
Connecting to LDAP server without TLS

Open jbperrin88 opened this issue 6 years ago • 13 comments

Hi there,

Like some other users, I would like to use your project to forward auth to an LDAP server from Traefik.

There are STILL a few LDAP servers without TLS in my environment (I know..... it's a bit dirty)

When I tried to connect to this kind of server, I got "Failed to connect: LDAP Result Code 1 "Operations Error": ldap: cannot StartTLS (00000000: LdapErr: DSID-0C090E6B, comment: TLS or SSL already in effect, data 0, v1db1\x00)"

Can you please give me some tips? Is it possible? Do you have some special env?

Thanks !

jbperrin88 avatar Jun 20 '19 09:06 jbperrin88

Hi @jbperrin88, what is the LDAP connection string you are using? Is it the ldap:// protocol or ldaps://?

pinepain avatar Jun 20 '19 10:06 pinepain

Woooo, such a rapid answer. I'm impressed....

This is my configuration:

    environment:
      LOG_LEVEL: "debug"
      LISTEN: ":8888"
      LDAP_SERVER: "ldap://XXX"
      LDAP_BASE: "XXX"
      LDAP_BIND_DN: "XXX"
      LDAP_BIND_PASSWORD: "XXX"
      LDAP_USER_FILTER: "(sAMAccountName=%s)"
      HEADERS_MAP: "X-LDAP-Mail:mail,X-LDAP-UID:sAMAccountName,X-LDAP-CN:cn"

jbperrin88 avatar Jun 20 '19 10:06 jbperrin88

I've even tried to set the port in the connection string: LDAP_SERVER: "ldap://XXX:389"

jbperrin88 avatar Jun 20 '19 10:06 jbperrin88

@jbperrin88 thanks, I'll give it a look. A TLS connection shall not be initiated with the ldap scheme; it shall not be triggering a TLS start:

https://github.com/pinepain/ldap-auth-proxy/blob/master/ldap.go#L50 https://github.com/pinepain/ldap-auth-proxy/blob/master/ldap.go#L56-L59

pinepain avatar Jun 20 '19 12:06 pinepain
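To make the scheme-based decision concrete, here is an added Go example (mine, not code from ldap-auth-proxy or go-ldap-client) that parses an LDAP_SERVER value the way the comment above describes: ldap:// means a plain connection, or StartTLS only on explicit opt-in, while ldaps:// means implicit TLS, on which a StartTLS request would fail with the "TLS or SSL already in effect" error quoted in the issue. The PlanConnection function, the TLSMode type and the startTLS flag are this example's own names, and treating a scheme-less value as ldap:// is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// TLSMode is how the proxy secures the LDAP session (names are this example's own).
type TLSMode int

const (
	TLSNone     TLSMode = iota // ldap://, no encryption at all
	TLSStartTLS                // ldap://, upgraded in-band with StartTLS
	TLSImplicit                // ldaps://, TLS from the first byte
)

func (m TLSMode) String() string {
	return [...]string{"none", "starttls", "ldaps"}[m]
}

// ConnPlan is the result of parsing an LDAP_SERVER value.
type ConnPlan struct {
	Host string
	Port string
	Mode TLSMode
}

// Addr is the host:port the dialer should use.
func (p ConnPlan) Addr() string { return net.JoinHostPort(p.Host, p.Port) }

// PlanConnection decides the TLS mode from the URL scheme. startTLS is an
// explicit opt-in (a hypothetical flag) and is only honoured for ldap://: an
// ldaps:// session is already encrypted, so asking for StartTLS on it is
// rejected here instead of being sent to the server, which would answer
// with the "TLS or SSL already in effect" error quoted in the issue.
func PlanConnection(server string, startTLS bool) (ConnPlan, error) {
	if !strings.Contains(server, "://") {
		server = "ldap://" + server // assumption: no scheme means plain LDAP
	}
	u, err := url.Parse(server)
	if err != nil {
		return ConnPlan{}, err
	}
	plan := ConnPlan{Host: u.Hostname(), Port: u.Port()}
	if plan.Host == "" {
		return ConnPlan{}, fmt.Errorf("LDAP_SERVER %q has no host", server)
	}
	switch u.Scheme {
	case "ldap":
		if plan.Port == "" {
			plan.Port = "389"
		}
		plan.Mode = TLSNone
		if startTLS {
			plan.Mode = TLSStartTLS
		}
	case "ldaps":
		if plan.Port == "" {
			plan.Port = "636"
		}
		if startTLS {
			return ConnPlan{}, fmt.Errorf("StartTLS requested on %s but ldaps:// is already TLS", plan.Host)
		}
		plan.Mode = TLSImplicit
	default:
		return ConnPlan{}, fmt.Errorf("unsupported LDAP_SERVER scheme %q", u.Scheme)
	}
	return plan, nil
}

func main() {
	// Constructed inputs mirroring the values used in this issue.
	for _, s := range []string{"ldap://XXX", "ldap://XXX:389", "ldaps://dc.example.com", "XXX"} {
		p, err := PlanConnection(s, false)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-24s -> dial %s, tls mode %s\n", s, p.Addr(), p.Mode)
	}
}
```

The point of deciding the mode before dialing is that the two failure cases become configuration errors with a clear message rather than an opaque "Operations Error" from the directory: StartTLS is never attempted on an ldaps:// session, and a plain ldap:// server is contacted without any TLS unless the operator opted in.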

So, I tried without a scheme in the URL. Same error message.

The log says: cannot StartTLS

Is the 'StartTLS' option set by default? (StartTLS is neither TLS nor SSL)

And I used your latest Docker image from Docker Hub.

jbperrin88 avatar Jun 20 '19 13:06 jbperrin88

@jbperrin88 thanks, I'll give it a look. TLS shall not be initiated when the scheme is ldap and not ldaps.

pinepain avatar Jun 24 '19 06:06 pinepain

Hum, looks like this: https://github.com/jtblin/go-ldap-client/issues/3

jbperrin88 avatar Jun 25 '19 11:06 jbperrin88

Yeah, looks relevant to me. Anyway, I had in mind to migrate to the raw LDAP library (v2 or v3), so it may be a good thing to do.

pinepain avatar Jun 25 '19 12:06 pinepain

Another short question: I'm using LDAP to query Windows AD.

How can I use the group filtering method?

If I've understood, I need to find a filter to get all the groups the user belongs to (only this: the %s -> sAMAccountName) and use the GROUP_HEADER to set the group I want?

jbperrin88 avatar Jun 25 '19 13:06 jbperrin88

Given that you have export GROUP_HEADER='X-Ldap-Group', set the X-Ldap-Group header value to the allowed groups. It could be a single group or multiple, comma-separated groups. If multiple groups are used, the user should be in at least one group.

With an nginx proxy block it may be something like this:

    map $host $ldap_group {
        default "UNKNOWN_GROUP";

        "foo.bar" "group1,group2";
        "example.com" "exampleGroup";
    }

...

        location = /auth-proxy {
            internal;

            proxy_pass http://ldap_auth/auth;

            proxy_pass_request_body off;
            proxy_set_header        Content-Length "";
            proxy_cache             auth_cache;
            proxy_cache_valid       202 15m;

            # The following directive adds the cookie to the cache key
            proxy_cache_key "$target_host$http_authorization";

            proxy_set_header X-Ldap-Group $ldap_group;
        }

It is a bit of a complex example which I use to have a single point of auth for multiple hosts. It should give you a perspective on how to use group filtering.

pinepain avatar Jun 25 '19 14:06 pinepain
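As an added Go example (mine, not the project's code) of the group check described in the comment above: the X-Ldap-Group header value is split on commas, and the user passes if any listed group name matches the CN of one of the user's AD memberOf DNs. It goes one step beyond the comment by also showing the LDAP_USER_FILTER substitution with RFC 4515 escaping, so a login name containing filter metacharacters cannot change the structure of the `(sAMAccountName=%s)` filter from the configuration earlier in the thread. GroupAllowed, CNFromDN, BuildUserFilter and the sample memberOf DNs are this example's own; the fail-closed handling of an empty header and the case-insensitive group comparison are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// EscapeFilterValue escapes a value for use inside an LDAP search filter
// (RFC 4515): the characters that would let user input change the filter
// structure are replaced by \xx hex escapes.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildUserFilter substitutes the login name into an LDAP_USER_FILTER-style
// template such as "(sAMAccountName=%s)", escaping it first.
func BuildUserFilter(template, username string) string {
	return strings.Replace(template, "%s", EscapeFilterValue(username), 1)
}

// CNFromDN returns the value of a DN's leading CN RDN ("" if the first RDN
// is not a CN). Backslash-escaped characters, e.g. "\," inside a group
// name, are unescaped so they do not end the RDN early.
func CNFromDN(dn string) string {
	var rdn strings.Builder
	for i := 0; i < len(dn); i++ {
		if dn[i] == '\\' && i+1 < len(dn) {
			rdn.WriteByte(dn[i+1])
			i++
			continue
		}
		if dn[i] == ',' {
			break
		}
		rdn.WriteByte(dn[i])
	}
	parts := strings.SplitN(rdn.String(), "=", 2)
	if len(parts) != 2 || !strings.EqualFold(strings.TrimSpace(parts[0]), "cn") {
		return ""
	}
	return strings.TrimSpace(parts[1])
}

// GroupAllowed implements the rule from the comment: header holds one group
// or a comma-separated list, and the user must be in at least one of them.
// memberOf is the list of group DNs returned for the user (AD style).
// Assumptions: an empty header denies (fail closed) and names compare
// case-insensitively, as AD group names do.
func GroupAllowed(header string, memberOf []string) bool {
	allowed := make(map[string]bool)
	for _, g := range strings.Split(header, ",") {
		if g = strings.TrimSpace(g); g != "" {
			allowed[strings.ToLower(g)] = true
		}
	}
	if len(allowed) == 0 {
		return false
	}
	for _, dn := range memberOf {
		if cn := CNFromDN(dn); cn != "" && allowed[strings.ToLower(cn)] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: what AD might return in memberOf for one user.
	memberOf := []string{
		"CN=group2,OU=Groups,DC=example,DC=com",
		"CN=Sales\\, EMEA,OU=Groups,DC=example,DC=com",
	}
	// Header values taken from the nginx map in the comment above, plus an empty one.
	for _, h := range []string{"group1,group2", "exampleGroup", "UNKNOWN_GROUP", ""} {
		fmt.Printf("X-Ldap-Group=%q -> allowed=%v\n", h, GroupAllowed(h, memberOf))
	}
	fmt.Println(BuildUserFilter("(sAMAccountName=%s)", "jb*)(objectClass=*"))
}
```

With the nginx map from the comment, a request for an unmapped host carries `UNKNOWN_GROUP`, which no real group will match, so unknown hosts are denied by the same rule rather than by a special case. The escaping step matters because the proxy substitutes whatever name the client presents into the filter; without it, a name like `jb*)(objectClass=*` would widen the search instead of matching one account.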