Configuring an LDAP server in OpenDaylight (by Icaro Camelo)

Posted · Add Comment

OpenDaylight uses a security framework called Apache Shiro to provide security features to software-defined networking (SDN) infrastructure. Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. The AAA OpenDaylight project provides a flexible, pluggable framework with the following three out-of-the-box capabilities:

  • Authentication: To authenticate the identity of both human and machine users (direct or federated).
  • Authorization: To authorize human or machine user access to resources including RPCs, notification subscriptions, and subsets of the datatree.
  • Accountability: To record and access the records of human or machine users that access resources including RPCs, notifications, and subsets of the datatree.

OpenDaylight provides this highly-configurable AAA by having pluggable infrastructure that has different types of Realms. Realms are different methods for providing AAA. Moreover, TokenAuthRealm is enabled out of the box (which bridges to the existing AAA mechanisms).

Although OpenDaylight provides a few LDAP implementations, they are disabled out of the box. However, it is very straightforward to set then up, since it provides a INI configuration file that can customize your security configuration.

In order to setup LDAP configuration you have to edit this file: {KARAF_HOME}/etc/shiro.ini, according to your LDAP server configuration (shown below).

ldapRealm =
ldapRealm.userDnTemplate = uid={0},ou=<PEOPLE>,dc=<DOMAIN>,dc=<TLD>
ldapRealm.contextFactory.url = ldap://<URL>:<PORT>
ldapRealm.searchBase = dc=<DOMAIN>,dc=<TLD>
ldapRealm.ldapAttributeForComparison = <OBJECTCLASS>

ODLJndiLdapRealm includes authorization functionality based on LDAP elements that are extracted through an LDAP search. This requires a bit of knowledge about how your LDAP system is setup. In addition, OpenDaylight provides ODLJndiLdapRealmAuthNOnly allowing access through AAAFilter to any user that can authenticate against the provided LDAP server.


Leave a Reply