Skip to main content

Auth Proxy for LDAP Server

Overview

The RADIUS configurations tab under the Applications menu has been renamed to Auth Proxy. Community administrators can use the Auth Proxy tab in the AdminX interface to authenticate the client server such as Radius or the LDAP, or both. The following are its features:

  • Administrators can configure the behavior of authProxy remotely.
  • The port can be configured via the command line using -P <port>.
  • The new -u <uuid> required parameter uses the configuration from the database.

Supported Authentication Methods

The Auth Proxy server supports the following authentication methods for login and community administrators can configure which methods are permitted:

  • Push Authentication
  • Interactive Voice Response (IVR)
  • Passcodes
    • OTP
    • Password and OTP
    • OTP and Password

Managing Auth Proxy Server

The community administrator can use the Adminx interface to download and configure the Auth Proxy server for managing the LDAP protocols. This section consists of the following topics:

Creating Auth Proxy Configuration

The community administrator can use the new Auth Proxy tab under Applications to create a new auth proxy configuration for LDAP authentications. The Auth Proxy configuration supports the authentication with Push, Interactive Voice Response (IVR), and passcodes.

To create a new auth proxy configuration, follow these steps:

  1. In the AdminX interface, navigate to Applications > Auth Proxy. The 1K Auth Proxy for RADIUS / LDAP page is displayed.

  2. Click + Add New Configuration. The Create new Auth Proxy Configuration page is displayed.

  3. In the Configuration Name field, enter a name for the configuration.

    note

    It is required to remember the config ID as it is required to run the Auth Proxy for LDAP.

  4. In the Supported Login Methods section, select the appropriate authentication methods:

    • Login with Push : When enabled, users can authenticate to their LDAP client by sending a push notification to their mobile device using the BlockID Mobile Application. Instead of entering a password, users enter the keyword push, triggering a push notification to their BlockID mobile. Users will need to authenticate the push notification using their enrolled biometrics, such as a fingerprint or face scan.

      • To enable, check the Login with Push box.
      • To disable, uncheck the Login with Push box.

    • Login with Interactive Voice Response (IVR) : When enabled, users can authenticate their LDAP client using Interactive Voice Response (IVR) on their mobile device. They simply provide their distinguishedName along with the keyword phone in the password field. This initiates a phone call to the user's registered number, where they are prompted to click on a specified button received on the IVR to authorize the authentication process.

    • Login with passcodes : In this section, Administrators can enable and define which One-Time Passcode (OTP) combinations can be used for authentication. Select from the following passcode authentication options:

      • Not supported – Select this option if users must not be allowed to login using passcodes.
      • Prompt for OTP only – When prompted for a password, the user must only provide the 6-digit passcode to log in.
      • Prompt for Password and OTP – When prompted for a password, the user must provide the password with the 6-digit passcode appended to the end of the password.
        Example: MyP@ssw0rd873174
      • Prompt for OTP and Password - When prompted for a password, the user must provide the password with the 6-digit passcode prepended before the password.
        Example: 873174MyP@ssw0rd

  5. Download the Auth Proxy server for LDAP specific to the desired OS: Windows, Linux, or Mac machines.
    The download link contains a zip archive and comes preconfigured with your community license key.

  6. After configuring your Auth Proxy server, click Create to save your configuration in AdminX.

Skipping MFA for Service accounts

With the introduction of the Skip MFA for Service Accounts section in Auth Proxy, community administrators can now specify which LDAP service accounts can bypass MFA. By specifying the accounts that must skip MFA, community administrators can directly grant access to such accounts with just a distinguishedName and password. The following screenshot illustrates the same.

To specify the groups that must skip MFA, follow these steps:

  1. In the Create new Auth Proxy Configuration page, navigate to the Skip MFA for Service Accounts section.
  2. Specify the conditions:
    ConditionOperatorValue
    Groups- is one of
    - is not one of
    - contains
    - does not contain
    		1. Click on the blank text box. The Add Groups window appears.
    2. Specify the group name for which MFA has to be skipped.
    3. Click Save.
  3. After specifying all the required configurations, click Create.

