LDAP Services

You can use the Apcera generic service gateway to create services for integrating job instances with LDAP providers.

This section provides an example implementation based on the Sample LDAP Client App.

Example Go LDAP Client

The example is based on a sample Go web application that can look up a user in a remote LDAP directory through an LDAP service provisioned with the generic service gateway. The app can communicate with the service over TLS if LDAPS is enabled.

The following steps explain how an LDAP service can be provisioned and bound to an app in Apcera.

Instructions

1) Clone the Apcera sample apps.

git clone git@github.com:apcera/sample-apps.git

2) Update the source code with your LDAP credentials.

cd sample-apps/example-go-ldap-client

Edit sample-ldap-client.go and set the bind DN and password of the account the app will use to query the directory:

adminDN := "cn=Directory Manager"
adminPassword := "f4ktqR3AZUjb"       // for example

The sample hard-codes these credentials in the source, so do not commit a real password back to the repository. For a query-only client, a dedicated read-only service account is preferable to the directory administrator account.

3) Target to your cluster using APC and log in.

4) Create an LDAP service using a generic service gateway.

This plain ldap:// service can still carry TLS-protected traffic if the LDAP server supports the StartTLS extended operation, which upgrades the connection after it is opened on port 389.

apc service create ldap --type generic -- --url "ldap://<ldap-server-host>:389"

Where 389 is the default port for LDAP.

For example:

apc service create ldap --type generic -- --url "ldap://172.27.0.152:389"

5) Create the LDAP client app.

apc app create go-ldap-client --start --disable-routes --allow-ssh --env-set "HTTP_PORT=8080"

This command creates the LDAP client app, opens an SSH port on the job instance (container) running the app, and disables any other inbound route. The HTTP_PORT environment variable tells the sample app which port to start its web server on, so that the port you open in the next step matches the one the app listens on.

6) Open a port and create a route for accessing the app.

Although you have set the HTTP_PORT environment variable, you still need to open port 8080 for the app to be reachable:

apc app update go-ldap-client --port-add 8080

You also need to add a route to the job at port 8080 where the web server is listening:

apc route add --app go-ldap-client --type http --port 8080

7) Verify the web app.

The web app should be accessible at the route endpoint URL, such as http://go-ldap-client.vagrant.apcera.net. An LDAP query will fail at this point, however, because you have not yet bound the app to the LDAP/S service.

8) Bind the app to the ldap service.

apc service bind ldap --job go-ldap-client

After binding, refresh the page; the LDAP query should now succeed. If it still fails, restart the job and retry the query, since the binding is applied when the job starts.

9) Test the app.

Run a query and make sure it works, for example:

  • Username: user.1
  • BaseDN: ou

If you select the option Use secure connection, however, the query fails: TLS does not work yet.

10) Create secure LDAP service (LDAPS).

Plain LDAP may be acceptable for development, but in production you should use LDAPS, which encrypts the whole session from the first byte. You can use the same generic service gateway to create an LDAPS service. The ldaps service uses the LDAPS port, 636.

apc service create ldaps --type generic -- --url "ldaps://<ldap-server-host>:636"

For example:

apc service create ldaps --type generic -- --url "ldaps://172.27.0.152:636"

11) Bind the app to the ldaps service.

apc service bind ldaps --job go-ldap-client

12) Test the client.

You should get the same results as with the ldap service: the query works, but not when secure communication is selected. The client has no trust anchor for the server's certificate, so verification fails. The app needs to be given, in PEM format, the certificate authority that issued the server certificate (or the server certificate itself, if it is self-signed) so that it can verify the server.

13) Create a package for the certificate.

The following sequence is one way to extract the server's TLS certificate in PEM format (the <( ) process substitution requires bash). Note that openssl x509 keeps only the first certificate printed, which is the server's own certificate; if that certificate is issued by an internal CA, package the CA certificate instead (openssl s_client -showcerts prints the whole chain). Check the subject of what you extracted before packaging it.

export LDAP_HOST=<ldap server host name or IP>
openssl x509 -in <(openssl s_client -connect $LDAP_HOST:636 -prexit </dev/null) > ldap-client-cert.pem
tar cvf ldap-cert.tar ldap-client-cert.pem

Now, create a package from the cert file:

apc package from file ldap-cert.tar ldaps-cert --provides "package=ldaps-cert"

For example:

export LDAP_HOST=172.27.0.152
openssl x509 -in <(openssl s_client -connect $LDAP_HOST:636 -prexit </dev/null) > ldap-client-cert.pem
tar cvf ldap-cert.tar ldap-client-cert.pem

apc package from file ldap-cert.tar ldaps-cert --provides "package=ldaps-cert"

14) Update the job with the newly created package.

apc job update go-ldap-client --pkg-add ldaps-cert=/app-certs --env-set LDAP_CERT_PATH=/app-certs/ldap-client-cert.pem

The environment variable LDAP_CERT_PATH is used by the app to find the file with the certificate in PEM format.

15) Go back to the home page and query a user again.

This time, with the secure connection option checked, the LDAPS service should return the query result.
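The following is an added example, not code from the sample app or from Apcera, showing what the client has to do with the certificate mounted in step 14 for steps 12 through 15 to succeed: load the PEM bundle into a root pool, hand it to tls.Config as RootCAs together with a ServerName, and leave InsecureSkipVerify at its false default. So that it runs offline, it builds a constructed self-signed certificate that stands in for the directory server and performs a loopback TLS handshake three ways: with the packaged certificate (verifies), with an unrelated bundle (fails the way the sample app fails before step 14), and with a server name the certificate was not issued for. The function names (rootPoolFromPEM, clientTLSConfig, selfSignedPEM, handshake) and the host ldap.example.com are this example's own; a deployed client would read the bundle from the path in LDAP_CERT_PATH instead of generating one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// rootPoolFromPEM parses the bundle mounted from the ldaps-cert package. An empty
// pool would reject every server (safe, but hard to diagnose), so fail loudly.
func rootPoolFromPEM(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, errors.New("no CERTIFICATE blocks in PEM bundle")
	}
	return pool, nil
}

// clientTLSConfig trusts only the packaged roots. InsecureSkipVerify stays false;
// ServerName must match a SAN in the server certificate (an IP SAN for IP-only URLs).
func clientTLSConfig(serverName string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12}
}

// selfSignedPEM is a constructed fixture: a throwaway self-signed certificate for
// host that stands in for the directory server so the demo runs offline.
func selfSignedPEM(host string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:        true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

// handshake runs a loopback TLS server presenting serverCert and connects to it with
// a client that trusts only rootsPEM. nil means the server certificate verified
// against the packaged roots and serverName; anything else is the step 12 failure.
func handshake(serverCertPEM, serverKeyPEM, rootsPEM []byte, serverName string) error {
	cert, err := tls.X509KeyPair(serverCertPEM, serverKeyPEM)
	if err != nil {
		return err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: one handshake, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	roots, err := rootPoolFromPEM(rootsPEM)
	if err != nil {
		return err
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientTLSConfig(serverName, roots))
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	// Deployed, rootsPEM would come from os.ReadFile(os.Getenv("LDAP_CERT_PATH")).
	cert, key, err := selfSignedPEM("ldap.example.com")
	if err != nil {
		panic(err)
	}
	other, _, _ := selfSignedPEM("ldap.example.com") // constructed, unrelated issuer
	fmt.Println("packaged cert  :", handshake(cert, key, cert, "ldap.example.com"))
	fmt.Println("unrelated roots:", handshake(cert, key, other, "ldap.example.com"))
	fmt.Println("wrong hostname :", handshake(cert, key, cert, "ldap.example.org"))
}
```

The third case matters for this page's own examples: the service URLs use a bare IP address, so a client that sets ServerName from the URL will only verify if the server certificate carries that IP as a subject alternative name. Otherwise, register the service with the hostname the certificate was issued for, rather than disabling verification.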