LDAP Data Source
An LDAP Data Source reads the data from a configured LDAP service.
Creating or Configuring the Data Source through the Styra DAS UI
Create or configure the Data Source through the Styra DAS UI.
- Login to the Styra DAS UI.
- Select the System to add the Data Source.
- Click the kebab icon (three dots ⋮) to the right of the System and select Add Data Source. The Add Data Source dialog box appears.
- Select LDAP.
- In Path type a new or existing path separated by
/
. For example,datasourcetypes
. - In Data Source name (required) type the name for the Data Source.
- (Optional) Type in a Description.
- In Search DN (required) type a string representing the base Distinguished Name (DN). For example,
dc=appentitlement,dn=onmicrosoft,dn=com
. - In Search filter (required) type a string representing search filter. For example, enter
(objectclass=users)
. See more examples. - In Refresh interval type a refresh interval which is the amount of time between polling intervals. Default is
s
. - In Enable TLS verification enable or disable the switch based on the SSL certificate verification.
- In URL (required) type the URL where the LDAP server is deployed.
- In CA certificate provide a CA certificate.
- In Access Keys type the following access key credentials.
- Username (required): Enter the access key ID.
- Password (required): Enter the password.
noteIf no credentials are provided, then the plugin will make an attempt to poll the data without a bind request. If the password is blank, the plugin will make a bind request with
AllowEmptyPassword
flag set totrue
. - Click the arrow to expand the Advanced field.
- In Search scope select the search scope field from one of the following enumerated values: Base object, Single level, or Whole subtree to perform the search scope. The default is Whole subtree.
- In Search Dereferencing Aliases if there are references in the output then LDAP should return the object itself and not its reference. The dereference policy options are Never, Searching, Finding, and Always.
- In Add search attributes type the attributes to search for.
- In Search attributes type a string representing the search attributes.
- In Search page size type the number of returned objects per single request. According to the benchmarks, the higher number is better. The default value is
0
.
- In Data transform specify a policy and write a query that allows you to apply Rego transformations before it is persisted as data. For example, Select Custom and fill in the following fields:
- In Policy type an existing policy separated by /. For example,
transform/transform.rego
. - In Rego query type the Rego rule to evaluate. For example,
data.transform.query
.
- In Policy type an existing policy separated by /. For example,
- Leave the Enable on-premises data source agent switch off. Enable on-premises data source agent shows how and where to run the data source. If set to
true
thendatasource-agent
will run on-premises setup. - Preview the Data Source in the right pane. If the data is over 1 MB, the Preview will display an error.
- Click Add.
The following shows an example output which appears after the data source is created in Styra DAS.
{
"dn": {
"CN": [
"Users"
],
"DC": [
"appentitlement",
"onmicrosoft",
"com"
],
"_raw": "CN=Users,DC=appentitlement,DC=onmicrosoft,DC=com"
}
}
Configuring Data Source through the Styra DAS API
To create the LDAP data source plugin, run the following curl command:
curl -H 'Authorization: bearer XXX' \
-H 'Content-Type: application/json' \
-X PUT https://<das-id>.styra.com/v1/datasources/ldap/main -d'
{
"category": "ldap",
"urls": ["<url to main replica>", "<url to secondary replica>", "..."],
"credentials": "<secret id with LDAP credentials>",
"polling_interval: "60s",
"search": {
"base_DN": "<base DN>",
"filter": "<search filter>",
}
}'
Filter and Transform the Data
A policy_filter
is used to poll from a data source that you want to transform captured data source information before storing it. Specifying a policy_filter
and policy_query
will allow you to apply Rego transformations before it is persisted as data. This mechanism is useful for filtering out data that you no longer want to store or for any other mutations that you want to perform.
It works by specifying a policy that will be evaluated via Rego with captured data as input. You also specify a query to apply to that policy and data. The result of that query will be stored as data, instead of what is polled by the data source plugin.
Raw Data Returned by Plugin
[
{
"ou": [
"Users"
],
"objectClass": [
"organizationalUnit"
],
"dn": {
"ou": [
"Users"
],
"dc": [
"test",
"styra",
"com"
],
"_raw": "ou=Users,dc=test,dc=styra,dc=com"
}
},
{
"cn": [
"Foo Bar"
],
"sn": [
"Bar"
],
"uid": [
"fbar"
],
"objectClass": [
"inetOrgPerson"
],
"dn": {
"cn": [
"Foo Bar"
],
"ou": [
"Users"
],
"dc": [
"test",
"styra",
"com"
],
"_raw": "cn=Foo Bar,ou=Users,dc=test,dc=styra,dc=com"
}
},
{
"cn": [
"IT"
],
"member": [
"cn=Foo Bar,ou=Users,dc=test,dc=styra,dc=com"
],
"objectClass": [
"groupOfNames"
],
"dn": {
"cn": [
"IT"
],
"ou": [
"Users"
],
"dc": [
"test",
"styra",
"com"
],
"_raw": "cn=IT,ou=Users,dc=test,dc=styra,dc=com"
}
}
]
Policy Bundle
package tmp.policy
import input
users[record] {
in := input[_]
in.objectClass[_] == "inetOrgPerson"
record := {
"dn": in.dn._raw,
"name": concat(" ", in.cn),
"id": concat(" ", in.uid),
"units": in.dn.ou
}
}
groups[record] {
in := input[_]
in.objectClass[_] == "groupOfNames"
record := {
"dn": in.dn._raw,
"name": in.cn[_],
"members": in.member,
}
}
units[record] {
in := input[_]
in.objectClass[_] == "organizationalUnit"
record := {
"dn": in.dn._raw,
"name": concat(" ", in.ou),
}
}
Output
The following shows the final result after applying the Rego Bundle.
{
"groups": [
{
"dn": "cn=IT,ou=Users,dc=test,dc=styra,dc=com",
"members": [
"cn=Foo Bar,ou=Users,dc=test,dc=styra,dc=com"
],
"name": "IT"
}
],
"units": [
{
"dn": "ou=Users,dc=test,dc=styra,dc=com",
"name": "Users"
}
],
"users": [
{
"dn": "cn=Foo Bar,ou=Users,dc=test,dc=styra,dc=com",
"id": "fbar",
"name": "Foo Bar",
"units": [
"Users"
]
}
]
}