diff --git a/README.md b/README.md
index 25d8a4b..3df436c 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,27 @@
 # Nginx LDAP Auth
-Use this in order to provide a ingress authentication over LDAP for Kubernetes, change the Secret inside `k8s.yaml` to match your LDAP server and run:
+Use this in order to provide a ingress authentication over LDAP for Kubernetes, change the Secret inside `config.sample.yaml` to match your LDAP server and run:
+
+    kubectl create secret generic nginx-ldap-auth --from-file=config.yaml=config.sample.yaml
     kubectl apply -f k8s.yaml
-Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/):
+Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth.default.svc.cluster.local:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/).
+
+## Config
+
+The actual version choose a random server, in future version it is intended to have a pool of them, that is why it is a list, not a single one, but you can fill only one if you wish.
+
+The prefix tell the program which protocol to use, if `ldaps://` it will try LDAP over SSL, if `ldap://` it will try plain LDAP with STARTTLS, case no prefix is given it will try to guess based on port, 636 for SSL and 389 for plain.
+
+The actual version will fail if neither SSL or STARTTLS is possible, but next version will allow plain LDAP.
+
+If the `user.requiredGroups` list is omited or empty all LDAP users will be allowed regardless the group, if not empty all groups will be required, the next version will have more flexible configuration.
+
+If you are not sure what `filter`, `bindDN` or `baseDN` to use, here is a tip:
+
+    ldapsearch -H ${servers[*]} -D ${auth.bindDN} -w ${auth.bindPW} -b ${user.baseDN|group.baseDN} ${user.filter|group.filter}
+
+Replace the values between `${...}` to the ones on `config.yaml`, when you succeed you can fill the final configuration.
+
+Timeouts are configurable, but it is recommended not to use values less than some seconds, it was planned to prevent several identical requests to LDAP servers.
diff --git a/config.sample.yaml b/config.sample.yaml
new file mode 100644
index 0000000..2478a60
--- /dev/null
+++ b/config.sample.yaml
@@ -0,0 +1,21 @@
+web: 0.0.0.0:5555
+path: /
+servers:
+- ldaps://ldap1.example.com:636
+- ldaps://ldap2.example.com:636
+- ldaps://ldap3.example.com:636
+auth:
+  bindDN: uid=seviceaccount,cn=users,dc=example,dc=com
+  bindPW: password
+user:
+  baseDN: ou=users,dc=example,dc=com
+  filter: "(cn={0})"
+  requiredGroups:
+  - appAdmin
+group:
+  baseDN: ou=groups,dc=example,dc=com
+  groupAttr: cn
+  filter: "(member={0})"
+timeout:
+  success: 24h
+  wrong: 5m
diff --git a/k8s.yaml b/k8s.yaml
index 539ad02..c8921bf 100644
--- a/k8s.yaml
+++ b/k8s.yaml
@@ -1,32 +1,3 @@
-kind: Secret
-apiVersion: v1
-metadata:
-  name: nginx-ldap-auth
-data:
-  config.yaml: |
-    web: 0.0.0.0:5555
-    path: /
-    message: "LDAP Login"
-    servers:
-    - ldaps://ldap1.example.com:636
-    - ldaps://ldap2.example.com:636
-    - ldaps://ldap3.example.com:636
-    auth:
-      bindDN: cn=seviceaccount,cn=users,o=company
-      bindPW: password
-    user:
-      baseDN: ou=users,o=company
-      filter: "(cn={0})"
-      requiredGroups:
-      - appAdmin
-    group:
-      baseDN: ou=groups,o=company
-      groupAttr: cn
-      filter: "(member={0})"
-    timeout:
-      success: 24h
-      wrong: 5m
----
 kind: Service
 apiVersion: v1
 metadata:
@@ -36,7 +7,7 @@ spec:
   ports:
   - name: nginx-ldap-auth
     port: 5555
-    protocol: TCP:
+    protocol: TCP
     targetPort: 5555
   selector:
     app: nginx-ldap-auth
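Review bot: `bindPW: password` is a plaintext LDAP bind credential in the very file the README tells users to edit in place and then feed to `kubectl create secret generic nginx-ldap-auth --from-file=config.yaml=config.sample.yaml`, so a real password is one commit away from landing in version control next to the sample. Suggest heading the new file with `# Copy to config.yaml (keep the copy out of version control) and fill in real values; bindPW is a secret` and pointing the README command at that copy rather than at the sample. `success: 24h` would also benefit from a comment: if it is the cache lifetime of an accepted login, as the README's "prevent several identical requests to LDAP servers" suggests, a disabled account or a removed group membership keeps passing the ingress for up to a day, e.g. `# cache TTL for accepted logins; revocations are not seen until it expires`. Whether the `{0}` in `user.filter` and `group.filter` is LDAP-filter-escaped before substitution is not visible in this diff and should be confirmed in the code that renders the filters. `seviceaccount` in `bindDN` looks like a typo of `serviceaccount` carried over from the old manifest and is worth fixing so it is not copied verbatim.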
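Review bot: The Service port this hunk fixes is addressed by ingress-nginx over plain `http://` (the README's `auth-url` is `http://nginx-ldap-auth.default.svc.cluster.local:5555`), so whatever credentials the ingress forwards to this endpoint for external auth cross the cluster network unencrypted and the port is reachable from any pod that can resolve the Service. A NetworkPolicy admitting ingress to port 5555 only from the ingress controller's namespace would narrow that exposure, and a comment on the port such as `# reached over plain HTTP by ingress-nginx's auth-url; restrict reachability with a NetworkPolicy` would record the assumption in the manifest. The Service definition starts before this hunk, and the workload that mounts the `nginx-ldap-auth` secret the README now creates is outside the diff, so I could not check that its mount key still matches `config.yaml`.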