pinepain / ldap-auth-proxy Goto Github PK

sorry if this is not the right place to ask for support.

After a successful login, how can a user logout? By "logout" I mean the user will be asked to enter credentials to browse the protected site. One solution is to clear browser cookie, but it's not that user-friendly.

Due to disturbance with travis and that github actions does the job just right, let's move to GH actions.

Unless ldap-auth-proxy used as a proxy, there is always nginx in front of it which should be used with caching, so reconnect may simplify the overall approach and just make auth backend more reliable.

With this in mind, there is no big deal to use persisten LDAP connection by default.

We may want to check that user present in more than one group. While it's not very common case, sometimes during transient period it's really useful.

I'm trying to protect an application wich load many .js files.

Actual behavior
On first app access, I'm requested to authenticate, then I also need to authenticate for each subsequent file load.

Expected behavior
I should authenticate once, and my authentication reused for next files access.

I can see in FF console that the first request ends with http 200, and all next requests by a 401 while there is effectively the right header in all subsequent requests Authorization:"Basic xxxx".

I can see in the responses headers X-Ldapauth-Trace:"Failed to authenticate: LDAP Result Code 200 "Network Error": ldap: response channel closed". They also appear a lot in ldap-auth-proxy logs.

(How can I send you log traces privately?)

When entering username correctly and password wrong, the client browser gets a "500 Internal Server Error" and the logs show:

time="2021-01-28T01:11:03Z" level=warning msg="Failed to authenticate: LDAP Result Code 49 \"Invalid Credentials\": 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 775, v2580\x00" time="2021-01-28T01:11:03Z" level=debug msg="<<< GET /auth 401"

Shouldn't the client be getting a 401 instead of a 500?

Other login failures where the username is wrong give the client a 401:

time="2021-01-28T00:59:49Z" level=warning msg="Failed to authenticate: User does not exist" time="2021-01-28T00:59:49Z" level=debug msg="<<< GET /auth 401"

I've just installed ldap-auth-proxy in proxy mode, during my tests I've found that while authenticating, if I just give the login without entering a password, the authentication is validated :(

Am I missing something?

Hello, all is in the title ...! Does a env variable exist for that ?

I feel it would help, if the various environment variables which can be set to configure the tool, were better documented in the readme.

Hi there ,

Like some other user , i would like to use your project to forward auth to LDAP server from Traefik .

There is STILL few LDAP server without TLS in my environement (I know..... it's a bit dirty)

When i tried to connect to this kind of server , i got "Failed to connect: LDAP Result Code 1 "Operations Error": ldap: cannot StartTLS (00000000: LdapErr: DSID-0C090E6B, comment: TLS or SSL already in effect, data 0, v1db1\x00)"

Can you please,give me some Tips ? Is it possible ? Do you have some special env ?

Thanks !

For troubleshooting purpose it would be nice to see in response what really went wrong

Does setting favicon content as bas64 string looks ok or it's too weird?