bugy / script-server

Web UI for your scripts with execution management

LDAPS with auth/service account for query #582

Open kirtiazad opened 1 year ago

kirtiazad commented 1 year ago

Hi,

Our current LDAPS server requires a user + password for a query. How can this be added to the existing configuration? We need to log in to the CN first for the queries (the CN is a service account for the query).

CN=qwert,ou=Applications,dc=xyz,dc=com

If we do the below configuration, then we are only able to log in with cn qwert.

username: qwert password: XXXX

{
  "auth": {
    "type": "ldap",
    "url": "LDAPS://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx636",
    "username_pattern": "CN=qwert,ou=Applications,dc=xyz,dc=com",
    "version": 3,
    "base_dn": "dc=xyz,dc=com"
  }
}

But if we use the below configuration, then we are unable to log in with the actual user.

uid=abc,ou=People,ou=Internal,dc=xyz,dc=com

{
  "auth": {
    "type": "ldap",
    "url": "LDAPS://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx636",
    "username_pattern": "uid=$username,ou=People,ou=Internal,dc=xyz,dc=com",
    "version": 3,
    "base_dn": "dc=xyz,dc=com"
  }
}

Thanks!

bugy commented 1 year ago

Hi @kirtiazad, I'm not an LDAP expert, but I assume that a user should be able to query his own data without any extra credentials. Could the problem be with dn=xyz,dn=com? In some places you use dn, in others you use dc. I.e. you say that for the abc user it should be dn, but you specify dc in the username pattern.

kirtiazad commented 1 year ago

@bugy updated the issue. Wrongly mentioned dn instead of dc. If I try a direct login with the user, it throws the error "invalid credentials", but if I log in with the CN it just works.

We implemented LDAP in a Java application which has managerDn and manager password; there we passed the CN username and password (https://docs.camunda.org/manual/7.8/installation/full/jboss/configuration/#ldap). Does Script Server support any such configuration?
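The two authentication flows being compared in this thread, as an added example that is not script-server's or Camunda's own code: a pattern-based simple bind (the DN is built from `username_pattern` and bound directly) versus a managerDn-style search-then-bind (a service account binds first, searches for the user's DN under `base_dn`, then the user's own DN is bound). The in-memory directory, its entries and passwords are constructed for illustration, and the helper names (`simple_bind`, `search`, `bind_with_pattern`, `search_then_bind`) are hypothetical. The second flow is the one that also succeeds when a user's entry does not sit where the pattern expects it; a real directory can of course reject a direct bind for other reasons as well.

```python
"""Simple bind vs. service-account search-then-bind, simulated offline.

Added example, not script-server's own implementation. DIRECTORY is a
constructed stand-in for an LDAP server; the helpers are hypothetical.
"""
from string import Template

# Constructed fake directory: normalized DN -> (attributes, password).
DIRECTORY = {
    "cn=qwert,ou=applications,dc=xyz,dc=com": ({"cn": "qwert"}, "svc-secret"),
    "uid=abc,ou=people,ou=internal,dc=xyz,dc=com": ({"uid": "abc"}, "abc-pass"),
    # A second user living in a different OU than the one in the pattern.
    "uid=def,ou=people,ou=external,dc=xyz,dc=com": ({"uid": "def"}, "def-pass"),
}


def normalize_dn(dn):
    """Lower-case and trim each RDN so 'CN=qwert, ou=X' matches 'cn=qwert,ou=x'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def simple_bind(dn, password):
    """Emulates an LDAP simple bind: succeeds only if the exact DN exists
    and the password matches. No search is involved."""
    entry = DIRECTORY.get(normalize_dn(dn))
    return entry is not None and entry[1] == password


def search(base_dn, attr, value):
    """Emulates a subtree search under base_dn for attr=value; returns DNs."""
    base = normalize_dn(base_dn)
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if dn.endswith(base) and attrs.get(attr) == value]


def bind_with_pattern(username_pattern, username, password):
    """script-server style flow: substitute $username into the pattern and
    perform a single simple bind with the resulting DN."""
    dn = Template(username_pattern).substitute(username=username)
    return simple_bind(dn, password)


def search_then_bind(manager_dn, manager_password, base_dn,
                     user_attr, username, password):
    """managerDn style flow: bind as the service account, locate the user's
    DN by searching base_dn, then bind as the user to check the password."""
    if not simple_bind(manager_dn, manager_password):
        return False  # service account credentials rejected
    matches = search(base_dn, user_attr, username)
    if len(matches) != 1:
        return False  # no such user, or an ambiguous match
    return simple_bind(matches[0], password)


if __name__ == "__main__":
    PATTERN = "uid=$username,ou=People,ou=Internal,dc=xyz,dc=com"
    MANAGER = "CN=qwert,ou=Applications,dc=xyz,dc=com"
    for user, pw in (("abc", "abc-pass"), ("def", "def-pass")):
        print(user, "pattern bind:", bind_with_pattern(PATTERN, user, pw),
              "search-then-bind:",
              search_then_bind(MANAGER, "svc-secret", "dc=xyz,dc=com",
                               "uid", user, pw))
```

Running the block shows `abc` authenticating under both flows, while `def` (placed in `ou=External`) only authenticates through the service-account search, since the fixed pattern produces a DN that does not exist.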

bugy commented 1 year ago

Hi @kirtiazad, script server just performs a simple bind to the LDAP server. So if the credentials are not working, then there is not much which script server can do. Also, this CN account shouldn't be needed for script server (it might be needed to load groups, but authentication should work without it, since there are no queries performed).

You can try 2 things: