```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: another-ldap
  namespace: another-ldap-app
data:
  LDAP_ENDPOINT: "ldap://xxx.xxx.xxx.xx:389"
  LDAP_MANAGER_DN_USERNAME: "uid=admin,ou=people,dc=mydomain,dc=local"
  LDAP_BIND_DN: "uid={username},ou=people,dc=mydomain,dc=local"
  LDAP_SEARCH_BASE: "ou=people,dc=mydomain,dc=local"
  LDAP_SEARCH_FILTER: "(uid={username})"
  LOG_LEVEL: "DEBUG"
  LOG_FORMAT: "JSON"
  BRUTE_FORCE_PROTECTION: "False"
  BRUTE_FORCE_EXPIRATION: "5"
  BRUTE_FORCE_FAILURES: "3"
  COOKIE_DOMAIN: ""
  METADATA_TITLE: "Authentication & Authorization System"
  METADATA_DESCRIPTION: ""
  METADATA_FOOTER: "Powered by Another LDAP"
  PERMANENT_SESSION_LIFETIME: "7"
```
```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service-ingress
  namespace: service-namespace
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-url: https://another-ldap-service.another-ldap-app.svc.cluster.local/auth
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header Ldap-Allowed-Groups "storage-admin";
    nginx.ingress.kubernetes.io/server-snippet: |
      error_page 401 = @login;
      location @login {
        return 302 https://another-ldap.mydomain.tld/?protocol=$pass_access_scheme&callback=$host;
      }
spec:
  rules:
  - host: service.mydomain.tld
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-frontend
            port:
              number: 80
  ingressClassName: nginx
```
Logs during the authentication of a valid user (marco), a member of the "storage-admin" group (cn=storge-admin,ou=groups,dc=mydomain,dc=local):
```
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Before-all."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "/auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authenticating user via LDAP.", "username": "marco", "finalUsername": "uid=marco,ou=people,dc=mydomain,dc=local"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authentication successful via LDAP.", "username": "marco", "elapsedTime": "0.10276222229003906"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authentication successful."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Getting user's groups."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "ERROR", "objectName": "Aldap", "ip": "192.168.1.36", "message": "There was an error trying to bind: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': []}"}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Validating AD groups.", "username": "marco", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Invalid groups for the user.", "username": "marco", "matchedGroups": "", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authorization failed."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "After-all."}
10.244.3.108 - - [13/Nov/2023 14:19:43] "GET /auth HTTP/1.1" 401 -
```
What am I doing wrong? It seems the authentication part works fine (I see the "Welcome" screen), but the group membership check fails.
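As an added diagnostic (not part of this report or of the Another LDAP project), the script below replays /auth log lines like the ones above and attributes each bind error to the step it happened in: the user's own bind or the later bind opened for the group lookup. The sample log is constructed from the lines above and shortened; the verdict names only what the log shows (a failed bind during the group lookup, after which the membership check ran against an empty result), and the assumption that this second bind uses LDAP_MANAGER_DN_USERNAME with a password held outside the shown ConfigMap is left to the reader to confirm.

```python
import json

# Constructed sample modelled on the log lines in the report (shortened; not project output).
SAMPLE_LOG = """\
{"level": "DEBUG", "objectName": "main", "message": "Basic-Auth requested."}
{"level": "DEBUG", "objectName": "Aldap", "message": "Authenticating user via LDAP.", "username": "marco"}
{"level": "INFO", "objectName": "Aldap", "message": "Authentication successful via LDAP.", "username": "marco"}
{"level": "DEBUG", "objectName": "Aldap", "message": "Getting user's groups."}
{"level": "ERROR", "objectName": "Aldap", "message": "There was an error trying to bind: {'result': 49, 'desc': 'Invalid credentials'}"}
{"level": "WARNING", "objectName": "Aldap", "message": "Invalid groups for the user.", "username": "marco", "matchedGroups": "", "allowedGroups": "storage-admin"}
{"level": "WARNING", "objectName": "main", "message": "Basic-Auth: Authorization failed."}
10.244.3.108 - - [13/Nov/2023 14:19:43] "GET /auth HTTP/1.1" 401 -
"""


def triage(log_text):
    """Replay one /auth request's JSON log lines in order and report at which LDAP
    step it failed; a bind error is charged to the stage that was active when it appeared."""
    stage = "start"
    bind_errors = {}  # stage -> list of bind error messages seen while that stage was active
    info = {"username": None, "auth_ok": False, "groups_rejected": False}
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw.startswith("{"):
            continue  # access-log lines (werkzeug style) are not JSON; ignore them
        rec = json.loads(raw)
        msg = rec.get("message", "")
        if msg.startswith("Authenticating user via LDAP"):
            stage = "user_bind"
            info["username"] = rec.get("username")
        elif msg.startswith("Authentication successful via LDAP"):
            info["auth_ok"] = True
        elif msg.startswith("Getting user's groups"):
            stage = "group_lookup"  # a second connection/bind is opened here
        elif msg.startswith("There was an error trying to bind"):
            bind_errors.setdefault(stage, []).append(msg)
        elif msg.startswith("Invalid groups for the user"):
            info["groups_rejected"] = True
    # Verdict order matters: a failed group-lookup bind explains an empty group match.
    if not info["auth_ok"]:
        info["verdict"] = "USER_BIND_FAILED"
    elif "group_lookup" in bind_errors:
        info["verdict"] = "GROUP_LOOKUP_BIND_FAILED"
    elif info["groups_rejected"]:
        info["verdict"] = "NOT_IN_ALLOWED_GROUPS"
    else:
        info["verdict"] = "OK"
    info["bind_errors"] = bind_errors
    return info
```

Run `triage(open("app.log").read())` against the real log stream; a `GROUP_LOOKUP_BIND_FAILED` verdict points at the credentials of the second bind rather than at the group names or the search filter.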