Another LDAP is a form-based authentication for Active Directory / LDAP server. Provides Authentication and Authorization for your applications running in Kubernetes.
License: MIT License
can you return this env LDAP_HTTPS_SUPPORT?
in repo seems to work fine https://github.com/dignajar/another-ldap-auth/blob/master/files/main.py
Deployed using the following config-map to match my infra:
---
apiVersion: v1
kind: ConfigMap
metadata:
name: another-ldap
namespace: another-ldap-app
data:
LDAP_ENDPOINT: "ldap://xxx.xxx.xxx.xx:389"
LDAP_MANAGER_DN_USERNAME: "uid=admin,ou=people,dc=mydomain,dc=local"
LDAP_BIND_DN: "uid={username},ou=people,dc=mydomain,dc=local"
LDAP_SEARCH_BASE: "ou=people,dc=mydomain,dc=local"
LDAP_SEARCH_FILTER: "(uid={username})"
LOG_LEVEL: "DEBUG"
LOG_FORMAT: "JSON"
BRUTE_FORCE_PROTECTION: "False"
BRUTE_FORCE_EXPIRATION: "5"
BRUTE_FORCE_FAILURES: "3"
COOKIE_DOMAIN: ""
METADATA_TITLE: "Authentication & Authorization System"
METADATA_DESCRIPTION: ""
METADATA_FOOTER: "Powered by Another LDAP"
PERMANENT_SESSION_LIFETIME: "7"
Then applied the following ingress to my service:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: service-ingress
namespace: service-namespace
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/auth-url: https://another-ldap-service.another-ldap-app.svc.cluster.local/auth
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header Ldap-Allowed-Groups "storage-admin";
nginx.ingress.kubernetes.io/server-snippet: |
error_page 401 = @login;
location @login {
return 302 https://another-ldap.mydomain.tld/?protocol=$pass_access_scheme&callback=$host;
}
spec:
rules:
- host: service.mydomain.tld
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: service-frontend
port:
number: 80
ingressClassName: nginx
Logs during the authentication of a valid user (marco) member of "storage-admin" (cn=storge-admin,ou=groups,dc=mydomain,dc=local) group:
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Before-all."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "/auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authenticating user via LDAP.", "username": "marco", "finalUsername": "uid=marco,ou=people,dc=mydomain,dc=local"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authentication successful via LDAP.", "username": "marco", "elapsedTime": "0.10276222229003906"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authentication successful."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Getting user's groups."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "ERROR", "objectName": "Aldap", "ip": "192.168.1.36", "message": "There was an error trying to bind: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': []}"}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Validating AD groups.", "username": "marco", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Invalid groups for the user.", "username": "marco", "matchedGroups": "", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authorization failed."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "After-all."}
10.244.3.108 - - [13/Nov/2023 14:19:43] "GET /auth HTTP/1.1" 401 -
What am I doing wrong? Seems the authentication part works fine (I see the "Welcome" screen), but the groups membership check fails.
It works fine with ldap user check but fail to get group list.
Got error message like this
There was an error trying to bind: {'msgtype': 101, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563'}
Thanks for the great library!
Hi people!
Good job with the solution! It was exactly what I was looking for.
I have a doubt, is it possible to configure (I do not see on code) the solution for redirection to other site (once logged in)?
I want to configure reverse proxy to keep the main domain url.
Kind regards.
Tracking issue for:
I'm not able to properly configure LDAP access
It always returns connection error
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.