dignajar / another-ldap Goto Github PK

Another LDAP is a form-based authentication for Active Directory / LDAP server. Provides Authentication and Authorization for your applications running in Kubernetes.

License: MIT License

Dockerfile 1.86% Python 82.33% CSS 4.02% HTML 9.31% Smarty 2.47%

kubernetes ingress authentication ldap ldap-authentication form-based form-based-authentication

another-ldap's Introduction

Another LDAP

Another LDAP is a form-based authentication for Active Directory / LDAP server.

Another LDAP provides Authentication and Authorization for your applications running on Kubernetes.

Another LDAP works perfect with NGINX ingress controller via (External OAUTH Authentication), HAProxy (haproxy-auth-request) or any webserver/reverse proxy with authorization based on the result of a subrequest.

Features

Authentication and Authorization for applications.
Authorization via LDAP groups, supports regex in groups list.
Supports protocols ldap:// and ldaps://.
Enabled by design TLS via self-signed certificate.
Supports configuration via headers or via environment variables.
HTTP response headers with username and matched groups for the backend.
Brute force protection.
Log format in Plain-Text or JSON.

Installation

Clone this repository or download the manifests from the directory kubernetes.
Edit the ingress, config-map and secrets with your configuration.
ALDAP is installed in the namespace another.

git clone https://github.com/dignajar/another-ldap.git
cd another-ldap/kubernetes
kubectl apply -f .

Configuration

Example 1: Authentication

The following example provides authentication for the application my-app.

The authentication validates username and password.

---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: my-app
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-url: https://another-ldap.another.svc.cluster.local/auth
    nginx.ingress.kubernetes.io/server-snippet: |
      error_page 401 = @login;
      location @login {
        return 302 https://another-ldap.testmyldap.com/?protocol=$pass_access_scheme&callback=$host;
      }
spec:
  rules:
  - host: my-app.testmyldap.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app
            port:
              number: 80

Example 2: Authentication and Authorization

The following example provides authentication and authorization for the application my-app.

The authentication validates username and password.
The authorization validates if the user has the LDAP group DevOps production environment.

---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: my-app
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-url: https://another-ldap.another.svc.cluster.local/auth
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header Ldap-Allowed-Groups "DevOps production environment";
    nginx.ingress.kubernetes.io/server-snippet: |
      error_page 401 = @login;
      location @login {
        return 302 https://another-ldap.testmyldap.com/?protocol=$pass_access_scheme&callback=$host;
      }
spec:
  rules:
  - host: my-app.testmyldap.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app
            port:
              number: 80

Example 3: Authentication, Authorization and response headers

The following example provides authentication and authorization for the application my-app and calls the application with the headers x-username and x-groups.

The authentication validates username and password.
The authorization validates if the user has one of the following LDAP groups DevOps production environment or DevOps QA environment.
Nginx will return the header x-username to the application that contains the username authenticated.
Nginx will return the header x-groups to the application that contains the matched groups for the username authenticated.

With the headers you can do increase the authorization in the application or display the user logged.

---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: my-app
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-url: https://another-ldap.another.svc.cluster.local/auth
    nginx.ingress.kubernetes.io/auth-response-headers: "x-username, x-groups"
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header Ldap-Allowed-Groups "DevOps production environment, DevOps QA environment";
    nginx.ingress.kubernetes.io/server-snippet: |
      error_page 401 = @login;
      location @login {
        return 302 https://another-ldap.testmyldap.com/?protocol=$pass_access_scheme&callback=$host;
      }
spec:
  rules:
  - host: my-app.testmyldap.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app
            port:
              number: 80

Available parameters

All parameters are defined in the config-map and secret manifests.

All values type are string.

The parameter LDAP_SEARCH_FILTER supports variable expansion with the username, you can do something like this (sAMAccountName={username}) and {username} is going to be replaced by the username typed in the login form.

The parameter LDAP_BIND_DN supports variable expansion with the username, you can do something like this {username}@TESTMYLDAP.com or UID={username},OU=PEOPLE,DC=TESTMYLDAP,DC=COM and {username} is going to be replaced by the username typed in the login form.

The parameter COOKIE_DOMAIN define the scope of the cookie, for example if you need to authentication/authorizate the domain testmyldap.com you should set the wildcard .testmyldap.com (notice the dot at the beginning).

