Thank you for this awesome project. Unfortunately, I am having some issues getting it to run with an LDAP backend:
Describe the issue
An attempt to log in over Caddy Security with an LDAP backend consisting of glauth-ui for management and glauth (https://github.com/glauth/glauth) as the LDAP provider fails with the right credentials. The credentials were successfully used by other means of connecting to glauth.
Configuration
Paste full Caddyfile below:
(Domain names and unrelated services cut out)
{
  acme_ca https://acme-v02.api.letsencrypt.org/directory
  email [...]
  debug
  security {
    authentication portal myportal {
      crypto default token lifetime 3600
      crypto key sign-verify [...]
      backends {
        ldap_backend {
          method ldap
          realm [...]
          servers {
            ldap://login_system_glauth_1:389 ignore_cert_errors posix_groups
          }
          attributes {
            name givenname
            surname sn
            username name
            #member_of primarygroup #memberOf
            email mail
          }
          username "CN=[...],DC=[...],DC=[...],OU=[...]"
          password "[...]"
          search_base_dn "DC=[...],DC=[...],OU=[...]"
          search_filter "(|(name=%s)(mail=%s))"
          groups {
            "CN=people,OU=[...],DC=[...],DC=[...]" people
            "CN=5501,OU=[...],DC=[...],DC=[...]" people2
          }
        }
      }
      cookie domain [...]
      ui {
        links {
          "My Website (super secret)" [...]/foo
          "My Identity" "/whoami"
        }
      }
    }
    authorization policy mypolicy {
      set auth url /auth/
      crypto key sign-verify [...]
      allow roles people people2
    }
  }
}

[...]:443/* {
  #Protected super secret part of website
  redir /foo /foo/
  handle_path /foo/* {
    route {
      authorize with mypolicy
    }
    respond * "foobar website" 200
  }
  handle {
    route /auth* {
      authenticate * with myportal
    }
    #unprotected landing page
    reverse_proxy nginx:80
  }
}
Version Information
Provide output of caddy list-modules -versions | grep git below:
Caddy version is v2.4.6, running in Docker. The above command yields no results with grep git. Without it, it looks like this:
[...]
Standard modules: 83
http.authentication.providers.authorizer v1.0.6
http.handlers.authenticator v1.0.6
security v1.0.6
Non-standard modules: 3
Unknown modules: 0
Expected behavior
A successful login
Additional context
Caddy logs:
[Note: User entry follows]
caddy_1 | {"level":"debug","ts":1643228260.8880885,"logger":"security","msg":"LDAP dialer setup succeeded","server":"ldap://login_system_glauth_1:389"}
caddy_1 | {"level":"debug","ts":1643228260.8909764,"logger":"security","msg":"LDAP binding succeeded","server":"ldap://login_system_glauth_1:389"}
caddy_1 | {"level":"debug","ts":1643228260.8923666,"logger":"security","msg":"LDAP search succeeded","server":"ldap://login_system_glauth_1:389","entry_count":0,"search_base_dn":"DC=[...],DC=DE,OU=[...]","search_user_filter":"(|(name=[foo])(mail=[foo]))","users":[]}
caddy_1 | {"level":"debug","ts":1643228260.9456468,"logger":"security","msg":"user authorization sandbox","sandbox_id":"AGrfuqfC377A6TzZYt6mYPFlKR9gK3YF8b93QH11stXLMh","sandbox_secret":"Edtvxjl3AIukviHXjEjstxPimZRzFRgEdQgjKUPU","sandbox_partition":"","checkpoints":[{"name":"Authenticate with password","type":"password"}]}
caddy_1 | {"level":"debug","ts":1643228260.9464517,"logger":"security","msg":"next user authorization checkpoint","session_id":"pAJ0OR8hQL5NuWH0638JbOpq7JozxxTp6zfjm7","request_id":"5ce045e3-cdb6-4c07-8940-a615318dca25","data":{"action":"auth","title":"Password Authentication","view":"password_auth"}}
[Note: Password entry]
caddy_1 | {"level":"debug","ts":1643228269.0140665,"logger":"security","msg":"user authorization sandbox","sandbox_id":"AGrfuqfC377A6TzZYt6mYPFlKR9gK3YF8b93QH11stXLMh","sandbox_secret":"Edtvxjl3AIukviHXjEjstxPimZRzFRgEdQgjKUPU","sandbox_partition":"password-auth","checkpoints":[{"name":"Authenticate with password","type":"password"}]}
caddy_1 | {"level":"debug","ts":1643228269.0155284,"logger":"security","msg":"LDAP dialer setup succeeded","server":"ldap://login_system_glauth_1:389"}
caddy_1 | {"level":"debug","ts":1643228269.01613,"logger":"security","msg":"LDAP binding succeeded","server":"ldap://login_system_glauth_1:389"}
caddy_1 | {"level":"warn","ts":1643228269.0173078,"logger":"security","msg":"user authorization checkpoint failed","session_id":"pAJ0OR8hQL5NuWH0638JbOpq7JozxxTp6zfjm7","request_id":"3a4848b6-9f80-47c5-bca7-e8bab3a71cf2","error":"Password authentication failed. Please retry"}
Structure of glauth users:
name = "fbar"
givenname = "foo"
sn = "bar"
mail = "[email protected]"
unixid = 5003
primarygroup = 5501
passsha256 = "foofoobarbar"
otherGroups = [ 5551 ]
glauth output:
glauth_1 | 19:45:40.200821 Bind ▶ DEBU 025 "level"=6 "msg"="Bind request" "basedn"="dc=[...],dc=de,ou=[...]" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38570,"Zone":""}
glauth_1 | 19:45:40.201705 Bind ▶ DEBU 026 "level"=6 "msg"="Bind success" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38570,"Zone":""}
glauth_1 | 19:45:40.202217 Search ▶ DEBU 027 "level"=6 "msg"="Search request" "basedn"="dc=[...],dc=de,ou=[...]" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "filter"="(|(name=[foo])(mail=[foo]))" "scope"=2 "searchbasedn"="dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38570,"Zone":""}
glauth_1 | 19:45:40.203287 Search ▶ DEBU 028 "level"=6 "msg"="AP: Search OK" "filter"="(|(name=[foo])(mail=[foo]))"
glauth_1 | 19:45:44.544377 Bind ▶ DEBU 029 "level"=6 "msg"="Bind request" "basedn"="dc=[...],dc=de,ou=[...]" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38572,"Zone":""}
glauth_1 | 19:45:44.544462 Bind ▶ DEBU 02a "level"=6 "msg"="Bind success" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38572,"Zone":""}
glauth_1 | 19:45:44.544891 Search ▶ DEBU 02b "level"=6 "msg"="Search request" "basedn"="dc=[...],dc=de,ou=[...]" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "filter"="(|(name=nobody)(mail=nobody))" "scope"=2 "searchbasedn"="dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38572,"Zone":""}
glauth_1 | 19:45:44.545011 Search ▶ DEBU 02c "level"=6 "msg"="AP: Search OK" "filter"="(|(name=nobody)(mail=nobody))"
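As an added triage aid (not part of this issue or of caddy-security), the Python snippet below parses compose-prefixed Caddy security debug lines like the ones above and separates a user search that matched no entry (entry_count 0, as the Caddy log in this report shows) from a rejected password bind. The log lines, server name and DNs it embeds are constructed placeholders.

```python
import json
import re
from typing import Dict, List

# Constructed sample, modelled on the Caddy debug lines in this issue: a
# docker-compose "caddy_1 | " prefix followed by one JSON record per line.
# Server, DN and session values are placeholders, not taken from a live system.
SAMPLE_LOG = """\
caddy_1 | {"level":"debug","ts":1.0,"logger":"security","msg":"LDAP binding succeeded","server":"ldap://glauth:389"}
caddy_1 | {"level":"debug","ts":2.0,"logger":"security","msg":"LDAP search succeeded","server":"ldap://glauth:389","entry_count":0,"search_base_dn":"DC=example,DC=de,OU=users","search_user_filter":"(|(name=fbar)(mail=fbar))","users":[]}
caddy_1 | {"level":"debug","ts":3.0,"logger":"security","msg":"next user authorization checkpoint","session_id":"S1","data":{"action":"auth","view":"password_auth"}}
caddy_1 | {"level":"warn","ts":4.0,"logger":"security","msg":"user authorization checkpoint failed","session_id":"S1","error":"Password authentication failed. Please retry"}
"""

PREFIX = re.compile(r"^[\w.-]+\s*\|\s*")  # the compose service prefix, if present

def parse_caddy_log(text: str) -> List[Dict]:
    """Return the JSON records in a compose-style Caddy log; non-JSON lines are skipped."""
    records = []
    for line in text.splitlines():
        body = PREFIX.sub("", line, count=1).strip()
        if not body.startswith("{"):
            continue
        try:
            records.append(json.loads(body))
        except json.JSONDecodeError:
            continue
    return records

def triage_ldap_login(records: List[Dict]) -> Dict[str, object]:
    """Tell "the search matched no user entry" apart from "the user's bind was rejected".
    A zero-entry search means the search_filter/search_base_dn pair matched nothing,
    which is worth checking before suspecting the password itself."""
    empty_searches = [
        {"filter": r.get("search_user_filter"), "base_dn": r.get("search_base_dn")}
        for r in records
        if r.get("msg") == "LDAP search succeeded" and r.get("entry_count") == 0
    ]
    errors = [r["error"] for r in records
              if r.get("msg") == "user authorization checkpoint failed" and "error" in r]
    if errors and empty_searches:
        verdict = "user-not-found"
    elif errors:
        verdict = "password-rejected"
    else:
        verdict = "ok"
    return {"verdict": verdict, "empty_searches": empty_searches, "errors": errors}

if __name__ == "__main__":
    print(json.dumps(triage_ldap_login(parse_caddy_log(SAMPLE_LOG)), indent=2))
```

Feed it the real docker-compose output instead of SAMPLE_LOG to see which filter and base DN produced the empty result.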