Added X-Forwarded-Role header

Author: g0dsCookie

Dockerfile

@@ -24,18 +24,15 @@ ENV LDAPAUTHD_LOGLEVEL=INFO \
     LDAPAUTHD_IP=0.0.0.0 \
     LDAPAUTHD_PORT=80 \
     LDAPAUTHD_REALM=Authorization\ required \
-    LDAP_LOGLEVEL=BASIC \
-    LDAP_ATTRIBUTES='{"cn": "X-Forwarded-FullName", "mail": "X-Forwarded-Email", "sAMAccountName": "X-Forwarded-User"}' \
-    LDAP_ALLOWEDUSERS= \
-    LDAP_ALLOWEDGROUPS= \
+    LDAP_LOGLEVEL=ERROR \
     LDAP_BASEDN=ou=Company,dc=example,dc=org \
     LDAP_BINDDN=cn=bind user,dc=example,dc=org \
     LDAP_BINDPW=password \
-    LDAP_BACKENDS=dc01 \
-    LDAP_DC01_HOST=dc01.example.org \
-    LDAP_DC01_PORT=636 \
-    LDAP_DC01_SSL=True \
-    LDAP_DC01_SSL_VALIDATE=True
+    LDAP_ATTRIBUTES='{"cn": "X-Forwarded-FullName", "mail": "X-Forwarded-Email", "sAMAccountName": "X-Forwarded-User"}' \
+    LDAP_ALLOWEDUSERS= \
+    LDAP_ALLOWEDGROUPS= \
+    LDAP_ROLEHEADER=X-Forwarded-Role \
+    LDAP_BACKENDS=
 
 EXPOSE 80
 

README.md

@@ -3,21 +3,58 @@
 This is a simple HTTP server which allows you to authenticate against ldap with a HTTP GET request. This daemon is designed to run behind a reverse proxy (haproxy, nginx, apache2, ...).
 
 - [ldapauthd](#ldapauthd)
-  - [Usage](#usage)
-    - [Installation](#installation)
-      - [Local](#local)
-      - [Docker](#docker)
-    - [Configuration](#configuration)
-      - [Curl example](#curl-example)
+- [Usage](#usage)
+  - [Examples](#examples)
+    - [Curl](#curl)
+    - [Traefik](#traefik)
+- [Installation](#installation)
+  - [Local](#local)
+  - [Docker](#docker)
+- [Configuration](#configuration)
+  - [Examples](#examples-1)
+    - [LDAP_ALLOWEDUSERS](#ldapallowedusers)
+    - [LDAP_ALLOWEDGROUPS](#ldapallowedgroups)
 - [Special Thanks](#special-thanks)
 
-## Usage
+# Usage
 
 To authenticate against this daemon you only need to fire a GET request with base64 encoded **Authentication** HTTP header.
 
