Extracted secret

This commit is contained in:
Tiago Augusto Pimenta 2018-10-09 09:29:36 -03:00
parent 8bf61afe71
commit 83b51c0bdf
3 changed files with 44 additions and 32 deletions


@ -1,7 +1,27 @@
# Nginx LDAP Auth # Nginx LDAP Auth
Use this in order to provide a ingress authentication over LDAP for Kubernetes, change the Secret inside `k8s.yaml` to match your LDAP server and run: Use this in order to provide a ingress authentication over LDAP for Kubernetes, change the Secret inside `config.sample.yaml` to match your LDAP server and run:
kubectl create secret generic nginx-ldap-auth --from-file=config.yaml=config.sample.yaml
kubectl apply -f k8s.yaml kubectl apply -f k8s.yaml
Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/): Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth.default.svc.cluster.local:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/).
## Config
The actual version choose a random server, in future version it is intended to have a pool of them, that is why it is a list, not a single one, but you can fill only one if you wish.
The prefix tell the program which protocol to use, if `ldaps://` it will try LDAP over SSL, if `ldap://` it will try plain LDAP with STARTTLS, case no prefix is given it will try to guess based on port, 636 for SSL and 389 for plain.
The actual version will fail if neither SSL or STARTTLS is possible, but next version will allow plain LDAP.
If the `user.requiredGroups` list is omited or empty all LDAP users will be allowed regardless the group, if not empty all groups will be required, the next version will have more flexible configuration.
If you are not sure what `filter`, `bindDN` or `baseDN` to use, here is a tip:
ldapsearch -H ${servers[*]} -D ${auth.bindDN} -w ${auth.bindPW} -b ${user.baseDN|group.baseDN} ${user.filter|group.filter}
Replace the values between `${...}` to the ones on `config.yaml`, when you succeed you can fill the final configuration.
Timeouts are configurable, but it is recommended not to use values less than some seconds, it was planned to prevent several identical requests to LDAP servers.
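Review bot: the `ldapsearch` tip passes the bind password on the command line with `-w ${auth.bindPW}`, which leaves it in shell history and visible to other users through the process list; since the tip is meant to be typed interactively, suggest `-W` (prompt) or `-y <file>` instead. The same hunk tells readers to edit `config.sample.yaml` in place and feed it to `kubectl create secret generic nginx-ldap-auth --from-file=config.yaml=config.sample.yaml`, so a real `bindPW` ends up in a tracked file; better to have them copy it to an ignored `config.yaml` first and point `--from-file` at that. The new `auth-url` hardcodes the `default` namespace (`nginx-ldap-auth.default.svc.cluster.local`); say so, or the annotation silently breaks when the service is deployed elsewhere. Minor: `a ingress`, `omited` and `regardless the group` in the added text.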

config.sample.yaml Normal file

@ -0,0 +1,21 @@
web: 0.0.0.0:5555
path: /
servers:
- ldaps://ldap1.example.com:636
- ldaps://ldap2.example.com:636
- ldaps://ldap3.example.com:636
auth:
bindDN: uid=seviceaccount,cn=users,dc=example,dc=com
bindPW: password
user:
baseDN: ou=users,dc=example,dc=com
filter: "(cn={0})"
requiredGroups:
- appAdmin
group:
baseDN: ou=groups,dc=example,dc=com
groupAttr: cn
filter: "(member={0})"
timeout:
success: 24h
wrong: 5m
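Review bot: the inline config removed from `k8s.yaml` in this commit carried `message: "LDAP Login"`, and the new sample does not; if the program still reads that key it should stay in the sample, and if it was dropped the README should say so. Also `bindPW: password` and `uid=seviceaccount` read like real values rather than placeholders; something like `CHANGE_ME` makes it obvious when a copy has not been edited (and `seviceaccount` is presumably `serviceaccount`). Since `{0}` in `user.filter` and `group.filter` is substituted at runtime with a value taken from the request, the README should state that the value is escaped per RFC 4515 before it is inserted into the filter.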


@ -1,32 +1,3 @@
kind: Secret
apiVersion: v1
metadata:
name: nginx-ldap-auth
data:
config.yaml: |
web: 0.0.0.0:5555
path: /
message: "LDAP Login"
servers:
- ldaps://ldap1.example.com:636
- ldaps://ldap2.example.com:636
- ldaps://ldap3.example.com:636
auth:
bindDN: cn=seviceaccount,cn=users,o=company
bindPW: password
user:
baseDN: ou=users,o=company
filter: "(cn={0})"
requiredGroups:
- appAdmin
group:
baseDN: ou=groups,o=company
groupAttr: cn
filter: "(member={0})"
timeout:
success: 24h
wrong: 5m
---
kind: Service kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
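Review bot: good move; the removed Secret kept the LDAP bind credentials in a tracked manifest, and it was also malformed, since `data:` requires base64-encoded values and a plain YAML block under `config.yaml: |` is only accepted under `stringData:`. Because the old document stays in git history, anyone who deployed it with a real `bindPW` should rotate that password. The remaining document in this file now starts at `kind: Service`, and the README's `kubectl create secret generic nginx-ldap-auth` command keeps the same Secret name, so the Deployment's volume reference (not in this diff) should be unaffected.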
@ -36,7 +7,7 @@ spec:
ports: ports:
- name: nginx-ldap-auth - name: nginx-ldap-auth
port: 5555 port: 5555
protocol: TCP: protocol: TCP
targetPort: 5555 targetPort: 5555
selector: selector:
app: nginx-ldap-auth app: nginx-ldap-auth
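Review bot: `protocol: TCP:` to `protocol: TCP` is an unrelated fix (the trailing colon would have made the Service spec invalid on apply), and the commit message `Extracted secret` does not mention it; either mention it in the message or split it into its own commit so the change is findable later.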