Modifying an Existing Auth Proxy Configuration

You can use the AdminX interface to modify an existing Auth Proxy configuration at any time. To modify your Auth Proxy configuration, follow these steps:

  1. Navigate to the Auth Proxy configuration you want to edit and click the pencil icon, located in the Actions column on the right.

  2. Make any desired changes and click Save. You can also download another copy of the modified configurations of the Auth Proxy server if desired.

    Note: The wait time for these changes to take effect is 10 minutes.

Deleting an Existing Auth Proxy Configuration

The community administrators can use the AdminX interface to delete an existing Auth Proxy configuration.

To delete an existing Auth Proxy configuration, follow these steps:

  1. Navigate to the Auth Proxy configuration that you want to delete and click the trash icon, located in the Actions column on the right pane.
  2. In the Delete Configuration pop-up that is displayed, click Yes, delete.

Note: After removing the configuration, users cannot authenticate using the deleted Config ID.

Configuring Community for LDAP Servers

After downloading the Auth Proxy for LDAP based on your operating system, transfer the archive to your server and extract its contents to a folder of your choice. The folder will include the authProxy application, a license.json file, and several bash scripts.

You can use the license.json file to configure the details required to connect with 1Kosmos services. The structure of the license.json file is as follows:

{ 
  "licenseKey":"xxxxxx-997b-xxxx-81f2-46a02be18b83", 
  "tenantDNS":"acme@1kosmos.net", 
  "communityId": "5f3d8d0cd866fa61019cf969" 
}

The following table provides information on the parameters of the license.json file:

ParameterDescriptionExpected ValueSample Value
licenseKeyContains the license key required to make connection<license key>Xxxxxxx-89d8-xxxx
tenantDNSContains the server to which the connection has to be established<tenant url>acme@1kosmos.net
communityIDContains the name of the community<community name>default
proxyURL(optional)URL of the proxy<proxy url>http://12.12.12.12:8083/proxy.pac
ProxyUser(optional)distinguishedName in case of authenticated proxy<proxy user>proxyuser

Open a terminal window and navigate to the folder containing the bash scripts. Execute the following commands from your terminal to run the LDAP server.

The following examples illustrate how to use the license.json file to configure the tenant details and proxy URLs:

To configure the tenant details:

{
  "licenseKey":"xxx-xxxx-xxxxx-xxxx-xxxx-xxxxxxx",
  "tenantDNS":"acme.1kosmos.net",
  "communityId": "5ffdsnjua61019dww986"
}

To configure the tenant details and a proxy URL:

{
  "licenseKey":"xxxx-xxxxxxxx-xxxxx-xxxxxx",
  "tenantDNS":"acme.1kosmos.net",
  "communityId": "5sxzzzxxxx9879"
  "proxyUrl": "http://proxy.example.com"
}

To configure the tenant details, a proxy url, and a proxy user:

{
  "licenseKey":"xxxxxx-xxxxx-xxxx-xxxxxx",
  "tenantDNS":"acme.1kosmos.net",
  "communityId": "5fewwwjjz444544444sfxxxx"
  "proxyUrl": "http://proxy.example.com",
  "proxyUser": "proxy"
}

Command Line Arguments

Make sure to enter your Config ID from AdminX as your UUID. These strings need to match for the Radius/LDAP server to work.

Common Parameters for Both Radius and LDAP Servers

  • -u <uuid> (required): Set your uuid. Use your Config ID from AdminX.
  • -p <proxy password> (optional): Set your proxy password.

LDAP Server Setup and Configuration

Follow these steps to start the LDAP server and configure its parameters.

Starting the LDAP Server Service

To start the LDAP Server on the default port 389, run the following command. However, if no port number is specified, the default port (389) is considered.

./startGoAuthProxy.bsh -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -l "ldap" -b "ou=People,dc=example,dc=com"

To start the LDAP Server on the custom port 1389, run the following command:

./startGoAuthProxy.bsh -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -l "ldaps:1389" -b "ou=People,dc=example,dc=com"

LDAP/LDAPS Server Configuration Parameters

  • The -l <ldap configuration> option is required to start the LDAP/LDAP server. You must specify either ldap:<port> or ldaps:<port> (protocol is mandatory, and the port is optional).

