wiltonsr / ldapAuth

An open source Traefik Middleware that enables authentication via LDAP in a similar way to Traefik Enterprise
https://plugins.traefik.io/plugins/628c9eb7ffc0cd18356a979c/ldap-auth
Apache License 2.0
117 stars 10 forks

Does plugin have some form for auth #11

Closed mfominov closed 2 years ago

mfominov commented 2 years ago

Does the plugin have some form for auth?

Or maybe we can configure basic auth to pass data to the plugin?

wiltonsr commented 2 years ago

Hi,

This plugin is exclusive to LDAP Auth.

For basicAuth, you could use the official Traefik plugin.

mfominov commented 2 years ago

Does it have some form for authentication?

wiltonsr commented 2 years ago

Yes, it uses the default user and password form from basicAuth, but uses this data to bind to an LDAP server.

https://github.com/wiltonsr/ldapAuth/blob/5422bd3125730812c1a7316b363e3017dc091554/ldapauth.go#L104

mfominov commented 2 years ago

OK. It seems I have a misconfiguration, and I don't see the basic auth form with ldapAuth.

mfominov commented 2 years ago

This is my LDAP middleware configuration:

    ldap-auth:
      plugin:
        ldapAuth:
          searchFilter: (&(objectClass=inetOrgPerson)(uid=%s))
          Attribute: uid
          BaseDn: dc=os,dc=novalocal
          Enabled: "true"
          Host: ldap://ldap-server
          bindDN: uid=traefik,cn=users,cn=accounts,dc=gostech,dc=novalocal
          bindPassword: password
          LogLevel: DEBUG
          Port: "389"

wiltonsr commented 2 years ago

Check examples and test with curl.

mfominov commented 2 years ago

I only see this on the page: 401 Unauthorized Error: [no valid 'Authentication: Basic xxxx' header found in request]

wiltonsr commented 2 years ago

    curl --user tesla:password \
      -H "Host: whoami.localhost" \
      http://0.0.0.0

Test with this command. Adapt user, password, host and url to your environment.

mfominov commented 2 years ago

Some strange error: LDAP Result Code 200 "Network Error": parse ":389": missing protocol scheme

wiltonsr commented 2 years ago

This line:

Host: ldap://ldap-server

Should be:

Url: "ldap://ldap-server"

Check yml file example.

mfominov commented 2 years ago

OK, curl works fine. But I don't see any form to pass credentials. Maybe I need to add something more?

wiltonsr commented 2 years ago

Try again in an incognito tab.

mfominov commented 2 years ago

Same error in another browser and in incognito

wiltonsr commented 2 years ago

Try accessing http://logout:logout@your-url.com to see if it works.

Otherwise, try to run an example.

mfominov commented 2 years ago

Found the answer. On start I see this:

...
traefik[14295]: DEBUG: ldapAuth: 2022/03/21 17:11:36 restricted.go:51: WWWAuthenticateHeader => 'false'

Then I passed

wwwAuthenticateHeader: true

and see the basic auth form

https://github.com/wiltonsr/ldapAuth/blob/bde264ed5ec5b7cbdd4440aee71d4ab888df2bba/ldapauth.go#L187-L188
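The behaviour found above, as an added example that is not part of the thread or the plugin's own code: a Basic-auth middleware that answers 401 with or without the `WWW-Authenticate` challenge, which is what decides whether a browser opens its login dialog, while `curl --user` works either way. `Config`, `Guard`, `Probe` and the `verify` callback (standing in for the LDAP bind) are hypothetical names, and the credentials are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Config mirrors only the option discussed in this thread (hypothetical struct).
type Config struct {
	WWWAuthenticateHeader bool
	Realm                 string
}

// Guard wraps next; verify stands in for the LDAP bind (assumption, no LDAP here).
func Guard(cfg Config, verify func(user, pass string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if ok && verify(user, pass) {
			next.ServeHTTP(w, r)
			return
		}
		// Browsers only open the credential dialog when the 401 carries this challenge.
		if cfg.WWWAuthenticateHeader {
			w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", cfg.Realm))
		}
		http.Error(w, "401 Unauthorized", http.StatusUnauthorized)
	})
}

// Probe sends one request through Guard and returns the status and challenge header.
func Probe(cfg Config, user, pass string) (int, string) {
	verify := func(u, p string) bool { return u == "tesla" && p == "password" } // constructed
	h := Guard(cfg, verify, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	req := httptest.NewRequest(http.MethodGet, "http://whoami.localhost/", nil)
	if user != "" {
		req.SetBasicAuth(user, pass) // what curl --user sends without being challenged
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate")
}

func main() {
	fmt.Println(Probe(Config{WWWAuthenticateHeader: false, Realm: "ldap"}, "", ""))
	fmt.Println(Probe(Config{WWWAuthenticateHeader: true, Realm: "ldap"}, "", ""))
}
```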

wiltonsr commented 2 years ago

Glad to know that works.

wwwAuthenticateHeader is true by default.

https://github.com/wiltonsr/ldapAuth/blob/bde264ed5ec5b7cbdd4440aee71d4ab888df2bba/ldapauth.go#L68

So, unless you explicitly set it to false this problem shouldn't happen.

mfominov commented 2 years ago

I have not passed false in wwwAuthenticateHeader. I don't even have it in my config.

wiltonsr commented 2 years ago

Check if you are running the latest plugin version.

mfominov commented 2 years ago

Yep, latest

    experimental:
      plugins:
        ldapAuth:
          moduleName: "github.com/wiltonsr/ldapAuth"
          version: "v0.0.13"

wiltonsr commented 2 years ago

I will investigate this problem further.

But for now, since the issue is solved, I'll close it.