cesanta / docker_auth

Authentication server for Docker Registry 2
Apache License 2.0

Auth with LDAP error #73

Open lakwarus opened 8 years ago

lakwarus commented 8 years ago

Hi,

I tried with LDAP auth and am getting the following error. I used cesanta/docker_auth:stable. My config is below. Any idea?

    ldap_auth:
      addr: "ldap://ldap.xxx.com:389"
      tls: true
      # In case bind DN and password is required for querying user information,
      # specify them here. Plain text password is read from the file.
      bind_dn: "uid=docker,ou=staff,dc=xxx,dc=com"
      bind_password_file: "config/pass.txt"
      # User query settings. ${account} is expanded from auth request
      base: "ou=staff,dc=xxx,dc=com"
      filter: "(&(uid=${account})(objectClass=person))"

Error:

    I0318 05:19:09.615764 1 server.go:1934] http: panic serving 192.168.56.190:53095: runtime error: invalid memory address or nil pointer dereference
    goroutine 33 [running]:
    net/http.(*conn).serve.func1(0xc820216000, 0x7f2bb0bed060, 0xc820214000)
        /usr/local/go/src/net/http/server.go:1287 +0xb5
    github.com/go-ldap/ldap.(*Conn).Close(0x0)
        /go/src/github.com/cesanta/docker_auth/auth_server/Godeps/_workspace/src/github.com/go-ldap/ldap/conn.go:132 +0x6d
    github.com/go-ldap/ldap.(*Conn).Bind(0x0, 0xc82005b950, 0x22, 0xc8202e5560, 0x14, 0x0, 0x0)
        /go/src/github.com/cesanta/docker_auth/auth_server/Godeps/_workspace/src/github.com/go-ldap/ldap/bind.go:94 +0x3c
    github.com/cesanta/docker_auth/auth_server/authn.(*LDAPAuth).bindReadOnlyUser(0xc82002a090, 0x0, 0x0, 0x0)
        /go/src/github.com/cesanta/docker_auth/auth_server/authn/ldap_auth.go:101 +0x266
    github.com/cesanta/docker_auth/auth_server/authn.(*LDAPAuth).Authenticate(0xc82002a090, 0xc8202f0152, 0x6, 0xc820218547, 0x9, 0x0, 0x0, 0x0)
        /go/src/github.com/cesanta/docker_auth/auth_server/authn/ldap_auth.go:67 +0x11d
    github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).Authenticate(0xc8201449c0, 0xc8202d2f00, 0x11, 0x0, 0x0)
        /go/src/github.com/cesanta/docker_auth/auth_server/server/server.go:167 +0x11e
    github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).doAuth(0xc8201449c0, 0x7f2bb0bed690, 0xc8202c1b80, 0xc8202a5180)
        /go/src/github.com/cesanta/docker_auth/auth_server/server/server.go:314 +0x3b3
    github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).ServeHTTP(0xc8201449c0, 0x7f2bb0bed690, 0xc8202c1b80, 0xc8202a5180)
        /go/src/github.com/cesanta/docker_auth/auth_server/server/server.go:286 +0x1ef
    net/http.serverHandler.ServeHTTP(0xc8201b5b00, 0x7f2bb0bed690, 0xc8202c1b80, 0xc8202a5180)
        /usr/local/go/src/net/http/server.go:1862 +0x19e
    net/http.(*conn).serve(0xc820216000)
        /usr/local/go/src/net/http/server.go:1361 +0xbee
    created by net/http.(*Server).Serve
        /usr/local/go/src/net/http/server.go:1910 +0x3f6

mcallaway commented 8 years ago

I got this too.

mcallaway commented 8 years ago

Not sure if this helps you, but I got my setup working. Things I discovered:

In the docker registry config.yml, the rootcertbundle is not the CA cert, but the server crt used by the auth service.

    rootcertbundle: "/etc/docker/registry/server.crt"

The following configurations of the auth service failed:

    addr: "ldap://ipa1.my.domain.com/cn=users,cn=accounts,dc=gsc,dc=wustl,dc=edu?uid?sub?(objectClass=posixAccount)"

You can't use a URL in the "addr" attribute; it fails with unknown port "tcp///ipa1.my.domain.com/cn".

    addr: "ipa1.my.domain.com"

You need to add the port; it fails with "missing port".

    addr: "ipa1.my.domain.com:389"
    tls: none

The above config worked, but was unencrypted.

    addr: "ipa1.my.domain.com:389"
    tls: "always"

The above failed with: "tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config"

    addr: "ipa1.my.domain.com:636"
    tls: "none"

The above times out.

    addr: "ipa1.my.domain.com:389"
    tls: "always"
    insecure_tls_skip_verify: true

I found that config option in the sources, but it fails with: "authn #2 returned error: LDAP Result Code 200 "": EOF"

Finally, the following worked:

    addr: "ipa1.my.domain.com:389"
    tls: "starttls"
    insecure_tls_skip_verify: true
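The failures listed above (a URL in addr, a missing port, and the "either ServerName or InsecureSkipVerify must be specified" error) all come from how the addr value is turned into a dial target and a tls.Config. The following is an added example, not docker_auth's own code: a validator that rejects URL-style and port-less addr values and builds a tls.Config with ServerName pinned to the host, so the go-ldap error is satisfied without turning verification off. The LDAPTLSOptions type and ldapTLSConfig function are hypothetical names; the optional CA bundle is the verifying alternative to insecure_tls_skip_verify.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"strings"
)

// LDAPTLSOptions mirrors the ldap_auth settings discussed in this thread (hypothetical type).
type LDAPTLSOptions struct {
	Addr       string // host:port, e.g. "ipa1.my.domain.com:389"
	CAPEM      []byte // optional PEM bundle for the LDAP server's CA; nil means system roots
	SkipVerify bool   // insecure_tls_skip_verify: disables certificate verification entirely
}

// ldapTLSConfig validates Addr and returns a tls.Config whose ServerName is the
// host part of Addr, which is what go-ldap requires when verification is on.
func ldapTLSConfig(o LDAPTLSOptions) (*tls.Config, error) {
	// net.SplitHostPort would split "ldap://host/..." at the scheme colon and
	// hand a garbage port to the dialer (the "unknown port" error above), so
	// reject URLs explicitly.
	if strings.Contains(o.Addr, "://") {
		return nil, fmt.Errorf("addr %q must be host:port, not a URL", o.Addr)
	}
	host, _, err := net.SplitHostPort(o.Addr) // yields "missing port in address" for a bare host
	if err != nil {
		return nil, fmt.Errorf("addr %q: %w", o.Addr, err)
	}
	cfg := &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}
	if o.SkipVerify {
		cfg.InsecureSkipVerify = true // accepts any certificate; a tampered server goes unnoticed
		return cfg, nil
	}
	if o.CAPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(o.CAPEM) {
			return nil, errors.New("ca bundle: no PEM certificates found")
		}
		cfg.RootCAs = pool // trust only the configured CA for this LDAP connection
	}
	return cfg, nil
}

func main() {
	for _, addr := range []string{"ldap://ipa1.my.domain.com/cn=users", "ipa1.my.domain.com", "ipa1.my.domain.com:389"} {
		cfg, err := ldapTLSConfig(LDAPTLSOptions{Addr: addr})
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("ok: ServerName=%s verify=%v\n", cfg.ServerName, !cfg.InsecureSkipVerify)
	}
}
```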

carsonoid commented 8 years ago

closed by #89

lakwarus commented 8 years ago

It works for me :). Thanks!

nagarjung commented 8 years ago

Hi @rojer cc @lakwarus

I tried using this docker image to set up a private registry with authentication enabled using LDAP. I passed my cert and key to the docker run command that was mentioned in the README file.

    docker run --rm -it --name docker_auth -p 5001:5001 -v /home/ubuntu/docker_auth/config:/config:ro -v /var/log/docker_auth:/logs cesanta/docker_auth:stable --v=2 --alsologtostderr /config/auth_config.yml

Files in the config directory /home/ubuntu/docker_auth/config:

    auth_config.yml
    server.crt
    server.key

I have copied the auth_config file to the container, also the cert and key.

I am unable to figure out which URL to pass to docker login corresponding to the certificate domain. Could you help me with the location where I can specify the domain for my registry?

Thanks

kcd83 commented 7 years ago

@nagarjung `docker login URL`, where URL is the registry. The docker_auth must be resolvable by the docker CLI as defined in the registry config.yml:

auth:
  token:
     realm: "https://example.com:5001/auth" # or REGISTRY_AUTH_TOKEN_REALM
     service: "Docker registry"

The cert and key in docker_auth's auth_config.yml must be for that realm URL (https://example.com).

zapp42 commented 11 months ago

I think this issue can be closed, right?