Closed kichetof closed 2 years ago
wiltonsr
commented
2 years ago Hi @kichetof, thanks for using this project.
This is already a problem I had mapped out. I'm already working on a new release to make the plugin work closer to the enterprise version of Traefik and this release will already have this problem fixed.
kichetof
commented
2 years ago Hi @wiltonsr, thanks for your quick update! Glad to hear that! I'll be happy to implement it when it'll ready! :)
wiltonsr
commented
2 years ago Hi @kichetof,
I finished the adjustments. Please test and let me know if there were any problems.
Please be aware of the changes that have occurred in the plugin parameters. You can check them here.
kichetof
commented
2 years ago Hi @wiltonsr, Many thanks for this update! Login works very well! Thanks! 😎
Now, I'm looking to solve the username forwarding that seems not working:
[http.middlewares]
[http.middlewares.admin-auth.plugin.ldapAuth]
enabled = "true"
url = "ldap://x.x.x."
debug = "true"
port = "389"
baseDn = "OU=Users,DC=domain,DC=com"
userUniqueID = "sAMAccountname"
bindDN = "user"
bindPassword = "pass"
forwardUsername = "true"
forwardUsernameHeader = "Username" # already tried sAMAccountname instead
forwardAuthorization = "true"And the access log (--> without username for LdapAuth):
BasicAuth
x.x.x.x - kichetof [07/Jan/2022:08:44:53 +0100] "GET /dashboard/ HTTP/2.0" 200 3124 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" 41 "dashboard@file" "-" 6ms
LdapAuth
x.x.x.x - - [07/Jan/2022:10:20:07 +0100] "GET /dashboard/ HTTP/2.0" 200 3124 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" 284 "dashboard-ldap@file" "-" 23msHello @kichetof,
Could you try with nginx container e post the content here, please?
In my tests works as expected.
nginx | 172.20.0.2 - tesla [07/Jan/2022:12:32:14 +0000] "GET / HTTP/1.1" 200 615 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "172.20.0.1"Even with traefik/whoami container, works as expected:
Hostname: f426810082e5
IP: 127.0.0.1
IP: 172.20.0.3
RemoteAddr: 172.20.0.2:43010
GET / HTTP/1.1
Host: whoami.localhost
User-Agent: curl/7.74.0
Accept: */*
Accept-Encoding: gzip
Authorization: Basic dGVzbGE6cGFzc3dvcmQ=
Username: tesla
X-Forwarded-For: 172.20.0.1
X-Forwarded-Host: whoami.localhost
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: f526d0e16655
X-Real-Ip: 172.20.0.1Note that, if forwardAuthorization is set to false the Authorization Header will be removed and consequently the other service will not be able to determine the user.
kichetof
commented
2 years ago Hello @wiltonsr,
thanks for your support. Please find info about whoami:
Access log: no username
x.x.x.x - - [07/Jan/2022:15:16:18 +0100] "GET /whoami HTTP/2.0" 200 1559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" 192 "whoami@docker" "http://172.20.13.137:80" 14msHostname: a03035179470
IP: 127.0.0.1
IP: 172.20.13.137
IP: 172.18.0.9
RemoteAddr: 172.20.13.135:44180
GET /whoami HTTP/1.1
Host: domain.com:9000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Authorization: Basic xxxx
Cache-Control: max-age=0
Cookie: xxx
Elastic-Apm-Traceparent: xxx
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Gpc: 1
Traceparent: xxx
Tracestate: es=s:1
Upgrade-Insecure-Requests: 1
Username: kichetof
X-Forwarded-For: x.x.x.x
X-Forwarded-Host: domain.com:9000
X-Forwarded-Port: 9000
X-Forwarded-Proto: https
X-Forwarded-Server: 552f6a95872b
X-Real-Ip: x.x.x.xThe middleware used is in my comment above. As you can see, no username appears in the access log but works well in whoami. Any ideas?
wiltonsr
commented
2 years ago Sorry, no idea.
But the plugin is working as expected. Both, Username and Authorization headers are present.
I noted that in you log the request is HTTP/2.0 but in whoami's output is HTTP/1.1. But I dont know if its related.
In any case, I will consider the issue as resolved since the initial problem of login through a bind has already been resolved.
kichetof
commented
2 years ago Exactly, the initial and main issue was solved! If I find the solution, I'll send you an update! Thanks for your great help!
Hello,
Thanks for your great plugin! Unfortunately, I can't use it because my AD doesn't support anonymous connection.
As you can see in the log, authentication failed because no bind was performed (LdapErr: DSID-0C090A71).
My middleware configuration:
In the
go-ldaplibrary, they're the possibility to perform a bind to the server.What do you think about added it to the plugin? (I've no knowledge in Go to create a PR 😅)
Many thanks for your help! Tof