-### Installation
+## Examples
 
-#### Local
+### Curl
+
+`$ curl -v --user 'username:password' localhost`
+
+### Traefik
+
+```yaml
+version: "3.7"
+services:
+  traefik:
+    image: traefik
+    network:
+      - internal
+    [...]
+  auth:
+    image: g0dscookie/ldapauthd
+    network:
+      - internal
+    [...]
+  backend:
+    image: mybackend
+    network:
+      - internal
+    deploy:
+      labels:
+        traefik.enable: "true"
+        traefik.frontend.auth.forward.address: "http://auth"
+        traefik.frontend.auth.forward.authResponseHeaders: "X-Forwarded-FullName,X-Forwarded-User,X-Forwarded-Email,X-Forwarded-Role"
+```
+
+# Installation
+
+## Local
 
 ```sh
 git clone https://github.com/g0dsCookie/ldapauthd.git
@@ -27,11 +64,11 @@ pip install -r requirements.txt
 
 Now you may run with `./ldapauthd.py` but I highly recommend reading [Configuration](#configuration).
 
-#### Docker
+## Docker
 
 Docker image **g0dscookie/ldapauthd** is available. See **docker-compose.yml** for configuration and usage of this container.
 
-### Configuration
+# Configuration
 
 Configuration for this daemon is read from the current environment. Available configuration parameters are:
 
@@ -43,10 +80,11 @@ Configuration for this daemon is read from the current environment. Available co
 | LDAPAUTHD_IP                | IP address the daemon should listen on.          | 0.0.0.0                |
 | LDAPAUTHD_PORT              | Port the daemon should listen on.                | 80                     |
 | LDAPAUTHD_REALM             | String to set in WWW-Authenticate                | Authorization required |
-| LDAP_LOGLEVEL               | https://ldap3.readthedocs.io/logging.html#logging-detail-level | BASIC    |
+| LDAP_LOGLEVEL               | https://ldap3.readthedocs.io/logging.html#logging-detail-level | ERROR    |
 | LDAP_ATTRIBUTES             | Attributes to get from ldap and report to client | {"cn": "X-Forwarded-FullName", "mail": "X-Forwarded-Email", "sAMAccountName": "X-Forwarded-User"} |
-| LDAP_ALLOWEDUSERS           | Allow specific users. Others will be denied      |                        |
-| LDAP_ALLOWEDGROUPS          | Allow specific groups. Others will be denied     |                        |
+| LDAP_ALLOWEDUSERS           | Allow specific users. Will be matched with given username |               |
+| LDAP_ALLOWEDGROUPS          | Allow specific groups. Will be matched with full group dn |               |
+| LDAP_ROLEHEADER             | The header name where the associated role should be stored   |               |
 | LDAP_BASEDN                 | Base DN every search request will be based on.   |                        |
 | LDAP_BINDDN                 | Bind user to use for querying your ldap server.  |                        |
 | LDAP_BINDPW                 | Bind users password.                             |                        |
@@ -56,9 +94,25 @@ Configuration for this daemon is read from the current environment. Available co
 | LDAP_\<NAME\>_SSL           | Use SSL for ldap connection.                     | True                   |
 | LDAP_\<NAME\>_SSL_VALIDATE  | Verify remote SSL certificate.                   | True                   |
 
-#### Curl example
+## Examples
 
-`$ curl -v --user 'username:password' localhost`
+### LDAP_ALLOWEDUSERS
+
+Used to allow specific users and assign specific roles to them. Always overwrites **LDAP_ALLOWEDGROUPS**.
+
+Users are matched case-insensitive.
+
+`LDAP_ALLOWEDUSERS={"username": "admin", "foobar": "nobody"}`
+
+### LDAP_ALLOWEDGROUPS
+
+Used to allow groups and assign appropriate role to the user. May be overwritten by **LDAP_ALLOWEDUSERS**.
+
+First matched group will be used to allow access and assign the role.
+
+Groups are matched case-insensitive.
+
+`LDAP_ALLOWEDGROUPS={"cn=admins,dc=example,dc=org": "admin", "cn=domain users,dc=example,dc=org": "users"}`
 
 # Special Thanks
 

docker-compose.yml

@@ -17,10 +17,16 @@ services:
       #- LDAPAUTHD_PORT=80
       # String to set in WWW-Authenticate
       #- LDAPAUTHD_REALM=Authorization required
-      # Response HTTP-Header for full username.
-      #- LDAPAUTHD_FORWARD_USER=X-Forwarded-User
-      # Response HTTP-Header for email.
