LDAP Plugin has no filter

joaqu...@gmail.com
Jul 30, 2017, 7:36:30 PM
to Kong
Hi Guys

But actually there is no filter, so that means I have to create duplicate users for auth within LDAP.

In my opinion there should be a filter, so that in ou=Users I can give them a special objectclass = Kong.

If not, I need to create an ou=UsersKong, which means I have to duplicate users.

BR

Joaquin

rpap...@fearnothingproductions.net
Jul 31, 2017, 12:13:39 PM
to Kong
Hi,
Could you describe a bit more about your use case, and what specifically you are trying to accomplish? The more detail you can provide the better so we can understand the community's use case and needs. :)

joaqu...@gmail.com
Jul 31, 2017, 2:52:54 PM
to Kong
There is a need to have an LDAP filter when doing a search. This is added in all LDAP integrations in JIRA, REDMINE, Grafana, Zabbix, etc.

For example in an LDAP command:
ldapsearch -h myServer -p 5201 -D cn=Users,cn=Administratcompanyors,cn=config -w password -b "dc=example,dc=com" "(objectclass=Kong)"

The filter will be the one highlighted in bold red.
What does it do?
It will filter any users with objectclass Kong. This will avoid having 1 user for Jira, 1 user for REDMINE, 1 user for Kong, because just adding the objectclass Kong to a specific user will do.

BR

Joaquin

Cooper Marcus
Jul 31, 2017, 4:25:03 PM
to joaqu...@gmail.com, Kong
Is what you are asking for that Kong, when it interacts with your LDAP server (as described at https://getkong.org/plugins/ldap-authentication/#usage), includes "(objectclass=Kong)" when querying your LDAP server?

--
You received this message because you are subscribed to the Google Groups "Kong" group.
To unsubscribe from this group and stop receiving emails from it, send an email to konglayer+unsubscribe@googlegroups.com.
To post to this group, send email to kong...@googlegroups.com.
Visit this group at https://groups.google.com/group/konglayer.
To view this discussion on the web visit https://groups.google.com/d/msgid/konglayer/52e0f075-80c4-4798-a354-082e80e29682%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Thijs Schreijer
Jul 31, 2017, 4:43:19 PM
to joaqu...@gmail.com, Kong

On 31 Jul 2017, at 20:52, joaqu...@gmail.com wrote:

There is a need to have an LDAP filter when doing a search. This is added in all LDAP integrations in JIRA, REDMINE, Grafana, Zabbix, etc.

For example in an LDAP command:
ldapsearch -h myServer -p 5201 -D cn=Users,cn=Administratcompanyors,cn=config -w password -b "dc=example,dc=com" "(objectclass=Kong)"

The filter will be the one highlighted in bold red.
What does it do?
It will filter any users with objectclass Kong. This will avoid having 1 user for Jira, 1 user for REDMINE, 1 user for Kong, because just adding the objectclass Kong to a specific user will do.


I don't know the LDAP protocol, but from the code: have you tried the 'attribute' property of the configuration?

Say you have `config.attribute=cn` in your plugin configuration; then, because the plugin builds the string by very simple concatenation, you could try and set it as:

`config.attribute="(objectclass=Kong),cn"`

Or similarly add it to the `base_dn` property:

`config.base_dn=dc=example,dc=com,(objectclass=Kong)`

Does that work for you?
Thijs

joaqu...@gmail.com
Jul 31, 2017, 7:31:00 PM
to Kong, joaqu...@gmail.com
Anyway I was able to make it work:
This one works:
curl -X POST http://localhost:8001/apis/example-api/plugins --data "name=ldap-auth" --data "config.hide_credentials=true" --data "config.ldap_host=localhost" --data "config.ldap_port=389" --data "config.base_dn=ou=People,dc=example,dc=com" --data config.attribute="uid" --data "config.cache_ttl=60"

This one doesn't work:
curl -X POST http://localhost:8001/apis/example-api/plugins --data "name=ldap-auth" --data "config.hide_credentials=true" --data "config.ldap_host=localhost" --data "config.ldap_port=389" --data "config.base_dn=ou=People,dc=example,dc=com" --data config.attribute="(gidNumber=5000),uid" --data "config.cache_ttl=60"

This one doesn't work:
curl -X POST http://localhost:8001/apis/example-api/plugins --data "name=ldap-auth" --data "config.hide_credentials=true" --data "config.ldap_host=localhost" --data "config.ldap_port=389" --data "config.base_dn=ou=People,dc=example,dc=com" --data config.attribute="(gidNumber=5000)(uid)" --data "config.cache_ttl=60"


In LDAP you put the filter for example as (&(gidNumber=5000)(uid=john))
ldapsearch -h localhost -p 389 -D cn=admin,dc=example,dc=com -w admin -b dc=example,dc=com '(&(gidNumber=5000)(uid=john))'

So currently there is no filter possible on the LDAP plugin.

I think that when you specify config.attribute=cn (or uid) you transfer the search as cn=XXXX,+base_dn, which is correct but doesn't allow filtering users by certain fields in the LDAP (like the ldapsearch sentence above).

joaqu...@gmail.com
Jul 31, 2017, 7:34:37 PM
to Kong, joaqu...@gmail.com
dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john

User:password --> john:johnldap

#curl -i -X GET http://localhost:8000/ip  --header 'Host: example.com' --header 'Authorization: ldap am9objpqb2hubGRhcA=='
It is working fine depending on the config.attribute used.

joaqu...@gmail.com
Aug 1, 2017, 2:40:26 PM
to Kong, joaqu...@gmail.com
For example, for Grafana: http://docs.grafana.org/installation/ldap/
There is a:
search_filter = "(cn=%s)"

This indicates a certain filter you can add to the LDAP search sent to the LDAP server. This seems trivial, but this little thing can cause me to have duplicated users (double the DB as well as resources).

Thijs Schreijer
Aug 1, 2017, 2:46:33 PM
to joaqu...@gmail.com, Kong
As I mentioned, I don’t know LDAP. But maybe you can have a look at the source code here https://github.com/Mashape/kong/blob/master/kong/plugins/ldap-auth/access.lua#L38 which is the line that builds the ldap stuff.

joaqu...@gmail.com
Aug 1, 2017, 5:36:45 PM
to Kong, joaqu...@gmail.com
I checked the code and there is not much that can be done, since you are using:
#59 (access.lua) --> is_authenticated, err = ldap.bind_request(sock, who, given_password)
You are passing: connection, "uid=john,ou=People,dc=example,dc=com", <password>

There is no filter passed to it.

I see that you have in line #865 a filter option that can be sent to the lua_ldap.c

joaqu...@gmail.com
Aug 3, 2017, 7:18:53 PM
to Kong, joaqu...@gmail.com
Well... in theory the LDAP plugin is wrongly designed.
As I mentioned, the correct config is like Grafana's. http://docs.grafana.org/installation/ldap/

There should be:
- A user that will bind to the LDAP server
- Then a search will be done to search for the user in hand. Here the filter will be applied.
- Then an unbind will be done.

So we should have:
a bind_dn user (which will trigger the bindRequest) - with its password
a search filter to perform a searchRequest

I checked the process done by the LDAP plugin and actually it only sends the bindRequest and expects back a success.

I personally think that's not the way to go, but let me know if it is final so I will not look for any solution anymore.
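The bind / filtered search / bind-as-user flow described in this thread, simulated offline as an added example (this is not Kong's ldap-auth code and not Grafana's). The in-memory DIRECTORY is constructed from the LDIF entry posted above, plus a constructed `cn=admin` service account and a constructed second user in a different group; the function names (`escape_filter_value`, `build_filter`, `search`, `bind`, `authenticate`) and the tiny filter parser are this example's own. The point a defender cares about is the escaping step: a `%s` template like Grafana's `(cn=%s)` is only safe when the substituted username is escaped per RFC 4515, so a login name containing `)` or `*` can never change the shape of the filter.

```python
"""Bind -> filtered search -> bind-as-user, with RFC 4515 filter escaping.

Added example, not Kong's or Grafana's code. DIRECTORY is constructed:
john's entry is the one posted in the thread; cn=admin and jane are made up.
"""

# Constructed in-memory directory: dn -> {attribute: [values]}.
DIRECTORY = {
    "cn=admin,dc=example,dc=com": {                      # constructed service account
        "objectClass": ["simpleSecurityObject"],
        "cn": ["admin"], "userPassword": ["admin"],
    },
    "uid=john,ou=People,dc=example,dc=com": {            # entry from the thread
        "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
        "uid": ["john"], "cn": ["John Doe"],
        "gidNumber": ["5000"], "userPassword": ["johnldap"],
    },
    "uid=jane,ou=People,dc=example,dc=com": {            # constructed: other group
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["jane"], "cn": ["Jane Roe"],
        "gidNumber": ["6000"], "userPassword": ["janeldap"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value that is substituted into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template: str, username: str) -> str:
    """Fill a Grafana-style '(cn=%s)' template with the escaped username."""
    return template.replace("%s", escape_filter_value(username))


def _unescape(raw: str) -> str:
    """Turn \\XX hex escapes back into characters (server-side view)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            out.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def _parse(f: str, i: int):
    """Parse one '(...)' at f[i]; supports &, |, !, equality and presence only."""
    if f[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if f[i] in "&|!":
        op, children, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            children.append(node)
        if f[i] != ")":
            raise ValueError("unterminated %s at %d" % (op, i))
        return (op, children), i + 1
    end = f.index(")", i)
    attr, _, raw = f[i:end].partition("=")
    if raw == "*":
        return ("present", attr), end + 1
    return ("eq", attr, _unescape(raw)), end + 1


def parse_filter(f: str):
    node, end = _parse(f, 0)
    if end != len(f):
        raise ValueError("trailing data after filter")
    return node


def _attr(entry, name):
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def _matches(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    if kind == "present":
        return bool(_attr(entry, node[1]))
    return any(v.lower() == node[2].lower() for v in _attr(entry, node[1]))


def search(base_dn: str, filter_str: str):
    """DNs under base_dn whose entries satisfy the filter (subtree scope)."""
    tree = parse_filter(filter_str)
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and _matches(tree, e)]


def bind(dn: str, password: str) -> bool:
    """Simulated simple bind: the DN exists and the password matches."""
    return password in DIRECTORY.get(dn, {}).get("userPassword", [])


def authenticate(username, password, *, bind_dn, bind_password, base_dn, search_filter):
    """Service-account bind -> filtered search -> bind as the single matching user."""
    if not bind(bind_dn, bind_password):
        return None                                    # service account rejected
    matches = search(base_dn, build_filter(search_filter, username))
    if len(matches) != 1:
        return None                                    # no such user, or ambiguous
    return matches[0] if bind(matches[0], password) else None
```

With the filter `(&(gidNumber=5000)(uid=%s))`, john (gidNumber 5000) authenticates and jane (gidNumber 6000) is refused even with her correct password, which is exactly the "one directory, per-application filter" behaviour the thread asks for. A search that returns zero or more than one entry is treated as a failure rather than picking the first hit.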