Enable external authentication

Edge for Private Cloud v4.18.01

This section describes how to obtain, install, and configure the components required to integrate an external LDAP service with Apigee Edge for user authentication.

Prerequisites

  • You must have Apigee Edge for Private Cloud 4.18.01 installed.
  • You must have global system administrator credentials on Apigee Edge for Private Cloud to perform this installation.
  • You need to know the root directory of your Apigee Edge for Private Cloud installation. The default root directory is /opt.
  • You must add the Edge global system administrator credentials to the external LDAP. Note that by default the sysadmin credentials are stored in the Edge internal LDAP. Once you switch to the external LDAP, your sysadmin credentials are authenticated against the external LDAP instead. Therefore, you must provision the credentials in the external system before you enable external authentication in Edge, or you will lock yourself out.

    For example, if you configured and installed Apigee Edge for Private Cloud with the following global sysadmin credentials:

    Username: edgeuser@mydomain.com
    Password: Secret123

    then the user edgeuser@mydomain.com with the password Secret123 must also exist in the external LDAP.
  • Note that if you run a cluster of Management Servers, you must perform all the steps in this document on each Management Server.

Configure external authentication

The main activity is configuring the management-server.properties file. This includes stopping and starting the Edge Management Server, deciding whether to use direct or indirect binding, encrypting sensitive credentials, and other related tasks.

  1. Important: Decide now whether you will use the indirect or direct binding authentication method. This decision affects several aspects of the configuration. See External authentication.
  2. Important: You must perform these configuration steps on every Apigee Edge Management Server (if you run more than one).
  3. Open /opt/apigee/customer/application/management-server.properties in a text editor. If the file does not exist, create it.
  4. Add the following line. Note: Make sure there is no trailing whitespace at the end of the line.

    conf_security_authentication.user.store=externalized.authentication

    This line adds the external authentication feature to your Edge for Private Cloud installation.
  5. To simplify this step, we have created two annotated sample configurations: one for direct binding and one for indirect binding authentication. See the example for the binding you want to use and complete the configuration:

    Direct binding configuration example
    Indirect binding configuration example
  6. Restart the Management Server:
    > /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart
  7. Verify that the server is running:
    > /opt/apigee/apigee-service/bin/apigee-all status
  8. Important: You must perform additional configuration in either or both of the following cases: (a) if you intend for users to log in with a username that is not an email address; in that case your sysadmin user must also authenticate with a username; and/or (b) if the password of the sysadmin user account in the external LDAP differs from the password you configured when you first installed Apigee Edge for Private Cloud. See Configuration required for different sysadmin credentials.
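A way to sanity-check the file before the restart in step 6, as an added example that is not Apigee's code: it parses a management-server.properties fragment, applies the rules this page states for the two binding modes (the two properties that must not change, the direct-only and indirect-only properties, a valid password.encrypted flag), flags the trailing-whitespace pitfall from step 4, and shows how the fixed search query expands for one login. The RFC 4515 escaping of the user id is this example's own precaution against LDAP filter injection; the page does not say how Apigee treats the id internally. The sample property texts are constructed from the two examples on this page.

```python
"""Check the external-auth block of management-server.properties (added example)."""

P = "conf_security_externalized.authentication."
IMPL_CLASS = "com.apigee.rbac.impl.LdapAuthenticatorImpl"
SEARCH_QUERY = "(&(${userAttribute}=${userId}))"
REQUIRED_COMMON = [
    "implementation.class", "bind.direct.type", "server.url", "server.version",
    "server.conn.timeout", "user.store.baseDN", "user.store.search.query",
    "user.store.user.attribute", "user.store.user.email.attribute",
]
INDIRECT_ONLY = [
    "indirect.bind.server.admin.dn", "indirect.bind.server.admin.password",
    "indirect.bind.server.admin.password.encrypted",
]


def parse_properties(text):
    """Return (props, problems); a line with trailing whitespace is reported."""
    props, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip():
            problems.append(f"line {lineno}: trailing whitespace")
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: expected key=value")
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props, problems


def validate(props):
    """Apply the rules stated on this page; an empty list means OK."""
    problems = []
    if props.get("conf_security_authentication.user.store") != "externalized.authentication":
        problems.append("conf_security_authentication.user.store=externalized.authentication is required")
    for k in REQUIRED_COMMON:
        if P + k not in props:
            problems.append(f"missing {P}{k}")
    if props.get(P + "implementation.class", IMPL_CLASS) != IMPL_CLASS:
        problems.append("implementation.class must not be changed")
    if props.get(P + "user.store.search.query", SEARCH_QUERY) != SEARCH_QUERY:
        problems.append("user.store.search.query must not be changed")
    mode = props.get(P + "bind.direct.type")
    if mode == "true":
        if props.get(P + "direct.bind.user.directDN") != "${userDN}":
            problems.append("direct binding requires direct.bind.user.directDN=${userDN}")
        if props.get(P + "user.store.user.email.attribute") != "userPrincipalName":
            problems.append("direct binding: user.store.user.email.attribute should be userPrincipalName")
    elif mode == "false":
        for k in INDIRECT_ONLY:
            if P + k not in props:
                problems.append(f"indirect binding requires {P}{k}")
        if props.get(P + "indirect.bind.server.admin.password.encrypted", "true") not in ("true", "false"):
            problems.append("admin.password.encrypted must be true or false")
    else:
        problems.append("bind.direct.type must be true or false")
    return problems


def check(text):
    """Parse and validate a properties fragment in one step."""
    props, problems = parse_properties(text)
    return problems + validate(props)


# RFC 4515 escaping for values placed inside an LDAP search filter (this
# example's precaution; not a statement about what Apigee does with the id).
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPE.get(c, c) for c in value)


def render_search_filter(props, user_id):
    """Expand the page's fixed search template for one login id."""
    attr = props[P + "user.store.user.attribute"]
    template = props[P + "user.store.search.query"]
    return template.replace("${userAttribute}", attr).replace("${userId}", escape_filter_value(user_id))


# Constructed inputs, taken from the two examples on this page.
COMMON = f"""\
conf_security_authentication.user.store=externalized.authentication
{P}implementation.class={IMPL_CLASS}
{P}server.url=ldap://localhost:389
{P}server.version=3
{P}server.conn.timeout=50000
{P}user.store.baseDN=dc=apigee,dc=com
{P}user.store.search.query={SEARCH_QUERY}
{P}user.store.user.attribute=userPrincipalName
{P}user.store.user.email.attribute=userPrincipalName
"""
DIRECT_EXAMPLE = COMMON + f"{P}bind.direct.type=true\n{P}direct.bind.user.directDN=${{userDN}}\n"
INDIRECT_EXAMPLE = COMMON + (
    f"{P}bind.direct.type=false\n{P}indirect.bind.server.admin.dn=myExtLdapUsername\n"
    f"{P}indirect.bind.server.admin.password=myExtLdapPassword\n"
    f"{P}indirect.bind.server.admin.password.encrypted=true\n"
)
# Two mistakes the page warns about: a trailing space, and direct binding
# without the directDN property.
BROKEN_EXAMPLE = COMMON + f"{P}bind.direct.type=true \n"

if __name__ == "__main__":
    for name, text in (("direct", DIRECT_EXAMPLE), ("indirect", INDIRECT_EXAMPLE), ("broken", BROKEN_EXAMPLE)):
        print(name, check(text) or "OK")
    props, _ = parse_properties(DIRECT_EXAMPLE)
    print(render_search_filter(props, "edgeuser@mydomain.com"))
```

Run `check(open(path).read())` against the real file on every Management Server before the restart; an empty list means the file satisfies the rules above and nothing more. The escaping function exists to make the injection risk visible rather than to patch Apigee: a user id such as `*)(objectClass=*` would otherwise turn the search into a wildcard match.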

Direct binding configuration example

## The first property is always required to enable the external authentication feature. Do not change it.
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl

## Identify the type of binding:
# Set to "true" for direct binding
# Set to "false" for indirect binding. 
conf_security_externalized.authentication.bind.direct.type=true

## The next seven properties are needed regardless of direct or indirect binding. You need to configure these per your external authentication installation. 
## The IP or domain for your external LDAP instance. 
conf_security_externalized.authentication.server.url=ldap://localhost:389

## Your external LDAP server version.
conf_security_externalized.authentication.server.version=3

## The server timeout in milliseconds. 
conf_security_externalized.authentication.server.conn.timeout=50000

## Change these baseDN values to match your external LDAP service. This attribute value will be provided by your external LDAP administrator, and may have more or fewer dc elements depending on your setup.
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com

## Do not change this search string. It is used internally. 
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))

## Identifies the external LDAP property you want to bind against for Authentication. For example if you are binding against an email address, this would typically be in the userPrincipalName property in your external LDAP instance. Alternatively if you are binding against the user’s ID, this would typically be in the sAMAccountName property:
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName

## The LDAP attribute where the user email value is stored. For direct binding, set it to userPrincipalName.
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

## ONLY needed for DIRECT binding.
## The direct.bind.user.directDN property defines the string that is used for the bind against the external authentication service. Ensure it is set as follows:
conf_security_externalized.authentication.direct.bind.user.directDN=${userDN}

Indirect binding configuration example

## Required to enable the external authentication feature. Do not change it.
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl

## Identifies the type of binding:
# Set to "true" for direct binding
# Set to "false" for indirect binding. 
conf_security_externalized.authentication.bind.direct.type=false

## The next seven properties are needed regardless of direct or indirect binding. You need to configure these per your external LDAP installation. 
## The IP or domain for your external LDAP instance. 
conf_security_externalized.authentication.server.url=ldap://localhost:389

## Replace with your external LDAP server version.
conf_security_externalized.authentication.server.version=3

## Set the server timeout in milliseconds. 
conf_security_externalized.authentication.server.conn.timeout=50000

## Change these baseDN values to match your external LDAP service. This attribute value will be provided by your external LDAP administrator, and may have more or fewer dc elements depending on your setup.
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com

## Do not change this search string. It is used internally. 
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))

## Identifies the external LDAP property you want to bind against for Authentication. For example if you are binding against an email address, this would typically be in the userPrincipalName property in your external LDAP instance. Alternatively if you are binding against the user’s ID, this would typically be in the sAMAccountName property. See also "Configuration required for different sysadmin credentials".
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName

## Used by Apigee to perform the Authorization step and currently, Apigee only supports email address for Authorization. Make sure to set it to the attribute in your external LDAP that stores the user’s email address. Typically this will be in the userPrincipalName property. 
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

## The external LDAP username (for a user with search privileges on the external LDAP) and password and whether the password is encrypted. You must also set the attribute externalized.authentication.bind.direct.type to false.
## The password attribute can be encrypted or in plain text. See "Indirect binding only: Encrypting the external LDAP user’s password" for encryption instructions. Set the password.encrypted attribute to "true" if the password is encrypted. Set it to "false" if the password is in plain text.
conf_security_externalized.authentication.indirect.bind.server.admin.dn=myExtLdapUsername
conf_security_externalized.authentication.indirect.bind.server.admin.password=myExtLdapPassword
conf_security_externalized.authentication.indirect.bind.server.admin.password.encrypted=true

Test the installation

  1. Verify that the server is running:
    > /opt/apigee/apigee-service/bin/apigee-all status
  2. Run this command, supplying a set of Apigee Edge global sysadmin credentials. The API call being tested can only be executed by an Edge sysadmin.

    Important: The same credentials must exist in your external LDAP. If they do not, add them now. Note that the username is usually an email address; however, this depends on how you configured external authentication, as described earlier in this document.
    > curl -v http://<management-server-ip>:8080/v1/o -u <sysadmin username>

    For example:
    > curl -v http://192.168.52.100:8080/v1/o -u edgeuser@mydomain.com
  3. Enter your password when prompted.

    If the command returns a 200 status and a list of organizations, the configuration is correct. This command verifies that an API call to the Edge Management Server was successfully authenticated against the external LDAP system. A 401 means the Management Server rejected the credentials, which usually indicates that the sysadmin user or password does not exist in the external LDAP as described in the prerequisites. Repeat the test against each Management Server in a cluster.