Skip to main content

LDAP Data Source

An LDAP Data Source reads the data from a configured LDAP service.

Configuring Data Source through the Styra DAS UI

Configure <das-id>.styra.com to access a LDAP Data Source using the Styra DAS UI.

  1. Login to the Styra DAS UI.
  2. Select the System to add the Data Source.
  3. Click the kebab icon (three dots ⋮) to the right of the System and select Add Data Source. The Add Data Source dialog box appears.
  4. Select LDAP.
  5. In Path type a new or existing path separated by /. For example, datasourcetypes.
  6. In Data source name (required) type a name for the Data Source type. For example, ldap.
  7. (Optional) Type in a Description.
  8. In Search DN (required) type a string representing the base Distinguished Name (DN). For example, dc=appentitlement,dn=onmicrosoft,dn=com.
  9. In Search filter (required) type a string representing search filter. For example, enter (objectclass=users). See more examples.
  10. In Refresh interval type a refresh interval which is the amount of time between polling intervals. Default is s.
  11. In Enable TLS verification enable or disable the switch based on the SSL certificate verification.
  12. In URL (required) type the URL where the LDAP server is deployed.
  13. In CA certificate provide a CA certificate.
  14. In Access Keys type the following access key credentials.
    • Username (required): Enter the access key ID.
    • Password (required): Enter the password.
      note

      If no credentials are provided, then the plugin will make an attempt to poll the data without a bind request. If the password is blank, the plugin will make a bind request with AllowEmptyPassword flag set to true.

  15. Click the arrow to expand the Advanced field.
    • In Search scope select the search scope field from one of the following enumerated values: Base object, Single level, or Whole subtree to perform the search scope. The default is Whole subtree.
    • In Search Dereferencing Aliases if there are references in the output then LDAP should return the object itself and not its reference. The dereference policy options are Never, Searching, Finding, and Always.
    • In Add search attributes type the attributes to search for.
      • In Search attributes type a string representing the search attributes.
      • In Search page size type the number of returned objects per single request. According to the benchmarks, the higher number is better. The default value is 0.
  16. In Data transform specify a policy and write a query that allows you to apply Rego transformations before it is persisted as data. For example, Select Custom and fill in the following fields:
    • In Policy type an existing policy separated by /. For example, transform/transform.rego.
    • In Rego query type the Rego rule to evaluate. For example, data.transform.query.
  17. Leave the Enable on-premises data source agent switch off. Enable on-premises data source agent shows how and where to run the data source. If set to true then datasource-agent will run on-premises setup.
  18. Click Add.

The following shows an example output which appears after the data source is created in Styra DAS.

{
"dn": {
"CN": [
"Users"
],
"DC": [
"appentitlement",
"onmicrosoft",
"com"
],
"_raw": "CN=Users,DC=appentitlement,DC=onmicrosoft,DC=com"
}
}

Configuring Data Source through the Styra DAS API

To create the LDAP data source plugin, run the following curl command:

curl -H 'Authorization: bearer XXX' \
-H 'Content-Type: application/json' \
-X PUT https://<das-id>.styra.com/v1/datasources/ldap/main -d'
{
"category": "ldap",
"urls": ["<url to main replica>", "<url to secondary replica>", "..."],
"credentials": "<secret id with LDAP credentials>",
"polling_interval: "60s",
"search": {
"base_DN": "<base DN>",
"filter": "<search filter>",
}
}'

Filter and Transform the Data

A policy_filter is used to poll from a data source that you want to transform captured data source information before storing it. Specifying a policy_filter and policy_query will allow you to apply Rego transformations before it is persisted as data. This mechanism is useful for filtering out data that you no longer want to store or for any other mutations that you want to perform.

It works by specifying a policy that will be evaluated via Rego with captured data as input. You also specify a query to apply to that policy and data. The result of that query will be stored as data, instead of what is polled by the data source plugin.

Raw Data Returned by Plugin

Raw plugin data
[
{
"ou": [
"Users"
],
"objectClass": [
"organizationalUnit"
],
"dn": {
"ou": [
"Users"
],
"dc": [
"test",
"styra",
"com"
],
"_raw": "ou=Users,dc=test,dc=styra,dc=com"
}
},
{
"cn": [
"Foo Bar"
],
"sn": [
"Bar"
],
"uid": [
"fbar"
],
"objectClass": [
"inetOrgPerson"
],
"dn": {
"cn": [
"Foo Bar"
],
"ou": [
"Users"
],
"dc": [
"test",
"styra",
"com"
],
"_raw": "cn=Foo Bar,ou=Users,dc=test,dc=styra,dc=com"
}
},
{
"cn": [
"IT"
],
"member": [
"cn=Foo Bar,ou=Users,dc=test,dc=styra,dc=com"
],
"objectClass": [
"groupOfNames"
],
"dn": {
"cn": [
"IT"
],
"ou": [
"Users"
],
"dc": [
"test",
"styra",
"com"
],
"_raw": "cn=IT,ou=Users,dc=test,dc=styra,dc=com"
}
}
]

Policy Bundle

package tmp.policy

import input

users[record] {
in := input[_]
in.objectClass[_] == "inetOrgPerson"

record := {
"dn": in.dn._raw,
"name": concat(" ", in.cn),
"id": concat(" ", in.uid),
"units": in.dn.ou
}
}

groups[record] {
in := input[_]
in.objectClass[_] == "groupOfNames"

record := {
"dn": in.dn._raw,
"name": in.cn[_],
"members": in.member,
}
}

units[record] {
in := input[_]
in.objectClass[_] == "organizationalUnit"

record := {
"dn": in.dn._raw,
"name": concat(" ", in.ou),
}
}

Output

The following shows the final result after applying the Rego Bundle.

{
"groups": [
{
"dn": "cn=IT,ou=Users,dc=test,dc=styra,dc=com",
"members": [
"cn=Foo Bar,ou=Users,dc=test,dc=styra,dc=com"
],
"name": "IT"
}
],
"units": [
{
"dn": "ou=Users,dc=test,dc=styra,dc=com",
"name": "Users"
}
],
"users": [
{
"dn": "cn=Foo Bar,ou=Users,dc=test,dc=styra,dc=com",
"id": "fbar",
"name": "Foo Bar",
"units": [
"Users"
]
}
]
}