
LDAP Login Issue about wg-portal HOT 6 OPEN

captain-parzival commented on September 15, 2024
LDAP Login Issue

from wg-portal.

Comments (6)

valinet commented on September 15, 2024

+1


valinet commented on September 15, 2024

Actually, according to this and this, ldap config should be under auth, something like this:

auth:
  ldap:
    - id: 1
      ...

But don't bother, that still doesn't work either.


captain-parzival commented on September 15, 2024

> Actually, according to this and this, ldap config should be under auth, something like this:
>
> auth:
>   ldap:
>     - id: 1
>       ...
>
> But don't bother, that still doesn't work either.

Woops - formatting woes in GitHub hid that line and the callback url. I updated the original comment.


valinet commented on September 15, 2024

Got it to work eventually myself as well, beware ldap_sync_interval is just for show, it's not mapped to anything in code - once you enable synchronize: true, the LDAP service is queried every 10 seconds as per https://github.com/h44z/wg-portal/blob/master/internal/app/auth/auth.go#L39. What a mess...


captain-parzival commented on September 15, 2024

How did you get it to work? What backend are you using for LDAP?

Would you be able to post your configuration? I'm hoping it can help me track down my issues.


valinet commented on September 15, 2024

Here's my working config for v2:

advanced:
  log_level: trace
  ldap_sync_interval: 15m

core:
  admin_user: [email protected]
  admin_password: password
  create_default_peer: true
  create_default_peer_on_creation: false

web:
  external_url: https://example.com
  request_logging: true

auth:
  callback_url_prefix: https://example.com/api/v0
  ldap:
    - id: ldap1
      provider_name: company ldap
      display_name: Login with</br>LDAP
      url: ldap://example.com:389
      start_tls: true
      bind_user: [email protected],ou=users,dc=example,dc=com
      bind_pass: password
      base_dn: ou=users,dc=example,dc=com
      login_filter: (&(objectClass=inetOrgPerson)(memberOf=cn=users_of_wgportal,ou=groups,dc=example,dc=com)(mail={{login_identifier}}))
      admin_group: cn=administrators,ou=users,dc=example,dc=com
      synchronize: false
      sync_filter: (&(objectClass=inetOrgPerson)(memberOf=cn=users_of_wgportal,ou=groups,dc=example,dc=com))
      registration_enabled: true
      field_map: 
        user_identifier: uid
        email: mail
        memberof: memberOf
        firstname: givenName
        lastname: sn
        phone: mobile
        department: title

Since ldap_sync_interval is useless in v2, and synchronization happens every 10 seconds for some insane reason (hardcoded), I have gone over to using v1, which also has a hardcoded value, but at least on that it is 1 minute. Here's my config there (docker-compose.yml):

version: '3.6'
services:
  wg-portal:
    image: wgportal/wg-portal:v1
    container_name: wg-portal
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: "host"
    volumes:
      - /etc/wireguard:/etc/wireguard
      - ./data:/app/data
    ports:
      - '8123:8123'
    environment:
      # WireGuard Settings
      - WG_DEVICES=wg0,wg1
      - WG_DEFAULT_DEVICE=wg0
      - WG_CONFIG_PATH=/etc/wireguard
      - SELF_PROVISIONING=true
      # Core Settings
      - EXTERNAL_URL=https://example.com
      - LOGO_URL=https://example.com/logo.png
      - CREATE_DEFAULT_PEER=true
      - WEBSITE_TITLE=Example VPN
      - COMPANY_NAME=Example
      - [email protected]
      - ADMIN_PASS=password
      # Mail Settings
      - MAIL_FROM=Example VPN <[email protected]>
      - EMAIL_HOST=1.1.1.1
      - EMAIL_PORT=25
      # LDAP Settings
      - LDAP_ENABLED=true
      - LDAP_URL=ldap://example.com:389
      - LDAP_STARTTLS=true
      - LDAP_CERT_VALIDATION=false
      - LDAP_BASEDN=ou=users,dc=example,dc=com
      - [email protected],ou=users,dc=example,dc=com
      - LDAP_PASSWORD=password
      - LDAP_LOGIN_FILTER=(&(objectClass=inetOrgPerson)(memberOf=cn=users_of_wgportal,ou=groups,dc=example,dc=com)(mail={{login_identifier}}))
      - LDAP_SYNC_FILTER=(&(objectClass=inetOrgPerson)(memberOf=cn=users_of_wgportal,ou=groups,dc=example,dc=com))
      - LDAP_SYNC_GROUP_FILTER=(&(objectClass=inetOrgPerson)(ou=groups,dc=example,dc=com))
      - LDAP_ADMIN_GROUP=cn=administrators,ou=groups,dc=example,dc=com
      - LDAP_ATTR_EMAIL=mail
      - LDAP_ATTR_FIRSTNAME=givenName
      - LDAP_ATTR_LASTNAME=sn
      - LDAP_ATTR_PHONE=mobile
      - LDAP_ATTR_GROUPS=memberOf
      - LDAP_CERT_CONN=false
      # Log
      - LOG_LEVEL=trace

Although, to be perfectly honest with you, I don't like the interface of this project at all - it is too complicated for the casual users; I will probably go back to a custom patched wg-easy with an external authenticator. Here is the patch to wg-easy to support the Remote-User header from Authelia (it's in a comment on YouTube):

@WolfgangsChannel Managed to pull it off. It's rather simple actually. The changes are as follows:

  1. In file ansible-easy-vpn/roles/bunkerweb/templates/env.j2, add {{ wireguard_host }}_REVERSE_PROXY_HEADERS=Remote-User $user on the last line.
  2. docker exec -it wg-easy apk add nano.
  3. docker exec -it wg-easy nano lib/Server.js
  4. Ctrl + W, type return WireGuard.getClients(, Enter. Replace the line with return WireGuard.getClients(req.header("Remote-User"));.
  5. Ctrl + W, type return WireGuard.createClient(, Enter. 2 lines above (where function starts), add req.body.name = req.header("Remote-User") + "_" + req.body.name;.
  6. Ctrl + W, type return WireGuard.updateClientName(, Enter. 3 lines above (where function starts), add req.body.name = req.header("Remote-User") + "_" + req.body.name;.
  7. Ctrl+X, y, Enter to exit nano.
  8. docker exec -it wg-easy nano lib/WireGuard.js
  9. Ctrl + W, type async getClients(remote_user) {. In this method, replace lines 2 and 4 with this, respectively:
     • const clients = Object.entries(config.clients).filter(([clientId, client]) => client.name.startsWith(remote_user + "_")).map(([clientId, client]) => ({
     • name: client.name.substring((remote_user + "_").length, client.name.length),
  10. docker exec -it wg-easy nano www/index.html
  11. Ctrl+W, type <span class="text-sm">New</span>, Enter. After 2 lines, where the div closes, add this:

        <div class="flex-shrink-0">
          <button @click="location.replace('https://auth.example.com/logout?rd=https%3A%2F%2Fwg.example.com%2F');"
            class="hover:bg-red-800 hover:border-red-800 hover:text-white text-gray-700 border-2 border-gray-100 py-2 px-4 rounded inline-flex items-center transition">
            <svg style="transform-box: fill-box; transform-origin: center; transform: rotate(45deg);" class="w-4 mr-2" inline xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24"
              stroke="currentColor">
              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
                d="M12 6v6m0 0v6m0-6h6m-6 0H6" />
            </svg>
            <span class="text-sm">Log out</span>
          </button>
        </div>

  12. cd ansible-easy-vpn/
  13. ansible-playbook run.yml, enter vault password.
  14. reboot

This patch has the effect that the headers sent by Authelia always contain the Remote-User field populated with the LDAP uid of the currently logged-in user. On the wg-easy side, what I did was to prefix config files with "username_", and then filter the returned configs to only include those belonging to the currently logged-in user. Finally, steps 10-11 add a "Log out" button to the "wg-easy" web page, so users can easily log out. Remember to replace example.com with your actual domain.

I am a bit amazed by the lack of proper options in this area of WireGuard frontend, but I always keep looking since the protocol in itself is SO GOOD compared to anything else I have used.

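The client-scoping logic from the wg-easy patch above, as an added JavaScript example that is neither wg-easy's code nor the commenter's: the shape of the client records is an assumption, and unlike the patch it fails closed when the Remote-User header is absent.

```javascript
// Added example: scope WireGuard client records to the user named in the
// reverse-proxy Remote-User header, mirroring the wg-easy patch above.
// The client record shape is constructed for this example; it is assumed
// to resemble wg-easy's config.clients but is not its real structure.

const SEP = "_";

// Reject an absent or empty header. In the original patch an undefined
// header would concatenate to the literal prefix "undefined_", silently
// grouping every request without the header under one pseudo-user.
function requireUser(remoteUser) {
  if (typeof remoteUser !== "string" || remoteUser.length === 0) {
    throw new Error("missing Remote-User header");
  }
  return remoteUser;
}

// Stored name for a client created or renamed by remoteUser
// (the patch's steps 5 and 6).
function prefixClientName(remoteUser, name) {
  return requireUser(remoteUser) + SEP + name;
}

// Only the clients whose stored name carries remoteUser's prefix, with
// the prefix stripped from the displayed name (the patch's step 9).
function getClientsForUser(clients, remoteUser) {
  const prefix = requireUser(remoteUser) + SEP;
  return Object.entries(clients)
    .filter(([, client]) => client.name.startsWith(prefix))
    .map(([clientId, client]) => ({
      id: clientId,
      name: client.name.substring(prefix.length),
      enabled: client.enabled,
    }));
}

// Constructed sample data standing in for config.clients.
const sampleClients = {
  c1: { name: "alice_laptop", enabled: true },
  c2: { name: "alice_phone", enabled: false },
  c3: { name: "bob_laptop", enabled: true },
};

console.log(getClientsForUser(sampleClients, "alice"));
```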
