CodeNewbie Community 🌱

Sharon428931

LDAP Auth for SafeLine WAF: A Step-by-Step Guide

SafeLine WAF's Auth feature can authenticate visitors against an enterprise directory service over LDAP (Lightweight Directory Access Protocol) before they reach the protected application or website, so users sign in with their existing enterprise accounts instead of a separate set of credentials. Supported LDAP services include but are not limited to Microsoft Active Directory, OpenLDAP, Apache Directory, and FreeIPA.

Introduction to LDAP Protocol

LDAP (Lightweight Directory Access Protocol) is an application protocol for accessing and maintaining distributed directory information services. It is commonly used as the central identity and credential store behind single sign-on, so that users can access multiple systems with one set of credentials. LDAP directories typically store user accounts, organizational structure, group membership, permission settings, and other data.

Configuration Steps

  1. In the SafeLine WAF console, navigate to "Auth" → "SETTINGS".

  2. Click the "Third-Party Login" button and select "LDAP" type.

  3. Fill in the following parameters:

    • LDAP Server URL
    • Bind DN
    • Bind Password
    • User baseDN
    • Query Condition
  4. After verifying the configuration, click the "SUBMIT" button to complete the LDAP identity source setup.

Configuration Parameter Details

1. LDAP Server URL

Format: ldap://hostname:port or ldaps://hostname:port (LDAP over TLS).

  • Standard ports: 389 (plain LDAP) or 636 (LDAPS, TLS encrypted)
  • Examples:
    • ldap://ldap.example.com:389 (plain connection)
    • ldaps://ldap.example.com:636 (TLS encrypted connection)
    • ldap://192.168.1.100:389 (using IP address)

On a plain ldap:// connection the Bind Password and every user's login password cross the network in cleartext, so use ldaps:// wherever the directory offers it. With ldaps://, prefer a hostname over an IP address: certificate validation compares the name in the URL with the names in the server certificate, and most directory certificates do not list an IP address.

2. Bind DN

The account used to bind to the LDAP server. It only needs permission to search the User baseDN and read the attributes used in the Query Condition; it does not need to be an administrator.

  • Active Directory example: cn=LDAPService,cn=Users,dc=domain,dc=com
  • OpenLDAP example: cn=admin,dc=example,dc=com

Use a dedicated service account with read-only permissions rather than an administrator account: the Bind Password is stored in the WAF configuration, and if it leaks, the damage is limited to what this account can read.

3. Bind Password

The password for the Bind DN account.

4. User baseDN

Specifies the node from which to start searching for users. This affects performance and search scope: an account that lives outside this subtree is never found, even if the Query Condition would match it.

  • Active Directory example: cn=Users,dc=domain,dc=com (only accounts in the default Users container; use dc=domain,dc=com to find accounts placed in any OU of the domain)
  • OpenLDAP example: ou=People,dc=example,dc=com

5. Query Condition

A filter expression (RFC 4515 syntax) used to match user entries in the LDAP directory. %s is a placeholder for the username entered at login, and the filter should match a single entry for that user.

  • Basic example: (&(objectClass=person)(uid=%s))
    • This means finding entries where objectClass is "person" and uid equals the username entered by the user
  • Active Directory example: (&(objectClass=user)(sAMAccountName=%s))
  • OpenLDAP example: (&(objectClass=inetOrgPerson)(uid=%s))

Because the username is spliced into the filter, the characters *, (, ), \ and NUL must be escaped as \2a, \28, \29, \5c and \00 before substitution (RFC 4515); an unescaped * would turn (uid=%s) into a wildcard that matches every user.

Configuration Examples for Various LDAP Servers (For Reference Only)

Microsoft Active Directory

LDAP Server URL: ldap://ad.company.com:389
Bind DN: cn=LDAPService,cn=Users,dc=company,dc=com
Bind Password: (service account password)
User baseDN: cn=Users,dc=company,dc=com
Query Condition: (&(objectClass=user)(sAMAccountName=%s))

OpenLDAP

LDAP Server URL: ldap://openldap.company.com:389
Bind DN: cn=admin,dc=company,dc=com
Bind Password: (admin password)
User baseDN: ou=People,dc=company,dc=com
Query Condition: (&(objectClass=person)(uid=%s))

FreeIPA

LDAP Server URL: ldap://ipa.company.com:389
Bind DN: uid=admin,cn=users,cn=accounts,dc=company,dc=com
Bind Password: (admin password)
User baseDN: cn=users,cn=accounts,dc=company,dc=com
Query Condition: (&(objectClass=person)(uid=%s))
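The parameter rules described above can be checked before anything is pasted into the console. The following is an added example, not SafeLine's own code or validation logic: a small Python pre-flight checker that applies those rules (URL scheme and port, DN shape, non-empty Bind Password, presence of the %s placeholder, balanced parentheses) to the Active Directory and FreeIPA sample configurations from this article plus a deliberately broken configuration constructed here for contrast. The dictionary keys are the console labels; the rules are general LDAP practice.

```python
import re
from urllib.parse import urlsplit

# A DN is a comma-separated list of attr=value pairs, e.g.
# cn=LDAPService,cn=Users,dc=company,dc=com (multi-valued RDNs are not handled here).
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)*$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_ldap_config(cfg: dict) -> list[str]:
    """Apply the parameter rules to one identity-source configuration.

    Returns a list of findings; an empty list means nothing to fix.
    """
    findings = []

    url = urlsplit(cfg.get("LDAP Server URL", ""))
    if url.scheme not in ("ldap", "ldaps"):
        findings.append("URL: scheme must be ldap:// or ldaps://")
    elif not url.hostname:
        findings.append("URL: missing hostname")
    else:
        port = url.port or (636 if url.scheme == "ldaps" else 389)
        if url.scheme == "ldap":
            # The Bind Password and every login password travel unencrypted on plain ldap://.
            findings.append(f"URL: ldap://{url.hostname}:{port} sends the Bind Password "
                            "and user passwords in cleartext; prefer ldaps://")
        elif IPV4_RE.match(url.hostname):
            # TLS name verification compares the URL host with the certificate's names.
            findings.append("URL: ldaps:// with an IP address fails certificate name "
                            "verification unless the certificate lists that IP")
        if (url.scheme == "ldap" and port == 636) or (url.scheme == "ldaps" and port == 389):
            findings.append(f"URL: port {port} does not match scheme {url.scheme}://")

    for field in ("Bind DN", "User baseDN"):
        if not DN_RE.match(cfg.get(field, "")):
            findings.append(f"{field}: not a DN (expected attr=value pairs separated by commas)")

    if not cfg.get("Bind Password"):
        # RFC 4513: a DN with an empty password is an unauthenticated bind, which servers
        # treat as anonymous, so the service account's read rights are never used.
        findings.append("Bind Password: empty, so the bind would be anonymous rather than the service account")

    filt = cfg.get("Query Condition", "")
    if "%s" not in filt:
        findings.append("Query Condition: missing the %s placeholder, so every login would match the same entries")
    if filt.count("(") != filt.count(")") or not (filt.startswith("(") and filt.endswith(")")):
        findings.append("Query Condition: parentheses unbalanced or the outermost pair is missing")
    return findings


# Sample configurations from the article (passwords are placeholders).
AD_EXAMPLE = {
    "LDAP Server URL": "ldap://ad.company.com:389",
    "Bind DN": "cn=LDAPService,cn=Users,dc=company,dc=com",
    "Bind Password": "(service account password)",
    "User baseDN": "cn=Users,dc=company,dc=com",
    "Query Condition": "(&(objectClass=user)(sAMAccountName=%s))",
}
FREEIPA_EXAMPLE = {
    "LDAP Server URL": "ldap://ipa.company.com:389",
    "Bind DN": "uid=admin,cn=users,cn=accounts,dc=company,dc=com",
    "Bind Password": "(admin password)",
    "User baseDN": "cn=users,cn=accounts,dc=company,dc=com",
    "Query Condition": "(&(objectClass=person)(uid=%s))",
}
# Constructed for this example: several mistakes at once.
BROKEN_EXAMPLE = {
    "LDAP Server URL": "ldaps://192.168.1.100:389",
    "Bind DN": "LDAPService",
    "Bind Password": "",
    "User baseDN": "cn=Users,dc=company,dc=com",
    "Query Condition": "(&(objectClass=user)(sAMAccountName=%s)",
}

if __name__ == "__main__":
    for name, cfg in (("Active Directory", AD_EXAMPLE), ("FreeIPA", FREEIPA_EXAMPLE), ("broken", BROKEN_EXAMPLE)):
        findings = check_ldap_config(cfg)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Both article examples pass with a single finding, the cleartext ldap:// warning, which goes away once the URL is switched to ldaps://; the constructed configuration shows how each rule reports separately so the console error can be traced to one field.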

User Authentication Flow

After enabling the "Auth" feature and selecting LDAP login method for an application:

  1. When users access the application, they will be prompted to authenticate using their LDAP account.
  2. Users log in using their LDAP credentials.
  3. New users require "verification confirmation" by the SafeLine administrator in the console after their first authentication.
    • Users who pass verification gain authorization for this application and can successfully log in after authentication without further verification in the future.
    • Users who don't pass verification will be blocked and cannot access the application.

User Management

On the "Auth" → "User Management" page, you can:

  • Check whether users have been bound to LDAP.
  • Perform verification operations for new users.
  • Manage user access permissions.

SSO Settings (Optional)

If you want users to authenticate only once to access multiple applications, you can configure SSO:

  • Go to "Auth" → "Settings" → "SSO".
  • Enable the SSO feature.
  • Add applications to SSO.
  • Once SSO is enabled, users only need to authenticate once through LDAP to access all applications participating in SSO.

Frequently Asked Questions

Q: Why can't users log in?

A: If the connection is successful but users cannot log in, please check:

  1. User baseDN: Ensure the user actually exists under the specified baseDN
  2. Query Condition:
    • Make sure the query condition format is correct
    • Verify that the %s placeholder is used correctly
    • Check that attribute names are correct (e.g., uid, sAMAccountName, etc.)
    • Check if the outermost parentheses are properly filled in
  3. User Account: Confirm that the user account is active in LDAP, not locked or disabled

Q: Why is the connection failing?

A: If the LDAP connection fails, please check:

  1. Server URL Format: Ensure the format is correct, including the correct protocol (ldap:// or ldaps://), hostname, and port
  2. Network Connection: Make sure the SafeLine WAF server can access the LDAP server
  3. Bind DN and Password: Ensure the binding account and password are correct
  4. TLS Certificate: If using ldaps://, the SafeLine host must trust the CA that issued the directory's certificate (a private enterprise CA is common and has to be added to the trust store explicitly), and the hostname in the URL must match a name in the certificate; an IP address in the URL will usually fail this check

Q: What does %s in the search condition represent?

A: %s is a placeholder that is automatically replaced with the username entered by the user during login. For example, if a user enters "john", the search condition (&(objectClass=person)(uid=%s)) becomes (&(objectClass=person)(uid=john)).
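The substitution described in this answer and in the Query Condition section above can be reproduced offline. The following is an added example, not SafeLine's code; the article does not state whether the WAF escapes the submitted username itself, so the helper below shows the safe construction (RFC 4515 escaping) next to the naive one so the effect of metacharacters in a login name is visible. The templates are the ones from the article; the login names are constructed for the example.

```python
# RFC 4515 section 3: characters with special meaning inside an assertion
# value are encoded as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str, escape: bool = True) -> str:
    """Replace every %s in the Query Condition template with the username.

    escape=False reproduces a naive substitution, for comparison only.
    """
    value = escape_filter_value(username) if escape else username
    return template.replace("%s", value)


# Templates from the article.
BASIC_TEMPLATE = "(&(objectClass=person)(uid=%s))"
AD_TEMPLATE = "(&(objectClass=user)(sAMAccountName=%s))"

if __name__ == "__main__":
    # "john" is the article's own example; the other two are constructed to
    # show a wildcard and a filter-structure change slipping in unescaped.
    for name in ("john", "*", "*)(|(uid=admin"):
        print(f"login name {name!r}")
        print("  naive  :", build_filter(BASIC_TEMPLATE, name, escape=False))
        print("  escaped:", build_filter(BASIC_TEMPLATE, name))
        print("  AD     :", build_filter(AD_TEMPLATE, name))
```

With "john" both constructions give (&(objectClass=person)(uid=john)), exactly as the answer above describes. With "*" the naive construction yields (uid=*), a wildcard that matches every person, while the escaped one yields (uid=\2a), which only matches a literal asterisk.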

Q: Does it support Active Directory security group filtering?

A: You can add a group membership condition to the query condition, for example: (&(objectClass=user)(sAMAccountName=%s)(memberOf=CN=AllowedGroup,OU=Groups,DC=company,DC=com))

Note that memberOf only matches direct members of AllowedGroup. To also admit users who belong to it through a nested group, use Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule on the attribute: (&(objectClass=user)(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=CN=AllowedGroup,OU=Groups,DC=company,DC=com)). On OpenLDAP the memberOf attribute is only populated when the memberof overlay is enabled.

Q: What if my query condition has syntax errors?

A: LDAP query conditions use prefix notation. Ensure parentheses are matched and check the attribute=value syntax. You can use online LDAP filter syntax checking tools for validation.
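An offline alternative to the online checkers mentioned in this answer, added here as an example and not part of SafeLine: a small recursive-descent parser for the RFC 4515 filter syntax that reports the position of the first character it cannot parse. It treats %s as an ordinary value, so the Query Condition template can be checked before it is submitted. The sample filters are the article's own plus constructed broken variants.

```python
class FilterSyntaxError(ValueError):
    """Raised with the offset of the first character that could not be parsed."""

    def __init__(self, message: str, pos: int):
        super().__init__(f"{message} at position {pos}")
        self.pos = pos


def parse_filter(text: str):
    """Parse an LDAP search filter into a tuple tree.

    Compound filters become ("&" | "|" | "!", [children]); simple filters
    become (op, attribute, value) with op one of =, >=, <=, ~=.
    Values are kept verbatim, so a %s placeholder passes through unchanged.
    """
    pos = 0

    def peek() -> str:
        return text[pos] if pos < len(text) else ""

    def expect(ch: str) -> None:
        nonlocal pos
        if peek() != ch:
            raise FilterSyntaxError(f"expected '{ch}'", pos)
        pos += 1

    def filt():
        nonlocal pos
        expect("(")
        op = peek()
        if op in ("&", "|"):
            pos += 1
            children = []
            while peek() == "(":
                children.append(filt())
            node = (op, children)
        elif op == "!":
            pos += 1
            node = ("!", [filt()])
        else:
            start = pos
            while peek() not in ("", "(", ")", "="):
                pos += 1
            attr = text[start:pos]
            if not attr:
                raise FilterSyntaxError("expected attribute name", pos)
            # For >=, <= and ~= the first character is still attached to the attribute.
            if attr[-1] in "<>~":
                attr, op = attr[:-1], attr[-1] + "="
            else:
                op = "="
            expect("=")
            start = pos
            while peek() not in ("", "(", ")"):
                pos += 1
            node = (op, attr, text[start:pos])
        expect(")")
        return node

    tree = filt()
    if pos != len(text):
        raise FilterSyntaxError("unexpected text after the outermost filter", pos)
    return tree


def check_filter(text: str):
    """Return None when the filter is well-formed, otherwise the error message."""
    try:
        parse_filter(text)
    except FilterSyntaxError as err:
        return str(err)
    return None


if __name__ == "__main__":
    samples = [
        "(&(objectClass=user)(sAMAccountName=%s))",   # from the article
        "(&(objectClass=user)(uid=%s)",               # constructed: outer ')' missing
        "(uid=%s))",                                  # constructed: one ')' too many
        "objectClass=user",                           # constructed: no parentheses at all
    ]
    for sample in samples:
        print(f"{sample!r}: {check_filter(sample) or 'OK'}")
```

The second sample is the mistake the first FAQ entry calls "outermost parentheses not properly filled in": the parser reaches the end of the string while still expecting the closing parenthesis of the (& ... ) group and reports that position.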


Join the SafeLine Community