
LDAP Authentication without groups

Open boesr opened this issue 3 years ago • 15 comments

Is it possible to use ldap authentication without assigning groups?

Our ldap does not contain groups for certain users and we want to assign all users the same role via authentication. Can we use a kind of wildcard?

boesr avatar Jun 09 '22 12:06 boesr

> Is it possible to use ldap authentication without assigning groups?

What happens if a user is not part of any of the groups you specified? Are they able to login? What does the "/whoami" page look like?

greenpau avatar Jun 09 '22 13:06 greenpau

Caddy shows no matched groups error. I am not able to sign in.

boesr avatar Jun 09 '22 14:06 boesr

@boesr , I will add a feature that would grant a default role to a user that does not match any groups. I may have time to work on it this weekend or the next one. Will keep you posted.

greenpau avatar Jun 09 '22 16:06 greenpau

Notes: if a user authenticated successfully, but the group match failed, the following log messages (specifically `LDAP authentication failed: no matched groups`) get generated:

2022/06/11 18:20:17.408 DEBUG   security        LDAP search succeeded   {"server": "ldap://ldap.forumsys.com", "entry_count": 1, "search_base_dn": "DC=EXAMPLE,DC=COM", "search_user_filter": "(&(|(uid=riemann)(mail=riemann))(objectClass=inetOrgPerson))", "users": [{"DN":"uid=riemann,dc=example,dc=com","Attributes":[{"Name":"cn","Values":["Bernhard Riemann"],"ByteValues":["QmVybmhhcmQgUmllbWFubg=="]},{"Name":"uid","Values":["riemann"],"ByteValues":["cmllbWFubg=="]},{"Name":"mail","Values":["[email protected]"],"ByteValues":["cmllbWFubkBsZGFwLmZvcnVtc3lzLmNvbQ=="]}]}]}
2022/06/11 18:20:17.418 WARN    security        Bad Request     {"session_id": "1UOKHLTUlBiAD1DCziSd015yDi2tTO5yzzFlE", "request_id": "fd841467-c8be-4e09-b1eb-d534c2745a76", "error": "LDAP authentication failed: no matched groups", "source_address": "10.0.2.2"}

I will be adding a new directive - fallback role <role_name> [<role_name>]

        ldap identity store example.com {
            groups {
                "ou=scientists,dc=example,dc=com" authp/user
            }
            fallback role authp/user
        }

This way, if "no matched groups" appears, the user will be assigned the one or more roles specified via the fallback role directive.

greenpau avatar Jun 11 '22 21:06 greenpau

Documentation update issue: https://github.com/authp/authp.github.io/issues/33

greenpau avatar Jun 11 '22 21:06 greenpau

@boesr , please test with the latest release and let me know how it goes.

greenpau avatar Jun 13 '22 03:06 greenpau

@greenpau Thanks for the quick adaptation. Just tested it. I built caddy with the latest release (the fallback directive gets accepted), but I still get the error:

{"level":"warn","ts":1655099192.076458,"logger":"security","msg":"Bad Request","session_id":"XXX","request_id":"XXX","error":"LDAP authentication failed: no matched groups","source_address":"XXX.XX.X.X"}

My LDAP config:

```
ldap identity store informatics.ldap {
    realm informatics.ldap
    servers {
        ldaps://MY_SERVER:636 ignore_cert_errors
    }
    attributes {
        name givenName
        surname sn
        email mail
    }
    username "BIND_DN"
    password "PASSWORD"
    search_base_dn "BASE_DN"
    search_filter "(&(|(sAMAccountName=%s))(objectclass=user))"
    groups {
        "GROUP_DN_CONTAINING_NO_MATCHING_GROUP" admin
    }
    fallback role admin
}
```

boesr avatar Jun 13 '22 05:06 boesr

@boesr , instead of latest, please specify exact version https://github.com/greenpau/caddy-security/blob/33bf9abc1e9d7ea2a617d02ce723e9bf3ad2283d/assets/docker/authp/Dockerfile#L11

greenpau avatar Jun 13 '22 09:06 greenpau

@greenpau just tried it, but I still get the same error message as before.

boesr avatar Jun 13 '22 10:06 boesr

@boesr , for troubleshooting please change to:

“fallback roles authp/admin authp/user”

greenpau avatar Jun 13 '22 11:06 greenpau

@greenpau That works. The user gets assigned the second role (in your case user). I can now login.

boesr avatar Jun 13 '22 11:06 boesr

@boesr , I see! Will fix that in the next release.

greenpau avatar Jun 13 '22 12:06 greenpau

Hi, this is still a nice-to-have. A mention in the docs would also be a nice addition. I stumbled upon this issue by chance.

rizlas avatar Sep 10 '23 21:09 rizlas

@rizlas , please feel free to contribute to the documentation.

greenpau avatar Sep 11 '23 01:09 greenpau

I will. What's the current behavior of this? I'll try to recap the current status here:

fallback roles authp/admin

{"level":"warn","ts":1694411713.020804,"logger":"security","msg":"Bad Request","session_id":"2EcSqFPmIMnmpVrQKjODED2yuSwideqJzs532F","request_id":"8b2063b3-b158-4c04-91e8-17bcb9b30b63","error":"LDAP authentication failed: no matched groups","source_address":"*******"}

fallback roles authp/user

{"level":"warn","ts":1694411847.1145182,"logger":"security","msg":"Bad Request","session_id":"2EcSqFPmIMnmpVrQKjODED2yuSwideqJzs532F","request_id":"16bf0eec-c2be-4af4-a585-db62a1611b39","error":"LDAP authentication failed: no matched groups","source_address":"******"}

fallback roles authp/user authp/admin

Login with:

  "roles": [
    "authp/admin"
  ]

fallback roles authp/admin authp/user

Login with:

  "roles": [
    "authp/user"
  ]

The previously mentioned `fallback role` directive doesn't exist (https://github.com/authp/authp.github.io/issues/33).

Also, with the role admin, /settings keeps saying that the service is not available.

rizlas avatar Sep 11 '23 06:09 rizlas