LDAP Plugin has no filter

[joaqu...@gmail.com]

Hi Guys

I have seen the LDAP plugin. https://getkong.org/plugins/ldap-authentication/

But actually there is no filter so that means I have to create duplicated users for auth within LDAP.

In my opinion there should be a filter so to the ou=Users I can give them a special objectclass = Kong

If not i need to create a ou=UsersKong which means I have to duplicate users.

BR

Joaquin

[rpap...@fearnothingproductions.net]

Hi,

Could you describe a bit more about your use case, and what specifically you are trying to accomplish? The more detail you can provide the better so we can understand the community's use case and needs. :)

[joaqu...@gmail.com]

There is a need to have an ldap filter when doing a search. This is added in all LDAP integrations in JIRA, REDMINE, Grafana, Zabbix, etc ....

For example in an LDAP command:

ldapsearch -h myServer -p 5201 -D cn=Users,cn=Administratcompanyors,cn=config -w password -b "dc=example,dc=com" "(objectclass=Kong)"

The filter will be the one highlighted in bold red.

What does it do?

It will filter any Users with objectclass Kong. This will avoid having 1 user for Jira 1 user for REDMINE, 1 users for Kong, cause just adding the objectclass Kong to a specific user will do.

BR

Joaquin]

[Cooper Marcus]

Is what you are asking for that Kong, when it interacts with your LDAP server (as described https://getkong.org/plugins/ldap-authentication/#usage), includes "(objectclass=Kong)" when querying your LDAP server? 

--
You received this message because you are subscribed to the Google Groups "Kong" group.
To unsubscribe from this group and stop receiving emails from it, send an email to konglayer+unsubscribe@googlegroups.com.
To post to this group, send email to kong...@googlegroups.com.
Visit this group at https://groups.google.com/group/konglayer.
To view this discussion on the web visit https://groups.google.com/d/msgid/konglayer/52e0f075-80c4-4798-a354-082e80e29682%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Thijs Schreijer]

On 31 Jul 2017, at 20:52, joaqu...@gmail.com wrote:

There is a need to have an ldap filter when doing a search. This is added in all LDAP integrations in JIRA, REDMINE, Grafana, Zabbix, etc ....

For example in an LDAP command:

ldapsearch -h myServer -p 5201 -D cn=Users,cn=Administratcompanyors,cn=config -w password -b "dc=example,dc=com" "(objectclass=Kong)"

The filter will be the one highlighted in bold red.

What does it do?

It will filter any Users with objectclass Kong. This will avoid having 1 user for Jira 1 user for REDMINE, 1 users for Kong, cause just adding the objectclass Kong to a specific user will do.

I don’t know the LDAP protocol, but from the code; have you tried with the 

‘attribute’ property of the configuration?

Say you have `config.attribute=cn` in your plugin configuration, then because 

the plugin builds the string in a very simple concatenation way, you could 

try and set it as:

`config.attribute=“(objectclass=Kong),cn”`

Or similarly add it to the `base_dn` property:

`config.base_dn=dc=example,dc=com,(objectclass=Kong)`

Does that work for you?

Thijs

[joaqu...@gmail.com]

Anyway I was able to make it work:

This one works:

curl -X POST http://localhost:8001/apis/example-api/plugins --data "name=ldap-auth" --data "config.hide_credentials=true" --data "config.ldap_host=localhost" --data "config.ldap_port=389" --data "config.base_dn=ou=People,dc=example,dc=com" --data config.attribute="uid" --data "config.cache_ttl=60"

This one doesn't work:

curl -X POST http://localhost:8001/apis/example-api/plugins --data "name=ldap-auth" --data "config.hide_credentials=true" --data "config.ldap_host=localhost" --data "config.ldap_port=389" --data "config.base_dn=ou=People,dc=example,dc=com" --data config.attribute="(gidNumber=5000),uid" --data "config.cache_ttl=60"

This one doesn't work:

curl -X POST http://localhost:8001/apis/example-api/plugins --data "name=ldap-auth" --data "config.hide_credentials=true" --data "config.ldap_host=localhost" --data "config.ldap_port=389" --data "config.base_dn=ou=People,dc=example,dc=com" --data config.attribute="(gidNumber=5000)(uid)" --data "config.cache_ttl=60"

In LDAP you put the filter for example as (&(gidNumber=5000)(uid=john))

ldapsearch -h localhost -p 389 -D cn=admin,dc=example,dc=com -w admin -b dc=example,dc=com '(&(gidNumber=5000)(uid=john))'

So currently there is no filter possible on the LDAP plugin.

I think that when you specify on the config.attribute=cn (or uid) you transfer the search as cn=XXXX,+base_dn which is correct but doesn;t allow to filter users by certain fields on the LDAP (like the ldapsearch sentence above).

[joaqu...@gmail.com]

dn: uid=john,ou=People,dc=example,dc=com

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: shadowAccount

uid: john

sn: Doe

givenName: John

cn: John Doe

displayName: John Doe

uidNumber: 10000

gidNumber: 5000

userPassword: johnldap

gecos: John Doe

loginShell: /bin/bash

homeDirectory: /home/john

User:password --> john:johnldap

#curl -i -X GET http://localhost:8000/ip  --header 'Host: example.com' --header 'Authorization: ldap am9objpqb2hubGRhcA=='

Is working fine depending on the config.attribute used.

[joaqu...@gmail.com]

For exmaple for Grafana: http://docs.grafana.org/installation/ldap/

There is a:

search_filter = "(cn=%s)"

This indicates a certain filter you can add to the ldap search send to the ldapserver. This seems trivial but this little thing can cause for me to have duplicated users (double the DB as well and resources).

[Thijs Schreijer]

As I mentioned, I don’t know LDAP. But maybe you can have a look at the source code here https://github.com/Mashape/kong/blob/master/kong/plugins/ldap-auth/access.lua#L38 which is the line that builds the ldap stuff.

[joaqu...@gmail.com]

Check the code and there is not much can be done since you are using:

#59 (access.lua) --> is_authenticated, err = ldap.bind_request(sock, who, given_password)

You are passing, Connection, "uid=john,ou=People,dc=exmaple,dc=com", <password>

There is no filter pass to it.

Checking your ldap plugin: https://github.com/Mashape/lua-ldap/blob/master/src/lua_ldap.c

I see that you have in line #865 a filter option that can be send to the lua_ldap.c

[joaqu...@gmail.com]

Well ... in theory the LDAP plugin i wrongly design.

As I mention the correct config is as Grafana. http://docs.grafana.org/installation/ldap/

Example: https://wiki.wireshark.org/SampleCaptures#Lightweight_Directory_Access_Protocol_.28LDAP.29 (ldap_and_search)

 

There should be:

- User that will bind to the LDAP server

- Then a search will be done to search for the user in hand. Here the filter will be applied.

- Then an unbind will be done.

So we should have an:

bind_dn users (which will trigger the bindRequest) - with its password

A search Filter to perform a searchRequest

I check the process done from the LDAP plugin and actually it only sends the bindrequest and expects back a success.

I personally think thats not the way to go but let me know if it is the final so I will not look for any solution anymore.