Modify User Authentication
As part of the Open AMT Cloud Toolkit reference implementation, MPS and the Kong service issue and authenticate a JSON Web Token (JWT) for user authentication. The default configuration offers basic authentication functionality, but it does not support many common configuration options, such as user groups. In a production environment, alternative authentication is available through OAuth 2, Lightweight Directory Access Protocol (LDAP), Kerberos, etc.
Warning
In the current release, if you choose to modify the toolkit's default authentication, no keyboard, video and mouse (KVM) or serial over LAN (SOL) support will be available.
The instructions below explain how to add an LDAP plugin to Kong.
Prerequisites
Install and start a local LDAP server on the development system. For this tutorial, Go-lang LDAP Authentication* (GLAuth) is referenced. Find more info in the GLAuth Readme.
- To install, see steps 1 - 3 of the Quickstart section of the GLAuth Readme. We do not need to alter the sample-simple.cfg file.
- Allow the Terminal or PowerShell to remain open to see LDAP activity as you proceed with the tutorial below.
- Optionally, download curl for testing the authentication with APIs at the end of this tutorial.
Edit the kong.yaml File
Reconfigure the Kong* API Gateway to use a different user authentication service:
- Open the `kong.yaml` file and comment out the `plugins` and `consumer` sections of the code by adding a `#` character at the beginning of each line. This disables the JWT authentication.
- Paste the new `plugins` section into the file.
- Modify the `ldap_host` to that of your development system or cloud instance.

```yaml
plugins:
  - name: cors
  - name: ldap-auth
    route: mps-route
    config:
      hide_credentials: true
      ldap_host: <Server IP-Address or FQDN> # Replace
      ldap_port: 3893
      start_tls: false
      ldaps: false
      base_dn: dc=glauth,dc=com
      verify_ldap_host: false
      attribute: cn
      cache_ttl: 60
      header_type: ldap
  - name: ldap-auth
    route: rps-route
    config:
      hide_credentials: true
      ldap_host: <Server IP-Address or FQDN> # Replace
      ldap_port: 3893
      start_tls: false
      ldaps: false
      base_dn: dc=glauth,dc=com
      verify_ldap_host: false
      attribute: cn
      cache_ttl: 60
      header_type: ldap
```
Note
The code above was adapted for the toolkit. For the default configuration details, see Enable the plugin on a route, on the Declarative YAML tab, in the Kong documentation.
Restart the Kong Gateway Container
- Open a Terminal or PowerShell/Command Prompt and run the command to list the containers:

  On Linux:
  ```
  sudo docker ps
  ```
  On Windows:
  ```
  docker ps
  ```
- Restart the Kong container:

  On Linux:
  ```
  sudo docker restart <container ID>
  ```
  On Windows:
  ```
  docker restart <container ID>
  ```
Test the Configuration
Authenticate a user to test the configuration by using an API of your choice. You will need to set the Authorization header to `ldap base64encode(user:pass)`.

Test the configuration with curl:

In the following examples, we use the base64 encoding of `johndoe:TestAppPw1` as our encoded `user:pass`. This value is `am9obmRvZTpUZXN0QXBwUHcx`. These credentials are one of the default credentials in the `sample-simple.cfg` file provided by GLAuth*.

On Linux:
```
curl --insecure https://[IP-Address or FQDN]/mps/api/v1/devices \
-H "Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx"
```
On Windows:
```
curl --insecure https://[IP-Address or FQDN]/mps/api/v1/devices ^
-H "Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx"
```
See Devices API Docs for more information and expected responses.

On Linux:
```
curl --insecure https://[IP-Address or FQDN]/rps/api/v1/admin/profiles \
-H "Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx"
```
On Windows:
```
curl --insecure https://[IP-Address or FQDN]/rps/api/v1/admin/profiles ^
-H "Authorization: ldap am9obmRvZTpUZXN0QXBwUHcx"
```
See Get Profiles API Docs for more information and expected responses.
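The following Python script is an added example and is not part of the toolkit or the Kong documentation. It builds the `ldap base64(user:pass)` Authorization value described above, decodes it back to confirm what the header actually carries, and issues the same two GET requests the curl commands make against the MPS and RPS routes. The gateway URL, the 10-second timeout and the `verify_tls=False` switch (the equivalent of `curl --insecure`, for a self-signed development gateway only) are assumptions of this example; the sample credentials are the `johndoe` account from GLAuth's `sample-simple.cfg`.

```python
import base64
import json
import ssl
import sys
import urllib.error
import urllib.request
from typing import Tuple

# Constructed sample input: the default johndoe account from GLAuth's sample-simple.cfg.
SAMPLE_USER = "johndoe"
SAMPLE_PASSWORD = "TestAppPw1"


def ldap_auth_header(user: str, password: str) -> str:
    """Return the Authorization value Kong's ldap-auth plugin expects with
    header_type: ldap, i.e. the literal scheme "ldap" followed by base64(user:pass)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"ldap {token}"


def decode_auth_header(value: str) -> Tuple[str, str]:
    """Inverse of ldap_auth_header: split the scheme, decode the token and
    separate user from password at the first colon (passwords may contain colons)."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "ldap":
        raise ValueError(f"unexpected Authorization scheme {scheme!r}")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def call_api(base_url: str, path: str, header_value: str,
             verify_tls: bool = True, timeout: float = 10.0) -> Tuple[int, object]:
    """GET base_url + path with the LDAP Authorization header and return
    (HTTP status, decoded JSON body or raw text). A 401 is returned to the
    caller rather than raised: it means Kong could not bind the user against
    the LDAP server with the supplied credentials."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as curl --insecure; never use against production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url + path, headers={"Authorization": header_value})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    try:
        return status, json.loads(body)
    except ValueError:
        return status, body.decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python ldap_auth_check.py https://<IP-Address or FQDN>
    gateway = sys.argv[1] if len(sys.argv) > 1 else "https://localhost"  # assumed default
    header = ldap_auth_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print("Authorization:", header)
    for path in ("/mps/api/v1/devices", "/rps/api/v1/admin/profiles"):
        status, body = call_api(gateway, path, header, verify_tls=False)
        print(f"{path} -> HTTP {status}: {str(body)[:200]}")
```

A 200 from both routes confirms the ldap-auth plugin is bound to `mps-route` and `rps-route` and that GLAuth accepted the bind; a 401 on one route but not the other usually means the second `ldap-auth` entry in `kong.yaml` was not pasted or the container was not restarted after the edit. The GLAuth terminal left open in the prerequisites shows the corresponding bind attempts as they arrive.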