feat(authentication): add LDAP authentication support #1093
Conversation
You can test this feature using the image
Will test that this week
I started my preexisting portainer container with the image portainer/portainer:pr1093. Within the user management, the password fields were missing and I could not see any options for ldap.
When LDAP is enabled, Portainer will automatically hide password management. So that would mean that LDAP is already enabled on your instance.
It seems I must have been blind (or too tired). I was looking at Settings but must have overlooked the Authentication menu item. I was not able to get it working like I did with other applications. This is my home lab, which is using a Microsoft Active Directory running on a Windows Server 2012R2. I have been able to configure the connection using other tools like Jenkins; all certificates are issued by my own PKI and are working fine. LDAP has been tested on 389+3268 (plain+STARTTLS) and 636+3269 (SSL) using LDAP Admin.
This may be due to the missing User search configurations.
I assume that this tls is only used for client authentication?
Setting the protocol explicitly to ldaps:// within the LDAP URL is not supported either.
@DimeOne thanks for the feedback !
There was an issue that was fixed this morning where the User search configurations would not appear when using previous Portainer data (you can pull again There
I was not able to test the TLS connection, indeed all 3 TLS fields are mandatory so I'm pretty sure it won't work without the TLS trio.
You don't need to specify the protocol in the URL field. You can ping me on Slack for more reactive support / communication.
After pulling the latest pr1093 I was able to get LDAP login to work (without TLS/SSL). For AD I used the following user search configurations: I had to add the users manually, but then I was able to log in with said users. If you could give me a reference to the documentation of the library you used for LDAP, I may take a look at encryption. P.S.: Great product, keep up the good work :) 👍
@DimeOne nice to hear that ! I used the following library for the implementation: https://github.com/go-ldap/ldap (godoc available at https://godoc.org/gopkg.in/ldap.v2) I've specifically used https://godoc.org/gopkg.in/ldap.v2#DialTLS to establish a TLS connection, this is using a See the The
Within the documentation there is a StartTLS section with a basic example that skips certificate verification; more secure options would include a certificate chain and the server name within the config: https://godoc.org/crypto/tls#Config `err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})` The changes I would make:
That should allow using LDAP with encryption and validation with TLS and StartTLS. I'm not familiar with Go and could provide a patch for that, but I'd be happy to give feedback and test it at home and at work :)
Sweet, let me make some changes and I'll ping you to give it a try :-)
@DimeOne would you be able to join me on Slack as I've got multiple questions ? https://portainer.io/slack/
Never used Slack before, I'll figure it out in a few minutes
Thanks everyone for your feedback on this ! @DimeOne Now that it's merged into develop, do you mind testing the TLS settings again ? (I did some cleanup and want to be sure I did not break anything). You should be able to use
Does this work now with Windows containers? |
@artisticcheese our unstable build is not available as a Windows container yet (only a linux amd64 build). Though it will be released this week !
I get the following after setup of ldap. Is there a limit on the # of users portainer can handle on its side? I'll dig in a bit more when I have time. `{"err":"User not found or too many entries returned"}`
Everything seems to work if I restrict the results to just a single user via the filter option in the "User search configurations". `(uid=%s)` <--- doesn't work
@beenanner if you want to use
No there is not.
This error is raised when the LDAP search query returned either 0 results or more than 1 (probably due to incorrect search settings). |
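Two points from this thread are worth seeing in code: the certificate-validating `tls.Config` that DimeOne suggests in place of `InsecureSkipVerify: true` (usable with both `ldap.DialTLS` for ldaps on 636/3269 and `conn.StartTLS` on 389/3268 in go-ldap), and the "exactly one entry" rule behind the `User not found or too many entries returned` error. The block below is an added, stand-alone Go example written for this page; it is not Portainer's code and uses only the standard library. The CA certificate is generated at runtime purely so the example runs offline (an operator would load their own PKI root from a file), the host name `dc01.lab.example` and the DNs are constructed sample values, and the `%s` placeholder handling and the RFC 4515 escaping of the username are my additions, not a description of how Portainer builds its filter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newLDAPTLSConfig builds a tls.Config that validates the directory server's
// certificate chain against a private CA and checks the host name, instead of
// InsecureSkipVerify: true. The same config can be passed to ldap.DialTLS
// (ldaps) or to conn.StartTLS (plain port upgraded with STARTTLS) in go-ldap.
func newLDAPTLSConfig(caPEM []byte, serverName string) (*tls.Config, error) {
	if serverName == "" {
		return nil, errors.New("serverName is required for host name verification")
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificates found in PEM input")
	}
	return &tls.Config{
		RootCAs:    pool,
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
		// InsecureSkipVerify stays false (the default) on purpose.
	}, nil
}

// selfSignedCAPEM generates a throwaway CA so the example runs offline.
// This is constructed test data; in a deployment the PEM comes from the
// operator's own PKI root certificate file.
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Lab Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// escapeFilter escapes a value for use inside an LDAP search filter (RFC 4515),
// so a login name such as "*" or "a)(cn=*" cannot widen the search.
func escapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildUserFilter fills a "(uid=%s)"-style template with the escaped username.
func buildUserFilter(template, username string) string {
	return strings.Replace(template, "%s", escapeFilter(username), 1)
}

// singleEntry reproduces the rule behind "User not found or too many entries
// returned": the user search must match exactly one DN before a bind is tried.
func singleEntry(dns []string) (string, error) {
	if len(dns) != 1 {
		return "", fmt.Errorf("User not found or too many entries returned (got %d)", len(dns))
	}
	return dns[0], nil
}

func main() {
	caPEM, err := selfSignedCAPEM()
	if err != nil {
		panic(err)
	}
	cfg, err := newLDAPTLSConfig(caPEM, "dc01.lab.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("server name:", cfg.ServerName, "skip verify:", cfg.InsecureSkipVerify)
	fmt.Println(buildUserFilter("(sAMAccountName=%s)", "jdoe"))
	fmt.Println(buildUserFilter("(sAMAccountName=%s)", "a)(cn=*"))
	if _, err := singleEntry([]string{"CN=a,DC=lab", "CN=b,DC=lab"}); err != nil {
		fmt.Println("error:", err)
	}
}
```

Running it prints a config with `skip verify: false`, the filter `(sAMAccountName=jdoe)`, the escaped filter `(sAMAccountName=a\29\28cn=\2a)`, and the too-many-entries error for the two-DN slice. With a real go-ldap connection the config would be used as `ldap.DialTLS("tcp", "dc01.lab.example:636", cfg)` or `conn.StartTLS(cfg)`; the ServerName must match a SAN on the directory server's certificate, which is why a bare IP in the LDAP URL field will fail verification even when the chain is trusted.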
Nice @deviantony, I tried your suggestion and just removed the filter and everything is working! Awesome job and welcomed feature! |
This PR introduces a new Authentication section in the Settings of Portainer. It will allow you to choose between Internal (managed by Portainer) and LDAP authentication.
Close #677