-      #- LDAPAUTHD_FORWARD_EMAIL=X-Forwarded-Email
+      # https://ldap3.readthedocs.io/logging.html#logging-detail-level
+      #- LDAP_LOGLEVEL=ERROR
+      # Attributes to get from ldap and report to client
+      #- LDAP_ATTRIBUTES
+      # Allow specific users. Will be matched with given username
+      #- LDAP_ALLOWEDUSERS
+      # Allow specific groups. Will be matched with full group dn
+      #- LDAP_ALLOWEDGROUPS
+      # The header name where the associated role should be stored
+      #- LDAP_ROLEHEADER
       # Base DN every search request will be based on.
       #- LDAP_BASEDN=ou=Company,dc=example,dc=org
       # Bind user to use for querying your ldap server.

ldapauthd.py

@@ -52,11 +52,16 @@ def check_auth(username, passwd):
     cfg = config["ldap"]
     allowusers = cfg["allowedUsers"]
     allowgroups = cfg["allowedGroups"]
+    attributes = {}
+    allowed = not bool(allowusers or allowgroups)
 
-    if allowusers and username.lower() not in allowusers:
-        # we don't need to ask ldap if the user will be rejected anyway
-        log.debug("User %s not in allowed users [%s]", username, ", ".join(allowusers))
-        return False
+    if not allowed and allowusers:
+        username_lower = username.lower()
+        log.debug("Checking if user %s is explicitly allowed...", username)
+        if username_lower in allowusers:
+            attributes[cfg["roleHeader"]] = allowusers[username_lower]
+            log.debug("User %s is explicitly allowed, Role %s will be assigned", username, allowusers[username_lower])
+            allowed = True
 
     # fetch user info
     with ldap3.Connection(cfg["backends"], user=cfg["binddn"], password=cfg["bindpw"]) as conn:
@@ -72,11 +77,17 @@ def check_auth(username, passwd):
             return False
         user = conn.entries[0]
 
-    if allowgroups and not in_group(allowgroups, user.memberOf):
-        # we don't need to authenticate the user if the user is not
-        # a member of one of the groups
-        log.debug("User %s is not member of any group from [%s]",
-                  user.entry_dn, ", ".join(allowgroups))
+    if not allowed and allowgroups:
+        log.debug("Checking if user %s is allowed by group...", username)
+        for user_group in [x.lower() for x in user.memberOf]:
+            if user_group in allowgroups:
+                attributes[cfg["roleHeader"]] = allowgroups[user_group]
+                log.debug("User %s is allowed, Role %s will be assigned", username, allowgroups[user_group])
+                allowed = True
+                break
+
+    if not allowed:
+        log.debug("User %s is not member of any allowed group and not explicitly allowed.", user.entry_dn)
         return False
 
     # check users password
@@ -85,10 +96,10 @@ def check_auth(username, passwd):
             log.debug("Could not bind to ldap with user %s: %s | %s",
                       user.entry_dn, conn.result["description"], conn.result["message"])
             return False
-
-    attributes = {}
+    
     for attr_name, header_name in cfg["attributes"].items():
         attributes[header_name] = user[attr_name]
+
     # Return user informations for latter use
     return attributes
 
@@ -152,30 +163,13 @@ def load_backend_config(name):
 
 def get_ldap_srv(backend_cfg):
     if backend_cfg["ssl"]:
-
         tls = ldap3.Tls(validate=ssl.CERT_REQUIRED if backend_cfg["ssl_validate"] else ssl.CERT_NONE,
                         version=ssl.PROTOCOL_TLSv1)
         return ldap3.Server(host=backend_cfg["host"], port=backend_cfg["port"], use_ssl=True, tls=tls, get_info=False)
     else:
         return ldap3.Server(host=backend_cfg["host"], port=backend_cfg["port"], use_ssl=False, get_info=False)
 
 
-def populate_groups():
-    cfg = config["ldap"]
-    if not cfg["allowedGroups"]:
-        log.debug("No groups to lookup")
-        return
-
-    groups = []
-    for group_name in cfg["allowedGroups"]:
-        with ldap3.Connection(cfg["backends"], user=cfg["binddn"], password=cfg["bindpw"]) as conn:
-            if not conn.search(cfg["basedn"], "(&(objectClass=group)(cn=%s))" % group_name, search_scope=ldap3.SUBTREE) or len(conn.entries) == 0:
