Enable external authentication

Edge for Private Cloud v4.18.05

This section describes how to obtain, install, and configure the integration of an LDAP service into Apigee Edge for user authentication.

Prerequisites

  • You must have installed Apigee Edge for Private Cloud 4.18.05.
  • You must have global system administrator credentials on Apigee Edge for Private Cloud to perform this installation.
  • You need to know the installation root directory of Apigee Edge for Private Cloud. The default root directory is /opt.
  • You must add the Edge global system administrator credentials to the external LDAP. Note that by default the system administrator credentials are stored in the Edge internal LDAP. After you switch to an external LDAP, your system administrator credentials are authenticated there instead, so you must provision the credentials in the external system before enabling external authentication in Edge.

    For example, if you configured and installed Apigee Edge for Private Cloud with system administrator credentials like the following:

    username: edgeuser@mydomain.com
    password: Secret123

    then the user edgeuser@mydomain.com with the password Secret123 must also exist in the external LDAP.

  • Note that if you are running a cluster of management servers, you must perform the steps described in this document on each management server.

Configure external authentication

The main activity you will perform is configuring the management-server.properties file. This includes stopping and starting the Edge management server, deciding whether you want to use direct or indirect binding, encrypting sensitive credentials, and related tasks.

  1. Important: decide now whether you intend to use the "indirect" or "direct" binding authentication method. This decision affects some aspects of the configuration. See External authentication.
  2. Important: you must perform these configuration steps on each Apigee Edge management server (if you run more than one).
  3. Open /opt/apigee/customer/application/management-server.properties in a text editor. If the file does not exist, create it.
  4. Add the following line:
    conf_security_authentication.user.store=externalized.authentication

    This line adds the external authentication feature to the Edge for Private Cloud installation.

  5. To simplify this step, we have created two sample configurations, one for direct binding authentication and one for indirect binding authentication. See the example for the binding you want to use and complete the configuration accordingly:
  6. Restart the management server:
    /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart
  7. Verify that the server is running:
    /opt/apigee/apigee-service/bin/apigee-all status
  8. Important: you must perform additional configuration in either (or both) of the following cases:
    1. If you want users to authenticate with a username instead of an email address. In that case, your system administrator user must also authenticate with a username.

      and/or

    2. If the password of your system administrator user account in the external LDAP differs from the password you configured when you first installed Apigee Edge for Private Cloud. See Configuration required for different sysadmin credentials.

Direct binding configuration example

## The first property is always required to enable the external authorization feature.
## Do not change it.
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl

## Identify the type of binding:
## Set to "true" for direct binding
## Set to "false" for indirect binding.
conf_security_externalized.authentication.bind.direct.type=true

## The next seven properties are needed regardless of direct or indirect binding. You need to
## configure these per your external authentication installation.
## The IP or domain for your external LDAP instance. 
conf_security_externalized.authentication.server.url=ldap://localhost:389

## Your external LDAP server version.
conf_security_externalized.authentication.server.version=3

## The server timeout in milliseconds. 
conf_security_externalized.authentication.server.conn.timeout=50000

## Change these baseDN values to match your external LDAP service. This attribute value will be
## provided by your external LDAP administrator, and may have more or fewer dc elements depending
## on your setup.
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com

## Do not change this search string. It is used internally. 
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))

## Identifies the external LDAP property you want to bind against for Authentication. For
## example if you are binding against an email address in Microsoft Active Directory, this would be
## the userPrincipalName property in your external LDAP instance. Alternatively if you are binding
## against the user's ID, this would typically be in the sAMAccountName property:
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName

## The LDAP attribute where the user email value is stored. For direct binding with AD, set it to
## userPrincipalName.
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

## ONLY needed for DIRECT binding.
## The direct.bind.user.directDN property defines the string that is used for the bind against the
## external authentication service. Ensure it is set as follows:
conf_security_externalized.authentication.direct.bind.user.directDN=${userDN}

Indirect binding configuration example

## Required to enable the external authorization feature. Do not change it.
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl

## Identifies the type of binding:
## Set to "true" for direct binding
## Set to "false" for indirect binding.
conf_security_externalized.authentication.bind.direct.type=false

## The next seven properties are needed regardless of direct or indirect binding. You need to
## configure these per your external LDAP installation.
## The IP or domain for your external LDAP instance.
conf_security_externalized.authentication.server.url=ldap://localhost:389

## Replace with your external LDAP server version.
conf_security_externalized.authentication.server.version=3

## Set the server timeout in milliseconds. 
conf_security_externalized.authentication.server.conn.timeout=50000

## Change these baseDN values to match your external LDAP service. This attribute value will be
## provided by your external LDAP administrator, and may have more or fewer dc elements
## depending on your setup.
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com

## Do not change this search string. It is used internally. 
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))

## Identifies the external LDAP property you want to bind against for Authentication. For example
## if you are binding against an email address, this would typically be in the
## userPrincipalName property in your external LDAP instance. Alternatively if you are binding
## against the user's ID, this would typically be in the sAMAccountName property.
## See also "Configuration required for different sysadmin credentials".
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName

## Used by Apigee to perform the Authorization step and currently, Apigee only supports email
## address for Authorization. Make sure to set it to the attribute in your external LDAP that
## stores the user's email address. Typically this will be in the userPrincipalName property.
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

## The external LDAP username (for a user with search privileges on the external LDAP) and
## password and whether the password is encrypted. You must also set the attribute
## externalized.authentication.bind.direct.type to false.
## The password attribute can be encrypted or in plain text. See
## "Indirect binding only: Encrypting the external LDAP user's password"
## for encryption instructions. Set the password.encrypted attribute to "true" if the password is
## encrypted. Set it to "false" if the password is in plain text.
conf_security_externalized.authentication.indirect.bind.server.admin.dn=myExtLdapUsername
conf_security_externalized.authentication.indirect.bind.server.admin.password=myExtLdapPassword
conf_security_externalized.authentication.indirect.bind.server.admin.password.encrypted=true
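Before restarting the management server it is worth checking that the properties file is internally consistent for the binding type you chose: the direct example needs direct.bind.user.directDN, the indirect example needs the three indirect.bind.server.admin.* properties, and a plain-text admin password should be flagged. The following linter is an added example, not Apigee's own tooling; it uses only the property names from the two examples above, and the sample file it builds is constructed for illustration.

```python
# Added example, not Apigee's own tooling: lint the external-authentication
# settings in management-server.properties before restarting the management
# server. Property names come from the page; the sample below is constructed.
PREFIX = "conf_security_externalized.authentication."
SEARCH_QUERY = "(&(${userAttribute}=${userId}))"
# Needed for both bind types (the "next seven properties" plus class and switch).
COMMON = ["implementation.class", "bind.direct.type", "server.url", "server.version",
          "server.conn.timeout", "user.store.baseDN", "user.store.search.query",
          "user.store.user.attribute", "user.store.user.email.attribute"]
DIRECT_ONLY = ["direct.bind.user.directDN"]
INDIRECT_ONLY = ["indirect.bind.server.admin.dn", "indirect.bind.server.admin.password",
                 "indirect.bind.server.admin.password.encrypted"]

def parse_properties(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # split on the first '=' only
            props[key.strip()] = value.strip()
    return props

def check_external_auth(text):
    """Return a list of findings; an empty list means the file is consistent."""
    p = parse_properties(text)
    out = []
    if p.get("conf_security_authentication.user.store") != "externalized.authentication":
        out.append("conf_security_authentication.user.store is not externalized.authentication")
    bind = p.get(PREFIX + "bind.direct.type")
    if bind not in ("true", "false"):
        out.append("bind.direct.type must be true or false")
    required = COMMON + {"true": DIRECT_ONLY, "false": INDIRECT_ONLY}.get(bind, [])
    out += ["missing " + PREFIX + n for n in required if PREFIX + n not in p]
    if bind == "true" and p.get(PREFIX + "direct.bind.user.directDN") != "${userDN}":
        out.append("direct.bind.user.directDN must be ${userDN}")
    if bind == "false" and p.get(PREFIX + "indirect.bind.server.admin.password.encrypted") == "false":
        out.append("warning: indirect bind password is stored in plain text")
    if p.get(PREFIX + "user.store.search.query", SEARCH_QUERY) != SEARCH_QUERY:
        out.append("user.store.search.query was changed; it must stay " + SEARCH_QUERY)
    return out

# Constructed direct-binding sample mirroring the page's example values.
SAMPLE_DIRECT = "conf_security_authentication.user.store=externalized.authentication\n" + "\n".join(
    PREFIX + kv for kv in [
        "implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl", "bind.direct.type=true",
        "server.url=ldap://localhost:389", "server.version=3", "server.conn.timeout=50000",
        "user.store.baseDN=dc=apigee,dc=com", "user.store.search.query=" + SEARCH_QUERY,
        "user.store.user.attribute=userPrincipalName",
        "user.store.user.email.attribute=userPrincipalName", "direct.bind.user.directDN=${userDN}"])
```

Run check_external_auth() on the contents of your real management-server.properties; an empty list means the file matches the shape of the example for the chosen binding type.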

Test the installation

  1. Verify that the server is running:
    /opt/apigee/apigee-service/bin/apigee-all status
  2. Run this command, providing a set of Apigee Edge global system administrator credentials. The API call being tested can only be run by a sysadmin.
    curl -v http://management-server-IP:8080/v1/o -u sysadmin_username

    For example:

    curl -v http://192.168.52.100:8080/v1/o -u jdoe@mydomain.com
  3. Enter your password when prompted.

    If the command returns a 200 status and a list of organizations, the configuration is correct. This command verifies that an API call to the Edge management server was successfully authenticated through the external LDAP system.