
Overview

This sample provides details on how an on-premise LDAP server can be accessed from an application running on SAP BTP, Kyma runtime.

The sample uses SAP Connectivity Proxy and SAP Cloud Connector to establish a connection to the on-premise LDAP server.

In the sample flow, a user's details are queried from the on-premise LDAP server via an HTTP GET call to /users/{userid}.

[Image: flow]

Prerequisites

Set up

LDAP Server

In my sample, I have used ApacheDS as the LDAP server and ran it on my laptop. You are free to use any other LDAP server of your choice. I have added a user which I query via the API.

[Image: apache-ds]

Kyma configuration

  • Set up environment variables

    • OSX

      export NS={your-namespace}

    • Windows PowerShell

      $NS={your-namespace}

  • Create a Connectivity Service instance in any namespace.

    Note: Only one instance is required for the cluster. If you have deployed it previously, simply skip this step.

    [Image: connectivity]

  • Wait until the connectivity proxy is deployed. This can take around 10 minutes.

    kubectl -n kyma-system get statefulsets.apps

    You should see one entry for the connectivity-proxy stateful set:

    NAME                               READY   AGE
    connectivity-proxy                 1/1     7d20h

  • Expose the LDAP port via a service. Currently, the LDAP port is not exposed by default.

    kubectl -n kyma-system apply -f k8s/connectivity-proxy-ldap-service.yaml

  • Create the secret with the required LDAP configuration. You can get these details from the LDAP server or ask the administrator of the LDAP server.

    kubectl -n $NS create secret generic ldap-config --from-literal=LDAP_URL="ldap://{ldap-virtual-host}:{ldap-virtual-port}" \
      --from-literal=SECURITY_CREDENTIALS="{ldap-secret}" --from-literal=SECURITY_PRINCIPAL="{ldap-security-principal}" \
      --from-literal=SECURITY_AUTHENTICATION="{ldap-security-authentication}" \
      --from-literal=SEARCH_CONTEXT="{ldap-search-context-for-users}"
  • Deploy the Java application that connects to the on-premise LDAP server via the connectivity proxy.

    LdapService.java queries for users in the configured search context with the filter "(&(objectClass=account)(uid=" + userName + "))".

    # only required once to enable the istio sidecar. Ignore if done already
    kubectl label namespaces $NS istio-injection=enabled

    kubectl -n $NS apply -f k8s/deployment.yaml

  • Expose it over the internet using an API Rule.

    kubectl -n $NS apply -f k8s/api-rule.yaml
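The filter shown in the deployment step is built by concatenating userName into the filter string, so LDAP filter metacharacters in the supplied value ('*', '(', ')', '\\' and NUL) become part of the filter syntax rather than part of the uid being matched. The following is an added example and not the sample project's LdapService.java: it performs the same lookup through JNDI's parameterised search, which escapes the substituted value itself, and includes an explicit RFC 4515 escape routine for code paths that have to assemble a filter by hand. The class name SafeLdapLookup, the env(...) helper and the list of returned attributes are assumptions; the environment variable names match the keys of the ldap-config secret created above.

```java
// Added example (not the sample project's own code): look up a user by uid
// without splicing the caller-supplied value into the LDAP filter string.
// Assumes LDAP_URL, SECURITY_AUTHENTICATION, SECURITY_PRINCIPAL,
// SECURITY_CREDENTIALS and SEARCH_CONTEXT are present as environment
// variables, i.e. the keys of the ldap-config secret are mounted into the pod.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class SafeLdapLookup {

    /** Escapes a value for use inside an LDAP search filter (RFC 4515, section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Filter assembled by hand; only safe because the value is escaped first. */
    static String buildUidFilter(String userName) {
        return "(&(objectClass=account)(uid=" + escapeFilterValue(userName) + "))";
    }

    // Hypothetical helper: fail fast instead of letting Hashtable.put reject a null.
    private static String env(String name) {
        String v = System.getenv(name);
        if (v == null) {
            throw new IllegalStateException("missing environment variable " + name);
        }
        return v;
    }

    static DirContext connect() throws NamingException {
        Hashtable<String, String> props = new Hashtable<>();
        props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        props.put(Context.PROVIDER_URL, env("LDAP_URL"));
        props.put(Context.SECURITY_AUTHENTICATION, env("SECURITY_AUTHENTICATION"));
        props.put(Context.SECURITY_PRINCIPAL, env("SECURITY_PRINCIPAL"));
        props.put(Context.SECURITY_CREDENTIALS, env("SECURITY_CREDENTIALS"));
        return new InitialDirContext(props);
    }

    /**
     * Same query as the sample's filter, but {0} is substituted by JNDI with
     * the escaped value of userName, so a value such as "*" matches only a
     * uid that is literally an asterisk instead of every account.
     */
    static NamingEnumeration<SearchResult> findUser(DirContext ctx, String userName)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Returned attributes are an assumption; adjust to the schema in use.
        controls.setReturningAttributes(new String[] {"uid", "cn", "mail"});
        return ctx.search(env("SEARCH_CONTEXT"),
                          "(&(objectClass=account)(uid={0}))",
                          new Object[] {userName},
                          controls);
    }

    public static void main(String[] args) throws NamingException {
        String userName = args.length > 0 ? args[0] : "jdoe"; // constructed sample input
        DirContext ctx = connect();
        try {
            NamingEnumeration<SearchResult> results = findUser(ctx, userName);
            while (results.hasMore()) {
                SearchResult sr = results.next();
                System.out.println(sr.getNameInNamespace() + " " + sr.getAttributes());
            }
        } finally {
            ctx.close(); // DirContext is not AutoCloseable, so close explicitly
        }
    }
}
```

The parameterised search is the preferred form because the escaping is done by the JNDI provider and cannot be forgotten at a call site; buildUidFilter is only there for situations where a filter string must be produced outside JNDI, and the two functions yield the same match semantics.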

Test

Query the user data at https://sample-ldap.{your-cluster-domain}/users/{userid}