Oauth service for LDAP authentication

Question

We have a scenario where we have to authenticate the user with LDAP server

Flow 1:

client --> application server --> LDAP server

In above flow the client enters LDAP credentials which comes to application server and then using python-ldap we can authenticate the user, straight forward. Since the user LDAP credentials comes to application server an organisation may not be willing for such flow for obvious reasons.

Flow 2:

client --> oauth2 --> LDAP server

Oauth scenario suites best here, since authentication of the user is responsibility of the oauth and application server do not need to know the user credentials.

Have anyone encountered such case, if yes, how you tackled it? Is there are any Oauth client for LDAP free and paid ?

Answer 1

If you don't want user credentials to reach the Application server then what you need is a perimeter authentication. You need to have an external authentication provider , say Oracle Access Manager, that will perform the authentication and set a certain token in the request. The application server can assert this token and let user access resources. This model enables SSO as well.

1. The resources that require authorized access are configured as protected URLs in OAM.

2. When a user tries to access a protected resource he is challenged for credentials.

3. OAM authenticates the user against an LDAP directory(that is configured in OAM).

4. A token corresponding to the authenticated user is set in the request. Also an SSO cookie is set.

5. Application server (Weblogic) can assert (verify) this token and let the user access the resource.

Note: Oracle Access Manager supports oAuth as well.