Ldap authentication#369
Conversation
Signed-off-by: Jerome Doucerain <jerome.doucerain@bell.ca>
|
Hi, Interesting feature! The documentation about how to use this could also be made more clear:
I've added some comments about the above mentioned improvements in your code. |
|
@jpillora Can you merge this please? Thanks! |
jpillora
left a comment
jpillora
left a comment
There was a problem hiding this comment.
Looks reasonable from a quick glance
Would be great if we could flatten the 5 deep if-else blocks
Also what’s the binary size difference after importing ldap v3?
|
binary size difference: 12214.113 KB (master) -> 12397.106 KB (ldap-authentication) |
… to both rely on local or LDAP authentication
|
@jpillora could you please have a look at the bit improved version of the password validation ? |
|
|
||
| <!--tmpl,code=plain:echo "$ chisel client --help" && go run main.go client --help | sed 's#0.0.0-src (go1\..*)#X.Y.Z#' --> | ||
| ``` plain | ||
| ``` plain |
There was a problem hiding this comment.
these spacing edits come from your IDE i think,
can we revert them to reduce the size of the change set
easiest way is to execute the markdown template https://github.com/jpillora/md-tmpl
| } | ||
|
|
||
| // Ldap Connection with TLS | ||
| func ConnectTLS(ldapconfig LdapConfig) (*ldap.Conn, error) { |
There was a problem hiding this comment.
can we unexport ConnectTLS and any other functions that arent used
| if !found || user.Pass != string(password) { | ||
| s.Debugf("Login failed for user: %s", n) | ||
| return nil, errors.New("Invalid authentication for username: %s") | ||
| if (found && string(password) != "") { |
There was a problem hiding this comment.
although the users config file acts as a nice whitelist and access control, its not technically required - ldap can tell us both, if a user exists, and if the password is correct. should it work no users defined?
There was a problem hiding this comment.
My opinion on this is the following:
if we want to use LDAP to only authenticate and forget about authorization, I think it should be explicitly mentioned with an additional flag to avoid confusion.
Now from the enterprise perspective (which was coming with the LDAP authentication) I am not seeing the only authentication and no authorization as a use-case and if I may I would deal with this as a separate change.
Signed-off-by: Jerome Doucerain <jerome.doucerain@bell.ca>
… to both rely on local or LDAP authentication
|
@jpillora thanks for the review you did and I tried to follow what you said. |
|
Sorry @jdoucerain I was going to merge a bunch of PRs and release though tests are broken for latest versions of Go and I haven't had time to fix them #390 |
|
Hi @jpillora would you have some time to check if you could merge this branch ? |
…-authentication
Signed-off-by: Jerome Doucerain <jerome.doucerain@bell.ca>
|
Hi @jpillora could you please check if you could merge this branch ? Thanks |
Signed-off-by: Jerome Doucerain <jerome.doucerain@bell.ca>
|
Looks pretty good, will try take a look toknight I think the server config should only have the ldap config, the path string should be in main (cli code) - settings can export a LoadLDAP(path) LDAPConfig which is used my main, and by server package consumers I’m happy to do this change if you’d like |
|
@jpillora please go ahead if you have some bandwidth. Thanks |
|
looking at the is PR now. it appears you still have to define users in the --auth or --authfile, and the "local" password still works. ldap just adds an additional password that will now work. can you confirm this is correct and intended? |
|
IMO, i think ldap should work in either one of two ways:
|
commit 8786463 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Fri Jul 7 19:16:27 2023 -0400 fix unreachable code Signed-off-by: Jerome Doucerain <jerome.doucerain@bell.ca> commit 3a6f13c Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Fri Jul 7 17:22:12 2023 -0400 update README.md with features from master upstream branch Signed-off-by: Jerome Doucerain <jerome.doucerain@bell.ca> commit 3f92a77 Merge: 6b87e3f ce307e5 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Fri Jul 7 16:45:51 2023 -0400 Merge branch 'master' of https://github.com/jpillora/chisel into LDAP-authentication commit 6b87e3f Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Fri Nov 25 16:52:56 2022 -0500 MD again commit b66e317 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Fri Nov 25 16:50:20 2022 -0500 markdown adjustments commit 62920af Merge: 3e05ec5 8f96052 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Fri Nov 25 16:34:44 2022 -0500 Merge branch 'LDAP-authentication' of https://github.com/jdoucerain/chisel into LDAP-authentication commit 3e05ec5 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Fri Nov 25 16:14:53 2022 -0500 markdown adjustments commit 659c06d Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Fri