
LDAP Data Source

An LDAP data source reads the data from a configured LDAP service.

Configure through the GUI

This section shows how to configure <das-id>.styra.com to read a data source stored in LDAP using the DAS GUI.

Create a DAS System

Go to <das-id>.styra.com. To add a new system, click the ( ⨁ ) plus icon next to SYSTEMS on the left side of the navigation panel.

Fill in the following fields:

  • System type (required): Select a system type from the drop-down list. For example, Custom.

  • System name (required): A user-friendly name so that you can distinguish between the different systems.

  • Description (optional): More details about this system.

  • Leave the Show errors switch ON to display the errors.

  • Click Add system button.

Now, your DAS system is created under the SYSTEMS on the left side of the navigation panel.

Add a Data Source

After you create your system, click the three-dots icon next to it and select Add Data Source to start configuring the data source.

Figure 1 - Add Data Source

Now, your Custom System >> Add Data Source dialog appears.

Figure 2 - Add Data Source Window

Complete the following steps in your Custom System >> Add Data Source dialog box.

  1. Type: The data source type. The default is an editable data source that you fill in with JSON data and publish. Click the down arrow to select another type; for example, select LDAP to pull a JSON object from a specific LDAP directory. The data is refreshed regularly.

    Figure 3 - Data Source Type

  2. Path: Enter a new or existing path, with segments separated by /. For example, am/datasourcetypes.

  3. Data source name (required): Enter a name for the data source. For example, am-ldap.

  4. Description: Enter text that describes the configured data source. This field is optional.

  5. Search DN (required): A string representing the base Distinguished Name (DN). For example, dc=appentitlement,dc=onmicrosoft,dc=com.

  6. Search filter (required): A string representing the LDAP search filter. For example, enter (objectclass=users). See more examples.

  7. Refresh interval: Enter the refresh interval, which is the amount of time between polls of the LDAP service. Default is s.

  8. Enable TLS verification: Turn the switch ON to verify the LDAP server's TLS certificate, or OFF to skip verification. For example, leave the Enable TLS verification switch OFF.

  9. Add url: The URL where the LDAP server is deployed. An LDAP service may be served by several replicas, not all of which are reachable at any time, so you can list URLs in order of preference by clicking the + Add url button. The first URL is required; the other URL entries are optional.

    Now, make sure you filled all the fields similar to Figure 4.

    Figure 4 - Verify the Data Source Form

  10. CA certificate: A custom CA certificate used to verify the LDAP server's certificate.

  11. Access Keys: Enter the following access key credentials.

    • Username (required): Enter the access key ID.

    • Password (required): Enter the password.

    Note:

    If no credentials are provided, the plugin attempts to poll the data without a bind request. The password can also be empty, in which case the plugin makes a bind request with the AllowEmptyPassword flag set to true.

  12. Click the arrow to expand the Advanced field.

    • Search scope: One of the enumerated values Base object, Single level, or Whole subtree. Default is Whole subtree.

    • Search Dereferencing Aliases: Controls whether LDAP follows aliases in the results and returns the referenced object itself rather than the alias. The dereference policy options are never, searching, finding, and always. Select the always option.

    • Add search attributes: Specify the attributes to search for.

      • Search attributes: A string naming a search attribute. Click +Add search attributes to add more search attributes. For example, enter fn and ln to search for the first name and last name of users.

      • Search size limit: The maximum number of returned objects. Default value: 0 (no limit). For example, enter 1000.

      • Search page size: The number of objects returned per request. According to benchmarks, a higher number performs better. Default value is 0 (all data in one request). For example, enter 100.

  13. Data transform: Specify a policy and a query that apply Rego transformations to the polled data before it is persisted. For example, select Custom and fill in the following fields:

    • Policy: The path to an existing policy, with segments separated by /. For example, transform/transform.rego.

    • Rego query: Path to the Rego rule to evaluate. For example, data.transform.query.

  14. Leave the Enable on-premises data source agent switch OFF. This switch controls where the data source runs: if set to true, the datasource-agent runs in an on-premises setup; otherwise it runs on SaaS.

    Now, make sure you filled all the fields similar to Figure 5.

    Figure 5 - Verify the Remaining Portion of the Data Source Form

  15. Finally, click the Add button to add a data source.

The following is example output that appears after the data source is created in DAS.

