Closed miminar closed 2 years ago
wiltonsr
commented
2 years ago Hello, @miminar
You are trying to bind to a TLS LDAP server.
Unfortunately, this isn't supported yet. See #2
The intermittence is very strange, it should fail in all attempts.
wiltonsr
commented
2 years ago I will try to work on it in the next few days. But, unfortunately, I don't have a TLS LDAP server, so I will try to provide a lab server to simulate the error.
miminar
commented
2 years ago The intermittence is very strange, it should fail in all attempts.
That's strange, wireshark shows just encrypted data being exchanged back and forth. They speak both TLSv1.2
I will try to work on it in the next few days. But, unfortunately, I don't have a TLS LDAP server, so I will try to provide a lab server to simulate the error.
That would be really cool. Highly appreciated. I'll be happy to test.
wiltonsr
commented
2 years ago The backbone of ldapAuth middleware is go-ldap/v3.
That's strange, wireshark shows just encrypted data being exchanged back and forth. They speak both TLSv1.2
The TLS connection is not fully supported yet. We use DialURL to connect:
https://github.com/wiltonsr/ldapAuth/blob/dac711584f972655de2ed8a96e98908e5cbff401/ldapauth.go#L260
If you use production-ready certificates you will be fine, but if you have custom Root CA or self-signed certificates, you won't successfully connect.
But, for the last case, I was expecting to see an error like this in the logs:
LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authorityHowever, the errors that appear in your log point to an issue that ocurrs on ARM https://github.com/go-ldap/ldap/issues/195 and don't should be affecting v3.
wiltonsr
commented
2 years ago Hello, @miminar
I released version v0.0.15 with latest version of go-ldap.
Let me know if the error persists.
miminar
commented
2 years ago Thank you @wiltonsr!
If you use production-ready certificates you will be fine, but if you have custom Root CA or self-signed certificates, you won't successfully connect.
Luckily, we do have a production-ready certificate, not self-signed.
I released version v0.0.15 with latest version of go-ldap. Let me know if the error persists.
Unfortunately, it does persist. Update: although it seems that much less frequently than before (circa once in 35 attempts).
wiltonsr
commented
2 years ago Could you try some attempts from the same server where the error occurs with ldapAuth?
Here, there are some examples. You can also add -d 1 to increase debug level if the same error happens with ldapsearch.
If there isn't any error with ldapsearch too, you can try to compile a simple go example using go-ldap and try to reproduce the problem. There is a complete example in theirs docs. This approach is very similar to what we do in the middleware.
The ldapAuth only use the response from go-ldap to determine if the request will proceed or not. So, let's isolate the problem to try to determine the best solution.
miminar
commented
2 years ago Hi @wiltonsr, I tried to reproduce both with ldapsearch and an ad-hoc go binary using the upstream go-ldap lib. No luck reproducing the issue. I tried the same from both inside and outside of k8s CNI, no luck.
I haven't tried to interpret it with yaegi though. I will give it a shot.
miminar
commented
2 years ago I tried one more time to interpret the same code with yaegi 0.14.2 from inside of CNI network. Couldn't reproduce either :shrug: OTOH, intially I tried with yaegi 0.10.0 and that hanged on trying to Bind. Our traefik is 2.8.7 which is also using yaegi 0.14.2.
wiltonsr
commented
2 years ago Hi, @miminar
intially I tried with yaegi 0.10.0 and that hanged on trying to Bind.
This is expected, yaegi only supported go-ldap in v0.11.1, as described in requirements.
Could you post the error again with LogLevel: DEBUG?
If yaegi and go-ldap aren't the problem, then something is wrong with ldapAuth.
I never ran ldapAuth in k8s. So, if you can provide your k8s's architecture (CNI, Ingress Controller) I can try to reproduce it.
miminar
commented
2 years ago Hi @wiltonsr,
here is the debug log from one failed log-in attempt:
What strikes me is that there seem to be two concurrent requests resulting in one thread receiving no results and the other receiving both. Could that be the case?
ERROR: ldapAuth: 2022/10/14 05:44:58 restricted.go:51: search filter return empty result
ERROR: ldapAuth: 2022/10/14 05:44:58 restricted.go:51: Authentication failed
ERROR: ldapAuth: 2022/10/14 05:44:58 restricted.go:51: search filter return multiple entries (2)
ERROR: ldapAuth: 2022/10/14 05:44:58 restricted.go:51: Authentication failedHello @miminar,
What strikes me is that there seem to be two concurrent requests resulting in one thread receiving no results and the other receiving both. Could that be the case?
Any file requested to traefik will be translated into a new connection to LDAP server, but each of them should be individual.
I created a new branch to solve #20, could you test this and report if a cache layer solves your problem?
miminar
commented
2 years ago Thanks a lot! With that I can't reproduce anymore. I'm closing this.
First of all, thanks a lot for all the work!
Now without further ado: Occasionally - circa once in 6 attempts, the login fails with valid credentials and the user is asked for credential again. The response time is immediate (no timeout).
Middleware configuration:
Errors visible in the log:
These are our helm values (with some obfuscation applied):
We don't see the same problem with grafana which has its own built-in LDAP authentication mechanism, which is configured more or less the same as this plugin.
Any hint/advice would be appreciated.