Deployed using the following config-map to match my infra:
```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: another-ldap
  namespace: another-ldap-app
data:
  LDAP_ENDPOINT: "ldap://xxx.xxx.xxx.xx:389"
  LDAP_MANAGER_DN_USERNAME: "uid=admin,ou=people,dc=mydomain,dc=local"
  LDAP_BIND_DN: "uid={username},ou=people,dc=mydomain,dc=local"
  LDAP_SEARCH_BASE: "ou=people,dc=mydomain,dc=local"
  LDAP_SEARCH_FILTER: "(uid={username})"
  LOG_LEVEL: "DEBUG"
  LOG_FORMAT: "JSON"
  BRUTE_FORCE_PROTECTION: "False"
  BRUTE_FORCE_EXPIRATION: "5"
  BRUTE_FORCE_FAILURES: "3"
  COOKIE_DOMAIN: ""
  METADATA_TITLE: "Authentication & Authorization System"
  METADATA_DESCRIPTION: ""
  METADATA_FOOTER: "Powered by Another LDAP"
  PERMANENT_SESSION_LIFETIME: "7"
```
Then applied the following ingress to my service:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service-ingress
  namespace: service-namespace
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-url: https://another-ldap-service.another-ldap-app.svc.cluster.local/auth
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header Ldap-Allowed-Groups "storage-admin";
    nginx.ingress.kubernetes.io/server-snippet: |
      error_page 401 = @login;
      location @login {
        return 302 https://another-ldap.mydomain.tld/?protocol=$pass_access_scheme&callback=$host;
      }
spec:
  rules:
    - host: service.mydomain.tld
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service-frontend
                port:
                  number: 80
  ingressClassName: nginx
```
Logs during the authentication of a valid user (marco), a member of the "storage-admin" group (cn=storge-admin,ou=groups,dc=mydomain,dc=local):
```
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Before-all."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "/auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authenticating user via LDAP.", "username": "marco", "finalUsername": "uid=marco,ou=people,dc=mydomain,dc=local"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authentication successful via LDAP.", "username": "marco", "elapsedTime": "0.10276222229003906"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authentication successful."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Getting user's groups."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "ERROR", "objectName": "Aldap", "ip": "192.168.1.36", "message": "There was an error trying to bind: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': []}"}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Validating AD groups.", "username": "marco", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Invalid groups for the user.", "username": "marco", "matchedGroups": "", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authorization failed."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "After-all."}
10.244.3.108 - - [13/Nov/2023 14:19:43] "GET /auth HTTP/1.1" 401 -
```
What am I doing wrong? It seems the authentication part works fine (I see the "Welcome" screen), but the group membership check fails.
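The log above has two LDAP connections: the user's own bind succeeds, then a second connection opened for "Getting user's groups." fails with result 49 (Invalid credentials), so `matchedGroups` is empty when the group check runs. Here is an added triage script (not part of Another LDAP or this issue) that parses the JSON log entries and separates those two phases; the sample lines are copied from the issue, the werkzeug access line is skipped, and it is assumed (not stated on the page) that the group-lookup connection binds with the manager DN rather than the user's credentials.

```python
import json
import re

# Log lines copied from the issue (trimmed to the relevant entries); the
# service emits one JSON object per line plus a plain-text access log line.
SAMPLE_LOG = """\
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authenticating user via LDAP.", "username": "marco", "finalUsername": "uid=marco,ou=people,dc=mydomain,dc=local"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authentication successful via LDAP.", "username": "marco", "elapsedTime": "0.10276222229003906"}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Getting user's groups."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "ERROR", "objectName": "Aldap", "ip": "192.168.1.36", "message": "There was an error trying to bind: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': []}"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Invalid groups for the user.", "username": "marco", "matchedGroups": "", "allowedGroups": "storage-admin", "conditional": "or"}
10.244.3.108 - - [13/Nov/2023 14:19:43] "GET /auth HTTP/1.1" 401 -
"""

# The bind error message embeds a Python dict repr; pull out result code and desc.
BIND_RESULT_RE = re.compile(r"'result': (\d+), 'desc': '([^']*)'")

def parse_entries(text):
    """Return the JSON log entries, skipping non-JSON lines (access log)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        entries.append(json.loads(line))
    return entries

def triage(text):
    """Classify one /auth request: did the user bind succeed, and did a bind
    fail afterwards, i.e. in the group-lookup phase (assumed manager DN bind)?"""
    report = {"user_auth_ok": False, "group_lookup_bind_error": None,
              "matched_groups": None, "allowed_groups": None}
    in_group_phase = False
    for e in parse_entries(text):
        msg = e["message"]
        if msg == "Authentication successful via LDAP.":
            report["user_auth_ok"] = True
        elif msg == "Getting user's groups.":
            in_group_phase = True  # everything after this is the second connection
        elif in_group_phase and msg.startswith("There was an error trying to bind"):
            m = BIND_RESULT_RE.search(msg)
            report["group_lookup_bind_error"] = (int(m.group(1)), m.group(2)) if m else (None, msg)
        elif msg == "Invalid groups for the user.":
            report["matched_groups"] = e.get("matchedGroups", "")
            report["allowed_groups"] = e.get("allowedGroups", "")
    return report
```

A report with `user_auth_ok` true and a group-lookup bind error of 49 points at the credentials used for the second connection rather than at the user's password or the group name, so that is the first thing to check on the service side.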