{
  "dn": {
    "CN": [
      "Users"
    ],
    "DC": [
      "appentitlement",
      "onmicrosoft",
      "com"
    ],
    "_raw": "CN=Users,DC=appentitlement,DC=onmicrosoft,DC=com"
  }
}

Configure through the API

To create the LDAP data source plugin, run the following curl command:

curl -H 'Authorization: bearer XXX' \
  -H 'Content-Type: application/json' \
  -X PUT https://<das-id>.styra.com/v1/datasources/ldap/main -d '
{
  "category": "ldap",
  "urls": ["<url to main replica>", "<url to secondary replica>", "..."],
  "credentials": "<secret id with LDAP credentials>",
  "polling_interval": "60s",
  "search": {
    "base_DN": "<base DN>",
    "filter": "<search filter>"
  }
}'

Filter and Transform the Data

A policy_filter is used when you want to transform the information captured from a data source before storing it. Specifying a policy_filter and a policy_query lets you apply Rego transformations before the data is persisted. This mechanism is useful for filtering out data that you no longer want to store, or for any other mutation you want to perform.

It works by specifying a policy that is evaluated with the captured data as input, together with a query against that policy. The result of the query is stored as data instead of what the data source plugin polled.

Raw Data Returned by Plugin

[
  {
    "ou": [
      "Users"
    ],
    "objectClass": [
      "organizationalUnit"
    ],
    "dn": {
      "ou": [
        "Users"
      ],
      "dc": [
        "test",
        "styra",
        "com"
      ],
      "_raw": "ou=Users,dc=test,dc=styra,dc=com"
    }
  },
  {
    "cn": [
      "Foo Bar"
    ],
    "sn": [
      "Bar"
    ],
    "uid": [
      "fbar"
    ],
    "objectClass": [
      "inetOrgPerson"
    ],
    "dn": {
      "cn": [
        "Foo Bar"
      ],
      "ou": [
        "Users"
      ],
      "dc": [
        "test",
        "styra",
        "com"
      ],
      "_raw": "cn=Foo Bar,ou=Users,dc=test,dc=styra,dc=com"
    }
  },
  {
    "cn": [
      "IT"
    ],
    "member": [
      "cn=Foo Bar,ou=Users,dc=test,dc=styra,dc=com"
    ],
    "objectClass": [
      "groupOfNames"
    ],
    "dn": {
      "cn": [
        "IT"
      ],
      "ou": [
        "Users"
      ],
      "dc": [
        "test",
        "styra",
        "com"
      ],
      "_raw": "cn=IT,ou=Users,dc=test,dc=styra,dc=com"
    }
  }
]

Policy Bundle

package tmp.policy

import input

# Each LDAP entry polled by the plugin is one element of the input array.
# The entry variable is named "entry" rather than "in" because "in" is a
# reserved keyword in current Rego.

# One user record per entry whose objectClass contains inetOrgPerson.
users[record] {
    entry := input[_]
    entry.objectClass[_] == "inetOrgPerson"

    record := {
        "dn": entry.dn._raw,
        "name": concat(" ", entry.cn),
        "id": concat(" ", entry.uid),
        "units": entry.dn.ou
    }
}

# One group record per entry whose objectClass contains groupOfNames;
# members are kept as the raw member DNs.
groups[record] {
    entry := input[_]
    entry.objectClass[_] == "groupOfNames"

    record := {
        "dn": entry.dn._raw,
        "name": entry.cn[_],
        "members": entry.member
    }
}

# One unit record per organizationalUnit entry.
units[record] {
    entry := input[_]
    entry.objectClass[_] == "organizationalUnit"

    record := {
        "dn": entry.dn._raw,
        "name": concat(" ", entry.ou)
    }
}

Output

The following shows the final result after applying the Rego bundle.

{
  "groups": [
    {
      "dn": "cn=IT,ou=Users,dc=test,dc=styra,dc=com",
      "members": [
        "cn=Foo Bar,ou=Users,dc=test,dc=styra,dc=com"
      ],
      "name": "IT"
    }
  ],
  "units": [
    {
      "dn": "ou=Users,dc=test,dc=styra,dc=com",
      "name": "Users"
    }
  ],
  "users": [
    {
      "dn": "cn=Foo Bar,ou=Users,dc=test,dc=styra,dc=com",
      "id": "fbar",
      "name": "Foo Bar",
      "units": [
        "Users"
      ]
    }
  ]
}