啟用外部驗證功能

Edge for Private Cloud 4.18.05

本節說明如何取得、安裝及設定整合 LDAP 服務至 Apigee Edge 的必要元件,以便進行使用者驗證。

必要條件

  • 您必須安裝 Apigee Edge for Private Cloud 4.18.05。
  • 您必須具備 Apigee Edge for Private Cloud 的全球系統管理員憑證,才能執行這項安裝作業。
  • 您必須知道 Apigee Edge for Private Cloud 安裝作業的根目錄。預設的根目錄為 /opt
  • 您必須將 Edge 全球系統管理員憑證新增至外部 LDAP。請注意,根據預設,系統管理員憑證會儲存在 Edge 內部 LDAP 中。切換至外部 LDAP 後,系統會改為在該處驗證系統管理員憑證。因此,您必須在 Edge 啟用外部驗證功能前,先為外部系統提供憑證。

    舉例來說,如果您已使用全球系統管理員憑證設定及安裝 Apigee Edge for Private Cloud,憑證如下:

    username: edgeuser@mydomain.com
password: Secret123

    接著,使用者 edgeuser@mydomain.com 和密碼 Secret123 也必須存在於外部 LDAP 中。

  • 如果您執行管理伺服器叢集,請注意,您必須為每個管理伺服器執行本文中的所有步驟。

設定外部驗證

您要執行的主要活動是設定 management-server.properties 檔案。這項活動包括停止及啟動 Edge Management Server、決定要使用直接或間接繫結、加密敏感憑證,以及其他相關工作。

  1. 重要事項:請立即決定要使用間接或直接綁定驗證方法。這項決定會影響設定的某些面向。請參閱外部驗證
  2. 重要事項:您必須在每個 Apigee Edge 管理伺服器 (如果您執行多個) 上執行這些設定步驟。
  3. 在文字編輯器中開啟 /opt/apigee/customer/application/management-server.properties。如果檔案不存在,請建立檔案。
  4. 新增下列程式碼行: 
    conf_security_authentication.user.store=externalized.authentication

    這行會在 Edge for Private Cloud 安裝中新增外部驗證功能。

  5. 為了簡化這個步驟,我們建立了兩個附有詳細註解的設定範例:一個用於直接綁定驗證,另一個用於間接綁定驗證。請參閱下列範例,瞭解您要使用的繫結,並完成設定:
  6. 重新啟動管理伺服器: 
    /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart
  7. 驗證伺服器是否正在執行: 
    /opt/apigee/apigee-service/bin/apigee-all status
  8. 重要事項:您必須在下列任一 (或兩者) 情況下進行額外設定:
    1. 如果您希望使用者使用非電子郵件地址的使用者名稱登入。在這種情況下,系統管理員使用者也必須使用使用者名稱進行驗證。

      AND/OR

    2. 如果外部 LDAP 中系統管理員使用者帳戶的密碼,與您首次安裝 Apigee Edge for Private Cloud 時所設定的密碼不同,請參閱不同的 sysadmin 憑證需要設定

直接繫結設定範例

## The first property is always required to enable the external authorization feature.
## Do not change it.
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl

## Identify the type of binding:
## Set to "true" for direct binding
## Set to "false" for indirect binding.
conf_security_externalized.authentication.bind.direct.type=true

## The next seven properties are needed regardless of direct or indirect binding. You need to
## configure these per your external authentication installation.
## The IP or domain for your external LDAP instance. 
conf_security_externalized.authentication.server.url=ldap://localhost:389

## Your external LDAP server version.
conf_security_externalized.authentication.server.version=3

## The server timeout in milliseconds. 
conf_security_externalized.authentication.server.conn.timeout=50000

## Change these baseDN values to match your external LDAP service. This attribute value will be
## provided by your external LDAP administrator, and may have more or fewer dc elements depending
## on your setup.
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com

## Do not change this search string. It is used internally. 
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))

## Identifies the external LDAP property you want to bind against for Authentication. For
## example if you are binding against an email address in Microsoft Active Directory, this would be
## the userPrincipalName property in your external LDAP instance. Alternatively if you are binding
## against the user's ID, this would typically be in the sAMAccountName property:
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName

## The LDAP attribute where the user email value is stored. For direct binding with AD, set it to
## userPrincipalName.
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

## ONLY needed for DIRECT binding.
## The direct.bind.user.directDN property defines the string that is used for the bind against the
## external authentication service. Ensure it is set as follows:
conf_security_externalized.authentication.direct.bind.user.directDN=${userDN}

間接繫結設定範例

## Required to enable the external authorization feature. Do not change it.
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl

## Identifies the type of binding:
## Set to "true" for direct binding
## Set to "false" for indirect binding.
conf_security_externalized.authentication.bind.direct.type=false

## The next seven properties are needed regardless of direct or indirect binding. You need to
## configure these per your external LDAP installation.
## The IP or domain for your external LDAP instance.
conf_security_externalized.authentication.server.url=ldap://localhost:389

## Replace with your external LDAP server version.
conf_security_externalized.authentication.server.version=3

## Set the server timeout in milliseconds. 
conf_security_externalized.authentication.server.conn.timeout=50000

## Change these baseDN values to match your external LDAP service. This attribute value will be
# provided by your external LDAP administrator, and may have more or fewer dc elements
# depending on your setup.
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com

## Do not change this search string. It is used internally. 
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))

## Identifies the external LDAP property you want to bind against for Authentication. For example
## if you are binding against an email address, this would typically be in the
## userPrincipalName property in your external LDAP instance. Alternatively if you are binding
## against the user's ID, this would typically be in the sAMAccountName property.
## See also "Configuration required for different sysadmin credentials".
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName

## Used by Apigee to perform the Authorization step and currently, Apigee only supports email
## address for Authorization. Make sure to set it to the attribute in your external LDAP that
## stores the user's email address. Typically this will be in the userPrincipalName property.
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

## The external LDAP username (for a user with search privileges on the external LDAP) and
## password and whether the password is encrypted. You must also set the attribute
## externalized.authentication.bind.direct.type to false.
## The password attribute can be encrypted or in plain text. See
## "Indirect binding only: Encrypting the external LDAP user's password"
## for encryption instructions. Set the password.encrypted attribute to "true" if the password is
## encrypted. Set it to "false" if the password is in plain text.
conf_security_externalized.authentication.indirect.bind.server.admin.dn=myExtLdapUsername
conf_security_externalized.authentication.indirect.bind.server.admin.password=myExtLdapPassword
conf_security_externalized.authentication.indirect.bind.server.admin.password.encrypted=true

測試安裝

  1. 確認伺服器是否正在執行: 
    /opt/apigee/apigee-service/bin/apigee-all status
  2. 執行這個指令,提供一組 Apigee Edge 全域系統管理員憑證。你要測試的 API 呼叫只能透過 Edge sysadmin 執行。 
    curl -v http://management-server-IP:8080/v1/o -u sysadmin_username

    例如:

    curl -v http://192.168.52.100:8080/v1/o -u jdoe@mydomain.com
  3. 出現提示時,輸入密碼。

    如果指令傳回 200 狀態和機構清單,表示設定正確無誤。 這個指令會驗證 Edge 管理伺服器的 API 呼叫是否已透過外部 LDAP 系統成功驗證。