LDAP Authentication for Nginx, Kubernetes ingress controller (Nginx), HAProxy (haproxy-auth-request) or any webserver/reverse proxy with authorization based on the result of a subrequest.
Another LDAP Authentication is an implementation of the ldap-auth-daemon services described in the official blog from Nginx in the following article.
Another LDAP Authentication it's prepared to run inside a Docker container, also you can run the Python script without the Docker container. Supports ldap and ldaps and provide a simple cache.
The parameters can be sent via environment variables or via HTTP headers, also you can combine them.
The parameter LDAP_SEARCH_FILTER support variable expansion with the username, you can do something like this (sAMAccountName={username}) and {username} is going to be replaced by the username typed in the login form.
All values type are string.
| Key | Default | Values | Description | Example |
|---|---|---|---|---|
| LDAP_ENDPOINT | LDAP URL with the protocol and the port number. | ldaps://testmyldap.com:636 |
||
| LDAP_MANAGER_DN_USERNAME | Username to bind and search in the LDAP tree. | CN=john,OU=Administrators,DC=TESTMYLDAP,DC=COM |
||
| LDAP_MANAGER_PASSWORD | Password for the bind user. | |||
| LDAP_SEARCH_BASE | DC=TESTMYLDAP,DC=COM |
|||
| LDAP_SEARCH_FILTER | Filter for search, for Microsoft Active Directory usually you can use sAMAccountName. |
(sAMAccountName={username}) |
||
| LDAP_SERVER_DOMAIN (Optional) | Microsoft Active Directory usually need the domain name for authenticate the user. | TESTMYLDAP.COM |
||
| LDAP_REQUIRED_GROUPS (Optional) | Required groups, supports regular expressions, you can send a list separated by commas. | 'DevOps production environment', 'Developers .* environment' |
||
| LDAP_REQUIRED_GROUPS_CONDITIONAL | and |
and, or |
Conditional to match all the groups in the list or just one of them. | or |
| LDAP_REQUIRED_GROUPS_CASE_SENSITIVE | enabled |
enabled, disabled |
Enabled or disabled case sensitive groups matches. | disabled |
| CACHE_EXPIRATION | 5 |
Cache expiration time in minutes. | 10 |
|
| LOG_LEVEL | INFO |
DEBUG, INFO, WARN, ERROR |
Logger level. | DEBUG |
| LOG_FORMAT | TEXT |
TEXT, JSON |
Output format of the logger. | JSON |
The variables send via HTTP headers take precedence over environment variables.
Ldap-EndpointLdap-Manager-Dn-UsernameLdap-Manager-PasswordLdap-Search-BaseLdap-Search-FilterLdap-Server-DomainLdap-Required-GroupsLdap-Required-Groups-Case-SensitiveLdap-Required-Groups-Conditional
x-usernameContains the authenticated usernamex-groupsContains the username matches groups
The easy way to use Another LDAP Authentication is running as a Docker container and set the parameters via environment variables.
Change the environment variables with your setup.
docker run -d \
-e LDAP_ENDPOINT='ldaps://testmyldap.com:636' \
-e LDAP_MANAGER_DN_USERNAME='CN=john-service-user,OU=Administrators,DC=TESTMYLDAP,DC=COM' \
-e LDAP_MANAGER_PASSWORD='MasterpasswordNoHack123' \
-e LDAP_SERVER_DOMAIN='TESTMYLDAP.COM' \
-e LDAP_SEARCH_BASE='DC=TESTMYLDAP,DC=COM' \
-e LDAP_SEARCH_FILTER='(sAMAccountName={username})' \
-p 9000:9000 \
--name another_ldap_auth \
dignajar/another-ldap-auth:latest
Another LDAP Authentication now is running on http://localhost:9000.
Nginx use the module ngx_http_auth_request_module to do the subrequest.
The following example shows how to configure Nginx which is running in the same machine as Another LDAP Authentication. The backend /private/ includes the authentication request to /another_ldap_auth.
location /private/ {
auth_request /another_ldap_auth;
# ...
# Here you private site
}
location = /another_ldap_auth {
internal;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_pass http://localhost:9000;
}
Now you can access to your website wich is going to be something like this http://myserver.com/private/ and Nginx will request you to write the username and password.
Get the K8s manifest from the folder /kubernetes from this repository.
The manifests for K8s helps to deploy Another LDAP Authentication in the namespace ingress-nginx and expose the service in the cluster at the following address http://another-ldap-auth.ingress-nginx.
Please change the environment variables from the manifest and the secret for the bind username.
After you have running Another LDAP Authentication in your Kubernetes, you can modify the ingress manifest for the application you want to protect.
You can remove the comment # and send headers as variables such as Required groups.
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: demo-webserver
namespace: demo
annotations:
nginx.ingress.kubernetes.io/auth-url: http://another-ldap-auth.ingress-nginx
# nginx.ingress.kubernetes.io/auth-snippet: |
# proxy_set_header Ldap-Required-Groups "<SOME GROUP>";
# proxy_set_header Ldap-Required-Groups-Conditional "or";
spec:
rules:
- host: demo.local
http:
paths:
- path: /
backend:
serviceName: demo-webserver
servicePort: 80
- Parameters via headers need to be escaped, for example, you can not send parameters such as
$1or$testbecause Nginx is applying variable expansion.