
Trying to authenticate API calls with LDAP #292


Closed
EdOro126 opened this issue Oct 27, 2023 · 3 comments
Labels: api key auth, ldap, question (Further information is requested)

EdOro126 commented Oct 27, 2023

Hi, I have a setup that is using LDAP to authenticate users attempting to access a site that hosts API calls; this is working.

```
authorization policy mypolicy {
    set auth url https://example.com/auth
    allow roles authp/admin authp/user
    crypto key verify {env.JWT_SHARED_KEY}
}
```

I am also trying to use the `with basic auth` directive against specific API endpoints to require user authentication to restrict any API calls on those endpoints, though it does not seem to want to work when I have it check against the LDAP realm.

```
authorization policy myApiPolicy {
    with basic auth portal myportal realm ldap-realm
    allow roles authp/admin authp/user
    crypto key verify {env.JWT_SHARED_KEY}
}
```

I can see that the syntax is

```
with basic auth portal <PORTAL_NAME> realm <REALM_NAME>
```

Is it fair to assume that we should be able to use any realm for REALM_NAME, regardless of identity store, or does it have to be one that resolves to a local backend?

To help clarify, when I do a REST API call, using LDAP credentials, I receive the following:
{"level":"warn","ts":1698414427.114379,"logger":"security","msg":"user authentication failed","source_address":"10.141.0.110","custom_auth":"basicauth","realm":"local","error":"local backed authentication failed: user authentication failed: user not found"}

I also tried changing the portal to one that does not have a local identity store included and I get the following error:
{"level":"warn","ts":1698414617.9613304,"logger":"security","msg":"realm backend not found","source_address":"10.141.0.110","custom_auth":"basicauth","realm":"local"}
{"level":"debug","ts":1698414617.9613986,"logger":"security","msg":"token validation error","session_id":"ax0chgucutKE5JL75jNRgAblbPMb0LdEa0ArS","request_id":"51ef5cb8-d0ba-4d53-8947-45b9959138bc","error":"basic authentication via authproxy failed"}

EdOro126 changed the title from "Trying to authenticate LDAP with Basic Auth" to "Trying to authenticate API calls with LDAP" on Oct 27, 2023
@stereocarnyx

Hey @EdOro126

If I'm reading your message correctly it looks like I have a very similar issue with the basic auth credentials validation via LDAP backend.

Here's the link to my issue opened: #291

Does that look similar for you as well?

EdOro126 (Author) commented Nov 1, 2023

Hi @stereocarnyx,

It looks like a similar issue. I essentially want to know if I'm reading the syntax correctly or if the feature in question is not working as expected.

greenpau added the question, ldap and api key auth labels and removed the need triage and breakfix labels on Dec 2, 2023
greenpau (Owner) commented Dec 2, 2023

@EdOro126, @stereocarnyx, this API key auth is not available with LDAP, because LDAP does not have the authentication material. Currently, this functionality is not available.

@greenpau greenpau closed this as completed Dec 2, 2023
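
The warnings quoted in the issue report `"realm":"local"` even though the policy names `ldap-realm`. As an added example (not code from the thread or from the project), the Python below filters Caddy JSON logs for basic auth events from the `security` logger and counts those evaluated against a realm other than the configured one. The function names are assumptions, the first two log lines are copied from the issue, and the last two are constructed.

```python
import json
from collections import Counter

# First two lines are copied from the issue; the last two are constructed
# (an unrelated logger entry and a malformed line) to exercise the filters.
SAMPLE_LOG = r'''
{"level":"warn","ts":1698414427.114379,"logger":"security","msg":"user authentication failed","source_address":"10.141.0.110","custom_auth":"basicauth","realm":"local","error":"local backed authentication failed: user authentication failed: user not found"}
{"level":"warn","ts":1698414617.9613304,"logger":"security","msg":"realm backend not found","source_address":"10.141.0.110","custom_auth":"basicauth","realm":"local"}
{"level":"info","ts":1698414618.0,"logger":"http.log.access","msg":"handled request","status":401}
this line is not JSON and must be skipped
'''


def basic_auth_events(log_text):
    """Yield security-logger entries that came from the basic auth path."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in a mixed log
        if not isinstance(entry, dict):
            continue
        if entry.get("logger") == "security" and entry.get("custom_auth") == "basicauth":
            yield entry


def realm_mismatches(log_text, configured_realm):
    """Count basic auth events whose logged realm differs from the configured one.

    Keys are (logged_realm, msg) so that distinct failure modes stay separate.
    """
    hits = Counter()
    for entry in basic_auth_events(log_text):
        realm = entry.get("realm")
        if realm != configured_realm:
            hits[(realm, entry.get("msg"))] += 1
    return hits


if __name__ == "__main__":
    # "ldap-realm" is the realm named in myApiPolicy in the issue.
    for (realm, msg), count in realm_mismatches(SAMPLE_LOG, "ldap-realm").items():
        print(f"{count}x evaluated against realm={realm!r}: {msg}")
```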