-                log.error("Could not find group %s", group_name)
-                continue
-            groups.append(conn.entries[0].entry_dn)
-    log.debug("Found groups [%s]", " | ".join(groups))
-    cfg["allowedGroups"] = groups
-
 ldap3_level_to_detail = {
     "OFF": ldap3.utils.log.OFF,
     "ERROR": ldap3.utils.log.ERROR,
@@ -185,12 +179,26 @@ def populate_groups():
     "EXTENDED": ldap3.utils.log.EXTENDED,
 }
 
+
 def ldap3_level_name_to_detail(level_name):
     if level_name in ldap3_level_to_detail:
         return ldap3_level_to_detail[level_name]
     raise ValueError("unknown detail level")
 
 
+def load_json_env(name, env_default=None, default=None):
+    try:
+        data = os.getenv(name, env_default)
+        return json.loads(data) if data else default
+    except json.decoder.JSONDecodeError as err:
+        log.error("Failed to load %s: %s", name, err)
+        sys.exit(2)
+
+
+def to_lower_dict(data):
+    return {k.lower():v for k, v in data.items()} if data else data
+
+
 def read_env():
     global config
     config = {
@@ -203,14 +211,17 @@ def read_env():
             "realm": os.getenv("LDAPAUTHD_REALM", "Authorization required"),
         },
         "ldap": {
-            "loglevel": os.getenv("LDAP_LOGLEVEL", "BASIC"),
+            "loglevel": os.getenv("LDAP_LOGLEVEL", "ERROR"),
             "backends": ldap3.ServerPool(None, ldap3.ROUND_ROBIN, active=True, exhaust=False),
-            "allowedUsers": os.getenv("LDAP_ALLOWEDUSERS", "").lower().split(","),
-            "allowedGroups": os.getenv("LDAP_ALLOWEDGROUPS", "").split(","),
+            "allowedUsers": to_lower_dict(load_json_env("LDAP_ALLOWEDUSERS")),
+            "allowedGroups": to_lower_dict(load_json_env("LDAP_ALLOWEDGROUPS")),
             "basedn": os.getenv("LDAP_BASEDN"),
             "binddn": os.getenv("LDAP_BINDDN"),
             "bindpw": os.getenv("LDAP_BINDPW"),
-            "attributes": {},
+            "attributes": load_json_env("LDAP_ATTRIBUTES",
+                                        env_default='{"cn": "X-Forwarded-FullName", "mail": "X-Forwarded-Email", "sAMAccountName": "X-Forwarded-User"}',
+                                        default={}),
+            "roleHeader": os.getenv("LDAP_ROLEHEADER", "X-Forwarded-Role"),
         }
     }
     log.setLevel(config["ldapauthd"]["loglevel"])
@@ -221,33 +232,24 @@ def read_env():
         log.error("Invalid loglevel for LDAP_LOGLEVEL: %s. Possible values are %s", config["ldap"]["loglevel"], ", ".join(ldap3_level_to_detail.keys()))
         sys.exit(2)
 
-    try:
-        data = os.getenv("LDAP_ATTRIBUTES", '{"cn": "X-Forwarded-FullName", "mail": "X-Forwarded-Email", "sAMAccountName": "X-Forwarded-User"}')
-        config["ldap"]["attributes"] = json.loads(data) if data else {}
-    except json.decoder.JSONDecodeError as err:
-        log.error("Failed to load LDAP_ATTRIBUTES: %s", err)
-        sys.exit(2)
-
     for key, item in {"basedn": "LDAP_BASEDN",
                       "binddn": "LDAP_BINDDN",
                       "bindpw": "LDAP_BINDPW"}.items():
         if key not in config["ldap"] or not config["ldap"][key]:
             log.error("%s not defined.", item)
             sys.exit(2)
 
-    if len(config["ldap"]["allowedUsers"]) == 1 and not config["ldap"]["allowedUsers"][0]:
-        config["ldap"]["allowedUsers"] = None
-    if len(config["ldap"]["allowedGroups"]) == 1 and not config["ldap"]["allowedGroups"][0]:
-        config["ldap"]["allowedGroups"] = None
-
     backends = os.getenv("LDAP_BACKENDS", "").split(",")
     if len(backends) > 1:
         config["ldap"]["backends"] = ldap3.ServerPool([get_ldap_srv(load_backend_config(x)) for x in backends],
                                                       ldap3.ROUND_ROBIN, active=True, exhaust=False)
     else:
         config["ldap"]["backends"] = get_ldap_srv(load_backend_config(backends[0]))
 
-    populate_groups()    
+    if config["ldap"]["allowedUsers"]:
+        log.debug("Users explicitly allowed to authenticate: %s", ", ".join(config["ldap"]["allowedUsers"].keys()))
+    if config["ldap"]["allowedGroups"]:
+        log.debug("Groups allowed to authenticate: %s", ", ".join(config["ldap"]["allowedGroups"].keys()))
 
 
 if __name__ == "__main__":