I would like to access my LDAP for user auth from external services.
I guess it's a bad idea just to port-forward the LDAP port to UCS.
I was thinking about a little LDAP proxy/gateway that is capable of filtering LDAP requests.
Or replicate/copy just the needed LDAP user part to an external OpenLDAP auth service?
Depends on your use case.
If you know the IP addresses of your external service, then you could just open the firewall for these special IPs on port 7636 (secure LDAP).
If you want to deal with an extra proxy, you could use nginx or stunnel4 for that.
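As an added illustration of the nginx variant suggested above (not configuration from the thread or from Univention), here is a minimal nginx `stream` block that exposes the UCS LDAPS port 7636 only to known external addresses and passes the TLS connection through untouched. The UCS address `10.0.0.10` and the client addresses `203.0.113.10`/`203.0.113.11` are constructed placeholders.

```nginx
# nginx TCP (stream) proxy in front of the UCS LDAPS port.
# Added example, not from the original thread; addresses are placeholders.
stream {
    upstream ucs_ldaps {
        # Replace with the real address of the UCS Directory Node.
        server 10.0.0.10:7636;
    }

    server {
        # Same port on the proxy host, so clients keep using 7636.
        listen 7636;

        # Source-address allowlist: only the known external services.
        allow 203.0.113.10;
        allow 203.0.113.11;
        # Everything else is refused before any bytes reach UCS.
        deny  all;

        # Do not let idle or half-open connections pile up on UCS.
        proxy_connect_timeout 5s;
        proxy_timeout         120s;

        # TLS is terminated on UCS, not here: nginx forwards the raw
        # encrypted stream, so the LDAPS certificate stays on UCS.
        proxy_pass ucs_ldaps;
    }
}
```

Note that this only restricts who may connect; nginx does not inspect LDAP operations, so it cannot filter individual requests the way the original poster describes.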
@peichert thanks for the reply, but what I'm asking is whether we can use any "endpoint" of the UCS server to send user and password and know if that user is allowed…
@codedmind not sure if I understand your question correctly:
If you ask about any standard to handle username and password: Yes, UCS supports "SAML" out of the box to have a general login form.
If you are asking about using any available software for that: It is important that the software has a mechanism for LDAP authentication. Most applications in the Univention App Center are already prepared for this.
If you are asking about using any UCS server: I suggest using at minimum the "Replica Directory Node" to have a local LDAP for authentication. This speeds up the authentication process.