verdaccio / docker-examples

🐳 ⛴ A collection of Docker and Kubernetes examples for verdaccio

Home Page: https://www.verdaccio.org/docs/en/docker.html

Example Docker compose with LDAP plugin

juanpicado opened this issue

It'd be great to have an example with LDAP as an auth plugin.

I have tried to use the following Dockerfile:

FROM node:10.1.0-alpine

RUN apk --no-cache add openssl && \
    wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64 && \
    chmod +x /usr/local/bin/dumb-init && \
    apk del openssl

ENV APPDIR /usr/local/app

WORKDIR $APPDIR

ADD . $APPDIR

ENV NODE_ENV=production

RUN npm config set registry http://registry.npmjs.org/ && \
    npm install -g verdaccio@latest && \
    npm install -g verdaccio-ldap@latest

RUN mkdir -p /verdaccio/storage /verdaccio/conf

ADD ldap/config.yaml /verdaccio/conf/config.yaml

RUN addgroup -S verdaccio && adduser -S -G verdaccio verdaccio && \
    chown -R verdaccio:verdaccio "$APPDIR" && \
    chown -R verdaccio:verdaccio /verdaccio

USER verdaccio

ENV PORT 4873
ENV PROTOCOL http

EXPOSE $PORT

VOLUME ["/verdaccio"]

ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]

CMD verdaccio --config /verdaccio/conf/config.yaml --listen $PROTOCOL://0.0.0.0:${PORT}

This was ldap/config.yaml:

#
# This is the config file used for the docker images.
# It allows all users to do anything, so don't use it on production systems.
#
# Do not configure host and port under `listen` in this file
# as it will be ignored when using docker.
# see https://github.com/verdaccio/verdaccio/blob/master/wiki/docker.md#docker-and-custom-port-configuration
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#

# path to a directory with all packages
storage: /verdaccio/storage

auth:
  ldap:
    type: ldap
    groupNameAttribute: 'cn'
    client_options:
      url: "ldaps://ldap.example.com"
      bindDn: "cn=****,dc=example,dc=com"
      bindCredentials: "********"
      searchBase: "dc=example,dc=com"
      searchFilter: "(uid={{username}})"
      cache: False
      tlsOptions:
        rejectUnauthorized: False

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    # scoped packages
    access: $all
    publish: $authenticated
    proxy: npmjs

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: $all

    # allow all known users to publish packages
    # (anyone can register by default, remember?)
    publish: $authenticated

    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

# log settings
logs:
  - {type: stdout, format: pretty, level: trace}
  #- {type: file, path: verdaccio.log, level: info}

listen:
  - 0.0.0.0:4873

I have tried to log in from the UI but the login request is pending.

This is the log:

verdaccio_1  |  info <-- 172.17.0.1 requested 'POST /-/verdaccio/login'
verdaccio_1  |  debug--- connected after 1 attempt(s)
verdaccio_1  |  trace--- sending request {"messageID":1,"protocolOp":"BindRequest","version":3,"name":"cn=readonly,dc=kopaxgroup,dc=com","authenticationType":"Simple","credentials":"XyztK0p4x","controls":[]}
verdaccio_1  |  debug--- connected after 1 attempt(s)
verdaccio_1  |  trace--- data event: <Buffer 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00>
verdaccio_1  |  trace--- parse: data=<Buffer 0a 01 00 04 00 04 00>
verdaccio_1  |  trace--- Parsing done: {"messageID":1,"protocolOp":"LDAPResult","status":0,"matchedDN":"","errorMessage":"","referrals":[],"controls":[]}
verdaccio_1  |  trace--- response received
verdaccio_1  |  trace--- sending request {"messageID":2,"protocolOp":"SearchRequest","baseObject":{"rdns":[{"attrs":{"dc":{"value":"kopaxgroup","name":"dc","order":0}},"spLead":0,"spTrail":0},{"attrs":{"dc":{"value":"com","name":"dc","order":0}},"spLead":0,"spTrail":0}],"_format":{}},"scope":"sub","derefAliases":0,"sizeLimit":0,"timeLimit":10,"typesOnly":false,"filter":"(uid=dka)","attributes":[],"controls":[]}
verdaccio_1  |  trace--- data event: <Buffer 30 82 01 9e 02 01 02 64 82 01 97 04 40 75 69 64 3d 64 6b 61 2c 63 3d 56 4e 2c 6f 75 3d 75 73 65 72 73 2c 6f 75 3d 64 65 76 65 6c 6f 70 65 72 73 2c 6f ... >
verdaccio_1  |  trace--- parse: data=<Buffer 04 40 75 69 64 3d 64 6b 61 2c 63 3d 56 4e 2c 6f 75 3d 75 73 65 72 73 2c 6f 75 3d 64 65 76 65 6c 6f 70 65 72 73 2c 6f 3d 6b 6f 70 61 78 2c 64 63 3d 6b ... >
verdaccio_1  |  trace--- Parsing done: {"messageID":2,"protocolOp":"SearchEntry","objectName":"uid=me,ou=users,dc=example,dc=com","attributes":[{"type":"cn","vals":["Me"]},{"type":"employeeType","vals":["developer"]},{"type":"gecos","vals":["Me"]},{"type":"gidNumber","vals":["1454101"]},{"type":"givenName","vals":["Me"]},{"type":"homeDirectory","vals":["/home/me"]},{"type":"loginShell","vals":["/bin/bash"]},{"type":"sn","vals":["Me"]},{"type":"uid","vals":["me"]},{"type":"uidNumber","vals":["1458302"]},{"type":"mail","vals":["me@example.com"]},{"type":"objectClass","vals":["top","posixAccount","inetOrgPerson"]}],"controls":[]}
verdaccio_1  |  trace--- response received
verdaccio_1  |  trace--- data event: <Buffer 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00>
verdaccio_1  |  trace--- parse: data=<Buffer 0a 01 00 04 00 04 00>
verdaccio_1  |  trace--- Parsing done: {"messageID":2,"protocolOp":"LDAPResult","status":0,"matchedDN":"","errorMessage":"","referrals":[],"controls":[]}
verdaccio_1  |  trace--- response received
verdaccio_1  |  trace--- sending request {"messageID":1,"protocolOp":"BindRequest","version":3,"name":"uid=me,ou=users,dc=example,dc=com","authenticationType":"Simple","credentials":"*******","controls":[]}
verdaccio_1  |  trace--- data event: <Buffer 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00>
verdaccio_1  |  trace--- parse: data=<Buffer 0a 01 00 04 00 04 00>
verdaccio_1  |  trace--- Parsing done: {"messageID":1,"protocolOp":"LDAPResult","status":0,"matchedDN":"","errorMessage":"","referrals":[],"controls":[]}
verdaccio_1  |  trace--- response received
verdaccio_1  |  trace--- sending request {"messageID":3,"protocolOp":"UnbindRequest","controls":[]}
verdaccio_1  |  trace--- end event
verdaccio_1  |  http <-- 200, user: undefined(172.17.0.1), req: 'POST /-/verdaccio/login', bytes: 41/0

Is LDAP supposed to work?

I see a warning in here https://github.com/verdaccio/docker-examples/tree/master/ldap-verdaccio#verdaccio-and-ldap-server saying it is experimental.
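
Added example, not part of the thread or of verdaccio's own code: with `level: trace`, the log above prints each LDAP BindRequest together with its `credentials` field, so a log pasted into an issue carries the bind passwords. The sketch below masks that field before a log is shared; `redactLine`, `redactLog` and the sample lines are constructed for illustration.

```javascript
// Added example (not verdaccio code): mask LDAP bind secrets in trace logs.
const MARKER = 'sending request ';
const MASK = '[REDACTED]';

// Redact one log line; returns the safe line and a finding if a secret was exposed.
function redactLine(line) {
  const at = line.indexOf(MARKER);
  if (at === -1) return { line, finding: null };
  const prefix = line.slice(0, at + MARKER.length);
  const payload = line.slice(at + MARKER.length);
  let msg;
  try {
    msg = JSON.parse(payload);
  } catch (err) {
    // Truncated or malformed JSON: mask by pattern, tolerating a missing closing quote.
    const masked = payload.replace(/("credentials"\s*:\s*")(?:[^"\\]|\\.)*"?/g, `$1${MASK}"`);
    return { line: prefix + masked, finding: masked === payload ? null : { dn: null } };
  }
  const isBind = msg !== null && typeof msg === 'object' &&
    msg.protocolOp === 'BindRequest' && typeof msg.credentials === 'string';
  if (!isBind) return { line, finding: null };
  // A value made only of asterisks was already masked by whoever posted the log.
  const exposed = msg.credentials.length > 0 && !/^\*+$/.test(msg.credentials);
  const dn = msg.name;
  msg.credentials = MASK;
  return { line: prefix + JSON.stringify(msg), finding: exposed ? { dn } : null };
}

// Redact a whole log; findings list the line numbers and bind DNs that leaked a secret.
function redactLog(text) {
  const findings = [];
  const lines = text.split('\n').map((raw, i) => {
    const { line, finding } = redactLine(raw);
    if (finding) findings.push({ lineNumber: i + 1, dn: finding.dn });
    return line;
  });
  return { text: lines.join('\n'), findings };
}

// Constructed sample lines in the shape of the log above (values are made up).
const SAMPLE_LOG = [
  "verdaccio_1  |  info <-- 172.17.0.1 requested 'POST /-/verdaccio/login'",
  'verdaccio_1  |  trace--- sending request {"messageID":1,"protocolOp":"BindRequest","version":3,"name":"cn=svc,dc=example,dc=com","authenticationType":"Simple","credentials":"constructed-secret","controls":[]}',
  'verdaccio_1  |  trace--- sending request {"messageID":2,"protocolOp":"SearchRequest","scope":"sub","filter":"(uid=me)","attributes":[],"controls":[]}',
  'verdaccio_1  |  trace--- sending request {"messageID":1,"protocolOp":"BindRequest","name":"uid=me,ou=users,dc=example,dc=com","credentials":"pa\\"ss',
].join('\n');

console.log(redactLog(SAMPLE_LOG).text);
```

Any password that has appeared in a shared log should be rotated, since masking the text afterwards does not undo the exposure.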

No. I never managed to make it work. I have a bit experience with LDAP unfortunately 😢

@juanpicado I managed to make everything work using 2.0.0 of the ldap plugin.
If you still can't make it work after doing the upgrade, can you post your version of both the plugin and verdaccio and,
if you use Docker, the Dockerfile, your config.yaml, and the LDAP permissions strategy? Maybe I can help.

@juanpicado I am opening an issue as it appears I still have an issue with my group. I will come back ASAP when I confirm my configuration is working for you.

@juanpicado I finally managed to make it work.

All the details for reproduction are given here: Alexandre-io/verdaccio-ldap#29

I am using a front SSL proxy and verdaccio in http. Without this, with the version used, there is no reason it does not work for ya.

Let me know if you still encounter an issue after that, and given the complete reproduction, I may help.