
nginx-ldap-auth's People

Contributors

cheyilin, gered, icicimov, jesusro, tiagoapimenta


nginx-ldap-auth's Issues

Different endpoints for different groups

Hi,
Is it possible to generate different endpoints with different authentication configurations?

For example.

nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth.default.svc.cluster.local:5555/config1

nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth.default.svc.cluster.local:5555/config2

So each endpoint has different authentication filters.

Escape characters

Hi,
We have a problem with some characters in our AD. For example, in the groups we have member: CN=Username\,Name, something like that, and the problem is the \ and we got this error log:

2019/05/13 14:04:45 Could not validate user <redacted>: LDAP Result Code 201 "Filter Compile Error": ldap: invalid characters for escape in filter.

Maybe it would be good to escape these characters (hashicorp/vault#1030 (comment)) using the function ldap.EscapeFilter. I think the problem is on the id variable, but this is because of my groups.

Regards
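
The failure reported above, reproduced as an added example that is not part of the original issue or the project's code: a DN containing `\,` is placed into a filter raw and then hex-escaped. `escapeFilterValue` is a standard-library stand-in for `ldap.EscapeFilter` covering the characters RFC 4515 reserves; `memberFilter`, the filter template and the sample DN are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

const hexDigits = "0123456789abcdefABCDEF"

// escapeFilterValue hex-escapes the bytes RFC 4515 reserves inside a filter
// assertion value: NUL, '(', ')', '*' and '\'.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case 0, '(', ')', '*', '\\':
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// validFilterEscapes reports whether every backslash in f is followed by two
// hex digits, the only escape form allowed in a filter string.
func validFilterEscapes(f string) bool {
	for i := 0; i < len(f); i++ {
		if f[i] != '\\' {
			continue
		}
		if i+2 >= len(f) || strings.IndexByte(hexDigits, f[i+1]) < 0 ||
			strings.IndexByte(hexDigits, f[i+2]) < 0 {
			return false
		}
		i += 2
	}
	return true
}

// memberFilter is a hypothetical group-membership filter template.
func memberFilter(dn string, escape bool) string {
	if escape {
		dn = escapeFilterValue(dn)
	}
	return "(member=" + dn + ")"
}

func main() {
	dn := `CN=Username\,Name,OU=Users,DC=example,DC=com` // constructed sample DN
	fmt.Println(memberFilter(dn, false), validFilterEscapes(memberFilter(dn, false)))
	fmt.Println(memberFilter(dn, true), validFilterEscapes(memberFilter(dn, true)))
}
```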

requiredGroups never checked

Hi,
It seems like in the validate function at line 57
if ok || p.required == nil || len(p.required) == 0 { return err == nil, nil }

that "ok ||" causes the groups check to always be skipped.

Nginx returns 500

Hi,

I am trying to set up nginx-ldap-auth with nginx ingress 0.21.0 but as soon as I add the annotation to one ingress, Nginx returns a 500. The nginx log does not show any error and the pod log does not show anything either besides:

Loaded config "/etc/nginx-ldap-auth/config.yaml".
Serving...

I can reach the nginx-ldap-auth service within the cluster on any pod, so the URL given to Nginx is correct. Any idea what could be the issue?

Thanks in advance.

LDAP connection errors seem not to be recovered

Hello,

If the LDAP connection is temporarily lost, nginx-ldap-auth seems unable to recover.

Steps to reproduce:

  • Start nginx-ldap-auth
      Loaded config "/etc/nginx-ldap-auth/config.yaml".
      Serving...
  • Stop LDAP endpoint
  • Try to authenticate with a user XXXXXX (this should fail as the LDAP endpoint is stopped)
      2018/11/12 08:53:44 Could not validade user XXXXXX: LDAP Result Code 200 "Network Error": ldap: connection closed
  • Restart the LDAP endpoint
  • It seems that we are not able to login again with any user

I don't know how to recover the LDAP connection...

Regards,

Keep up the good job!

OPTIONS requests

HTTP OPTIONS requests typically skip authorization because credentials are always omitted in CORS requests -- is there a way we can configure this behavior?

Motivation:

I have two apps,
calls.example.com and calls-api.example.com and am trying to share credentials between them. Calls from the web to api fail on OPTIONS requests because auth is required, but not permitted per the specification.

Leaving the password field empty bypasses authentication

I have deployed nginx-ldap-auth with nginx-ingress controller on GKE. I have enabled group validation. When a valid username that is a member of the group is provided, password field can be left empty. This is a security issue and can grant access to anyone who knows a valid username.
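
The issue does not identify the cause. One well-known way to get this symptom is the LDAP "unauthenticated bind" of RFC 4513 section 5.1.2, where a simple bind with a DN and a zero-length password can return success; the added example below (not the project's code) shows that behaviour against a constructed fake directory and the guard that rejects empty passwords before binding. The `binder` interface, `fakeDirectory` and both auth functions are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// binder is the single LDAP operation this check needs (hypothetical interface).
type binder interface {
	SimpleBind(dn, password string) error
}

// fakeDirectory is a constructed stand-in for a server that permits
// unauthenticated binds: an empty password yields success without any
// credential check (RFC 4513 section 5.1.2).
type fakeDirectory struct{ passwords map[string]string }

func (d fakeDirectory) SimpleBind(dn, password string) error {
	if password == "" {
		return nil // bind "succeeds" with an anonymous authorization state
	}
	if want, ok := d.passwords[dn]; !ok || want != password {
		return errors.New("invalid credentials")
	}
	return nil
}

var errEmptyPassword = errors.New("empty password rejected before bind")

// naiveAuth treats any successful bind as proof of identity.
func naiveAuth(b binder, dn, password string) bool {
	return b.SimpleBind(dn, password) == nil
}

// guardedAuth refuses zero-length passwords so a bind result always reflects
// a real credential check.
func guardedAuth(b binder, dn, password string) error {
	if password == "" {
		return errEmptyPassword
	}
	return b.SimpleBind(dn, password)
}

func main() {
	alice := "uid=alice,ou=people,dc=example,dc=com" // constructed sample entry
	dir := fakeDirectory{passwords: map[string]string{alice: "s3cret"}}
	fmt.Println("naive, empty password:", naiveAuth(dir, alice, ""))
	fmt.Println("guarded, empty password:", guardedAuth(dir, alice, ""))
	fmt.Println("guarded, correct password:", guardedAuth(dir, alice, "s3cret"))
}
```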

all passwords are accepted if user exists

What could cause a situation like this? I successfully set up nginx-ldap-auth on a kubernetes cluster and everything seemed to work: random made-up usernames and passwords got rejected, and existing users can auth and get to the backend site.
But now I discovered that any random password is accepted as long as the user exists.
How can I best debug this? Where/How are passwords checked against ldap?

enhancement: selectively LDAP authentication based on label or taint

Hi, this container is working perfectly! Not sure if this is possible or easy; I was asked to add an application that can handle authentication itself, so no need to use LDAP. One solution is to use another nginx-ingress. But I was just wondering if it was possible to only use LDAP authentication when label=nginx-ldap-auth in the service definition is set, for example? Otherwise, it works like a charm. Thanks/Frederic

Basic auth stopped working after upgrading to kubernetes 1.16

After upgrading to kubernetes 1.16 the system stopped prompting for basic auth and automatically opens the downstream service.

It looks like the nginx-ingress is totally ignoring the nginx.ingress.kubernetes.io/auth-url annotation.
