Open virdb opened 10 months ago
Deployed using the following config-map to match my infra:
```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: another-ldap
  namespace: another-ldap-app
data:
  LDAP_ENDPOINT: "ldap://xxx.xxx.xxx.xx:389"
  LDAP_MANAGER_DN_USERNAME: "uid=admin,ou=people,dc=mydomain,dc=local"
  LDAP_BIND_DN: "uid={username},ou=people,dc=mydomain,dc=local"
  LDAP_SEARCH_BASE: "ou=people,dc=mydomain,dc=local"
  LDAP_SEARCH_FILTER: "(uid={username})"
  LOG_LEVEL: "DEBUG"
  LOG_FORMAT: "JSON"
  BRUTE_FORCE_PROTECTION: "False"
  BRUTE_FORCE_EXPIRATION: "5"
  BRUTE_FORCE_FAILURES: "3"
  COOKIE_DOMAIN: ""
  METADATA_TITLE: "Authentication & Authorization System"
  METADATA_DESCRIPTION: ""
  METADATA_FOOTER: "Powered by Another LDAP"
  PERMANENT_SESSION_LIFETIME: "7"
```
Then applied the following ingress to my service:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service-ingress
  namespace: service-namespace
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-url: https://another-ldap-service.another-ldap-app.svc.cluster.local/auth
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header Ldap-Allowed-Groups "storage-admin";
    nginx.ingress.kubernetes.io/server-snippet: |
      error_page 401 = @login;
      location @login {
        return 302 https://another-ldap.mydomain.tld/?protocol=$pass_access_scheme&callback=$host;
      }
spec:
  rules:
    - host: service.mydomain.tld
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service-frontend
                port:
                  number: 80
  ingressClassName: nginx
```
Logs during the authentication of a valid user (marco), a member of the "storage-admin" group (cn=storge-admin,ou=groups,dc=mydomain,dc=local):
```
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Before-all."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "/auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authenticating user via LDAP.", "username": "marco", "finalUsername": "uid=marco,ou=people,dc=mydomain,dc=local"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authentication successful via LDAP.", "username": "marco", "elapsedTime": "0.10276222229003906"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authentication successful."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Getting user's groups."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "ERROR", "objectName": "Aldap", "ip": "192.168.1.36", "message": "There was an error trying to bind: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': []}"}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Validating AD groups.", "username": "marco", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Invalid groups for the user.", "username": "marco", "matchedGroups": "", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authorization failed."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "After-all."}
10.244.3.108 - - [13/Nov/2023 14:19:43] "GET /auth HTTP/1.1" 401 -
```
What am I doing wrong? It seems the authentication part works fine (I see the "Welcome" screen), but the group membership check fails.
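An added triage helper, not part of this issue or of the Another LDAP project: it walks JSON log lines of the shape shown above and separates the user's own bind from the second bind the application performs before the group search, so the two can be checked independently. The sample lines are constructed from the post; the `message` strings are assumed to be exactly those the application emits.

```python
import json
import re

# Constructed sample, condensed from the log lines in the issue above.
SAMPLE_LOG = """\
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authenticating user via LDAP.", "username": "marco", "finalUsername": "uid=marco,ou=people,dc=mydomain,dc=local"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authentication successful via LDAP.", "username": "marco"}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Getting user's groups."}
{"date": "2023-11-13 14:19:43", "level": "ERROR", "objectName": "Aldap", "ip": "192.168.1.36", "message": "There was an error trying to bind: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': []}"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Invalid groups for the user.", "username": "marco", "matchedGroups": "", "allowedGroups": "storage-admin", "conditional": "or"}
10.244.3.108 - - [13/Nov/2023 14:19:43] "GET /auth HTTP/1.1" 401 -
"""

# The bind error embeds a python-ldap style result dict; pull the numeric result code out of it.
RESULT_RE = re.compile(r"'result':\s*(\d+)")


def triage(log_text: str) -> dict:
    """Report which LDAP bind failed during one /auth request, from its JSON log lines."""
    phase = "user"  # "user" until the group lookup starts, then "groups"
    report = {"user_bind": "unknown", "group_lookup_bind": "not attempted", "result": None, "hint": ""}
    for raw in log_text.splitlines():
        try:
            entry = json.loads(raw)
        except ValueError:
            continue  # skip non-JSON lines such as the HTTP access log entry
        msg = entry.get("message", "")
        if msg.startswith("Authentication successful via LDAP"):
            report["user_bind"] = "ok"
        elif msg.startswith("Getting user's groups"):
            phase = "groups"
            report["group_lookup_bind"] = "ok"  # downgraded if a bind error follows
        elif entry.get("level") == "ERROR" and "error trying to bind" in msg:
            match = RESULT_RE.search(msg)
            report["result"] = int(match.group(1)) if match else None
            if phase == "groups":
                report["group_lookup_bind"] = "failed"
            else:
                report["user_bind"] = "failed"
    if report["user_bind"] == "ok" and report["group_lookup_bind"] == "failed":
        hint = "the user's own bind succeeded, but the separate bind made before the group search failed"
        if report["result"] == 49:  # LDAP resultCode 49 = invalidCredentials
            hint += " with result 49 (invalidCredentials): check the manager DN (LDAP_MANAGER_DN_USERNAME) and its password"
        report["hint"] = hint
    return report
```

Running `triage(SAMPLE_LOG)` on the lines above reports the user bind as ok and the group-lookup bind as failed with result 49.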