Open lakwarus opened 8 years ago
I got this too.
Not sure if this helps you, but I got my setup working. Things I discovered:
In the docker registry config.yml, the rootcertbundle is not the CA cert, but the server crt used by the auth service.
rootcertbundle: "/etc/docker/registry/server.crt"
The following configurations of the auth service failed:
addr: "ldap://ipa1.my.domain.com/cn=users,cn=accounts,dc=gsc,dc=wustl,dc=edu?uid?sub?(objectClass=posixAccount)"
You can't use a URL in the "addr" attribute, fails with unknown port "tcp///ipa1.my.domain.com/cn"
addr: "ipa1.my.domain.com"
You need to add port, fails with "missing port".
addr: "ipa1.my.domain.com:389"
tls: none
The above config worked, but was unencrypted.
addr: "ipa1.my.domain.com:389"
tls: "always"
The above failed with: "tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config"
addr: "ipa1.my.domain.com:636"
tls: "none"
The above times out.
addr: "ipa1.my.domain.com:389"
tls: "always"
insecure_tls_skip_verify: true
I found that config option in the sources, but it fails with: "authn #2 returned error: LDAP Result Code 200 "": EOF"
Finally, the following worked:
addr: "ipa1.my.domain.com:389"
tls: "starttls"
insecure_tls_skip_verify: true
closed by #89
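An added check, not part of this thread or of docker_auth itself, that encodes the addr/tls/port failure modes listed above and flags the certificate-verification weakness in the final working config (insecure_tls_skip_verify: true). It assumes the ldap_auth block has already been loaded into a dict (for example with yaml.safe_load) and that the docker_auth version in use supports a ca_certificate option.

```python
from typing import Any, Dict, List

VALID_TLS = {"none", "always", "starttls"}

# Constructed sample: the "finally worked" block from the comment above.
PAGE_WORKING_CONFIG = {
    "addr": "ipa1.my.domain.com:389",
    "tls": "starttls",
    "insecure_tls_skip_verify": True,
}

# Constructed sample: the same block with certificate verification kept on.
# The ca_certificate key is assumed to exist in the docker_auth version in use.
HARDENED_CONFIG = {
    "addr": "ipa1.my.domain.com:389",
    "tls": "starttls",
    "ca_certificate": "/config/ldap-ca.crt",
}


def lint_ldap_auth(ldap: Dict[str, Any]) -> List[str]:
    """Return findings for a docker_auth ldap_auth block; [] means nothing was flagged."""
    findings: List[str] = []
    addr = str(ldap.get("addr", ""))
    tls = str(ldap.get("tls", "")).lower()

    # addr is host:port only; a scheme makes docker_auth fail with "unknown port".
    if "://" in addr:
        findings.append('addr is a URL; use host:port ("unknown port" error)')
        addr = addr.split("://", 1)[1]
    _host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        findings.append('addr has no port ("missing port" error)')
        port = ""

    if tls not in VALID_TLS:
        findings.append("tls must be one of: none, always, starttls")
    elif tls == "none":
        findings.append("tls: none sends the bind password in cleartext")
        if port == "636":
            findings.append("port 636 expects TLS from the first byte; tls: none times out")
    else:
        if tls == "always" and port == "389":
            findings.append("tls: always on plaintext port 389; use starttls on 389 or always on 636")
        if ldap.get("insecure_tls_skip_verify") is True:
            findings.append("insecure_tls_skip_verify: true disables server certificate "
                            "verification; set ca_certificate to the directory's CA instead")
        elif not ldap.get("ca_certificate"):
            findings.append("no ca_certificate: verification relies on the system trust "
                            "store, which fails for a private CA")
    return findings
```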
It works for me :). Thanks!
Hi @rojer cc @lakwarus
I tried using this docker image to set up a private registry with authentication enabled using LDAP. I passed my cert and key to the docker run command that was mentioned in the README file.
docker run --rm -it --name docker_auth -p 5001:5001 -v /home/ubuntu/docker_auth/config:/config:ro -v /var/log/docker_auth:/logs cesanta/docker_auth:stable --v=2 --alsologtostderr /config/auth_config.yml
Files in the config directory /home/ubuntu/docker_auth/config:
auth_config.yml
server.crt
server.key
I have copied the auth_config file to the container, along with the cert and key.
I am unable to figure out which URL to pass to docker login corresponding to the certificate domain. Could you help me with the location where I can specify the domain for my registry?
Thanks
@nagarjung docker login URL
where URL is the registry. docker_auth must be resolvable by the docker CLI, as defined in the registry config.yml:
auth:
  token:
    realm: "https://example.com:5001/auth" # or REGISTRY_AUTH_TOKEN_REALM
    service: "Docker registry"
The cert and key in docker_auth's auth_config.yml must be for that realm URL (https://example.com).
I think this issue can be closed, right?
Hi,
I tried with LDAP auth and am getting the following error. I used cesanta/docker_auth:stable. My config is below. Any idea?
ldap_auth:
  addr: "ldap://ldap.xxx.com:389"
  tls: true
  # In case bind DN and password is required for querying user information,
  # specify them here. Plain text password is read from the file.
  bind_dn: "uid=docker,ou=staff,dc=xxx,dc=com"
  bind_password_file: "config/pass.txt"
  # User query settings. ${account} is expanded from auth request
  base: "ou=staff,dc=xxx,dc=com"
  filter: "(&(uid=${account})(objectClass=person))"
Error:
I0318 05:19:09.615764 1 server.go:1934] http: panic serving 192.168.56.190:53095: runtime error: invalid memory address or nil pointer dereference
goroutine 33 [running]:
net/http.(*conn).serve.func1(0xc820216000, 0x7f2bb0bed060, 0xc820214000)
    /usr/local/go/src/net/http/server.go:1287 +0xb5
github.com/go-ldap/ldap.(*Conn).Close(0x0)
    /go/src/github.com/cesanta/docker_auth/auth_server/Godeps/_workspace/src/github.com/go-ldap/ldap/conn.go:132 +0x6d
github.com/go-ldap/ldap.(*Conn).Bind(0x0, 0xc82005b950, 0x22, 0xc8202e5560, 0x14, 0x0, 0x0)
    /go/src/github.com/cesanta/docker_auth/auth_server/Godeps/_workspace/src/github.com/go-ldap/ldap/bind.go:94 +0x3c
github.com/cesanta/docker_auth/auth_server/authn.(*LDAPAuth).bindReadOnlyUser(0xc82002a090, 0x0, 0x0, 0x0)
    /go/src/github.com/cesanta/docker_auth/auth_server/authn/ldap_auth.go:101 +0x266
github.com/cesanta/docker_auth/auth_server/authn.(*LDAPAuth).Authenticate(0xc82002a090, 0xc8202f0152, 0x6, 0xc820218547, 0x9, 0x0, 0x0, 0x0)
    /go/src/github.com/cesanta/docker_auth/auth_server/authn/ldap_auth.go:67 +0x11d
github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).Authenticate(0xc8201449c0, 0xc8202d2f00, 0x11, 0x0, 0x0)
    /go/src/github.com/cesanta/docker_auth/auth_server/server/server.go:167 +0x11e
github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).doAuth(0xc8201449c0, 0x7f2bb0bed690, 0xc8202c1b80, 0xc8202a5180)
    /go/src/github.com/cesanta/docker_auth/auth_server/server/server.go:314 +0x3b3
github.com/cesanta/docker_auth/auth_server/server.(*AuthServer).ServeHTTP(0xc8201449c0, 0x7f2bb0bed690, 0xc8202c1b80, 0xc8202a5180)
    /go/src/github.com/cesanta/docker_auth/auth_server/server/server.go:286 +0x1ef
net/http.serverHandler.ServeHTTP(0xc8201b5b00, 0x7f2bb0bed690, 0xc8202c1b80, 0xc8202a5180)
    /usr/local/go/src/net/http/server.go:1862 +0x19e
net/http.(*conn).serve(0xc820216000)
    /usr/local/go/src/net/http/server.go:1361 +0xbee
created by net/http.(*Server).Serve
    /usr/local/go/src/net/http/server.go:1910 +0x3f6