    You can configure the go-authproxy authentication server using the following LDAP parameters. The default LDAP ports: 389 and 636. However, you can also specify the custom LDAP port:1389 or ldaps:2333.

    note
    • On Linux and macOS, you need root access to run servers on ports below 1024, including LDAP on port 389 and LDAPS on port 636.
    • Currently, a single GoAuthProxy instance does not support multiple LDAP/LDAPS servers simultaneously.

  • The -b baseDN option is required when the -l option is specified. If the baseDN contains special bash characters, it may need to be escaped. Additionally, the bind password may also need to be escaped if it contains bash special characters.

    You can use the Bind DN to find the user entry from the user-management endpoint. The Bind DN must be subordinate to both:

    • The baseDN specified on the command line (-b baseDN), and
    • The authmodule baseDN attribute.

    Example Bind DN: cn=johnwick,ou=People,dc=example,dc=com

Following are the examples of both successful and unsuccessful LDAP bind DN (-D) operations using ldapsearch:

Bind success: DN CN=testuser,ou=People,dc=example,dc=com is subordinate to ou=People,dc=example,dc=com 
ldapsearch -Z  -x  -H ldaps://test.example.com:1389 -D "CN=testuser,ou=People,dc=example,dc=com" -w "push" ... 
Bind fail: DN CN=testuser,ou=People,dc=foo,dc=com is NOT subordinate to ou=People,dc=example,dc=com 
ldapsearch -Z  -x  -H ldaps://test.example.com:1389 -D "CN=testuser,ou=People,dc=foo,dc=com" -w "push" ... 
ldapsearch example escaping password (-w) 
ldapsearch -Z  -x  -H ldaps://test.example.com:1389 -D "CN=testuser,ou=People,dc=foo,dc=com" -w "testPassword123\$238915" ...

LDAP Certificate Configuration Parameters

These are the LDAPS-specific parameters for configuring the certificate.

  • -c \<common name> - Use this parameter to specify the certificate's common name. However, this is an optional parameter that is not directly used but is included for correctness. If not specified, it defaults to "Server".
  • -d \<dns list> - Use this parameter to specify a list of domain names or DNS names (used as the GOLANG Certificate Subject Alternative Name value). DNS names may include wildcards (*), which are used for client-side domain validation. If not provided, the certificate will have an empty DNS list. However, you can ignore this option if the certificate and private key are loaded from a file.

Stopping the LDAP Servers

To stop the LDAP server, execute the stopGoAuthProxy.bsh command.

The following table outlines the command required to stop the server:

PortCommand
1636(ldap)./stopGoAuthProxy.bsh -P 1636

Managing Logs and PID Directories

The logs for LDAP/LDAPS servers are written to a single log file. Each server instance has its log file located in the port-<port>/logs directory. The log directory is referenced when the server starts.

For example, if the directory /work1/gosrc/github/go-authproxy/staging/acme-dev/port-1389 does not exist, then when the server starts, it gets created.

Sample Log File:

/work1/gosrc/github/go-authproxy/staging/acme-dev/port-1389/logs/default_20240718T140842.log

Sample PID Location:

/work1/gosrc/github/go-authproxy/staging/acme-dev/port-1389/pid/pidFile.pid
GoAuthProxy server started (pid=3327817)

To create a directory for logs and PIDs using LDAP ports, use the following syntax. The following table provides sample syntax illustrating the same.

PortExample
389./startGoAuthProxy.bsh -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -l ldap -b "ou=People,dc=example,dc=com"
636./startGoAuthProxy.bsh -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -l ldaps -b "ou=People,dc=example,dc=com"
1389./startGoAuthProxy.bsh -u 20783f4d-fc7a-4133-b379-1224f1e3c92e -l ldap:1389 -b "ou=People,dc=example,dc=com"