Error using ldap-auth plugin


chase...@gmail.com

May 23, 2016, 11:15:13 AM
to Kong
I am trying to configure the ldap-auth plugin, and cannot seem to get it configured properly.

I registered it to an api endpoint "token" via:

    --data "name=ldap-auth" \
    --data "config.hide_credentials=false" \
    --data "config.ldap_host=my.ldap.net" \
    --data "config.ldap_port=389" \
    --data "config.base_dn=OU=Office,OU=Users,OU=City,DC=company,DC=com" \
    --data "config.attribute=sAMAccountName" \
    --data "config.cache_ttl=60"


When I attempt to authenticate with a request in python:

import requests as r
import base64

# Python 2 code as posted: base64.encodestring() appends a trailing newline,
# which the replace() strips (encodestring was removed in Python 3.9; use base64.b64encode there).
unpw = 'user.name:p@ssw0rd!'
base64string = base64.encodestring(unpw).replace('\n', '')
headers = {
    "Authorization": "LDAP " + base64string,
    "Host": '9.9.9.9',
    'Accept': 'application/json'}

b_uri = 'http://9.9.9.9/token'  # placeholder: the post never defines b_uri
test_get = r.get(url=b_uri, headers=headers, verify=False)

the server returns a 500. When I check the kong logs in /usr/local/kong/logs/error.log I'm seeing the following error:

2016/05/23 10:04:49 [error] 2734#0: *63877 lua entry thread aborted: runtime error: /usr/local/share/lua/5.1/kong/plugins/ldap-auth/asn1.lua:320: attempt to call field 'mod' (a nil value)
stack traceback:
coroutine 0:
        /usr/local/share/lua/5.1/kong/plugins/ldap-auth/asn1.lua: in function 'encodeLength'
        /usr/local/share/lua/5.1/kong/plugins/ldap-auth/asn1.lua:225: in function 'encodeLDAPOp'
        /usr/local/share/lua/5.1/kong/plugins/ldap-auth/ldap.lua:56: in function 'bind_request'
        /usr/local/share/lua/5.1/kong/plugins/ldap-auth/access.lua:57: in function 'ldap_authenticate'
        /usr/local/share/lua/5.1/kong/plugins/ldap-auth/access.lua:75: in function 'cb'
        /usr/local/share/lua/5.1/kong/tools/database_cache.lua:128: in function 'get_or_set'
        /usr/local/share/lua/5.1/kong/plugins/ldap-auth/access.lua:72: in function 'authenticate'
        /usr/local/share/lua/5.1/kong/plugins/ldap-auth/access.lua:98: in function 'execute'
        /usr/local/share/lua/5.1/kong/plugins/ldap-auth/handler.lua:12: in function 'access'
        /usr/local/share/lua/5.1/kong.lua:188: in function 'access'
        access_by_lua(nginx.conf:103):2: in function <access_by_lua(nginx.conf:103):1>, client: 10.10.10.10, server: _, request: "GET / HTTP/1.1", host: "9.9.9.9"



I'm not sure where it's going awry.


Thanks for your time.

shashi ranjan - mashape

May 23, 2016, 2:20:45 PM
to chase...@gmail.com, Kong
Seems like it's failing while encoding the username and password being sent to Kong.

unpw = 'user.name:p@ssw0rd!'

what is user here? a table? 

base64string = base64.encodestring(unpw).replace('\n', '')  why this replacement?

"config.attribute=sAMAccountName" is sAMAccountName the correct attribute type in the LDAP server?


To test that Kong connects properly to the LDAP server, first try sending some hardcoded value. You can use this link https://www.base64encode.org/ to encode `username:password`. You can also try to make an LDAP bind operation from a bash terminal using the same DN and attribute to make sure you are using the correct configuration.

Here is how I test LDAP:


On May 23, 2016, at 8:15 AM, chase...@gmail.com wrote:

ldap_authenticate

Nick Curry

May 23, 2016, 5:24:01 PM
to Kong, chase...@gmail.com
unpw = 'user.name:p@ssw0rd!'

what is user here? a table? 

User in this case comes in the form first.last, and the unpw string is the "user:password" format specified in the docs:

In order to authenticate the user, client must set credentials in Proxy-Authorization or Authorization header in following format

credentials := [ldap | LDAP] base64(username:password)

 

 why this replacement?

The replacement is just because that python module appends a \n on the end, so that removes it. I get the same value as the website you provided.



I am confused as to what the config.attribute is for exactly. From what I understand about the plugin, it is used to authenticate the user specified in the header
    "Authorization": "ldap ..."
Is it specifying which ldap field is being used for the username? (e.g. If you are authenticating username "John.Smith", and that value is stored in the 'name' attribute, you would use 'config.attribute=name')



Lastly, after some testing I noticed that I can get a 403 to return if I encode a string that is less than or equal to 15 characters including the colon. Anything over 15 characters will return a 500 and cause the Lua error. Anything under will throw an LDAP error saying the credentials aren't correct, which is a correct response.
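The message that the trace's bind_request -> encodeLDAPOp -> encodeLength chain builds is an LDAP simple BindRequest in BER, and the length octets are where the trace dies; the following is an added example (not Kong's code) that encodes that request offline with both length forms written out, plus a parser for the `ldap base64(username:password)` header quoted above. The bind-DN shape `attribute=user,base_dn` (cn=Bob,dc=example,dc=com for the example later in the thread) is an assumption, not something verified against the plugin.

```python
import base64

def encode_length(n: int) -> bytes:
    """BER length octets. Short form (n < 128) is one byte; long form is
    0x80 | number-of-length-bytes followed by the length big-endian.
    The Lua port in the trace reaches for math.mod here, which LuaJIT does
    not provide; the '%' operator is the portable equivalent."""
    if n < 0:
        raise ValueError("negative length")
    if n < 128:
        return bytes([n])
    out = []
    while n:
        out.append(n % 256)
        n //= 256
    return bytes([0x80 | len(out)]) + bytes(reversed(out))

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + encode_length(len(value)) + value

def bind_request(user: str, password: str, attribute: str, base_dn: str, msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    Assumption (not checked against the plugin): bind DN = attribute=user,base_dn."""
    if not 0 <= msg_id < 128:
        raise ValueError("single-byte messageID only in this example")
    dn = f"{attribute}={user},{base_dn}".encode()
    # INTEGER version, OCTET STRING name, [0] simple password
    op = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password.encode())
    # [APPLICATION 0] BindRequest inside the outer SEQUENCE
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def credentials_from_header(value: str) -> tuple:
    """Parse 'ldap base64(username:password)'; a stray newline in the base64
    (the encodestring() artifact discussed above) is rejected by validate=True."""
    scheme, _, b64 = value.partition(" ")
    if scheme.lower() != "ldap":
        raise ValueError("expected the ldap scheme")
    user, sep, password = base64.b64decode(b64, validate=True).decode().partition(":")
    if not sep:
        raise ValueError("expected username:password")
    return user, password

if __name__ == "__main__":
    user, pw = credentials_from_header("ldap dXNlcm5hbWU6cGFzc3dvcmQ=")
    print(bind_request(user, pw, "cn", "dc=example,dc=com").hex())
```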

shashi ranjan - mashape

May 24, 2016, 1:46:00 PM
to Nick Curry, Kong
The attribute is the field name which is used to identify the user, like in the following image.


To bind Bob, we will look into `dc=example,dc=com` base DN, and search for attribute `cn`

So config.attribute = cn

and 

config.base_dn = dc=example,dc=com


Regarding the 15 character base64 limit, I'll check further and let you know.

Thanks
Shashi



shashi ranjan - mashape

May 24, 2016, 2:04:52 PM
to Nick Curry, Kong
I tested with a long username and it gave me the right `403` status response

base64.encode("einstein1234567890111.ddd1:password12345678.ddd") i.e `ZWluc3RlaW4xMjM0NTY3ODkwMTExLmRkZDE6cGFzc3dvcmQxMjM0NTY3OC5kZGQ=`



On May 24, 2016, at 10:45 AM, shashi ranjan - mashape <sha...@mashape.com> wrote:

The attribute is the field name which is used to identify the user, like in the following image.

<Screenshot 2016-05-24 10.39.15.png>

Nick Curry

May 24, 2016, 4:51:40 PM
to Kong, chase...@gmail.com
Thanks so much for your time on this.

Hmm, very strange. Here is a dump of my configuration. I'm not sure what's going wrong. I am consistently getting this behavior.
I have tried with:
requests package in Python
curl
postman plugin for chrome

Kong Server:
{
  "data": [
    {
      "upstream_url": "http:\/\/10.10.10.10:8080",
      "strip_request_path": false,
      "request_path": "\/token",
      "id": "468adb1a-195e-4eab-a9a1-423d57ed99b9",
      "created_at": 1464017703000,
      "preserve_host": false,
      "name": "token"
    }
  ],
  "total": 1
}

{
  "data": [
    {
      "api_id": "468adb1a-195e-4eab-a9a1-423d57ed99b9",
      "id": "281a8305-fe21-4287-870e-650533457860",
      "created_at": 1464024725000,
      "enabled": true,
      "name": "ldap-auth",
      "config": {
        "base_dn": "OU=StandardSecurity,OU=Users,OU=First,OU=Second,OU=Third,DC=company,DC=com",
        "cache_ttl": 60,
        "timeout": 10000,
        "start_tls": false,
        "hide_credentials": false,
        "ldap_host": "ldap.company.com",
        "ldap_port": 389,
        "attribute": "cn",
        "keepalive": 60000,
        "verify_ldap_host": false
      }
    }
  ],
  "total": 1
}

Request:
base64 string = username:password
GET http://kong.vip:8443/token headers = {"Authorization": "ldap dXNlcm5hbWU6cGFzc3dvcmQ="}

Response:
500

/usr/local/kong/logs/error.log
2016/05/24 15:37:27 [error] 2735#0: *92538 lua entry thread aborted: runtime errasn1.lua:320: attempt to call field 'mod' (a nil value)
stack traceback:
coroutine 0:
/usr/local/share/lua/5.1/kong/plugins/ldap-auth/asn1.lua: in function 'e
/usr/local/share/lua/5.1/kong/plugins/ldap-auth/asn1.lua:259: in functio
/usr/local/share/lua/5.1/kong/plugins/ldap-auth/ldap.lua:55: in function
/usr/local/share/lua/5.1/kong/plugins/ldap-auth/access.lua:57: in functi
/usr/local/share/lua/5.1/kong/plugins/ldap-auth/access.lua:75: in functi
/usr/local/share/lua/5.1/kong/tools/database_cache.lua:128: in function
/usr/local/share/lua/5.1/kong/plugins/ldap-auth/access.lua:72: in functi
/usr/local/share/lua/5.1/kong/plugins/ldap-auth/access.lua:98: in functi
/usr/local/share/lua/5.1/kong/plugins/ldap-auth/handler.lua:12: in funct
/usr/local/share/lua/5.1/kong.lua:188: in function 'access'
access_by_lua(nginx.conf:103):2: in function <access_by_lua(nginx.conf:1 /token HTTP/1.1", host: "kong.vip:8443"

Request:
base64 string = usee:pas
GET http://kong.vip:8443/token headers = {"Authorization": "ldap dXNlZTpwYXM="}

Response:
403

