Closed kichetof closed 2 years ago
Hi @kichetof, thanks for using this project.
This is already a problem I had mapped out. I'm already working on a new release to make the plugin work closer to the enterprise version of Traefik and this release will already have this problem fixed.
Hi @wiltonsr, thanks for your quick update! Glad to hear that! I'll be happy to implement it when it'll ready! :)
Hi @kichetof,
I finished the adjustments. Please test and let me know if there were any problems.
Please be aware of the changes that have occurred in the plugin parameters. You can check them here.
Hi @wiltonsr, Many thanks for this update! Login works very well! Thanks! 😎
Now, I'm looking to solve the username forwarding that seems not working:
[http.middlewares]
[http.middlewares.admin-auth.plugin.ldapAuth]
enabled = "true"
url = "ldap://x.x.x."
debug = "true"
port = "389"
baseDn = "OU=Users,DC=domain,DC=com"
userUniqueID = "sAMAccountname"
bindDN = "user"
bindPassword = "pass"
forwardUsername = "true"
forwardUsernameHeader = "Username" # already tried sAMAccountname instead
forwardAuthorization = "true"
And the access log (--> without username for LdapAuth):
BasicAuth
x.x.x.x - kichetof [07/Jan/2022:08:44:53 +0100] "GET /dashboard/ HTTP/2.0" 200 3124 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" 41 "dashboard@file" "-" 6ms
LdapAuth
x.x.x.x - - [07/Jan/2022:10:20:07 +0100] "GET /dashboard/ HTTP/2.0" 200 3124 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" 284 "dashboard-ldap@file" "-" 23ms
Hello @kichetof,
Could you try with nginx
container e post the content here, please?
In my tests works as expected.
nginx | 172.20.0.2 - tesla [07/Jan/2022:12:32:14 +0000] "GET / HTTP/1.1" 200 615 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "172.20.0.1"
Even with traefik/whoami
container, works as expected:
Hostname: f426810082e5
IP: 127.0.0.1
IP: 172.20.0.3
RemoteAddr: 172.20.0.2:43010
GET / HTTP/1.1
Host: whoami.localhost
User-Agent: curl/7.74.0
Accept: */*
Accept-Encoding: gzip
Authorization: Basic dGVzbGE6cGFzc3dvcmQ=
Username: tesla
X-Forwarded-For: 172.20.0.1
X-Forwarded-Host: whoami.localhost
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: f526d0e16655
X-Real-Ip: 172.20.0.1
Note that, if forwardAuthorization
is set to false
the Authorization
Header will be removed and consequently the other service will not be able to determine the user.
Hello @wiltonsr,
thanks for your support. Please find info about whoami:
Access log: no username
x.x.x.x - - [07/Jan/2022:15:16:18 +0100] "GET /whoami HTTP/2.0" 200 1559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" 192 "whoami@docker" "http://172.20.13.137:80" 14ms
Hostname: a03035179470
IP: 127.0.0.1
IP: 172.20.13.137
IP: 172.18.0.9
RemoteAddr: 172.20.13.135:44180
GET /whoami HTTP/1.1
Host: domain.com:9000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Authorization: Basic xxxx
Cache-Control: max-age=0
Cookie: xxx
Elastic-Apm-Traceparent: xxx
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Gpc: 1
Traceparent: xxx
Tracestate: es=s:1
Upgrade-Insecure-Requests: 1
Username: kichetof
X-Forwarded-For: x.x.x.x
X-Forwarded-Host: domain.com:9000
X-Forwarded-Port: 9000
X-Forwarded-Proto: https
X-Forwarded-Server: 552f6a95872b
X-Real-Ip: x.x.x.x
The middleware used is in my comment above. As you can see, no username appears in the access log but works well in whoami. Any ideas?
Sorry, no idea.
But the plugin is working as expected. Both, Username
and Authorization
headers are present.
I noted that in you log the request is HTTP/2.0
but in whoami
's output is HTTP/1.1
. But I dont know if its related.
In any case, I will consider the issue as resolved since the initial problem of login through a bind has already been resolved.
Exactly, the initial and main issue was solved! If I find the solution, I'll send you an update! Thanks for your great help!
Hello,
Thanks for your great plugin! Unfortunately, I can't use it because my AD doesn't support anonymous connection.
As you can see in the log, authentication failed because no bind was performed (LdapErr: DSID-0C090A71).
My middleware configuration:
In the
go-ldap
library, they're the possibility to perform a bind to the server.What do you think about added it to the plugin? (I've no knowledge in Go to create a PR 😅)
Many thanks for your help! Tof