SecureSpan Gateway (SSG) - Default limits on LDAP queries prevent successful authorization

Article ID: 42948

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

This is a known, but configurable, behavior of the Layer 7 Policy Manager and the Layer 7 Gateway. It exists to protect the performance and availability of the Gateway: an LDAP entry that returns a very large number of associated groups could overwhelm the Gateway, whether intentionally or incidentally.

To avoid this, the Gateway comes pre-configured with an upper limit of 50 group memberships that are cached and returned for use in the Gateway. This becomes an undesirable limitation when, for example, 50 groups are returned but the 51st group is the one required for authorization.

Environment

CA API Gateway

Cause

You may run into some of the following symptoms, which may be caused by the cap on group memberships returned by a query.

  • The most obvious symptom is that a user located in an external Identity Provider is not authorized as the policy or permissions would otherwise indicate.

  • Users assigned to administrative roles that are determined by group membership may not be able to access the Layer 7 Policy Manager.

  • Service policy authentication that relies on group membership may fail to authorize an explicitly authorized user or group.


Within the logging mechanisms of the Gateway, a log entry may be encountered that appears as follows:

INFO: Capping group membership for user 'uid=lo,ou=support,dc=layer7tech,dc=com' at 50
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server.identity.ldap.LdapUserManagerImpl
INFO: User: uid=lo,ou=support,dc=layer7tech,dc=com authenticated successfully in provider External Identity Provider
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server.admin.AdminSessionManager
INFO: Authentication failed on External Identity Provider: lo does not have privilege to access administrative services
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server
WARNING: Failed admin login for login 'lo'


Note in the above that the user is authenticated properly but does not receive the proper authorization. Additionally, you can see that the group membership for a specific DN was limited to 50. In this circumstance, the 50 cached group memberships did not serve to authorize "License Officer" to access the Layer 7 Policy Manager.
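To find every user affected by the cap rather than spotting them one at a time, the log pattern above can be correlated automatically. The following is an added example, not part of the original article or of the Gateway product: it scans Gateway log text for "Capping group membership" entries and reports the users who were capped and then failed an admin login. It assumes that the login name in the failure message equals the uid attribute of the capped DN, as in the excerpt above; the sample log is constructed from that excerpt.

```python
import re

# Constructed sample log, modelled on the Gateway log excerpt in the article.
# The second user (alice) authenticates without being capped and must not be reported.
SAMPLE_LOG = """\
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server.identity.ldap.LdapUserManagerImpl
INFO: Capping group membership for user 'uid=lo,ou=support,dc=layer7tech,dc=com' at 50
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server.identity.ldap.LdapUserManagerImpl
INFO: User: uid=lo,ou=support,dc=layer7tech,dc=com authenticated successfully in provider External Identity Provider
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server.admin.AdminSessionManager
INFO: Authentication failed on External Identity Provider: lo does not have privilege to access administrative services
Oct 3, 2012 12:08:22 PM 44 com.l7tech.server
WARNING: Failed admin login for login 'lo'
Oct 3, 2012 12:09:01 PM 45 com.l7tech.server.identity.ldap.LdapUserManagerImpl
INFO: User: uid=alice,ou=support,dc=layer7tech,dc=com authenticated successfully in provider External Identity Provider
"""

CAP_RE = re.compile(r"Capping group membership for user '(?P<dn>[^']+)' at (?P<cap>\d+)")
FAIL_RE = re.compile(r"Failed admin login for login '(?P<login>[^']+)'")
UID_RE = re.compile(r"^uid=(?P<uid>[^,]+)", re.IGNORECASE)


def find_capped_logins(log_text):
    """Return {login: {"dn": ..., "cap": ...}} for users whose group list was
    truncated at the cap and who subsequently failed an admin login.

    Assumption (hypothetical, matches the article's excerpt): the login name
    reported in the failure line is the uid attribute of the capped DN.
    """
    capped = {}   # uid -> (dn, cap) seen so far
    affected = {}
    for line in log_text.splitlines():
        m = CAP_RE.search(line)
        if m:
            u = UID_RE.match(m.group("dn"))
            if u:
                capped[u.group("uid")] = (m.group("dn"), int(m.group("cap")))
            continue
        m = FAIL_RE.search(line)
        if m and m.group("login") in capped:
            dn, cap = capped[m.group("login")]
            affected[m.group("login")] = {"dn": dn, "cap": cap}
    return affected


if __name__ == "__main__":
    for login, info in find_capped_logins(SAMPLE_LOG).items():
        print(f"{login}: {info['dn']} capped at {info['cap']} groups, then failed admin login")
```

Users listed by this check are candidates for the cluster-wide property changes described in the Resolution section; a user who is capped but still authorizes does not appear, since the cap did them no harm.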

Resolution

To adjust this behavior, you need to adjust the following cluster-wide properties to a higher number than 50:

  • principalSessionCache.maxPrincipalGroups
  • principleSessionCache.cacheSize
  • ldap.group.searchMaxResults
  • ldap.searchMaxResults


You will need to determine experimentally what the ideal value is for your environment. Depending on the structure and amount of information in the target LDAP, it is not recommended that you set these values larger than necessary, since the cap exists to protect the Gateway. Additionally, you will need to reboot each Gateway in the cluster after changing these values.

To set these values:

  1. Log into the Layer 7 Policy Manager as an administrative user.
  2. Select the "Manage Cluster-Wide Properties" task.
  3. Add a new cluster-wide property for each of the properties listed above.
  4. Set the value of each cluster-wide property to a number higher than 50. Example: 1000
  5. Restart the Layer 7 Gateway appliance.

Once set and the appliance has restarted, attempt to log in as the user that failed previously. It should succeed without any complications.