7

We have a scenario where we have to authenticate the user with LDAP server

Flow 1:

client --> application server --> LDAP server

In above flow the client enters LDAP credentials which comes to application server and then using python-ldap we can authenticate the user, straight forward. Since the user LDAP credentials comes to application server an organisation may not be willing for such flow for obvious reasons.

Flow 2:

client --> oauth2 --> LDAP server

Oauth scenario suites best here, since authentication of the user is responsibility of the oauth and application server do not need to know the user credentials.

Have anyone encountered such case, if yes, how you tackled it? Is there are any Oauth client for LDAP free and paid ?

navyad
  • 3,752
  • 7
  • 47
  • 88

3 Answers3

4

If you don't want user credentials to reach the Application server then what you need is a perimeter authentication. You need to have an external authentication provider , say Oracle Access Manager, that will perform the authentication and set a certain token in the request. The application server can assert this token and let user access resources. This model enables SSO as well.

  1. The resources that require authorized access are configured as protected URLs in OAM.

  2. When a user tries to access a protected resource he is challenged for credentials.

  3. OAM authenticates the user against an LDAP directory(that is configured in OAM).

  4. A token corresponding to the authenticated user is set in the request. Also an SSO cookie is set.

  5. Application server (Weblogic) can assert (verify) this token and let the user access the resource.

Note: Oracle Access Manager supports oAuth as well.

Roshith
  • 2,116
  • 13
  • 21
3

Ory Hydra https://ory.sh/hydra might be what the original poster was asking for. This question is several years old now but in the interest of helping anyone else who sees this...check out Ory Hydra. It provides the OAuth2/OpenID parts and can be linked to an LDAP server behind the scenes.

Eric Evans
  • 94
  • 10
2

canaille is a free and light OAuth2/OpenID service over a LDAP backend, written in python. (canaille developper here)

https://gitlab.com/yaal/canaille

azmeuk
  • 4,026
  • 3
  • 37
  • 64