Project author: g0dsCookie

Project description:
Simple HTTP ldap auth daemon
Language: Python
Repository: git://github.com/g0dsCookie/ldapauthd.git
Created: 2019-01-29T06:12:14Z
Project page: https://github.com/g0dsCookie/ldapauthd

License: MIT License



ldapauthd

This is a simple HTTP server that lets you authenticate against LDAP with an HTTP GET request. The daemon is designed to run behind a reverse proxy (haproxy, nginx, apache2, …).

Usage

To authenticate against this daemon you only need to send a GET request carrying an HTTP Basic Authorization header (the base64-encoded username:password pair). Basic auth only encodes the credentials, it does not encrypt them, so TLS should be terminated by the reverse proxy in front of the daemon.

Examples

Curl

$ curl -v --user 'username:password' localhost

Traefik

version: "3.7"
services:
  traefik:
    image: traefik
    networks:
      - internal
    [...]
  auth:
    image: g0dscookie/ldapauthd
    networks:
      - internal
    [...]
  backend:
    image: mybackend
    networks:
      - internal
    deploy:
      labels:
        traefik.enable: "true"
        traefik.frontend.auth.forward.address: "http://auth"
        traefik.frontend.auth.forward.authResponseHeaders: "X-Forwarded-FullName,X-Forwarded-User,X-Forwarded-Email,X-Forwarded-Role"

Installation

Local

  1. git clone https://github.com/g0dsCookie/ldapauthd.git
  2. cd ldapauthd
  3. pip install -r requirements.txt

You can now run it with ./ldapauthd.py, but I highly recommend reading the Configuration section first.

Docker

Docker image g0dscookie/ldapauthd is available. See docker-compose.yml for configuration and usage of this container.

Configuration

Configuration for this daemon is read from the current environment. Available configuration parameters are:

| Environment Variable | Description | Default |
|---|---|---|
| LDAPAUTHD_IP | IP address the daemon should listen on. | 0.0.0.0 |
| LDAPAUTHD_PORT | Port the daemon should listen on. | 80 |
| LDAPAUTHD_LOGLEVEL | Log level the daemon should run at. | INFO |
| LDAPAUTHD_USER | User the daemon should run as. | nobody |
| LDAPAUTHD_REALM | Realm string sent in the WWW-Authenticate header. | Authorization required |
| LDAPAUTHD_SESSION_STORAGE | Session storage backend. Available: memcached | memcached |
| LDAPAUTHD_SESSION_PREFIX | Key prefix to avoid collisions inside memcached when running multiple ldapauthd instances. | |
| LDAPAUTHD_SESSION_DOMAIN | Domain for your session cookie. | |
| LDAPAUTHD_SESSION_HOST | Host address of your session storage. | localhost:11211 |
| LDAPAUTHD_SESSION_TTL | Maximum TTL for sessions in seconds. | 900 |
| LDAPAUTHD_SESSION_RETRY | How many times to retry the session storage connection. | 1 |
| LDAP_LOGLEVEL | Log level of the ldap3 library (see https://ldap3.readthedocs.io/logging.html#logging-detail-level). | ERROR |
| LDAP_ATTRIBUTES | JSON mapping of the LDAP attributes to fetch to the response header each one is reported in. | {"cn": "X-Forwarded-FullName", "mail": "X-Forwarded-Email", "sAMAccountName": "X-Forwarded-User"} |
| LDAP_ROLEHEADER | Header name in which the user's associated role is reported. | X-Forwarded-Role |
| LDAP_ALLOWEDUSERS | Allow specific users. Matched against the given username. | |
| LDAP_ALLOWEDGROUPS | Allow specific groups. Matched against the full group DN. | |
| LDAP_BASEDN | Base DN every search request is based on. | |
| LDAP_BINDDN | Bind user used for querying your LDAP server. | |
| LDAP_BINDPW | Password of the bind user. | |
| LDAP_BACKENDS | Comma-separated list of LDAP backend names. | |
| LDAP_<BACKEND>_HOST | Hostname of the domain controller for this backend. | |
| LDAP_<BACKEND>_PORT | Port on the domain controller to connect to. | 636 |
| LDAP_<BACKEND>_SSL | Use SSL for the LDAP connection. | True |
| LDAP_<BACKEND>_SSL_VALIDATE | Verify the remote SSL certificate. | True |

<BACKEND> stands for one of the names listed in LDAP_BACKENDS; the per-backend variables are set once for each name.

Examples

LDAP_ALLOWEDUSERS

Used to allow specific users and assign specific roles to them. Always takes precedence over LDAP_ALLOWEDGROUPS.

Users are matched case-insensitively.

LDAP_ALLOWEDUSERS={"username": "admin", "foobar": "nobody"}

LDAP_ALLOWEDGROUPS

Used to allow groups and assign the appropriate role to the user. May be overridden by LDAP_ALLOWEDUSERS.

The first matched group is used to allow access and assign the role.

Groups are matched case-insensitively.

LDAP_ALLOWEDGROUPS={"cn=admins,dc=example,dc=org": "admin", "cn=domain users,dc=example,dc=org": "users"}
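As an added illustration (not code from ldapauthd itself), the access decision described by the LDAP_ALLOWEDUSERS and LDAP_ALLOWEDGROUPS sections and the header mapping from LDAP_ATTRIBUTES, using the README's own sample values. The `member_of` list, the `load_json_env` helper and the assumption that "first matched group" means the first entry in configuration order are mine:

```python
import json
import os

# Constructed sample configuration copied from the README's two examples;
# added illustration, not the project's own code.
ALLOWED_USERS = json.loads('{"username": "admin", "foobar": "nobody"}')
ALLOWED_GROUPS = json.loads('{"cn=admins,dc=example,dc=org": "admin", '
                           '"cn=domain users,dc=example,dc=org": "users"}')
ATTRIBUTES = {"cn": "X-Forwarded-FullName", "mail": "X-Forwarded-Email",
              "sAMAccountName": "X-Forwarded-User"}


def load_json_env(name, default="{}", env=None):
    """Parse a JSON-valued setting from the environment, the way the daemon's
    environment-based configuration implies (hypothetical helper)."""
    env = os.environ if env is None else env
    return json.loads(env.get(name, default))


def resolve_role(username, member_of, allowed_users, allowed_groups):
    """Return the role for the user, or None when access must be denied.

    Precedence as documented: an LDAP_ALLOWEDUSERS entry always overrides
    LDAP_ALLOWEDGROUPS; otherwise the first configured group the user belongs
    to decides; all matching is case-insensitive. `member_of` holds the full
    group DNs the user is a member of. Assumption: "first matched group" is the
    first entry in configuration order.
    """
    users = {u.lower(): role for u, role in allowed_users.items()}
    role = users.get(username.lower())
    if role is not None:
        return role
    groups = {dn.lower() for dn in member_of}
    for dn, role in allowed_groups.items():
        if dn.lower() in groups:
            return role
    return None


def build_headers(entry, role, attributes=ATTRIBUTES, roleheader="X-Forwarded-Role"):
    """Map the fetched LDAP attributes to the headers the proxy forwards to the
    backend, following the LDAP_ATTRIBUTES / LDAP_ROLEHEADER mapping. Attributes
    missing from the entry simply produce no header."""
    headers = {hdr: entry[attr] for attr, hdr in attributes.items() if attr in entry}
    headers[roleheader] = role
    return headers
```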