
Docker Registry Setup

This project is intended for people like me who need to get their hands on a piece of technology before they can fully grasp it.

The purpose of this project is rather educational. I'll show you how you can set up a docker registry v2 and an authorization server with an LDAP backend. In fact, everything is already set up for you to run. There's a docker container for the registry, one for the JWT auth server and one for the LDAP server. Feel free to connect to your company LDAP if you want by making adjustments to the auth server's config file (auth/config/config.yml). Just like that you can replace this setup piece by piece to suit your needs.

The original README includes a graphic of all the containers; the numbered steps below describe how they talk to each other:

  1. Attempt to begin a push/pull operation with the registry.
  2. If the registry requires authorization it will return a 401 Unauthorized HTTP response with information on how to authenticate.
  3. The registry client makes a request to the authorization service for a Bearer token.
  4. The authorization server makes a request to the LDAP server to check if a user exists. We use a service account to connect to the LDAP server.
  5. The LDAP server returns an answer to the user lookup.
  6. The authorization service returns an opaque Bearer token representing the client's authorized access.
  7. The client retries the original request with the Bearer token embedded in the request's Authorization header.
  8. The Registry authorizes the client by validating the Bearer token and the claim set embedded within it and begins the push/pull session as usual.

Here you can read more about the Docker v2 registry authorization process.

How are authentication and authorization configured

NOTE Remember that authentication ensures that you are who you claim to be. Authorization, on the other hand, defines the rules for what somebody is (dis)allowed to do.

The auth server is configured to try all authentication methods that have been specified in auth/config/config.yml. Currently LDAP and a static list of users/passwords are configured.

These password combinations are defined statically:

  • admin:badmin (can push and pull)
  • test:123 (can only pull)

I've included an LDAP server in docker-compose.yml that is also used for authentication. This is the LDAP hierarchy:

com
  |_example
          |
          |_philosophs
          |         |_schopenhauer
          |         |_kant
          |_musicians
          |         |_mozart
          |         |_bach
          |_it
             |_serviceaccount

(This hierarchy is described here: ldap/setup-ldap-schema.ldif.)

All musicians (mozart and bach) are usernames that are authorized to log in using the password "password", and they can all push and pull images to or from the registry. The philosophs (schopenhauer and kant) are not used and will not work with the current LDAP search base (see base: "ou=musicians,dc=example,dc=com" in auth/config/config.yml).

I use the serviceaccount username to bind to LDAP from the auth server. It

Notice that on a successful second pull or push you won't have to enter your credentials again because they have been saved here: ~/.docker/config.json. Remove this file if you want to force another prompt for username and password.

Preparation

IMPORTANT Read these instructions to get up and running with your own already configured docker registry v2 deployment.

Configure docker daemon

These instructions only need to be executed once. For the purpose of demonstration we will be running a registry on localhost, and by default we must inform our docker client about any insecure registry that we want to use. Here's how it works:

  • Make sure you have docker > 1.8 as well as docker-compose installed.
  • Ensure your DOCKER_OPTS contains this option: --insecure-registry 0.0.0.0:5000. On an Ubuntu 14.04 you can find this option in your /etc/default/docker file.
  • Restart your docker service: service docker restart.

How to run

# Clone the repository
git clone https://github.com/kwk/docker-registry-setup.git

# Navigate inside
cd docker-registry-setup

# Fire up the registry and the auth server as containers
# Notice that the docker registry is configured with a persistent storage volume
# from the docker host, hence --force-recreate will not wipe this storage for you.
docker-compose up -d --force-recreate

# Pull an image from the official docker hub that we want to push to our own secured registry
docker pull busybox

# Tag the image so that it can be pushed to our local registry
docker tag busybox 0.0.0.0:5000/anyuser/busybox

Okay, up until now we haven't pushed to or pulled from our local registry. It is now time to change this:

# First ensure we haven't stored any credentials:
mv -b ~/.docker/config.json ~/.docker/config.json.orig

# Push the image
docker push 0.0.0.0:5000/anyuser/busybox

And voilà, you'll be prompted for a username and a password. Let's use the username mozart (from the musicians organizational unit in LDAP) and the password "password". The email address doesn't matter much.

The push refers to a repository [0.0.0.0:5000/anyuser/busybox] (len: 1)
d7057cb02084: Image push failed 

Please login prior to push:
Username: mozart
Password: 
Email: [email protected]
WARNING: login credentials saved in /home/YOU/.docker/config.json
Login Succeeded
The push refers to a repository [0.0.0.0:5000/anyuser/busybox] (len: 1)
d7057cb02084: Image successfully pushed 
cfa753dfea5e: Image successfully pushed 
latest: digest: sha256:15eda5ab78f31658ab922650eebe9da9ccc6c16462d5ef0bfd6d9f29b8800569 size: 2743

Test that LDAP auth is working

This will connect to the LDAP server and query all information below the base (-b). The user used to authenticate is called YOUR_SERVICE_ACCOUNT and the password is taken from the file ./auth/config/ldap_password.txt. But since most editors append a newline (\n) or carriage return (\r), we first remove those characters. The user YOUR_SERVICE_ACCOUNT is a service account, but if you don't have one you can also try to log in with your own email address (-D FIRSTNAME.LASTNAME@YOUR_COMPANY.com).

LDAP_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' dockerregistrysetup_ldap_1)
ldapsearch -v \
  -H ldap://$LDAP_IP:389 \
  -x \
  -D "uid=serviceaccount,ou=it,dc=example,dc=com" \
  -b "ou=musicians,dc=example,dc=com" \
  -w password

To find an entry based on a user's email address execute this command:

LDAP_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' dockerregistrysetup_ldap_1)
ldapsearch -v \
  -H ldap://$LDAP_IP:389 \
  -x \
  -D "uid=serviceaccount,ou=it,dc=example,dc=com" \
  -b "ou=musicians,dc=example,dc=com" \
  -w password \
  "(&([email protected])(objectClass=person))"

and appropriately replace FIRSTNAME.LASTNAME@YOUR_COMPANY.com with your own email address.

How to use your own LDAP as your authentication backend...

  1. Chances are that your own LDAP server requires you to have certificates installed on the machine that binds to LDAP. Simply copy those certificates to auth/config/ldap_certificates/. I've modified the auth container a bit by introducing a start script that automatically searches for files in that directory and updates the cert store of the container on every start.
  2. Copy the auth/config/auth_config.yml to auth/config/auth_config.yml.custom and adjust all the settings inside to match the LDAP configuration that you have validated above. The file auth/config/auth_config.yml.custom will be loaded instead of auth/config/auth_config.yml whenever it is present.
  3. Put the password for the service account in this file: auth/config/ldap_password.txt.
  4. Restart the registry and auth server: docker-compose up -d --force-recreate
  5. Try pushing an image to the registry and login with your LDAP credentials.

Test the auth server

Replace USERNAME and PASSWORD below with the credentials of somebody who wants to authenticate against LDAP (e.g. mozart and password). You should get an HTTP 200 OK response containing a JSON Web Token if everything worked correctly. The -n matters: without it, echo appends a newline that gets base64-encoded into the credentials, and the auth server then checks a password that ends in a newline.

curl -H "Authorization: Basic $(echo -n "USERNAME:PASSWORD" | base64)" -vk "https://127.0.0.1:5001/auth?service=Docker%20registry&scope=registry:catalog:*"
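Two places in this setup are sensitive to a stray line ending: the Basic credential sent to the auth server (above) and the service-account password file that the auth server reads (see "Test that LDAP auth is working"). The following POSIX shell script is an added example, not code from the docker-registry-setup project; it shows how the newline appended by echo changes the encoded credential, and how to strip line endings from a password file. All input is constructed inline, so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the docker-registry-setup project): the two places
# in this setup where a stray line ending silently breaks authentication.
# Everything runs offline on constructed input.

# 1. The Basic credential for the auth server. `echo` appends a newline, so
#    `echo "user:pass" | base64` encodes "user:pass\n" and the server sees a
#    password that ends in a newline. printf '%s' encodes exactly the bytes given.
basic_credential() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# The same credential built with a plain echo; kept only to show that the
# two encodings differ.
basic_credential_with_newline() {
    echo "$1:$2" | base64 | tr -d '\n'
}

# Decode a Basic credential back to user:pass, to see what a server would see.
decode_basic() {
    printf '%s' "$1" | base64 -d
}

# 2. The service-account password file (bind_password_file). Editors usually
#    end the file with \n or \r\n; this removes both and prints the cleaned
#    password on stdout, which is what the container's start script does too.
clean_password_file() {
    tr -d '\r\n' < "$1"
}

# Constructed demonstration data: a password file saved by an editor on Windows.
TMP_PW=$(mktemp)
printf 'password\r\n' > "$TMP_PW"

echo "printf version: $(basic_credential mozart password)"
echo "echo version:   $(basic_credential_with_newline mozart password)"
echo "decoded:        $(decode_basic "$(basic_credential mozart password)")"
echo "cleaned file:   [$(clean_password_file "$TMP_PW")]"
rm -f "$TMP_PW"
```

The echo version ends in "Cg==", the base64 of the lone newline byte; that suffix is the difference between a credential the LDAP bind accepts and one it rejects.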

Manual token-based workflow to list repositories

You can skip this section if you're not interested in how a token can be requested manually to list the repositories inside a registry.

# This is the operation we want to perform on the registry
registryURL=https://127.0.0.1:5000/v2/_catalog

# Save the response headers of our first request to the registry to get the Www-Authenticate header
# (mktemp is available on most systems; tempfile is Debian-specific)
respHeader=$(mktemp)
curl -k --dump-header "$respHeader" "$registryURL"

# Extract the realm, the service, and the scope from the Www-Authenticate header
wwwAuth=$(grep -i "Www-Authenticate" "$respHeader")
realm=$(echo "$wwwAuth" | grep -o 'realm="[^"]*"' | cut -d '"' -f 2)
service=$(echo "$wwwAuth" | grep -o 'service="[^"]*"' | cut -d '"' -f 2)
scope=$(echo "$wwwAuth" | grep -o 'scope="[^"]*"' | cut -d '"' -f 2)

# Build the URL to query the auth server
authURL="$realm?service=$service&scope=$scope"

# Query the auth server to get a token (echo -n so that no newline ends up in the credentials)
token=$(curl -ks -H "Authorization: Basic $(echo -n "mozart:password" | base64)" "$authURL")

# Get the bare token from the JSON string: {"token": "...."}
token=$(echo "$token" | jq -r .token)

# Query the registry again, but this time with a bearer token
curl -vk -H "Authorization: Bearer $token" "$registryURL"

As a result you should get a list of repositories in your registry. If you have pushed only the busybox image from above to your registry you should see an HTTP body like this:

{"repositories":["anyuser/busybox"]}
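The manual workflow above greps the challenge out of the response and passes the token straight back without looking inside it. As an added example (not code from the docker-registry-setup project), the POSIX shell script below works through steps 2, 3 and 8 of the flow described at the top of this page offline: it parses a constructed Www-Authenticate challenge of the kind this registry returns, builds the token URL with the service name ("Docker registry", which contains a space) and the scope percent-encoded the way the Docker client does, and decodes the payload of a JWT so the claims the registry checks (iss, aud, access) can be read. The JWT is constructed locally with a placeholder signature; a real registry verifies the signature against the certificate in rootcertbundle, which this script does not attempt.

```shell
#!/bin/sh
# Added example (not part of the docker-registry-setup project): parse the
# Www-Authenticate challenge, build the token URL, and decode a JWT payload
# to inspect the claims the registry authorizes on. Runs offline on
# constructed data; the token below carries a dummy signature.

# Extract one quoted parameter (realm, service or scope) from a challenge such as
#   Bearer realm="https://127.0.0.1:5001/auth",service="Docker registry",scope="registry:catalog:*"
www_auth_param() {
    printf '%s\n' "$1" | grep -o "$2=\"[^\"]*\"" | head -n 1 | cut -d '"' -f 2
}

# Percent-encode a value for a query string (unreserved characters pass through).
# Needed because the service name in this setup contains a space.
urlencode() {
    printf '%s' "$1" | od -An -v -to1 | tr -s ' ' '\n' | sed '/^$/d' |
    while read -r oct; do
        ch=$(printf "\\$oct")
        case $ch in
            [A-Za-z0-9._~-]) printf '%s' "$ch" ;;
            *) printf '%%%02X' "0$oct" ;;
        esac
    done
}

# Build the auth-server URL from the challenge, as the Docker client does in step 3.
token_url() {
    printf '%s?service=%s&scope=%s' \
        "$(www_auth_param "$1" realm)" \
        "$(urlencode "$(www_auth_param "$1" service)")" \
        "$(urlencode "$(www_auth_param "$1" scope)")"
}

# base64url without padding, the encoding used for JWT segments (stdin -> stdout).
b64url() {
    base64 | tr -d '=\n' | tr '/+' '_-'
}

# Decode segment $2 (1 = header, 2 = payload) of JWT $1. JWT encoding strips
# the '=' padding, so it is restored here before base64 -d will accept it.
jwt_segment() {
    seg=$(printf '%s' "$1" | cut -d '.' -f "$2" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Constructed sample data. The challenge mirrors what the registry sends in
# step 2; the JWT mirrors what the auth server's {"token": "..."} carries,
# except that the third segment is a placeholder, not a real signature.
SAMPLE_CHALLENGE='Bearer realm="https://127.0.0.1:5001/auth",service="Docker registry",scope="registry:catalog:*"'
SAMPLE_HEADER='{"alg":"RS256","typ":"JWT"}'
SAMPLE_PAYLOAD='{"iss":"Acme auth server","sub":"mozart","aud":"Docker registry","access":[{"type":"registry","name":"catalog","actions":["*"]}]}'
SAMPLE_JWT="$(printf '%s' "$SAMPLE_HEADER" | b64url).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url).placeholder-signature"

echo "token URL: $(token_url "$SAMPLE_CHALLENGE")"
echo "header:    $(jwt_segment "$SAMPLE_JWT" 1)"
echo "payload:   $(jwt_segment "$SAMPLE_JWT" 2)"
```

The decoded access claim is what decides the outcome of step 8: the registry grants exactly the actions listed there for the named resource, so when a push is refused after a successful login, decoding the token this way shows whether the auth server's ACL or the registry is the place to look.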

Plans

  • Integrate a frontend

Have fun!

Issues

some errors I got

I have successfully started three containers with docker-compose:

$ docker-compose ps
             Name                           Command               State           Ports
------------------------------------------------------------------------------------------------
dockerregistrysetup_auth_1       /start.sh                        Up      0.0.0.0:5001->5001/tcp
dockerregistrysetup_ldap_1       /usr/bin/supervisord -c /e ...   Up      389/tcp
dockerregistrysetup_registry_1   /bin/registry serve /etc/d ...   Up      0.0.0.0:5000->5000/tcp

But when I try to push the image, it doesn't ask for login:

docker push 0.0.0.0:5000/anyuser/busybox
The push refers to a repository [0.0.0.0:5000/anyuser/busybox]
Get https://0.0.0.0:5000/v1/_ping: x509: cannot validate certificate for 0.0.0.0 because it doesn't contain any IP SANs

LDAP Configuration help

Hi @kwk, thanks for sharing this!

I have a production docker registry v2 server where I use htpasswd authentication behind an nginx HTTPS reverse and public proxy.

I want to replace htpasswd authentication with ldap authentication. We use docker registry image.

I don't see any Dockerfile on your repo nor any client installation for ldap on the registry server.

How did you manage to configure it? Is there any tutorial you have followed?

Thanks and best

Test the auth server via curl

Currently I have the docker_auth server running properly with docker-registry v2 and OpenLDAP. I can log in and set limits on pull/push for different OpenLDAP users.

I'd like to set up an automated kitchen test, which needs to test the auth server via curl.

I followed "Test the auth server", but can't make it work.

It always reports auth failed. Then I checked the log and found that the key generated via the command echo "USERNAME:PASSWORD" | base64 is different from the key I see in the log.

curl -H "Authorization: Basic $(echo "USERNAME:PASSWORD" | base64)" -vk "https://127.0.0.1:5001/auth?service=Docker%20registry&scope=registry:catalog:*"

If I replace the key with the one I got from the log, as below, I get the token successfully.

curl -H "Authorization: Basic <KEY_IN_DOCKER_AUTH_LOG>" -vk "https://127.0.0.1:5001/auth?service=Docker%20registry&scope=registry:catalog:*"

Any hints for me to fix the curl command?

Connecting to LDAP gives an error: authn #2 returned error: open /tmp/ldap_password.txt: no such file or directory

The following is my config:

1. The config:

auth:
  token:
    realm: "https://127.0.0.1:5001/auth"
    service: "Docker registry"
    issuer: "Acme auth server"
    rootcertbundle: "/path/to/server.pem"

server:
  addr: ":5001"
  certificate: "/ssl/server.pem"
  key: "/ssl/server.key"

token:
  issuer: "Acme auth server" # Must match issuer in the Registry config.
  expiration: 900

# LDAP authentication.
# Authentication is performed by first binding to the server, looking up the user entry
# by using the specified filter, and then re-binding using the matched DN and the password provided.
ldap_auth:
  addr: "ldap:389"
  #tls: true
  # In case bind DN and password is required for querying user information,
  # specify them here. Plain text password is read from the file.
  bind_dn: "uid=chenlp,ou=infocenter,dc=xxx,dc=com"
  # Make sure you remove newlines and carriage returns from the password file.
  bind_password_file: /tmp/ldap_password.txt
  # User query settings. ${account} is expanded from auth request
  base: "ou=infocenter,dc=xxxx,dc=com"
  filter: "(&(uid=${account})(objectClass=organizationalPerson))"

users:
  # Password is specified as a BCrypt hash. Use htpasswd -B to generate.
  "admin":
    password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin
  "test":
    password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya" # 123

acl:
  # Admin has full access to everything.
  - match: {account: "admin"}
    actions: ["*"]

2. The command:

docker run -d --name docker_auth -p 5001:5001 \
  -v /data/192.168.111.128/config:/config:ro \
  --restart=always \
  -v /data/192.168.111.128/ssl:/ssl cesanta/docker_auth /config/docker_auth.yml

3. When I log in to my private registry, this error occurs: authn #2 returned error: open /tmp/ldap_password.txt: no such file or directory. My system has the file, so why does this problem occur? And how should the password file be written?

4. By the way, after docker ps -a:

137c2b765f2e cesanta/docker_auth "/docker_auth/auth..." 15 seconds ago Up 14 seconds 0.0.0.0:5001->5001/tcp docker_auth

example of auth_config.yml configuration for own LDAP

Please provide an example of a correct setup.
LDAP IP: 192.168.0.1
Domain: Mydomain

ldap_auth:
  addr: "192.168.0.1:389"
  bind_dn: "uid=mydomain.com\serviceaccount,ou=Users,dc=mydomain,dc=com "
  bind_password_file: ldap_password.txt
  base: "ou=Users,dc=mydomain,dc=com"
  filter: "(&(uid=${account})(objectClass=organizationalPerson))"

Update "start.sh"

You must update "start.sh" like below to start the "dockerregistrysetup_auth_1" container.

#!/bin/sh
# Copy over certificates to correct place and update certificate storage
#find "/config/ldap_certificates" -type f -exec cp -fv {} /usr/local/share/ca-certificates/ \;
find "/config/ldap_certificates" -type f -exec cp -fv {} /etc/ssl/certs/ \;
#update-ca-certificates

# Replace newline and carriage returns in password file
cat /config/ldap_password.txt | tr -d '\r\n' > /tmp/ldap_password.txt.clean

# If we see a custom config file, we load that instead of the default one
CONF_PATH=/config/auth_config.yml
if [ -f $CONF_PATH.custom ]; then
  CONF_PATH=$CONF_PATH.custom
fi

# Start the auth server
#/auth_server -v=5 -alsologtostderr=true -log_dir=/logs $CONF_PATH
/docker_auth/auth_server -v=5 -alsologtostderr=true -log_dir=/logs $CONF_PATH

Can't pull or push

I set up everything like you did, but I can't push or pull; it results in an EOF error. I found that the error occurs because the auth server is crashing when a push/pull is requested:

docker_auth log after pull:


I1006 13:04:11.008054       1 server.go:3012] http: panic serving 10.255.0.2:24057: runtime error: invalid memory address or nil pointer dereference
goroutine 74 [running]:
net/http.(*conn).serve.func1(0xc00026e000)
	/usr/local/go/src/net/http/server.go:1769 +0x139
panic(0xb55080, 0x1266c80)
	/usr/local/go/src/runtime/panic.go:522 +0x1b5
github.com/cesanta/docker_auth/auth_server/authz.(*aclAuthorizer).Authorize(0xc0002de4a0, 0xc0000f2280, 0x8, 0xc0004d7848, 0xc0000f2280, 0xc00001a270, 0xc00000cf40)
	/src/auth_server/authz/acl.go:118 +0x1d3
github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).authorizeScope(0xc000093400, 0xc0000f2280, 0x0, 0x1000000000001, 0x400, 0x0, 0x0)
	/src/auth_server/server/server.go:254 +0x9e
github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).Authorize(0xc000093400, 0xc00026e140, 0xc00026e101, 0xc00001ebd0, 0x0, 0x0, 0xc00009c6c0)
	/src/auth_server/server/server.go:283 +0x23b
github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).doAuth(0xc000093400, 0xd4bae0, 0xc0003b0000, 0xc0003a4400)
	/src/auth_server/server/server.go:407 +0x7ef
github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).ServeHTTP(0xc000093400, 0xd4bae0, 0xc0003b0000, 0xc0003a4400)
	/src/auth_server/server/server.go:356 +0x3da
net/http.serverHandler.ServeHTTP(0xc000073ee0, 0xd4bae0, 0xc0003b0000, 0xc0003a4400)
	/usr/local/go/src/net/http/server.go:2774 +0xa8
net/http.(*conn).serve(0xc00026e000, 0xd4d260, 0xc00009c240)
	/usr/local/go/src/net/http/server.go:1878 +0x851
created by net/http.(*Server).Serve
	/usr/local/go/src/net/http/server.go:2884 +0x2f4

What to do?

Error! Can't up auth container.

Hi, I followed the README (How to run). I encountered an error when I executed the docker-compose up command.

docker-compose up -d

Creating dockerregistrysetup_registry_1
Creating dockerregistrysetup_ldap_1
Creating dockerregistrysetup_auth_1
ERROR: Cannot start container 7755d459381e54dc7173f80afc00aba2a488a38adc8a8a43a11c0b67a5425974: [8] System error: no such file or directory

docker logs dockerregistrysetup_auth_1

no such file or directory

I have replaced the files in the auth/config/ldap_certificates/ directory:

ls auth/config/ldap_certificates/

ldap.crt ldap.key

Anything wrong? Or I need config something?
Thank you very much!

cannot setup local ldap server

Good day,
I am trying to set up the registry with my company's LDAP server:

ldap_auth:
  addr: "192.168.0.10:389"
  tls: false
  bind_dn: "CN=Administrator,CN=Users,DC=company,DC=local"
  bind_password_file: /tmp/ldap_password.txt.clean
  base: "CN=Users,DC=singularis,DC=local"
  filter: "(&(sAMAccountName=${account})(objectClass=user))"

I also put the password for the account into /tmp/ldap_password.txt.clean,

but when I try to log in to the registry I get the following output:

registry_1  | 172.17.0.1 - - [05/Dec/2019:13:07:33 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/19.03.0-rc2 go/go1.12.5 git-commit/f97efcc kernel/4.9.125-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.0-rc2 \\(windows\\))"
registry_1  | time="2019-12-05T13:07:33.1161369Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.11.2 http.request.host="0.0.0.0:5000" http.request.id=ba5b30c2-7f18-401f-ac17-178235ec7258 http.request.method=GET http.request.remoteaddr="172.17.0.1:45954" http.request.uri="/v2/" http.request.useragent="docker/19.03.0-rc2 go/go1.12.5 git-commit/f97efcc kernel/4.9.125-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.0-rc2 \(windows\))"
auth_1      | I1205 13:07:33.134897      11 server.go:358] Request: &{Method:GET URL:/auth?account=testuser&client_id=docker&offline_token=true&service=my.docker.registry Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[Accept-Encoding:[gzip] Authorization:[Basic dGVzdHVzZXI6cGFzc3BocmFzZQ==] Connection:[close] User-Agent:[docker/19.03.0-rc2 go/go1.12.5 git-commit/f97efcc kernel/4.9.125-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.0-rc2 \(windows\))]] Body:{} GetBody:<nil> ContentLength:0 TransferEncoding:[] Close:true Host:0.0.0.0:5001 Form:map[] PostForm:map[] MultipartForm:<nil> Trailer:map[] RemoteAddr:172.17.0.1:40550 RequestURI:/auth?account=testuser&client_id=docker&offline_token=true&service=my.docker.registry TLS:0xc0003a22c0 Cancel:<nil> Response:<nil> ctx:0xc0000782c0}
auth_1      | I1205 13:07:33.134995      11 server.go:402] Auth request: {testuser:***@172.17.0.1:40550 []}
auth_1      | I1205 13:07:33.135008      11 server.go:241] Authn static testuser -> false, map[], did not match any rule
auth_1      | I1205 13:07:33.135062      11 ldap_auth.go:126] Bind read-only user (DN = CN=Administrator,CN=Users,DC=company,DC=local)
auth_1      | I1205 13:07:33.135155      11 server.go:3055] http: panic serving 172.17.0.1:40550: runtime error: invalid memory address or nil pointer dereference
auth_1      | goroutine 36 [running]:
auth_1      | net/http.(*conn).serve.func1(0xc0000981e0)
auth_1      |   /usr/local/go/src/net/http/server.go:1767 +0x139
auth_1      | panic(0xb66aa0, 0x122a490)
auth_1      |   /usr/local/go/src/runtime/panic.go:679 +0x1b2
auth_1      | sync.(*Mutex).Lock(...)
auth_1      |   /usr/local/go/src/sync/mutex.go:74
auth_1      | github.com/go-ldap/ldap.(*Conn).Close(0x0)
auth_1      |   /go/pkg/mod/github.com/go-ldap/[email protected]+incompatible/conn.go:207 +0x3e
auth_1      | panic(0xb66aa0, 0x122a490)
auth_1      |   /usr/local/go/src/runtime/panic.go:679 +0x1b2
auth_1      | github.com/go-ldap/ldap.(*Conn).nextMessageID(...)
auth_1      |   /go/pkg/mod/github.com/go-ldap/[email protected]+incompatible/conn.go:235
auth_1      | github.com/go-ldap/ldap.(*Conn).SimpleBind(0x0, 0xc00039b6e0, 0x0, 0x0, 0x0)
auth_1      |   /go/pkg/mod/github.com/go-ldap/[email protected]+incompatible/bind.go:54 +0xa5
auth_1      | github.com/go-ldap/ldap.(*Conn).Bind(...)
auth_1      |   /go/pkg/mod/github.com/go-ldap/[email protected]+incompatible/bind.go:116
auth_1      | github.com/cesanta/docker_auth/auth_server/authn.(*LDAPAuth).bindReadOnlyUser(0xc0000a41c0, 0x0, 0x0, 0x0)
auth_1      |   /src/auth_server/authn/ldap_auth.go:127 +0x1c0
auth_1      | github.com/cesanta/docker_auth/auth_server/authn.(*LDAPAuth).Authenticate(0xc0000a41c0, 0xc000358660, 0x1f, 0xc00009c4d0, 0xa, 0x0, 0x0, 0x0, 0x0)
auth_1      |   /src/auth_server/authn/ldap_auth.go:74 +0x134
auth_1      | github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).Authenticate(0xc0000ad2c0, 0xc000098280, 0xc65ae3, 0x11, 0xc00039ba98, 0x1)
auth_1      |   /src/auth_server/server/server.go:240 +0xbd
auth_1      | github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).doAuth(0xc0000ad2c0, 0xd706a0, 0xc0003f20e0, 0xc000390300)
auth_1      |   /src/auth_server/server/server.go:404 +0x201
auth_1      | github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).ServeHTTP(0xc0000ad2c0, 0xd706a0, 0xc0003f20e0, 0xc000390300)
auth_1      |   /src/auth_server/server/server.go:367 +0x3e6
auth_1      | net/http.serverHandler.ServeHTTP(0xc0002fc2a0, 0xd706a0, 0xc0003f20e0, 0xc000390300)
auth_1      |   /usr/local/go/src/net/http/server.go:2802 +0xa4
auth_1      | net/http.(*conn).serve(0xc0000981e0, 0xd722e0, 0xc000078240)
auth_1      |   /usr/local/go/src/net/http/server.go:1890 +0x875
auth_1      | created by net/http.(*Server).Serve
auth_1      |   /usr/local/go/src/net/http/server.go:2927 +0x38e

I also tried to specify the user as company\testuser, but the result is the same.
I tried the specified DN in an LDAP browser and can successfully obtain the user.

My LDAP is based on a Windows 2008 R2 Active Directory domain controller.

Certificate update does not work

update-ca-certificates in auth/start.sh does not work:
/start.sh: line 5: update-ca-certificates: not found

Also,
/auth_server -v=5 -alsologtostderr=true -log_dir=/logs $CONF_PATH
does not work; you need
/docker_auth/auth_server -v=5 -alsologtostderr=true -log_dir=/logs $CONF_PATH

So now I have a running cesanta/docker_auth, but I cannot install the certificate of the certificate authority for my LDAP server; I get a lot of
authn #2 returned error: LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority

Which is true, because it is self-signed.

As far as I can tell, cesanta/docker_auth is based on busybox, which doesn't have update-ca-certificates and never has. So perhaps this was tested against an earlier version; if so, which?

Question: Is it possible to take a docker image like the latest for grafana, and make it so grafana can reach out to AD to authenticate users for logon to the interface?

Question: Is it possible to take a docker image like the latest for grafana, and make it so grafana can reach out to AD to authenticate users for logon to the interface? I was able to ssh to my grafana docker image and install OpenLDAP, and I could reach out and test-connect to AD via LDAP; however, the authentication was not working back through to the image. Any ideas?
