8001/<protected-endpoint> \
  --header "Kong-Admin-Token: <user_token>"

    • The RBAC token grants access according to the user’s assigned role and permissions.

Additional Considerations

  • LDAP Group Mapping: If using groups in LDAP, you could create Kong roles that correspond to LDAP groups. This allows easier role assignment by assigning a Kong RBAC user to a role based on their LDAP group.
  • Token Expiration and Rotation: Define an expiration policy for RBAC tokens and ensure tokens are securely managed and rotated if necessary.
  • Monitoring and Auditing: Use Kong’s logging features and plugins to monitor access and audit role usage.
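As an added example that is not from the original page or from Kong itself, the following Python script turns the LDAP Group Mapping idea above into the Admin API calls of Step 3: it derives a user’s Kong roles from its LDAP memberOf DNs, generates the user_token, and plans the user-creation and role-binding requests. The group-to-role table, the DNs, the bootstrap token and the helper names are constructed assumptions.

```python
import base64
import secrets
import urllib.parse
import urllib.request

# Constructed mapping of LDAP group DNs to Kong RBAC role names (assumption:
# the roles already exist from Step 2; DNs are compared case-insensitively).
GROUP_TO_ROLE = {
    "cn=kong-admins,ou=groups,dc=example,dc=com": "admin",
    "cn=kong-devs,ou=groups,dc=example,dc=com": "developer",
}


def roles_for(member_of):
    """Kong roles for a user's LDAP memberOf DNs; unmapped groups grant nothing."""
    return sorted({GROUP_TO_ROLE[g.lower()] for g in member_of if g.lower() in GROUP_TO_ROLE})


def new_user_token():
    """High-entropy user_token for a new RBAC user; hand it to the user out of band."""
    return secrets.token_urlsafe(32)


def plan_binding(username, member_of, user_token):
    """Admin API calls (method, path, form fields) that create the RBAC user
    named after the LDAP username and bind it to its mapped roles."""
    calls = [("POST", "/rbac/users", {"name": username, "user_token": user_token})]
    roles = roles_for(member_of)
    if roles:  # a user with no mapped group stays unbound: no role, no access
        calls.append(("POST", f"/rbac/users/{username}/roles", {"roles": ",".join(roles)}))
    return calls


def ldap_auth_header(username, password):
    """Authorization value the ldap-auth plugin expects on proxied requests (Step 1)."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"ldap {creds}"


def apply(calls, admin_url, bootstrap_token):
    """Send the planned calls using a bootstrap RBAC token in Kong-Admin-Token.
    This performs network requests and is not exercised offline."""
    for method, path, fields in calls:
        req = urllib.request.Request(admin_url + path, method=method,
                                     data=urllib.parse.urlencode(fields).encode())
        req.add_header("Kong-Admin-Token", bootstrap_token)
        with urllib.request.urlopen(req) as resp:
            print(method, path, resp.status)
```

Run `apply(plan_binding("alice", groups, new_user_token()), "http://localhost:8001", "<bootstrap-token>")` with the groups returned by your LDAP lookup; a user whose groups map to no role is created but bound to nothing.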

By following these steps, you’ll establish a secure, role-based access control system in Kong, integrating LDAP authentication with Kong RBAC.

Kong – LDAP Settings

For Kong’s Admin API to have visibility into LDAP users and roles, the following steps ensure LDAP users are recognized and mapped to roles in Kong’s RBAC system. Here’s an overview of how it works and how to set it up:

1. Enable LDAP Authentication on the Admin API

  • Configure Kong to authenticate users from an LDAP server by setting up the ldap-auth plugin on the Admin API. This allows the Admin API to recognize LDAP credentials and authenticate users.
  • This configuration is typically done in kong.conf or using environment variables when launching Kong:

export KONG_ADMIN_LISTEN="0.0.0.0:8001"
export KONG_LDAP_HOST="ldap-server.example.com"
export KONG_LDAP_PORT=389
export KONG_LDAP_BASE_DN="ou=users,dc=example,dc=com"
export KONG_LDAP_BIND_DN="cn=admin,dc=example,dc=com"
export KONG_LDAP_BIND_PASSWORD="admin_password"

2. Configure LDAP Bindings for Users in RBAC

  • After LDAP is enabled, Kong must map LDAP users to RBAC roles. This can be done by associating Kong roles with the LDAP user groups or specific LDAP users through RBAC settings.
  • You can create roles and assign permissions to them in Kong’s RBAC configuration by using Admin API requests. For example:

# Create a custom role (if you don't want to use kong-admin)
curl -i -X POST http://localhost:8001/rbac/roles \
     --data "name=admin-role"

# Assign permissions to the role
curl -i -X POST http://localhost:8001/rbac/roles/admin-role/endpoints \
     --data "workspace=default" \
     --data "endpoint=/services" \
     --data "actions=read,update"

3. Map LDAP Users to Roles

  • Once the roles are set up, map LDAP users to the created roles. You can do this by adding RBAC permissions based on LDAP username:

# Create the RBAC user; its name must match the LDAP username
curl -i -X POST http://localhost:8001/rbac/users \
     --data "name=<ldap-username>" \
     --data "user_token=<custom-generated-token>"

# Assign the LDAP user to the role
curl -i -X POST http://localhost:8001/rbac/users/<ldap-username>/roles \
     --data "roles=admin-role"

  • Here, <ldap-username> is the LDAP user’s username. The role is added in a second request because /rbac/users accepts only the RBAC user’s own attributes (such as name and user_token), not role assignments.

4. Authenticate via LDAP User to Access Admin API

  • After assigning the role to the LDAP user, authenticate as the LDAP user using the Admin API. Kong will check the LDAP server for credentials and match the user to the associated RBAC role.
  • Once authenticated, LDAP users with RBAC roles are granted access based on their assigned permissions in Kong.

5. Verify Configuration

  • Test that your LDAP users can access Kong’s Admin API endpoints according to their role permissions by using curl or another HTTP client, as previously described.