freman / caddy-reauth

Auth your Caddyserver requests against another server
MIT License

unable to connect to Ldap #33

Closed imran-baig-se closed 4 years ago

imran-baig-se commented 4 years ago

I am trying to enable reauth for my existing application.

Error: 06/Nov/2019:13:13:53 +0000 [ERROR 500 /login] Get http://localhost:5650: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"

my Caddyfile

    kibana-test.xxx.io:5000 {
        tls /root/config/star_tajawal_io.crt /root/config/XXXX-io-sub-domain-private-key.pem

        basicauth / kibana-test kibana-test

        jwt {
            path /
            redirect /login
        }
        reauth {
            path /
            upstream url=http://localhost:5650
            ldap url=ldap://prod-devops-freeipa-ldap-public-xxxx.eu-west-1.elb.amazonaws.com:389,timeout=5s,username=qa.xxx,password=xxxx,base="OU=Users,OU=tajawal,DC=tajawal,DC=io"
        }
        log stdout
        errors visible
    }

I am running it in a container.

Logs from Caddy:

    $ sudo docker-compose up
    Starting caddy_kibana_test ... done
    Attaching to caddy_kibana_test
    caddy_kibana_test | 2019/11/06 13:13:47 [INFO] Successfully loaded TLS assets from /root/config/star_tajawal_io.crt and /root/config/xxxx-io-sub-domain-private-key.pem
    caddy_kibana_test | Activating privacy features... done.
    caddy_kibana_test | JWT middleware is initiated
    caddy_kibana_test |
    caddy_kibana_test | Serving HTTPS on port 5000
    caddy_kibana_test | https://kibana-test.XXXX.io:5000
    caddy_kibana_test |
    caddy_kibana_test | 2019/11/06 13:13:47 [INFO] Serving https://kibana-test.xxxx.io:5000
    caddy_kibana_test | 2019/11/06 13:13:47 [INFO][cache:0xc000186f00] Started certificate maintenance routine
    caddy_kibana_test | 2019/11/06 13:13:47 [NOTICE] Sending telemetry: we were too early; waiting 19h27m31.015992392s before trying again
    caddy_kibana_test | 5.195.224.30 - - [06/Nov/2019:13:13:49 +0000] "GET /login HTTP/2.0" 500 172
    caddy_kibana_test | 5.195.224.30 - - [06/Nov/2019:13:13:49 +0000] "GET /favicon.ico HTTP/2.0" 500 178
    caddy_kibana_test | 5.19

Please advise @freman

freman commented 4 years ago

Hi

It would appear that your upstream is HTTPS and you are requesting it as HTTP.

\x15\x03\x01\x00\x02\x02 is basically the start of HTTPS (It's funny, I have written a transport that is capable of handling http and https automatically and I wonder why it was never done before)

It's basically midnight here so I'm a bit tired but if you just want ldap you don't need upstream url=http://localhost:5650

if you do need that for other reasons then try upstream url=https://localhost:5650
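The bytes quoted in the error above are a TLS record header rather than an HTTP status line, which is what the reply is pointing at. The Go program below is an added example (not caddy-reauth's code and not from this thread): it parses the first bytes of a response as a TLS record header (RFC 5246 section 6.2.1) and turns the result into the operator-facing diagnosis. The six sample bytes are the ones from the error message; the function and type names, and the plaintext sample, are the example's own.

```go
package main

import "fmt"

// SampleResponsePrefix holds the bytes net/http quoted in the
// "malformed HTTP response" error shown in the issue above.
var SampleResponsePrefix = []byte{0x15, 0x03, 0x01, 0x00, 0x02, 0x02}

// TLSRecordInfo is what can be read from the leading bytes of a TLS record.
type TLSRecordInfo struct {
	IsTLS       bool
	ContentType string // "alert", "handshake", ...
	Version     string // record-layer version, e.g. "3.1" (TLS 1.0 on the wire)
	Length      int    // record body length from the header
	AlertLevel  string // "warning" or "fatal" when ContentType is "alert" and the byte is present
}

// TLS record content types (RFC 5246 section 6.2.1).
var contentTypeNames = map[byte]string{
	0x14: "change_cipher_spec",
	0x15: "alert",
	0x16: "handshake",
	0x17: "application_data",
}

// ParseTLSRecordHeader parses the 5-byte TLS record header that a TLS
// listener sends back when a plaintext HTTP request reaches it. It is
// safe on short input and reports IsTLS=false for anything that does not
// look like a record header.
func ParseTLSRecordHeader(b []byte) TLSRecordInfo {
	var info TLSRecordInfo
	if len(b) < 5 {
		return info
	}
	name, ok := contentTypeNames[b[0]]
	// Every SSL/TLS version puts major version 3 on the wire
	// (SSL 3.0 is 3.0, TLS 1.3 still advertises 3.3/3.4 in the record layer).
	if !ok || b[1] != 0x03 || b[2] > 0x04 {
		return info
	}
	info.IsTLS = true
	info.ContentType = name
	info.Version = fmt.Sprintf("%d.%d", b[1], b[2])
	info.Length = int(b[3])<<8 | int(b[4])
	// For an alert the first body byte is the level (1 warning, 2 fatal);
	// the description byte follows it, and is absent from the sample above.
	if name == "alert" && len(b) >= 6 {
		switch b[5] {
		case 1:
			info.AlertLevel = "warning"
		case 2:
			info.AlertLevel = "fatal"
		default:
			info.AlertLevel = fmt.Sprintf("unknown(%d)", b[5])
		}
	}
	return info
}

// Advice turns the parse result into the diagnosis an operator needs.
func Advice(b []byte) string {
	info := ParseTLSRecordHeader(b)
	if !info.IsTLS {
		return "response is not a TLS record; the upstream is speaking plaintext"
	}
	msg := fmt.Sprintf("upstream answered with a TLS %s record (version %s, %d bytes)",
		info.ContentType, info.Version, info.Length)
	if info.AlertLevel != "" {
		msg += fmt.Sprintf(", level %s", info.AlertLevel)
	}
	return msg + ": it expects TLS, so the upstream URL needs an https:// scheme"
}

func main() {
	fmt.Println(Advice(SampleResponsePrefix))
	// Constructed plaintext sample for contrast.
	fmt.Println(Advice([]byte("HTTP/1.1 200 OK\r\n")))
}
```

The sample decodes as an alert record, version 3.1, body length 2, level fatal: exactly what a TLS server sends when the first thing it receives is a plaintext request line, which is why switching the scheme to https:// is the fix.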

imran-baig-se commented 4 years ago

Hello @freman

Thanks for the quick help. I have removed the upstream already; now it says invalid credentials, though I tried with many other credentials and all are good.

error : +0000 [ERROR 500 /] bind with "xxx.xx": LDAP Result Code 49 "Invalid Credentials":

Just a quick question.

Is my LDAP string correct? I am doing this with FreeIPA.

ldap url=ldap://prod-devops-freeipa-ldap-public-xxx.eu-west-1.elb.amazonaws.com:389,timeout=5s,username=imran.xxx,password="imxran.xxx",base="CN=Users,CN=tajawal,DC=tajawal,DC=io",filter="(&(memberOf=CN=group,CN=accounts,DC=xxx,DC=io)(uid=%s)(objectClass=user)(sAMAccountName=%s))"

Thanks in advance

freman commented 4 years ago

I ran that through the config parser, it parses ok.

I have spotted one more issue, the filter is limited to only one %s parameter

"(&(memberOf=CN=group,CN=accounts,DC=xxx,DC=io)(uid=%s)(objectClass=user)(sAMAccountName=%s))"

although you can cheat and use %[1]s to repeatedly use that one parameter (I'm lazy, I used the default sprintf)

Should your LDAP not be using SSL/TLS? I imagine that'd be something AWS would enforce? ldaps://

But beyond that, everything after the : (LDAP Result Code 49 "Invalid Credentials") is actually coming from LDAP, so unless one of your passwords is incorrect the module appears to be working.

If you can get your hands on the ldapsearch tool on a box that has access to the LDAP host, you can test your parameters with that much more easily and quickly. If you find a setup that works for you, let me know what it is and I'll help you with a config line for caddy-reauth.

ldapsearch -x -h prod-devops-freeipa-ldap-public-xxxx.eu-west-1.elb.amazonaws.com -D qa.xxx -w xxxx -b "OU=Users,OU=tajawal,DC=tajawal,DC=io" "(&(memberOf=CN=group,CN=accounts,DC=xxx,DC=io)(objectClass=user)(sAMAccountName=username))" "cn"
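The point about the filter taking only one %s parameter can be checked with fmt.Sprintf directly. The Go program below is an added example, not caddy-reauth's code: it renders the filter template from this thread with a single argument, shows the %!s(MISSING) marker that a two-verb template produces, shows the %[1]s form filling both slots, and escapes the substituted value per RFC 4515 section 3 before substitution. The escaping step and the function names are the example's own choices; the page does not describe how the module itself prepares the value, so this only demonstrates what a safe rendering of such a template looks like.

```go
package main

import (
	"fmt"
	"strings"
)

// TwoVerbFilter is the template from the thread (two %s verbs, one argument).
const TwoVerbFilter = "(&(memberOf=CN=group,CN=accounts,DC=xxx,DC=io)(uid=%s)(objectClass=user)(sAMAccountName=%s))"

// IndexedFilter is the same template using an explicit argument index so the
// single argument fills both slots, as suggested in the reply above.
const IndexedFilter = "(&(memberOf=CN=group,CN=accounts,DC=xxx,DC=io)(uid=%[1]s)(objectClass=user)(sAMAccountName=%[1]s))"

// EscapeFilterValue escapes a value for use inside an LDAP search filter
// (RFC 4515 section 3): '*', '(', ')', '\' and NUL become \XX hex escapes,
// so a login name can never change the shape of the filter.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// RenderFilter substitutes one escaped username into the template the way a
// single-argument Sprintf does (the one-parameter behaviour described above).
func RenderFilter(template, username string) string {
	return fmt.Sprintf(template, EscapeFilterValue(username))
}

// CheckFilter rejects a rendered filter that still carries Sprintf's own
// "%!...(MISSING)" marker, i.e. a template with more verbs than arguments,
// which would otherwise be sent to the directory as a nonsense filter.
func CheckFilter(rendered string) error {
	if strings.Contains(rendered, "%!") {
		return fmt.Errorf("filter template has more verbs than arguments: %s", rendered)
	}
	return nil
}

func main() {
	// Constructed sample login names; the second one carries filter
	// metacharacters to show the escaping.
	for _, name := range []string{"imran.xxx", "a*b(c)"} {
		for _, tpl := range []string{TwoVerbFilter, IndexedFilter} {
			r := RenderFilter(tpl, name)
			fmt.Printf("%s\n  -> check: %v\n", r, CheckFilter(r))
		}
	}
}
```

Running it shows the two-verb template ending in (sAMAccountName=%!s(MISSING)), which CheckFilter flags, while the %[1]s template yields (uid=imran.xxx)...(sAMAccountName=imran.xxx) and passes; the ldapsearch invocation above is the equivalent check against the real directory.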