Create a Glauth LDAP Server on Oracle Cloud Compute and Authenticate with APEX

Sometimes you need a throwaway LDAP server to test authentication against.

In this blog, we'll configure Glauth on an OCI compute instance and make it reachable from the internet. It runs plain (unencrypted) LDAP with the sample users and passwords that ship with Glauth, so treat it as a disposable lab: narrow the ingress rules to the addresses that actually need it, and remove the instance when you are done.

In the second part of this blog (entirely optional), we'll point the Okta LDAP Agent at Glauth so that it appears in Okta as an LDAP Directory Integration.

Setup Glauth

  1. In OCI, open your Compute Instance, right-click the VCN link and open it in a new tab

  2. Click on Security Lists

  3. Click on Default Security List

  4. Click Add Ingress Rule using the following details:

    Source: 0.0.0.0/0
    Destination Port Range: 3893

    0.0.0.0/0 is what the post uses so the server is reachable from anywhere. If only APEX (or your own workstation) needs to reach it, put that address range in Source instead: the server answers plain LDAP with passwords that are published in Glauth's sample config.

    (Screenshot omitted; it was for illustration only.)

    Click Add Ingress Rule at the bottom

  5. Repeat the step above using the following details:

    Source: 0.0.0.0/0
    Destination Port Range: 5555

    Port 5555 is Glauth's built-in web API (the log later shows "Starting HTTP server address=0.0.0.0:5555"). It is handy for browsing the server's state from your desk, but neither APEX nor Okta needs it, so skip this rule if you would rather not have it on the internet.

    Click Add Ingress Rule at the bottom

  6. In a terminal on the compute instance, open ports 3893 and 5555 in firewalld as well (the security list is the cloud-side filter; the instance's own firewall still blocks the ports until you do this). The original commands also added the http service, which opens port 80 and is not needed for Glauth, so it is left out here:

         # One firewalld service per port, added permanently to the default zone
         for entry in Glauthldap:3893 Glauthldapweb:5555; do
             NAME=${entry%%:*}
             PORT=${entry##*:}
             sudo firewall-cmd --permanent --new-service=$NAME
             sudo firewall-cmd --permanent --service=$NAME --set-short="$NAME ports"
             sudo firewall-cmd --permanent --service=$NAME --set-description="$NAME port exceptions"
             sudo firewall-cmd --permanent --service=$NAME --add-port=$PORT/tcp
             sudo firewall-cmd --permanent --add-service=$NAME
         done
         sudo firewall-cmd --reload
     
  7. Setup Glauth using the commands below (the second command was missing its wget in the original post). The post pins v2.2.0; check the release page for a current build, and keep the checksum of whatever you download so you can later tell whether the binary in /usr/local/bin is still the one you installed:

     wget https://github.com/glauth/glauth/releases/download/v2.2.0/glauth-linux-amd64
     wget https://raw.githubusercontent.com/glauth/glauth/master/v2/sample-simple.cfg
     chmod +x glauth-linux-amd64
     sudo mv glauth-linux-amd64 /usr/local/bin/glauth
     

    Full instructions are here: https://github.com/glauth/glauth

  8. Create a start_glauth.sh file

     nano start_glauth.sh
     

    then type in (the date expression uses $(...) instead of the original's nested backticks and quotes, and the log file name is quoted)

     #!/bin/bash
     # Start Glauth in the background with the sample config; log to a dated file next to this script
     cd "$(dirname "$0")"
     LOGFILE=glauth-$(date +%Y%m%d).log
     nohup glauth -c sample-simple.cfg >> "$LOGFILE" 2>&1 &
     echo "View log file with : tail -f $LOGFILE"
     

    then Ctrl+X, then Y to save. Then type the following to make it executable

     chmod +x start_glauth.sh
     
    
  9. Create a stop_glauth.sh file

     nano stop_glauth.sh
     

    Then paste in

     #!/bin/bash
     # Match the process name exactly. The original's 'kill $(pgrep -f glauth)' also matched
     # this script itself and any running 'tail -f glauth-*.log', since both command lines contain "glauth".
     pkill -x glauth
     

    then Ctrl+X, then Y to save. Then type the following to make it executable

     chmod +x stop_glauth.sh
     
    
  10. Run it

    ./start_glauth.sh
    # ./stop_glauth.sh
    
  11. It will say something like...

    View log file with : tail -f glauth-20230710.log
    
  12. Tail the log to see the activity. Glauth runs as a background job, so Ctrl+C only stops tail; the service keeps running.

    [opc@lufpod ~]$  tail -f glauth-20230710.log
    Mon, 10 Jul 2023 09:46:32 +0000 INF Web API enabled
    Mon, 10 Jul 2023 09:46:32 +0000 INF Loading backend datastore=config position=0
    Mon, 10 Jul 2023 09:46:32 +0000 INF LDAP server listening address=0.0.0.0:3893
    Mon, 10 Jul 2023 09:46:32 +0000 INF Starting HTTP server address=0.0.0.0:5555
    Mon, 10 Jul 2023 09:47:06 +0000 INF Debugging enabled
    Mon, 10 Jul 2023 09:47:06 +0000 INF AP start
    Mon, 10 Jul 2023 09:47:06 +0000 INF Web API enabled
    Mon, 10 Jul 2023 09:47:06 +0000 INF Loading backend datastore=config position=0
    Mon, 10 Jul 2023 09:47:06 +0000 INF LDAP server listening address=0.0.0.0:3893
    Mon, 10 Jul 2023 09:47:06 +0000 INF Starting HTTP server address=0.0.0.0:5555
    
  13. For APEX use the following Authentication Scheme Settings. Leave Use SSL at No: the post runs plain LDAP on 3893, which means APEX sends each user's password to the compute IP in the clear, another reason to keep the ingress rule narrow.

    Name = LDAP
    Scheme Type = LDAP Directory
    Host = <your Compute IP Address>
    Port = 3893
    Use SSL = No
    Distinguished Name (DN) String = cn=%LDAP_USER%,dc=glauth,dc=com

    APEX replaces %LDAP_USER% with the login name and binds with the resulting DN, so the dc=glauth,dc=com suffix must match baseDN in sample-simple.cfg.

  14. Run the APEX application and log in with the following users/passwords. They come straight from sample-simple.cfg, which is why this server must not be left internet-facing for long.

    User: johndoe
    Pass: TestAppPw1 (or TestAppPw2 or TestAppPw3; johndoe has three per-application passwords and any one of them works)
    
    User: serviceuser
    Pass: mysecret
    
    User: otpuser <-- needs a second factor (TOTP), so the password alone is rejected
    Pass: mysecret
    
    User: uberhackers
    Pass: dogood
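
Here is what those accounts look like in configuration form. This is an added example and not Glauth's shipped sample-simple.cfg (the post uses that file unmodified): a cut-down config in the same format that shows the users used above, why serviceuser is the one used for searches, and the two settings worth changing before the instance sits on the internet (LDAPS on, web API bound to loopback). The group names, uid/gid numbers and certificate paths are assumptions; the password hashes are plain SHA-256 of the password, and the comment shows how to regenerate them.

```toml
# Added example: a minimal glauth config in the format of sample-simple.cfg (not that file itself).
# Hashes are SHA-256 hex digests of the password; regenerate with:  printf '%s' 'mysecret' | sha256sum
# Assumed: certs/server.crt and certs/server.key exist; group names and uid/gid numbers are illustrative.

[ldap]
  enabled = true
  listen = "0.0.0.0:3893"          # plain LDAP, the port the post opens in the security list

[ldaps]
  enabled = true                   # off in the sample; with it on, APEX/Okta can use 3894 with SSL
  listen = "0.0.0.0:3894"
  cert = "certs/server.crt"
  key = "certs/server.key"

[api]
  enabled = true
  listen = "127.0.0.1:5555"        # sample listens on 0.0.0.0:5555; on loopback no 5555 ingress rule is needed

[backend]
  datastore = "config"
  baseDN = "dc=glauth,dc=com"      # the suffix in the APEX DN string cn=%LDAP_USER%,dc=glauth,dc=com
  nameformat = "cn"
  groupformat = "ou"

[[groups]]
  name = "superheros"
  gidnumber = 5501

[[groups]]
  name = "svcaccts"
  gidnumber = 5502

# Interactive user that logs in through APEX. Per-application passwords live in passappsha256
# (that is how johndoe gets TestAppPw1..3 in the sample); each entry is again a SHA-256 hex digest.
[[users]]
  name = "johndoe"
  uidnumber = 5002
  primarygroup = 5501
  passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a"   # dogood (assumed here)

# Search account used by apex_ldap.search and the Okta agent: it may bind and search, nothing more.
[[users]]
  name = "serviceuser"
  uidnumber = 5003
  primarygroup = 5502
  passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0"   # mysecret
    [[users.capabilities]]
    action = "search"
    object = "*"
```

Start Glauth with `-c` pointing at this file instead of sample-simple.cfg. Users without a `[[users.capabilities]]` search entry can authenticate but cannot enumerate the directory, which is the property you want for the login accounts; only the bind account used by APEX and Okta needs it.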
    
  15. You can also run the following to get the groups for user johndoe, for example. The bind is done as serviceuser (the account the sample config lets search), and the filter is written as '(cn=johndoe)': the original's '&(cn=johndoe)' is not a well-formed LDAP filter, since RFC 4515 requires the outer parentheses.

    below is the SQL used

    SELECT *
      FROM table(apex_ldap.search (
               p_username        => 'cn=serviceuser,dc=glauth,dc=com',
               p_pass            => 'mysecret',
               p_host            => '<your Compute IP Address>',
               p_port            => 3893,
               p_use_ssl         => 'N',
               p_search_base     => 'dc=glauth,dc=com',
               p_search_filter   => '(cn=johndoe)',
               p_attribute_names => 'memberof' ));
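
The search above goes through APEX. To check the same bind and memberOf lookup from any machine (your laptop, or the compute box itself), here is an added example written for this post, not code from the post, Glauth or APEX: a stdlib-only Python client that encodes the LDAPv3 BindRequest and SearchRequest by hand in BER (RFC 4511) and parses the replies. Hand-encoding is deliberate: it shows that with p_use_ssl => 'N' the password is a bare OCTET STRING on the wire. The compute IP is taken from the command line; the DNs and credentials are the post's, and the group DNs in the constructed sample reply used for the offline check are assumptions.

```python
# Added example (see lead-in): stdlib-only LDAPv3 simple bind + equality search, BER hand-encoded.
import socket
import sys
def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV with definite length (short form below 128 bytes, long form above)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def ber_int(value: int) -> bytes:
    return ber(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                    # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_children(buf: bytes):
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = parse_tlv(buf, pos)
        out.append((tag, val))
    return out

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{ messageID, [APPLICATION 0] BindRequest{ version 3, name, simple [0] password } }.
    The password is a bare OCTET STRING: without LDAPS anyone on the path can read it."""
    body = ber_int(3) + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_int(msg_id) + ber(0x60, body))

def search_request(msg_id: int, base_dn: str, attr: str, value: str, attributes) -> bytes:
    """[APPLICATION 3] SearchRequest: whole-subtree scope, no limits, one equalityMatch filter (attr=value)."""
    filt = ber(0xA3, ber(0x04, attr.encode()) + ber(0x04, value.encode()))
    attrs = ber(0x30, b"".join(ber(0x04, a.encode()) for a in attributes))
    body = (ber(0x04, base_dn.encode()) + ber(0x0A, b"\x02") + ber(0x0A, b"\x00")   # scope, derefAliases
            + ber_int(0) + ber_int(0) + ber(0x01, b"\x00") + filt + attrs)          # limits, typesOnly
    return ber(0x30, ber_int(msg_id) + ber(0x63, body))

def search_result_entry(msg_id: int, dn: str, attrs: dict) -> bytes:
    """[APPLICATION 4] SearchResultEntry as a server encodes it; used here to build a constructed sample reply."""
    pattrs = b"".join(ber(0x30, ber(0x04, k.encode()) + ber(0x31, b"".join(ber(0x04, v.encode()) for v in vs)))
                      for k, vs in attrs.items())
    return ber(0x30, ber_int(msg_id) + ber(0x64, ber(0x04, dn.encode()) + ber(0x30, pattrs)))

def parse_message(msg: bytes):
    """Return (messageID, protocolOp tag, protocolOp value) of one LDAPMessage."""
    _, body, _ = parse_tlv(msg)
    (_, mid), (op, opval) = parse_children(body)[:2]
    return int.from_bytes(mid, "big", signed=True), op, opval

def entry_attribute(entry: bytes, name: str):
    """All values of one attribute (name compared case-insensitively) in a SearchResultEntry value."""
    (_, _dn), (_, attrs) = parse_children(entry)[:2]
    values = []
    for _, pa in parse_children(attrs):             # PartialAttribute{ type, SET OF values }
        (_, atype), (_, vals) = parse_children(pa)[:2]
        if atype.decode().lower() == name.lower():
            values += [v.decode() for _, v in parse_children(vals)]
    return values

def recv_message(sock) -> bytes:
    """Read exactly one LDAPMessage TLV from the socket, honouring long-form lengths."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("LDAP server closed the connection")
            buf += chunk
        return buf
    head = exact(2)
    if head[1] & 0x80:
        head += exact(head[1] & 0x7F)
    n = int.from_bytes(head[2:], "big") if head[1] & 0x80 else head[1]
    return head + exact(n)

def bind_and_fetch_groups(host, port, bind_dn, password, base_dn, user_cn):
    """Simple-bind as bind_dn, then return user_cn's memberOf values; raises if the bind is refused."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(bind_request(1, bind_dn, password))
        _, op, body = parse_message(recv_message(s))
        rc = int.from_bytes(parse_children(body)[0][1], "big")   # resultCode; 49 = invalidCredentials
        if op != 0x61 or rc != 0:                                 # 0x61 = BindResponse, 0 = success
            raise PermissionError(f"bind failed: resultCode={rc}")
        s.sendall(search_request(2, base_dn, "cn", user_cn, ["memberOf"]))
        groups = []
        while True:
            _, op, body = parse_message(recv_message(s))
            if op == 0x65:                                        # SearchResultDone
                return groups
            if op == 0x64:                                        # SearchResultEntry
                groups += entry_attribute(body, "memberOf")

if __name__ == "__main__":   # usage: python3 ldap_check.py <your Compute IP Address>  (assumed host; post's DNs)
    print(bind_and_fetch_groups(sys.argv[1], 3893, "cn=serviceuser,dc=glauth,dc=com", "mysecret", "dc=glauth,dc=com", "johndoe"))
```

Run it against the compute IP and it prints the same memberOf values apex_ldap.search returns; a wrong password raises with resultCode 49 (invalidCredentials). Because the functions build the exact bytes APEX puts on the wire, they also make the case for switching to LDAPS before pointing Okta at the box: the bind_request output contains the password verbatim.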
    

    Configure an OKTA Agent

    Okta ships the LDAP Agent as an RPM for Linux and as a Windows installer. The Linux steps below install it on the same compute instance as Glauth; the equivalent Windows fields follow. Either way the agent binds to Glauth as serviceuser and then reads every user and group, so with Use SSL = n none of that is encrypted on the wire.

    First follow the agent steps, then follow the field mapping guides.

    Linux Agent

  16. In OKTA, go to Directory > Directory Integrations > Add LDAP Directory > Setup LDAP > Download Agent > Download RPM Installer > Copy Link address e.g

    https://trial-xxxxxxxx-admin.okta.com/artifacts/JAVA_LDAP/05.16.00/OktaLDAPAgent-05.16.00-xxxxxxxxx86_64.rpm

  17. On the compute instance, download it

    wget <pasted URL>
    
  18. Install it

    sudo yum localinstall OktaLDAPAgent*.rpm -y
    
  19. Configure it

    sudo /opt/Okta/OktaLDAPAgent/scripts/configure_agent.sh
    

    Use the following settings (the Admin DN and password are the Glauth search account from step 15)
    Base URL = trial-xxxxxxxx-admin.okta.com
    LDAP Server Hostname = <your Compute IP Address>
    LDAP Admin DN = cn=serviceuser,dc=glauth,dc=com
    LDAP Admin Password = mysecret
    Base DN = dc=glauth,dc=com
    Use SSL = n
    LDAP Port = 3893
    Use Proxy = n

  20. Use the tail log to see the URL, it'll say something like

    Please visit the URL: https://trial-xxx.okta.com/oauth2/auth?code=abcdef
    
  21. Paste that URL into a new browser tab and hit enter

  22. Click Allow Access and then Continue.

  23. The agent has now installed itself as a service.

    To check the OktaLDAPAgent service status, run: sudo service OktaLDAPAgent status

    To start the OktaLDAPAgent service, run: sudo service OktaLDAPAgent start

    To stop the OktaLDAPAgent service, run: sudo service OktaLDAPAgent stop

  24. Back in OKTA, you can check that the agent is installed

    Windows Agent

  25. If you are using the Windows agent, configure it with these values.

  26. LDAP Server = <your Compute IP Address>
    RootDN = dc=glauth,dc=com
    BindDN = cn=serviceuser,dc=glauth,dc=com
    Bind Password = mysecret

  27. Click next and next again

  28. Register your OKTA Domain URL e.g. trial-xxxxxxxx-admin.okta.com

Map Glauth fields to OKTA fields

In this next step we map the Glauth attributes to Okta profile fields.

  1. Select OpenLDAP

  2. TODO