Same Rate Limit counting is used by two different LDAP users

[ivangfr]

Hi, it's about LDAP Authentication plugin together with Rate Limiting plugin set in a same Route. Rest API calls bellow

curl -i -X POST http://localhost:8001/routes/$PRIVATE_ROUTE_ID/plugins \
  -d "name=ldap-auth" \
  -d "config.hide_credentials=true" \
  -d "config.ldap_host=ldap-host" \
  -d "config.ldap_port=389" \
  -d "config.start_tls=false" \
  -d "config.base_dn=ou=users,dc=mycompany,dc=com" \
  -d "config.verify_ldap_host=false" \
  -d "config.attribute=cn" \
  -d "config.cache_ttl=60" \
  -d "config.header_type=ldap"

curl -i -X POST http://localhost:8001/routes/$PRIVATE_ROUTE_ID/plugins \
  -d "name=rate-limiting"  \
  -d "config.minute=5"

The LDAP Authentication plugin configuration is working fine, authenticating correctly the users. The problem is: the same Rate Limit counting is used by two different LDAP users.

For instance, let's suppose we have two LDAP users, user A and B; and a rate limiting configuration for route R of maximum 5 request in a minute. So, if user A calls R for the 1st time, the rate limit headers returned will be

X-RateLimit-Limit-Minute: 5
X-RateLimit-Remaining-Minute: 4

Then, if user B calls route R (in the same minute), the headers returned are

X-RateLimit-Limit-Minute: 5
X-RateLimit-Remaining-Minute: 3

So, they are sharing the same limits.

According to Rate Limiting plugin documentation (https://docs.konghq.com/hub/kong-inc/rate-limiting/), it says

"Rate limit how many HTTP requests a developer can make in a given period of seconds, minutes, hours, days, months or years. If the underlying Service/Route (or deprecated API entity) has no authentication layer, the Client IP address will be used, otherwise the Consumer will be used if an authentication plugin has been configured."

Is it a correct behaviour? Two or more LDAP users are seeing as a same consumer?

Best regards,

• Kong version (0.14.1 and 1.0.0)

[p0pr0ck5]

Hi @ivangfr,

Are you able to observe the same behavior on Kong 1.0?

[ivangfr]

Hi @p0pr0ck5, I've just updated Kong version to 1.0.0 in my project (https://github.com/ivangfr/springboot-kong), but it has the same behaviour.

[ramzioueslati]

Hi

Try config.limit_by=credential in your rate limiting configuration.

By default it limits by consumer and ldap-auth does not set ngx.ctx.authenticated_consumer though it does set ngx.ctx.authenticated_credential.

HTH,
Ramzi

[ivangfr]

Hi @ramzioueslati ,

Thanks for our suggestion! I changed the rate limiting configuration as you suggested

curl -i -X POST http://localhost:8001/routes/$PRIVATE_ROUTE_ID/plugins \
  -d "name=rate-limiting"  \
  -d "config.limit_by=credential" \
  -d "config.minute=5"

However, I continue facing the same problem.

The configuration of the two plugins set to $PRIVATE_ROUTE_ID, rate-limiting and ldap-auth is shown below

$ curl -i http://localhost:8001/routes/$PRIVATE_ROUTE_ID/plugins

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 976
Content-Type: application/json; charset=utf-8
Date: Mon, 14 Jan 2019 15:58:27 GMT
Server: kong/1.0.0

{
    "data": [
        {
            "config": {
                "day": null,
                "fault_tolerant": true,
                "hide_client_headers": false,
                "hour": null,
                "limit_by": "credential",
                "minute": 5,
                "month": null,
                "policy": "cluster",
                "redis_database": 0,
                "redis_host": null,
                "redis_password": null,
                "redis_port": 6379,
                "redis_timeout": 2000,
                "second": null,
                "year": null
            },
            "consumer": null,
            "created_at": 1547481139,
            "enabled": true,
            "id": "b41b1748-a264-419d-8d0b-43c2a3ca117b",
            "name": "rate-limiting",
            "route": {
                "id": "a31dfaaf-3b32-43f4-947a-a9d9b6a4ad48"
            },
            "run_on": "first",
            "service": null
        },
        {
            "config": {
                "anonymous": null,
                "attribute": "cn",
                "base_dn": "ou=users,dc=mycompany,dc=com",
                "cache_ttl": 60,
                "header_type": "ldap",
                "hide_credentials": true,
                "keepalive": 60000,
                "ldap_host": "ldap-host",
                "ldap_port": 389,
                "start_tls": false,
                "timeout": 10000,
                "verify_ldap_host": false
            },
            "consumer": null,
            "created_at": 1547480691,
            "enabled": true,
            "id": "cd7019f6-8a59-4014-9273-98ae520dd907",
            "name": "ldap-auth",
            "route": {
                "id": "a31dfaaf-3b32-43f4-947a-a9d9b6a4ad48"
            },
            "run_on": "first",
            "service": null
        }
    ],
    "next": null
}

Best regards

[ramzioueslati]

Hi @ivangfr

I don't know the specifics and I haven't tried it myself. I just had a look at the code and found out that ldap-auth (my kong version is 0.12) only sets the authenticated_credential in context when authentication is successful.
Sorry it didn't help.

[ivangfr]

@p0pr0ck5 any news about this issue? Best regards

[bungle]

Oh, I know why it doesn't work. LDAP credential does not have id:
https://github.com/Kong/kong/blob/master/kong/plugins/rate-limiting/handler.lua#L60
OR
https://github.com/Kong/kong/blob/master/kong/plugins/rate-limiting/handler.lua#L64