LDAP Endpoint Service

classname : be.securit.trustbuilder.service.LdapService

The LDAP endpoint service opens a listener port for the LDAP endpoint.

Currently only search and authenticate (bind) are supported. Search is, however, limited to what you define in the workflows. Browsing the server with a normal LDAP client isn't possible, as the endpoint is meant for authentication only.

Properties

  • port : Port used for the listener
  • workflow : Which workflow has to be run by the engine when this service is called

Note on ldap port

If you are running TrustBuilder as a non-root user, you can't open ports below 1024. We recommend setting the LDAP port higher; if you want to use port 389 for LDAP, use software that forwards connections from port 389 to your TrustBuilder LDAP endpoint.

Config

<stb:Service stb:id="ldapserv" stb:singleton="false" stb:synchronised="false" stb:type="be.securit.trustbuilder.service.LdapService">
   <stb:property stb:name="port">1389</stb:property>
   <stb:property stb:name="workflow">ldapworkflow</stb:property>
</stb:Service>

We set the listener to port 1389 and attach the "ldapworkflow" to it. Each request to this endpoint starts the configured workflow.

Requests

Bind Request

{"user":"null","type":"bind","ip":"10.0.10.243","dn":"cn=administrator,dc=securit,dc=biz","password":"somepasswd"}

Exposed fields in the input :

user :
type : bind
ip : ip of requesting host
dn : DN to bind to
password : the given password to bind

Search Request

Engine.WorkItem - set ___INPUT___=LdapEndpointSearchRequest: {
       baseDN: 'dc=securit,dc=biz',
       scope: 'SUB',
       filter: '(&(objectclass=posixaccount)(uid=ewold))',
       attributes: '[userPassword, cn, gidNumber, uidNumber, loginShell, objectClass, gecos, uid, homeDirectory]',
} []

{"user":"null","type":"search","base":"dc=securit,dc=biz","scope":"SUB","filter":"(&(objectclass=posixaccount)(uid=username))","attributes":["userPassword","cn","gidNumber","uidNumber","loginShell","objectClass","gecos","uid","homeDirectory"]}

Exposed fields in the input :

user :
type : search
base : Search base
scope : Search scope
filter : Search filter
attributes : Requested attributes to return

Response

To create a response to the LDAP client, TrustBuilder uses a function that is called on the input object.

Bind Response :

// Authentication accepted
workItem.output = workItem.input.generateResponse(0);

// Authentication rejected
workItem.output = workItem.input.generateResponse(49);

Search Response :

// "info" is assumed to hold the user's attributes looked up earlier in the workflow
var username = "testuser";
var response = {
    "host" : "10.0.10.243",
    "gidNumber" : info.gidNumber,
    "uidNumber" : info.uidNumber,
    "homeDirectory" : info.homeDirectory,
    "loginShell" : info.loginShell,
    "userPassword" : "password"
};
workItem.output = workItem.input.generateResponse(0);
// Add search result and attributes
workItem.output.addResult("cn="+username,response);

The addResult function can be called multiple times.
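The following is an added, stand-alone JavaScript example (not TrustBuilder's own code) of what an "ldapworkflow" script does with the bind and search request objects shown above. Because generateResponse() and addResult() are engine APIs, the response is modelled as a plain {code, results} object, and the user store, base DN and result code 53 (the standard LDAP unwillingToPerform code) are assumptions for the example.

```javascript
// Added example, not TrustBuilder code: dispatch on the request "type" field and
// build a response of the same shape the engine's generateResponse()/addResult()
// produce, modelled here as {code, results} so it runs with plain node.
const LDAP_SUCCESS = 0;               // bind accepted / search completed
const LDAP_INVALID_CREDENTIALS = 49;  // the rejected-bind code used on the page
const LDAP_UNWILLING_TO_PERFORM = 53; // standard LDAP result code (RFC 4511)

// Constructed sample user store (DN -> password and POSIX attributes).
const USERS = {
  "cn=administrator,dc=securit,dc=biz": {
    password: "somepasswd", uid: "administrator", cn: "administrator",
    uidNumber: "1000", gidNumber: "1000",
    homeDirectory: "/home/administrator", loginShell: "/bin/bash",
  },
};
const BASE_DN = "dc=securit,dc=biz"; // assumed search base
// Only the exact single-user lookup shape from the page is honoured; the endpoint
// is for authentication, not browsing, so wildcards or other filters are refused.
const UID_FILTER = /^\(&\(objectclass=posixaccount\)\(uid=([a-z0-9._-]+)\)\)$/i;

function handleLdapRequest(input) {
  if (input.type === "bind") {
    const user = USERS[input.dn];
    const ok = user !== undefined && user.password === input.password;
    return { code: ok ? LDAP_SUCCESS : LDAP_INVALID_CREDENTIALS, results: [] };
  }
  if (input.type === "search") {
    const match = UID_FILTER.exec(input.filter || "");
    if (input.base !== BASE_DN || !match) {
      return { code: LDAP_UNWILLING_TO_PERFORM, results: [] };
    }
    const uid = match[1].toLowerCase();
    const results = [];
    for (const [dn, user] of Object.entries(USERS)) {
      if (user.uid !== uid) continue;
      // Return only the attributes the client asked for (one addResult per entry);
      // the stored password field is never part of the returned attribute set.
      const attrs = {};
      for (const name of input.attributes || []) {
        if (name !== "password" && user[name] !== undefined) attrs[name] = user[name];
      }
      results.push({ dn, attrs });
    }
    return { code: LDAP_SUCCESS, results }; // no match: success with zero entries
  }
  // Any other operation is not supported by the endpoint.
  return { code: LDAP_UNWILLING_TO_PERFORM, results: [] };
}
```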

Returning error codes

Result code 49 is the LDAP "invalid credentials" error code. If you wish to use other codes, have a look at: http://docs.oracle.com/javase/jndi/tutorial/ldap/models/exceptions.html