Nov 25 16:10:52 2022 -0500 markdown adjustments commit cfb1d00 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Fri Nov 25 15:58:32 2022 -0500 Changes as recommended by J.Pillora commit 69a8ce0 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Wed Oct 19 12:04:33 2022 -0400 a bit improved version of the password validation keeping the ability to both rely on local or LDAP authentication commit 40da157 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Tue Oct 18 10:59:02 2022 -0400 allow combination of both LDAP and local authentication and give ldap-config example commit 4708fe1 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Wed Jun 29 19:33:27 2022 -0400 ca file debug commit 92b20ba Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Wed Jun 29 18:51:14 2022 -0400 add user in debugging log when too many entries commit ba54e8d Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Wed Jun 29 18:43:24 2022 -0400 remove comments in ldap.go commit 505ba02 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Wed Jun 29 18:39:23 2022 -0400 new --ldap-config in README.md commit 111b545 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Wed Jun 29 18:33:57 2022 -0400 ldap authentication Signed-off-by: Jerome Doucerain <jerome.doucerain@bell.ca> commit 8f96052 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Fri Nov 25 16:14:53 2022 -0500 markdown adjustments commit 2d7c977 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Fri Nov 25 16:10:52 2022 -0500 markdown adjustments commit 7c0e741 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Fri Nov 25 15:58:32 2022 -0500 Changes as recommended by J.Pillora commit f7cdb96 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Wed Oct 19 12:04:33 2022 -0400 a bit improved version of the password validation keeping the ability to both rely on local or LDAP authentication commit 00836b1 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Tue Oct 18 10:59:02 2022 -0400 allow combination of both LDAP and local authentication and give ldap-config example commit 6f7bc5d Merge: 79c0a67 bea4540 Author: jdoucerain <jerome.doucerain@bell.ca> Date: Tue Oct 18 09:53:06 2022 -0400 Merge branch 'jpillora:master' into LDAP-authentication commit 79c0a67 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Wed Jun 29 19:33:27 2022 -0400 ca file debug commit 5b77520 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Wed Jun 29 18:51:14 2022 -0400 add user in debugging log when too many entries commit 6c50813 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Wed Jun 29 18:43:24 2022 -0400 remove comments in ldap.go commit 4bc9fc4 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Wed Jun 29 18:39:23 2022 -0400 new --ldap-config in README.md commit 6c1f269 Author: Jerome Doucerain <jerome.doucerain@bell.ca> Date: Wed Jun 29 18:33:57 2022 -0400 ldap authentication Signed-off-by: Jerome Doucerain <jerome.doucerain@bell.ca>
|
|
Yes this is intentional. We have to cover case where the users could or could not be in the enterprise directory. |
|
And the presence in the directory is not enough for us to allow anyone to use chisel. This is why we are maintaining the authfile for each individual. This is our use case. |
|
I think using ldap as authentication only and applying a default parameterized remote is another use case to be developed. |
|
gotcha, would you prefer option 2? I’m finding it hard to see a good use case for two passwords |
|
Yes I agree with option 2 |
|
@jpillora option 2 (using ldap should force all "local" passwords to be blank. must be --auth foo if --auth foo:bar then fails to start. similarly with --authfile) is implemented. |
|
Thanks! Hopefully will get some more time soon
…On Wed, 12 Jul 2023 at 12:24 am jdoucerain ***@***.***> wrote:
@jpillora <https://github.com/jpillora> option 2 (using ldap should force
all "local" passwords to be blank. must be --auth foo if --auth foo:bar
then fails to start. similarly with --authfile) is implemented.
—
Reply to this email directly, view it on GitHub
<#369 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAE2X4YXRVOQFGEFJUDMOBTXPVO23ANCNFSM52HPYV4Q>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
3 participants
This PR is to allow LDAP authentication of chisel client.
The chisel server ldap configuration is maintained in a file pointed by the --ldap-config option
The ldap-config file structure is as follow:
BindDN for non anonymous search
BindPassword for non anonymous search
Url ldap server url
BaseDN for search
Filter ldap objects filter
IDMapTo ldap attribute used as id
CA file containing the PEM formatted certificates to trust when connecting to ldap server
Insecure true if we skip the certificates validation
The users are authentication against the ldap server.
The authorization pattern is unchanged (in authfile)
In the auth file we maintain the userid and the remotes. The password is left to an empty string