wiltonsr / ldapAuth

An open source Traefik Middleware that enables authentication via LDAP in a similar way to Traefik Enterprise
https://plugins.traefik.io/plugins/628c9eb7ffc0cd18356a979c/ldap-auth
Apache License 2.0
111 stars 10 forks

Support AllowedGroups #3

Closed wiltonsr closed 2 years ago

wiltonsr commented 2 years ago

Create an allowedGroups option.

Optional, Default=""

It will be a list of LDAP group DNs that users could be members of to be granted access. If a user is in any one of the listed groups, then that user is granted access.

If set to an empty list or nil, it will allow all users that have an LDAP account to log in, without performing any group membership checks.

Unfortunately, traefik's option parser does not work with elements containing commas, which is the case with LDAP groups. So this issue will be suspended until we have a definition of the issue.
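The access rule described above (empty list means no group check; otherwise membership in any one listed group grants access) as an added, stand-alone Go example. It is not the plugin's own code, and the DN normalisation and the startup validation are assumptions of this example: comparison is a simplified lower-case, whitespace-trimmed string match rather than full RFC 4517 DN matching, and a configured group DN whose value part contains an `=` is treated as malformed, which catches the comma-stripped values a config parser can produce (for instance `ou=mathematicians dc=example dc=com`) before any request is evaluated.

```go
package main

import (
	"fmt"
	"strings"
)

// normalizeDN lower-cases a DN and trims whitespace around each RDN so that
// "OU=Mathematicians, DC=example, DC=com" and "ou=mathematicians,dc=example,dc=com"
// compare equal. Assumption of this example: no escaped commas and no
// multi-valued RDNs; this is not full RFC 4517 distinguishedNameMatch.
func normalizeDN(dn string) string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		parts[i] = strings.ToLower(strings.TrimSpace(p))
	}
	return strings.Join(parts, ",")
}

// validateGroupDN rejects configured values that do not look like a DN.
// Every comma-separated component must be "attr=value", and (assumption of
// this example) a value must not itself contain "=". A value whose commas
// were stripped by a config parser, such as "ou=mathematicians dc=example dc=com",
// collapses into a single RDN with "=" inside the value and is rejected here,
// so the misconfiguration surfaces at startup instead of as a silent mismatch.
func validateGroupDN(dn string) error {
	if strings.TrimSpace(dn) == "" {
		return fmt.Errorf("empty group DN")
	}
	for _, rdn := range strings.Split(dn, ",") {
		rdn = strings.TrimSpace(rdn)
		attr, value, ok := strings.Cut(rdn, "=")
		if !ok || strings.TrimSpace(attr) == "" || strings.TrimSpace(value) == "" {
			return fmt.Errorf("malformed RDN %q in group DN %q", rdn, dn)
		}
		if strings.Contains(value, "=") {
			return fmt.Errorf("RDN value %q in group DN %q contains '=': commas probably lost in parsing", value, dn)
		}
	}
	return nil
}

// allowed implements the option semantics: an empty allowedGroups list skips
// the group check entirely; otherwise the user must be a member of at least
// one listed group. memberOf is the list of group DNs the directory returned
// for the user (constructed in main below for this example).
func allowed(allowedGroups, memberOf []string) bool {
	if len(allowedGroups) == 0 {
		return true
	}
	member := make(map[string]struct{}, len(memberOf))
	for _, g := range memberOf {
		member[normalizeDN(g)] = struct{}{}
	}
	for _, g := range allowedGroups {
		if _, ok := member[normalizeDN(g)]; ok {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample configuration and directory data for this example.
	allowedGroups := []string{
		"ou=mathematicians,dc=example,dc=com",
		"ou=new italians,ou=scientists,dc=example,dc=com",
	}
	for _, g := range allowedGroups {
		if err := validateGroupDN(g); err != nil {
			fmt.Println("config error:", err)
		}
	}
	// A value as it would arrive with commas stripped by the parser.
	fmt.Println("stripped value:", validateGroupDN("ou=mathematicians dc=example dc=com"))

	users := map[string][]string{
		"euclid":  {"OU=Mathematicians, DC=example, DC=com"},
		"galieleo": {"ou=italians,ou=scientists,dc=example,dc=com"},
	}
	for name, groups := range users {
		fmt.Printf("%s allowed: %v\n", name, allowed(allowedGroups, groups))
	}
	fmt.Println("no group filter, any LDAP user:", allowed(nil, users["galieleo"]))
}
```

Validating the configured DNs once at startup is worth the few lines: with a parser that silently drops commas, a plain string match never succeeds, and the middleware would deny every user for a reason that only shows up as a malformed value in a debug log.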

TechnicallyCyber commented 2 years ago

Awesome feature. The linked issue was marked as closed and the fix was merged a few days ago.

wiltonsr commented 2 years ago

Unfortunately, the traefik paerser still doesn't understand options with commas.

So, this feature will need to wait a little bit more.

XarkaOfMahrak commented 2 years ago

Hi ! Do we still have a blocking issue on Traefik side, or should we create one ?

wiltonsr commented 2 years ago

Hello everyone,

Thank you for being so interested in ldapAuth.

Even after the fix of traefik/paerser's issue, reading attributes with commas in the middleware still doesn't work.

Traefik v2.6.2 bumps paerser to v0.1.5, which includes the corrections.

You can reproduce the problem with:

git clone https://github.com/wiltonsr/ldapAuth.git
git checkout test-paerser-issue-9
docker-compose -f examples/conf-from-yml-file.yml up

You will get:

whoami   | 2022/06/09 16:29:22 Starting up on port 80
traefik  | time="2022-06-09T16:29:22Z" level=info msg="Configuration loaded from flags."
traefik  | INFO: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: Starting my-ldapAuth@file Middleware...
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: Enabled => 'true'
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: LogLevel => 'DEBUG'
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: URL => 'ldap://ldap.forumsys.com'
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: Port => '389'
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: Attribute => 'uid'
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: SearchFilter => ''
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: BaseDN => 'dc=example,dc=com'
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: BindDN => ''
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: BindPassword => ''
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: ForwardUsername => 'true'
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: ForwardUsernameHeader => 'Username'
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: ForwardAuthorization => 'false'
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: ForwardExtraLdapHeaders => 'false'
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: WWWAuthenticateHeader => 'true'
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: WWWAuthenticateHeaderRealm => ''
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: AllowedGroups => '[ou=mathematicians dc=example dc=com║ou=italians ou=scientists dc=example dc=com]'
traefik  | DEBUG: ldapAuth: 2022/06/09 16:29:22 restricted.go:51: Username => ''

The line:

AllowedGroups => '[ou=mathematicians dc=example dc=com║ou=italians ou=scientists dc=example dc=com]'

Now has the separator from here. But all commas were still removed.

XarkaOfMahrak commented 2 years ago

Hi !

Seems they merged a new fix https://github.com/traefik/paerser/pull/11 (ref : https://github.com/traefik/paerser/issues/9#issuecomment-1200993983)

wiltonsr commented 2 years ago

Hello, everyone.

I'm waiting for a traefik release with paerser's fix to start adding this functionality.

As soon as possible I will come back with news.

wiltonsr commented 2 years ago

Confirmed that traefik v2.8.2 with paerser v0.1.6 works as expected.

traefik  | DEBUG: ldapAuth: 2022/08/12 18:06:09 restricted.go:51: AllowedGroups => '[ou=mathematicians,dc=example,dc=com ou=italians,ou=scientists,dc=example,dc=com ou=new italians,ou=scientists,dc=example,dc=com]'

I will start to work on this functionality now.

wiltonsr commented 2 years ago

@github-479 @XarkaOfMahrak

Let me know if there is any problem with this functionality.

XarkaOfMahrak commented 1 year ago

Hey,

I completely forgot to say, but yep, this fixes the issue!

Many thanks !