github.com/pinepain/ldap-auth-proxy

LDAP Auth proxy

A simple drop-in HTTP proxy for transparent LDAP authorization which is also a HTTP auth backend.

Usage

You can use pinepain/ldap-auth-proxy docker image (see available tags here) or build binary by yourself, Dockerfile and .travis.yml list all necessary steps to build it.

Usage examples could be found in examples folder.

Architecture

LDAP auth proxy could be used in two modes: as an auth backend and as a proxy:

Auth backend

Examples:

• Kubernetes ingress-nginx setup could be found in examples/k8s-ingress-nginx.
• docker-compose setup could be found in examples/auth_backend.

Proxy

and it's variation, proxy behind nginx:

Example docker-compose setup could be found in examples/proxy

Example settings for JumpCloud users:

export LDAP_SERVER='ldaps://ldap.jumpcloud.com'
export LDAP_BASE='o=<oid>,dc=jumpcloud,dc=com'
export LDAP_BIND_DN='uid=<bind user name>,ou=Users,o=<oid>,dc=jumpcloud,dc=com'
export LDAP_BIND_PASSWORD='<bind user password>'
export LDAP_USER_FILTER='(uid=%s)'
export LDAP_GROUP_FILTER='(&(objectClass=groupOfNames)(member=uid=%s,ou=Users,o=<oid>,dc=jumpcloud,dc=com))'
export GROUP_HEADER='X-Ldap-Group'
export HEADERS_MAP='X-LDAP-Mail:mail,X-LDAP-UID:uid,X-LDAP-CN:cn,X-LDAP-DN:dn'

where <oid> is your organisation id.

Notes

A zero length password is always considered invalid since it is, according to the LDAP spec, a request for "unauthenticated authentication." Unauthenticated authentication should not be used for LDAP based authentication. See section 5.1.2 of RFC-4513 <http://tools.ietf.org/html/rfc4513#section-5.1.2>_ for a description of this behavior.

Neither zero length username supported. Anonymous authentication should also not be used for LDAP based authentication. See section 5.1.1 of RFC-4513 <http://tools.ietf.org/html/rfc4513#section-5.1.1>_ for a description of that behavior.

License

ldap-auth-proxy is licensed under the MIT license.