How to do LDAP authentication in STF #47

Closed
luisxiaomai opened this issue Aug 4, 2015 · 9 comments

@luisxiaomai

Hi,

I know STF provides authentication units for OAuth 2.0, LDAP, mock. When we run stf with this command "stf local", it will use mock implementation which only asks for a name and an email address.

But I want to use true user authentication by LDAP. Suppose that we have an LDAP server like xxxx.xxxx.xxx:222; how do I run STF, and with which command? Please help give some guidance, thanks a lot.

@sorccu
Member

sorccu commented Aug 4, 2015

Hi,

There's a relevant reply in #46, but it's kind of unrelated otherwise so I'll just paste my reply here once more for search purposes:


You can use OAuth 2.0 or LDAP. Some information is available in doc/DEPLOYMENT.md. Note that you're not supposed to run STF with stf local in production, although it can be done. Here's my reply to someone else who asked privately:


As for authentication, what do you currently use? If you trust your developers enough that they're not going to claim to be someone else, you could just use the mock login while you're testing the system. Alternatively, we provide an implementation for LDAP and OAuth 2.0.

Although the processes are meant to be started separately, you COULD use either of those with stf local like this:

stf local --auth-type oauth2 \
  --auth-options '[ 
    "--oauth-authorization-url", "https://sso.company.example.org/as/authorization.oauth2",
    "--oauth-token-url", "https://sso.company.example.org/as/token.oauth2",
    "--oauth-userinfo-url", "https://sso.company.example.org/idp/userinfo.openid",
    "--oauth-client-id", "YOUR_CLIENT_ID",
    "--oauth-client-secret", "YOUR_CLIENT_SECRET",
    "--oauth-callback-url", "https://stf.example.org/auth/oauth/callback",
    "--oauth-scope", "openid email"
  ]'

If that looks a bit weird, it's because it's not really meant to be super convenient - just possible.

You may also need to export NODE_TLS_REJECT_UNAUTHORIZED=0 in case you're using a self-signed cert.

Similarly, you could support LDAP (or possibly ActiveDirectory) with the auth-ldap provider (or --auth-type ldap with stf local). Check stf auth-ldap --help for the available options.

We are planning on improving the documentation over time, however there are still a few bugs we want to fix first.

Also, be sure to read the Troubleshooting section of the README, especially if you're planning on using Intel processors, as you might find out you're only able to support 8-12 devices per machine otherwise!

Hope this gets you going for now.

@luisxiaomai
Author

Thanks for your quick answer. I know this command but am not so familiar with the options which stf auth-ldap provides. Hope you can paste a complete command sample for LDAP.

@sorccu
Member

sorccu commented Aug 4, 2015

See stf auth-ldap --help for the available options. You yourself have to know which options you have to set and to which values.

@luisxiaomai
Author

OK, thanks for your answer, and I will try.

@luisxiaomai
Author

@sorccu

I want to authenticate users in stf against an existing LDAP server. I tried to use this command to launch stf:

stf local --auth-type ldap --auth-options '["--ldap-url","ldap://myldapserver"]'

But it displays the error below after I click the login button on the LDAP login page.

/auth-ldap 55816 [::ffff:127.0.0.1] Unexpected error AssertionError: options.attribute (string) is required
at EqualityFilter (/usr/local/lib/node_modules/stf/node_modules/ldapjs/node_modules/ldap-filter/lib/equality_filter.js:15:12)
at new EqualityFilter (/usr/local/lib/node_modules/stf/node_modules/ldapjs/lib/filters/equality_filter.js:16:26)
at tryFind (/usr/local/lib/node_modules/stf/lib/util/ldaputil.js:55:15)
at /usr/local/lib/node_modules/stf/lib/util/ldaputil.js:108:12
From previous event:
at Object.module.exports.login (/usr/local/lib/node_modules/stf/lib/util/ldaputil.js:107:23)
at /usr/local/lib/node_modules/stf/lib/units/auth/ldap.js:71:29
at processImmediate [as _immediateCallback]
From previous event:
at /usr/local/lib/node_modules/stf/lib/units/auth/ldap.js:70:12
at Layer.handle [as handle_request]
at next (/usr/local/lib/node_modules/stf/node_modules/express/lib/router/route.js:131:13)
at Route.dispatch (/usr/local/lib/node_modules/stf/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request]
at /usr/local/lib/node_modules/stf/node_modules/express/lib/router/index.js:277:22
at Function.process_params (/usr/local/lib/node_modules/stf/node_modules/express/lib/router/index.js:330:12)
at next (/usr/local/lib/node_modules/stf/node_modules/express/lib/router/index.js:271:10)
at /usr/local/lib/node_modules/stf/lib/units/auth/ldap.js:50:5
at Layer.handle [as handle_request]
at trim_prefix (/usr/local/lib/node_modules/stf/node_modules/express/lib/router/index.js:312:13)
at /usr/local/lib/node_modules/stf/node_modules/express/lib/router/index.js:280:7
at Function.process_params (/usr/local/lib/node_modules/stf/node_modules/express/lib/router/index.js:330:12)
at next (/usr/local/lib/node_modules/stf/node_modules/express/lib/router/index.js:271:10)
at /usr/local/lib/node_modules/stf/node_modules/express-validator/lib/express_validator.js:163:5
at Layer.handle [as handle_request]
at trim_prefix (/usr/local/lib/node_modules/stf/node_modules/express/lib/router/index.js:312:13)
at /usr/local/lib/node_modules/stf/node_modules/express/lib/router/index.js:280:7
at Function.process_params (/usr/local/lib/node_modules/stf/node_modules/express/lib/router/index.js:330:12)

@sorccu
Member

sorccu commented Aug 6, 2015

The syntax is correct, but you don't have enough options. You should add at least --ldap-search-dn and --ldap-search-field, and possibly --ldap-search-scope and/or --ldap-search-class if your company is using different values.
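An added example, not STF's own code and not from anyone in this thread, of how the options sorccu names fit together: the login lookup is a search under --ldap-search-dn for an entry whose --ldap-search-field equals the submitted username, ANDed with an objectClass test, which is why the EqualityFilter in the trace above asserts when the search field is absent. The filter shape, the defaults for class and scope, and the option-to-field mapping are assumptions about STF's lib/util/ldaputil.js; the username escaping is what any such search should do with form input before interpolating it.

```javascript
// Added example, not STF's own code: assembles the LDAP user lookup that
// auth-ldap performs from the options named in this thread. The filter
// shape and the defaults below are assumptions about lib/util/ldaputil.js.

// RFC 4515 escaping. The username arrives from the login form, so filter
// metacharacters in it are hex-encoded instead of being interpolated raw.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Equivalent of the EqualityFilter in the stack trace: the attribute is
// the --ldap-search-field value, so a missing field fails here with a
// readable message instead of "options.attribute (string) is required".
function equalityFilter(attribute, value) {
  if (typeof attribute !== 'string' || attribute.length === 0) {
    throw new Error('--ldap-search-field is required (attribute holding the login name)');
  }
  return `(${attribute}=${escapeFilterValue(value)})`;
}

// Search request: base = --ldap-search-dn, filter = class AND field match.
// Defaults for class ('top') and scope ('sub') are assumptions, not STF's.
function buildUserSearch(opts, username) {
  if (typeof opts.searchDn !== 'string' || opts.searchDn.length === 0) {
    throw new Error('--ldap-search-dn is required');
  }
  const scopes = ['base', 'one', 'sub'];          // the three LDAP search scopes
  const scope = opts.searchScope || 'sub';
  if (!scopes.includes(scope)) {                  // catches a filter pasted into --ldap-search-scope
    throw new Error(`--ldap-search-scope must be one of ${scopes.join(', ')}`);
  }
  const filter = '(&' +
    equalityFilter('objectClass', opts.searchClass || 'top') +
    equalityFilter(opts.searchField, username) + ')';
  return { base: opts.searchDn, scope, filter };
}

// Constructed sample using the Active Directory layout MichaelDepner posts
// further down; 'jdoe' stands in for whatever the login form submits.
const sample = buildUserSearch({
  searchDn: 'OU=User Accounts,DC=XXX,DC=com',
  searchField: 'sAMAccountName',
}, 'jdoe');
```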

@sorccu sorccu mentioned this issue Oct 13, 2015
@MichaelDepner

I've been trying to enable LDAP authentication with the auth module service file. I am getting what is probably a mix of syntax and comprehension errors. I do have people I can go to for figuring out what parameters I need for LDAP, but I'll need to make sure I get the syntax right before I waste people's time. Is this the right way to add the variables to the run command in a service file?

ExecStart=/usr/bin/docker run --rm \
  --name %p-%i \
  -e "SECRET=SECRET" \
  -e "NODE_TLS_REJECT_UNAUTHORIZED=0" \
  -p %i:3000 \
  openstf/stf:latest \
  stf auth-ldap --port 3000 \
    -u ldap://XXXauth.XXX.com:389/ \
    -t 0 \
    --ldap-bind-dn "CN=XXX,OU=XXX,OU=XXX,DC=XXX,DC=com" \
    --ldap-bind-credentials "PASSWORD_HERE" \
    --ldap-search-dn "OU=User Accounts,DC=XXX,DC=com" \
    --ldap-search-scope "sAMAccountName={0}" \
    --app-url https://xx.xx.xx.xx/
ExecStop=-/usr/bin/docker stop -t 10 %p-%i

@tadesushilgithub

Hey, I am using STF local. When I run the command below:

stf local --auth-type oauth2 \
  --auth-options '[
    "--oauth-authorization-url", "https://sso.company.example.org/as/authorization.oauth2",
    "--oauth-token-url", "https://sso.company.example.org/as/token.oauth2",
    "--oauth-userinfo-url", "https://sso.company.example.org/idp/userinfo.openid",
    "--oauth-client-id", "12345",
    "--oauth-client-secret", "54321",
    "--oauth-callback-url", "https://stf.example.org/auth/oauth/callback",
    "--oauth-scope", "tadesushil@gmail.com"
  ]'

I am getting the error below:

INF/util:procutil 2199 [] Forking "/usr/local/lib/node_modules/stf/lib/cli.js migrate"
INF/db 2204 [] Connecting to 127.0.0.1:28015
INF/db 2204 [] Unable to connect to 127.0.0.1:28015
FTL/db 2204 [] No hosts left to try
FTL/util:lifecycle 2204 [*] Shutting down due to fatal error
/usr/local/lib/node_modules/stf/node_modules/bluebird/js/main/promise.js:677
        throw e;
        ^
ExitError: Exit code "1"
    at ChildProcess.<anonymous> (/usr/local/lib/node_modules/stf/lib/util/procutil.js:49:23)
    at emitTwo (events.js:100:13)
    at ChildProcess.emit (events.js:185:7)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:200:12)

Am I missing something?

@vbanthia-zz
Member

As you can see in the logs, it says INF/db 2204 [] Unable to connect to 127.0.0.1:28015. It means stf is not able to connect to db. Did you start rethinkdb before running stf?