Supported HTTP request headers

The variables send via HTTP headers take precedence over environment variables.

Ldap-Allowed-Users
Ldap-Allowed-Groups
Ldap-Conditional-Groups: Default="or"
Ldap-Conditional-Users-Groups: Default="or"

HTTP response headers

x-username Contains the authenticated username
x-groups Contains the user's matches groups

another-ldap's People

Contributors

Stargazers

Watchers

Forkers

sandeepk17 luizjr digitalis-io ycyr martin-weiss infonova anthonylavado tinphamtan maxisam shilazi ediplo patsevanton

another-ldap's Issues

Error to get Group

It works fine with ldap user check but fail to get group list.

Got error message like this

There was an error trying to bind: {'msgtype': 101, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563'}

Thanks for the great library!

Configure reverse proxy to other URL

Hi people!

Good job with the solution! It was exactly what I was looking for.

I have a doubt, is it possible to configure (I do not see on code) the solution for redirection to other site (once logged in)?
I want to configure reverse proxy to keep the main domain url.

Kind regards.

I'm not able to properly configure LDAP access

I'm not able to properly configure LDAP access
It always returns connection error

Fix code scanning alert - GHSA-r8wq-qrxc-hmcm

Tracking issue for:

https://github.com/dignajar/another-ldap/security/code-scanning/27

Fail to get group membership

Deployed using the following config-map to match my infra:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: another-ldap
  namespace: another-ldap-app
data:
  LDAP_ENDPOINT: "ldap://xxx.xxx.xxx.xx:389"
  LDAP_MANAGER_DN_USERNAME: "uid=admin,ou=people,dc=mydomain,dc=local"
  LDAP_BIND_DN: "uid={username},ou=people,dc=mydomain,dc=local"
  LDAP_SEARCH_BASE: "ou=people,dc=mydomain,dc=local"
  LDAP_SEARCH_FILTER: "(uid={username})"
  LOG_LEVEL: "DEBUG"
  LOG_FORMAT: "JSON"
  BRUTE_FORCE_PROTECTION: "False"
  BRUTE_FORCE_EXPIRATION: "5"
  BRUTE_FORCE_FAILURES: "3"
  COOKIE_DOMAIN: ""
  METADATA_TITLE: "Authentication & Authorization System"
  METADATA_DESCRIPTION: ""
  METADATA_FOOTER: "Powered by Another LDAP"
  PERMANENT_SESSION_LIFETIME: "7"

Then applied the following ingress to my service:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service-ingress
  namespace: service-namespace
  annotations: 
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-url: https://another-ldap-service.another-ldap-app.svc.cluster.local/auth
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header Ldap-Allowed-Groups "storage-admin";
    nginx.ingress.kubernetes.io/server-snippet: |
      error_page 401 = @login;
      location @login {
        return 302 https://another-ldap.mydomain.tld/?protocol=$pass_access_scheme&callback=$host;
      }
spec:
  rules:
  - host: service.mydomain.tld
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-frontend
            port:
              number: 80
  ingressClassName: nginx

Logs during the authentication of a valid user (marco) member of "storage-admin" (cn=storge-admin,ou=groups,dc=mydomain,dc=local) group:

{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Before-all."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "/auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authenticating user via LDAP.", "username": "marco", "finalUsername": "uid=marco,ou=people,dc=mydomain,dc=local"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authentication successful via LDAP.", "username": "marco", "elapsedTime": "0.10276222229003906"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authentication successful."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Getting user's groups."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "ERROR", "objectName": "Aldap", "ip": "192.168.1.36", "message": "There was an error trying to bind: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': []}"}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Validating AD groups.", "username": "marco", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Invalid groups for the user.", "username": "marco", "matchedGroups": "", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authorization failed."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "After-all."}
10.244.3.108 - - [13/Nov/2023 14:19:43] "GET /auth HTTP/1.1" 401 -

What am I doing wrong? Seems the authentication part works fine (I see the "Welcome" screen), but the groups membership check fails.

LDAP_HTTPS_SUPPORT

can you return this env LDAP_HTTPS_SUPPORT?
in repo seems to work fine https://github.com/dignajar/another-ldap-auth/blob/master/files/main.py