Enabling external authentication

Edge for Private Cloud v. 4.17.09

This section explains how to obtain, install, and configure the integration of an external LDAP service into Apigee Edge for user authentication.

Prerequisites

  • You must have installed Apigee Edge for Private Cloud 4.17.09.
  • You must have global system administrator credentials for Apigee Edge for Private Cloud to perform this installation.
  • You need to know the installation root directory of Apigee Edge for Private Cloud. The default root directory is /opt.
  • You must add the Edge global system administrator credentials to the external LDAP. Note that by default the sysadmin credentials are stored in the Edge internal LDAP. After you switch to the external LDAP, your sysadmin credentials are authenticated there instead, so you must provision the credentials in the external system before you enable external authentication in Edge.

    For example, if you configured and installed Apigee Edge for Private Cloud with sysadmin credentials of the form:

    Username: edgeuser@mydomain.com
    Password: Secret123

    then a user edgeuser@mydomain.com with the password Secret123 must also exist in the external LDAP.
  • Note that if you run a cluster of Management Servers, you must perform the steps in this document on each Management Server.

Configuring external authentication

The main activity you perform is configuring the management-server.properties file. This activity includes stopping and starting the Edge Management Server, deciding whether you want to use direct or indirect binding, encrypting sensitive credentials, and related tasks.

  1. Important: Decide now whether you intend to use the "indirect" or "direct" binding authentication method. This decision affects some aspects of the configuration. See External authentication.
  2. Important: You must perform these configuration steps on each Apigee Edge Management Server if you run more than one.
  3. Open /opt/apigee/customer/application/management-server.properties in a text editor. If the file does not exist, create it.
  4. Add the following line. Note: Make sure there are no trailing spaces at the end of the line.

    conf_security_authentication.user.store=externalized.authentication

    This line adds the external authentication feature to the Edge for Private Cloud installation.
  5. To simplify this step, we have created two well-commented example configurations -- one for direct binding authentication and one for indirect binding authentication. See the example for the binding you want to use and complete the configuration:

    Direct binding configuration example
    Indirect binding configuration example
  6. Restart the Management Server:
    > /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart
  7. Verify that the server is running:
    > /opt/apigee/apigee-service/bin/apigee-all status
  8. Important: You must perform additional configuration in either or both of the following cases: (a) if you want users to authenticate with a username instead of an email address (in this case, your sysadmin user must also authenticate with a username), and/or (b) if the password of your sysadmin user in the external LDAP is different from the password you configured when you first installed Apigee Edge for Private Cloud. See Configuration required for different sysadmin credentials.
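The difference between the two binding methods you choose in step 1, shown as an added example that is not part of this page or of Apigee's own code. It is a toy in-memory directory written in Python: direct binding hands the user's own login and password straight to the directory, while indirect binding first binds as a service account (the indirect.bind.server.admin.* credentials), searches with the user.store.search.query template, and then binds as the DN it found. The directory contents, the sample accounts (cn=jdoe, the svc-edge service account and its password SvcPass1) and the rule that a bind name may be either a DN or a userPrincipalName are constructed assumptions of the toy, and the RFC 4515 escaping of the login before it is substituted into the filter is included because a defender expects that step whatever the real implementation does.

```python
"""Added example (not Apigee code): a toy in-memory directory that shows how
direct and indirect binding differ, and why the login substituted into the
search query template is escaped (RFC 4515). All data below is constructed."""
import re
from string import Template

# Constructed sample directory: bind name -> entry. Toy semantics, not a real LDAP server.
DIRECTORY = {
    "cn=jdoe,dc=apigee,dc=com": {
        "userPrincipalName": "jdoe@mydomain.com",
        "sAMAccountName": "jdoe",
        "password": "Secret123",
    },
    "cn=svc-edge,dc=apigee,dc=com": {          # assumed service account for indirect binding
        "userPrincipalName": "svc-edge@mydomain.com",
        "sAMAccountName": "svc-edge",
        "password": "SvcPass1",
    },
}
BASE_DN = "dc=apigee,dc=com"
SEARCH_QUERY = "(&(${userAttribute}=${userId}))"   # value from management-server.properties


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def simple_bind(name, password):
    """Toy simple bind: accepts a DN or, as Active Directory does, a userPrincipalName."""
    entry = DIRECTORY.get(name)
    if entry is None:
        entry = next((e for e in DIRECTORY.values() if e["userPrincipalName"] == name), None)
    return entry is not None and entry["password"] == password


def search(base_dn, ldap_filter):
    """Evaluate only the (&(attr=value)) shape the template produces; return matching DNs."""
    m = re.fullmatch(r"\(&\(([^=()]+)=(.*)\)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = m.group(1), unescape_filter_value(m.group(2))
    return [dn for dn, e in DIRECTORY.items() if dn.endswith(base_dn) and e.get(attr) == value]


def direct_bind(user_id, password):
    """Direct binding: Edge binds with the user's own login and password; no service account."""
    return simple_bind(user_id, password)


def indirect_bind(user_id, password, user_attribute="userPrincipalName",
                  admin_name="cn=svc-edge,dc=apigee,dc=com", admin_password="SvcPass1"):
    """Indirect binding: the service account binds, searches for the user's DN,
    then Edge binds as that DN with the password the user supplied."""
    if not simple_bind(admin_name, admin_password):
        return False
    ldap_filter = Template(SEARCH_QUERY).substitute(
        userAttribute=user_attribute, userId=escape_filter_value(user_id))
    matches = search(BASE_DN, ldap_filter)
    if len(matches) != 1:            # zero or ambiguous matches fail closed
        return False
    return simple_bind(matches[0], password)


if __name__ == "__main__":
    print("direct  :", direct_bind("jdoe@mydomain.com", "Secret123"))
    print("indirect:", indirect_bind("jdoe", "Secret123", user_attribute="sAMAccountName"))
```

A login that matches zero or more than one entry fails closed, and the service-account credential appears only in the indirect path, which is why the page offers to encrypt that password in management-server.properties.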

Direct binding configuration example

## The first property is always required to enable the external authorization feature. Do not change it.
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl

## Identify the type of binding:
# Set to "true" for direct binding
# Set to "false" for indirect binding. 
conf_security_externalized.authentication.bind.direct.type=true

## The next seven properties are needed regardless of direct or indirect binding. You need to configure these per your external authentication installation. 
## The IP or domain for your external LDAP instance. 
conf_security_externalized.authentication.server.url=ldap://localhost:389

## Your external LDAP server version.
conf_security_externalized.authentication.server.version=3

## The server timeout in milliseconds. 
conf_security_externalized.authentication.server.conn.timeout=50000

## Change these baseDN values to match your external LDAP service. This attribute value will be provided by your external LDAP administrator, and may have more or fewer dc elements depending on your setup.
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com

## Do not change this search string. It is used internally. 
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))

## Identifies the external LDAP property you want to bind against for Authentication. For example if you are binding against an email address, this would typically be in the userPrincipalName property in your external LDAP instance. Alternatively if you are binding against the user’s ID, this would typically be in the sAMAccountName property:
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName

## The LDAP attribute where the user email value is stored. For direct binding, set it to userPrincipalName.
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

## ONLY needed for DIRECT binding.
## The direct.bind.user.directDN property defines the string that is used for the bind against the external authentication service. Ensure it is set as follows:
conf_security_externalized.authentication.direct.bind.user.directDN=${userDN}

Indirect binding configuration example

## Required to enable the external authorization feature. Do not change it.
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl

## Identifies the type of binding:
# Set to "true" for direct binding
# Set to "false" for indirect binding. 
conf_security_externalized.authentication.bind.direct.type=false

## The next seven properties are needed regardless of direct or indirect binding. You need to configure these per your external LDAP installation. 
## The IP or domain for your external LDAP instance. 
conf_security_externalized.authentication.server.url=ldap://localhost:389

## Replace with your external LDAP server version.
conf_security_externalized.authentication.server.version=3

## Set the server timeout in milliseconds. 
conf_security_externalized.authentication.server.conn.timeout=50000

## Change these baseDN values to match your external LDAP service. This attribute value will be provided by your external LDAP administrator, and may have more or fewer dc elements depending on your setup.
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com

## Do not change this search string. It is used internally. 
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))

## Identifies the external LDAP property you want to bind against for Authentication. For example if you are binding against an email address, this would typically be in the userPrincipalName property in your external LDAP instance. Alternatively if you are binding against the user’s ID, this would typically be in the sAMAccountName property. See also "Configuration required for different sysadmin credentials".
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName

## Used by Apigee to perform the Authorization step and currently, Apigee only supports email address for Authorization. Make sure to set it to the attribute in your external LDAP that stores the user’s email address. Typically this will be in the userPrincipalName property. 
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

## The external LDAP username (for a user with search privileges on the external LDAP) and password and whether the password is encrypted. You must also set the attribute externalized.authentication.bind.direct.type to false.
## The password attribute can be encrypted or in plain text. See "Indirect binding only: Encrypting the external LDAP user’s password" for encryption instructions. Set the password.encrypted attribute to "true" if the password is encrypted. Set it to "false" if the password is in plain text.
conf_security_externalized.authentication.indirect.bind.server.admin.dn=myExtLdapUsername
conf_security_externalized.authentication.indirect.bind.server.admin.password=myExtLdapPassword
conf_security_externalized.authentication.indirect.bind.server.admin.password.encrypted=true
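Because the page stresses trailing whitespace, the binding-type flag, and whether the service-account password is encrypted, here is an added Python checker (not Apigee code) that reads a management-server.properties file and reports those problems before you restart the Management Server. The key list mirrors the two examples above; the two embedded property files are constructed samples, the ldaps://ldap.example.com:636 URL is a placeholder, and flagging plain ldap:// is the checker's own caveat (simple-bind passwords cross the wire unencrypted without TLS), not a setting the page requires.

```python
"""Added example (not Apigee code): check the external-authentication settings
in a management-server.properties file for the mistakes this page warns about."""
from typing import Dict, List

PREFIX = "conf_security_externalized.authentication."

# Properties the page lists as needed regardless of binding type.
COMMON = [
    "implementation.class", "bind.direct.type", "server.url", "server.version",
    "server.conn.timeout", "user.store.baseDN", "user.store.search.query",
    "user.store.user.attribute", "user.store.user.email.attribute",
]
DIRECT_ONLY = ["direct.bind.user.directDN"]
INDIRECT_ONLY = [
    "indirect.bind.server.admin.dn",
    "indirect.bind.server.admin.password",
    "indirect.bind.server.admin.password.encrypted",
]


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines, keeping values unstripped so trailing spaces stay visible."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, sep, value = raw.partition("=")   # split on the first '=' only
        if sep:
            props[key.strip()] = value
    return props


def check_external_auth(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file passes every check."""
    props = parse_properties(text)
    findings: List[str] = []

    if props.get("conf_security_authentication.user.store", "").strip() != "externalized.authentication":
        findings.append("conf_security_authentication.user.store is not externalized.authentication")

    for key, value in props.items():           # step 4: no trailing spaces
        if value != value.rstrip():
            findings.append(f"trailing whitespace in {key}")

    for name in COMMON:
        if PREFIX + name not in props:
            findings.append(f"missing {PREFIX + name}")

    mode = props.get(PREFIX + "bind.direct.type", "").strip()
    if mode == "true":
        required = DIRECT_ONLY
    elif mode == "false":
        required = INDIRECT_ONLY
        encrypted = props.get(PREFIX + "indirect.bind.server.admin.password.encrypted", "").strip()
        if encrypted != "true":
            findings.append("indirect bind service-account password is stored in plain text")
    else:
        required = []
        findings.append("bind.direct.type must be true or false")

    for name in required:
        if PREFIX + name not in props:
            findings.append(f"missing {PREFIX + name} (required for this binding type)")

    url = props.get(PREFIX + "server.url", "").strip()
    if url.startswith("ldap://"):              # checker's own caveat, not a page requirement
        findings.append("server.url is plain ldap://; simple-bind passwords cross the network unencrypted")
    return findings


# Constructed sample: the direct-binding example from this page with a placeholder ldaps:// server.
DIRECT_SAMPLE = "\n".join([
    "conf_security_authentication.user.store=externalized.authentication",
    PREFIX + "implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl",
    PREFIX + "bind.direct.type=true",
    PREFIX + "server.url=ldaps://ldap.example.com:636",
    PREFIX + "server.version=3",
    PREFIX + "server.conn.timeout=50000",
    PREFIX + "user.store.baseDN=dc=apigee,dc=com",
    PREFIX + "user.store.search.query=(&(${userAttribute}=${userId}))",
    PREFIX + "user.store.user.attribute=userPrincipalName",
    PREFIX + "user.store.user.email.attribute=userPrincipalName",
    PREFIX + "direct.bind.user.directDN=${userDN}",
])

# Constructed sample: an indirect-binding file with three problems (trailing space,
# plain-text service-account password, unencrypted ldap:// transport).
INDIRECT_BAD = "\n".join([
    "conf_security_authentication.user.store=externalized.authentication",
    PREFIX + "implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl",
    PREFIX + "bind.direct.type=false",
    PREFIX + "server.url=ldap://localhost:389",
    PREFIX + "server.version=3",
    PREFIX + "server.conn.timeout=50000" + " ",   # the trailing space step 4 warns about
    PREFIX + "user.store.baseDN=dc=apigee,dc=com",
    PREFIX + "user.store.search.query=(&(${userAttribute}=${userId}))",
    PREFIX + "user.store.user.attribute=userPrincipalName",
    PREFIX + "user.store.user.email.attribute=userPrincipalName",
    PREFIX + "indirect.bind.server.admin.dn=myExtLdapUsername",
    PREFIX + "indirect.bind.server.admin.password=myExtLdapPassword",
    PREFIX + "indirect.bind.server.admin.password.encrypted=false",
])

if __name__ == "__main__":
    for label, text in (("direct", DIRECT_SAMPLE), ("indirect", INDIRECT_BAD)):
        print(label, check_external_auth(text) or ["ok"])
```

Run it against the real file with check_external_auth(open("/opt/apigee/customer/application/management-server.properties").read()) before step 6; an empty list means the file is ready to restart against.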

Testing the installation

  1. Verify that the server is running:
    > /opt/apigee/apigee-service/bin/apigee-all status
  2. Execute this command, supplying a set of Apigee Edge global system administrator credentials. The API call we are testing can only be executed by a sysadmin.

    Important: Identical credentials must exist in your external LDAP account. If they do not, you need to add them now. Note that the username is usually an email address; however, this depends on how you configured external authentication, as explained in this document.
    > curl -v http://<management-server-ip>:8080/v1/o -u <sysadmin username>

    For example:
    > curl -v http://192.168.52.100:8080/v1/o -u jdoe@mydomain.com
  3. When prompted, enter your password.

    If the command returns a 200 status and a list of organizations, the configuration is correct. This command verifies that an API call to the Edge Management Server was successfully authenticated through the external LDAP system.