[GH-ISSUE #15] Fail to get group membership #4

Open
opened 2026-03-02 03:44:34 +03:00 by kerem · 0 comments
Owner

Originally created by @virdb on GitHub (Nov 13, 2023).
Original GitHub issue: https://github.com/dignajar/another-ldap/issues/15

Deployed using the following config-map to match my infra:

```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: another-ldap
  namespace: another-ldap-app
data:
  LDAP_ENDPOINT: "ldap://xxx.xxx.xxx.xx:389"
  LDAP_MANAGER_DN_USERNAME: "uid=admin,ou=people,dc=mydomain,dc=local"
  LDAP_BIND_DN: "uid={username},ou=people,dc=mydomain,dc=local"
  LDAP_SEARCH_BASE: "ou=people,dc=mydomain,dc=local"
  LDAP_SEARCH_FILTER: "(uid={username})"
  LOG_LEVEL: "DEBUG"
  LOG_FORMAT: "JSON"
  BRUTE_FORCE_PROTECTION: "False"
  BRUTE_FORCE_EXPIRATION: "5"
  BRUTE_FORCE_FAILURES: "3"
  COOKIE_DOMAIN: ""
  METADATA_TITLE: "Authentication & Authorization System"
  METADATA_DESCRIPTION: ""
  METADATA_FOOTER: "Powered by Another LDAP"
  PERMANENT_SESSION_LIFETIME: "7"
```

Then applied the following ingress to my service:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service-ingress
  namespace: service-namespace
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-url: https://another-ldap-service.another-ldap-app.svc.cluster.local/auth
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header Ldap-Allowed-Groups "storage-admin";
    nginx.ingress.kubernetes.io/server-snippet: |
      error_page 401 = @login;
      location @login {
        return 302 https://another-ldap.mydomain.tld/?protocol=$pass_access_scheme&callback=$host;
      }
spec:
  rules:
  - host: service.mydomain.tld
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-frontend
            port:
              number: 80
  ingressClassName: nginx
```

Logs during the authentication of a valid user (marco) who is a member of the "storage-admin" group (cn=storge-admin,ou=groups,dc=mydomain,dc=local):

```
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Before-all."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "/auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authenticating user via LDAP.", "username": "marco", "finalUsername": "uid=marco,ou=people,dc=mydomain,dc=local"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authentication successful via LDAP.", "username": "marco", "elapsedTime": "0.10276222229003906"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authentication successful."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Getting user's groups."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "ERROR", "objectName": "Aldap", "ip": "192.168.1.36", "message": "There was an error trying to bind: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': []}"}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Validating AD groups.", "username": "marco", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Invalid groups for the user.", "username": "marco", "matchedGroups": "", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authorization failed."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "After-all."}
10.244.3.108 - - [13/Nov/2023 14:19:43] "GET /auth HTTP/1.1" 401 -
```

What am I doing wrong? It seems the authentication part works fine (I see the "Welcome" screen), but the group membership check fails.
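The log above records two separate binds: the user's own bind (which succeeds, so authentication passes) and a second bind made right after "Getting user's groups.", which fails with LDAP result 49 (invalidCredentials). The empty `matchedGroups` that follows is therefore the outcome of a failed group lookup, not evidence about marco's membership. The posted ConfigMap also sets a manager DN but carries no password key at all (a bind password, if one is needed, belongs in a Secret rather than a ConfigMap anyway), and it points at a plaintext `ldap://` endpoint over which a manager bind would travel unencrypted. The script below is an added example, not code from the issue or from the another-ldap project: it parses the JSON log lines the issue quotes (embedded here as constructed sample input, trimmed to the relevant entries) and the ConfigMap keys, and turns that sequence into named findings so an operator can separate "group lookup could not run" from "user is genuinely not in the allowed groups". The finding names and the assumption that any key containing `PASSWORD` denotes the bind secret are the example's own.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample input: the JSON log entries quoted in the issue, trimmed to the
# ones that matter for the group lookup, plus the trailing access-log line.
SAMPLE_LOG = """\
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authenticating user via LDAP.", "username": "marco", "finalUsername": "uid=marco,ou=people,dc=mydomain,dc=local"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authentication successful via LDAP.", "username": "marco", "elapsedTime": "0.10276222229003906"}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Getting user's groups."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "ERROR", "objectName": "Aldap", "ip": "192.168.1.36", "message": "There was an error trying to bind: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': []}"}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Validating AD groups.", "username": "marco", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Invalid groups for the user.", "username": "marco", "matchedGroups": "", "allowedGroups": "storage-admin", "conditional": "or"}
10.244.3.108 - - [13/Nov/2023 14:19:43] "GET /auth HTTP/1.1" 401 -
"""

# Constructed sample: the security-relevant keys of the ConfigMap quoted in the issue.
SAMPLE_CONFIGMAP: Dict[str, str] = {
    "LDAP_ENDPOINT": "ldap://xxx.xxx.xxx.xx:389",
    "LDAP_MANAGER_DN_USERNAME": "uid=admin,ou=people,dc=mydomain,dc=local",
    "LDAP_BIND_DN": "uid={username},ou=people,dc=mydomain,dc=local",
    "LDAP_SEARCH_BASE": "ou=people,dc=mydomain,dc=local",
    "LDAP_SEARCH_FILTER": "(uid={username})",
    "BRUTE_FORCE_PROTECTION": "False",
}

LDAP_INVALID_CREDENTIALS = 49                     # resultCode invalidCredentials (RFC 4511)
RESULT_RE = re.compile(r"'result':\s*(\d+)")      # pulls the result code out of the bind error text

Finding = Tuple[str, str]


def parse_log(text: str) -> List[dict]:
    """Return the JSON entries of a log dump; non-JSON lines (the access log) are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("{"):
            entries.append(json.loads(line))
    return entries


def diagnose_log(entries: List[dict]) -> List[Finding]:
    """Correlate the group-lookup phase with any bind error that occurs inside it."""
    findings: List[Finding] = []
    in_group_lookup = False
    bind_result = None
    for e in entries:
        msg = e.get("message", "")
        if msg == "Getting user's groups.":
            in_group_lookup = True            # from here on, binds belong to the group search
        elif in_group_lookup and e.get("level") == "ERROR" and "error trying to bind" in msg:
            m = RESULT_RE.search(msg)
            bind_result = int(m.group(1)) if m else -1
            findings.append(("GROUP_LOOKUP_BIND_FAILED", f"LDAP result {bind_result}"))
        elif msg == "Invalid groups for the user.":
            user = e.get("username", "?")
            if bind_result is not None and e.get("matchedGroups", "") == "":
                # No group search ever ran, so the empty match says nothing about membership.
                findings.append(("EMPTY_GROUPS_CAUSED_BY_BIND_FAILURE", user))
            else:
                findings.append(("USER_NOT_IN_ALLOWED_GROUPS", user))
    return findings


def diagnose_configmap(data: Dict[str, str]) -> List[Finding]:
    """Static checks on the deployed keys; a ConfigMap is not where a bind password belongs."""
    findings: List[Finding] = []
    manager = data.get("LDAP_MANAGER_DN_USERNAME")
    has_password = any("PASSWORD" in k.upper() for k in data)   # assumption: secret key name contains PASSWORD
    if manager and not has_password:
        findings.append(("MANAGER_PASSWORD_NOT_CONFIGURED", manager))
    endpoint = data.get("LDAP_ENDPOINT", "")
    if endpoint.startswith("ldap://"):
        findings.append(("PLAINTEXT_LDAP_ENDPOINT", endpoint))   # binds would cross the network unencrypted
    if data.get("BRUTE_FORCE_PROTECTION", "").lower() == "false":
        findings.append(("BRUTE_FORCE_PROTECTION_DISABLED", "BRUTE_FORCE_PROTECTION=False"))
    return findings


if __name__ == "__main__":
    for code, detail in diagnose_log(parse_log(SAMPLE_LOG)) + diagnose_configmap(SAMPLE_CONFIGMAP):
        print(f"{code}: {detail}")
```

Run against the issue's own log the script reports `GROUP_LOOKUP_BIND_FAILED` followed by `EMPTY_GROUPS_CAUSED_BY_BIND_FAILURE` for marco, which is the distinction the log's "Invalid groups for the user." warning blurs: fixing the manager bind (correct DN and a password supplied through a Secret, ideally over `ldaps://`) has to come before any conclusion about whether the `Ldap-Allowed-Groups` value matches the group's cn.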
