Skip to content

A simple drop-in HTTP proxy for transparent LDAP authentication which is also a HTTP auth backend.

License

Notifications You must be signed in to change notification settings

pinepain/ldap-auth-proxy

Repository files navigation

LDAP Auth proxy

Build Status Go Report Card

A simple drop-in HTTP proxy for transparent LDAP authorization which is also a HTTP auth backend.

Usage

You can use pinepain/ldap-auth-proxy docker image (see available tags here) or build binary by yourself, Dockerfile and .travis.yml list all necessary steps to build it.

Usage examples could be found in examples folder.

Architecture

LDAP auth proxy could be used in two modes: as an auth backend and as a proxy:

Auth backend

auth backend

Examples:

Proxy

proxy

and it's variation, proxy behind nginx:

proxy behind nginx

Example docker-compose setup could be found in examples/proxy

Example settings for JumpCloud users:

export LDAP_SERVER='ldaps://ldap.jumpcloud.com'
export LDAP_BASE='o=<oid>,dc=jumpcloud,dc=com'
export LDAP_BIND_DN='uid=<bind user name>,ou=Users,o=<oid>,dc=jumpcloud,dc=com'
export LDAP_BIND_PASSWORD='<bind user password>'
export LDAP_USER_FILTER='(uid=%s)'
export LDAP_GROUP_FILTER='(&(objectClass=groupOfNames)(member=uid=%s,ou=Users,o=<oid>,dc=jumpcloud,dc=com))'
export GROUP_HEADER='X-Ldap-Group'
export HEADERS_MAP='X-LDAP-Mail:mail,X-LDAP-UID:uid,X-LDAP-CN:cn,X-LDAP-DN:dn'

where <oid> is your organisation id.

Notes

A zero length password is always considered invalid since it is, according to the LDAP spec, a request for "unauthenticated authentication." Unauthenticated authentication should not be used for LDAP based authentication. See section 5.1.2 of RFC-4513 <http://tools.ietf.org/html/rfc4513#section-5.1.2>_ for a description of this behavior.

Neither zero length username supported. Anonymous authentication should also not be used for LDAP based authentication. See section 5.1.1 of RFC-4513 <http://tools.ietf.org/html/rfc4513#section-5.1.1>_ for a description of that behavior.

License

ldap-auth-proxy is licensed under the MIT license.

About

A simple drop-in HTTP proxy for transparent LDAP authentication which is also a HTTP auth backend.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published