Skip to content

Fail to get group membership #15

Open
Open
Fail to get group membership#15
@virdb

Description

@virdb
virdb
opened on Nov 13, 2023

Deployed using the following config-map to match my infra:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: another-ldap
  namespace: another-ldap-app
data:
  LDAP_ENDPOINT: "ldap://xxx.xxx.xxx.xx:389"
  LDAP_MANAGER_DN_USERNAME: "uid=admin,ou=people,dc=mydomain,dc=local"
  LDAP_BIND_DN: "uid={username},ou=people,dc=mydomain,dc=local"
  LDAP_SEARCH_BASE: "ou=people,dc=mydomain,dc=local"
  LDAP_SEARCH_FILTER: "(uid={username})"
  LOG_LEVEL: "DEBUG"
  LOG_FORMAT: "JSON"
  BRUTE_FORCE_PROTECTION: "False"
  BRUTE_FORCE_EXPIRATION: "5"
  BRUTE_FORCE_FAILURES: "3"
  COOKIE_DOMAIN: ""
  METADATA_TITLE: "Authentication & Authorization System"
  METADATA_DESCRIPTION: ""
  METADATA_FOOTER: "Powered by Another LDAP"
  PERMANENT_SESSION_LIFETIME: "7"

Then applied the following ingress to my service:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service-ingress
  namespace: service-namespace
  annotations: 
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-url: https://another-ldap-service.another-ldap-app.svc.cluster.local/auth
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header Ldap-Allowed-Groups "storage-admin";
    nginx.ingress.kubernetes.io/server-snippet: |
      error_page 401 = @login;
      location @login {
        return 302 https://another-ldap.mydomain.tld/?protocol=$pass_access_scheme&callback=$host;
      }
spec:
  rules:
  - host: service.mydomain.tld
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-frontend
            port:
              number: 80
  ingressClassName: nginx

Logs during the authentication of a valid user (marco) member of "storage-admin" (cn=storge-admin,ou=groups,dc=mydomain,dc=local) group:

{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Before-all."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "/auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth requested."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authenticating user via LDAP.", "username": "marco", "finalUsername": "uid=marco,ou=people,dc=mydomain,dc=local"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Authentication successful via LDAP.", "username": "marco", "elapsedTime": "0.10276222229003906"}
{"date": "2023-11-13 14:19:43", "level": "INFO", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authentication successful."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Getting user's groups."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Connecting to LDAP server."}
{"date": "2023-11-13 14:19:43", "level": "ERROR", "objectName": "Aldap", "ip": "192.168.1.36", "message": "There was an error trying to bind: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': []}"}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Validating AD groups.", "username": "marco", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "Aldap", "ip": "192.168.1.36", "message": "Invalid groups for the user.", "username": "marco", "matchedGroups": "", "allowedGroups": "storage-admin", "conditional": "or"}
{"date": "2023-11-13 14:19:43", "level": "WARNING", "objectName": "main", "ip": "192.168.1.36", "message": "Basic-Auth: Authorization failed."}
{"date": "2023-11-13 14:19:43", "level": "DEBUG", "objectName": "main", "ip": "192.168.1.36", "message": "After-all."}
10.244.3.108 - - [13/Nov/2023 14:19:43] "GET /auth HTTP/1.1" 401 -

What am I doing wrong? Seems the authentication part works fine (I see the "Welcome" screen), but the groups membership check fails.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions