Ingress-nginx: Add support for LDAP authentication

Created on 9 Nov 2017 · 11 Comments · Source: kubernetes/ingress-nginx

Is this a request for help?: No

Is this a BUG REPORT or FEATURE REQUEST?: FEATURE REQUEST
It would be nice if you add LDAP support to authenticate against LDAP servers.

All 11 comments

@dominikhahn not sure if this is a feature that many users need. That being said, we could add the kvspb/nginx-auth-ldap to add support for this feature, but I think something like https://github.com/coreos/dex is a better alternative.

+1 for either of the implementations; however, it is my understanding that the repo maintainers don't want to add external modules to the main ingress image, so this is probably not going to be accepted.

Worth noting that ingress comes with --with-http_auth_request_module, and you could use dex or anything else for that matter through the configuration described here:
https://www.nginx.com/resources/admin-guide/restricting-access-auth-request/
https://www.nginx.com/blog/nginx-plus-authenticate-users/

It is also possible that maintainers changed their views on that since these modules are already included in the ingress:

--add-module=/tmp/build/ngx_devel_kit-0.3.0 
--add-module=/tmp/build/set-misc-nginx-module-0.31 
--add-module=/tmp/build/nginx-module-vts-0.1.15 
--add-module=/tmp/build/headers-more-nginx-module-0.32 
--add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-08a395c66e42 
--add-module=/tmp/build/nginx-http-auth-digest-7955af9c77598c697ac292811914ce1e2b3b824c 
--add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b 
--add-module=/tmp/build/nginx-opentracing-fcc2e822c6dfc7d1f432c16b07dee9437c24236a

Yeah, it's a slippery slope adding auth directly in. You want ldap, the next folks want kerberos, then saml, oidc, securid.....

I've played with dex for other things and did notice the ldap option. That may be a good route. Dex + oauth2_proxy + nginx-ingress. Haven't tried that combination yet. If you do try it, please ping me to let me know how it goes. :)

I do have a start of a helm chart too for dex https://github.com/kfox1111/charts/tree/dex/stable/dex if you want to test the waters with that too. Feedback welcome. :)

Closing. As @kfox1111 pointed out, it's a slippery slope adding auth directly in. Using dex as gateway is a better way to handle this use case.

You can now use this image:
https://hub.docker.com/r/tpimenta/nginx-ldap-auth/

The instructions and yaml are here:
https://github.com/tiagoapimenta/nginx-ldap-auth

Hi @tiagoapimenta, want to let you know that your container is working like a charm. Thanks a lot, you saved me a lot of trouble. I wanted to investigate DEX first but as your solution is so dead simple ... THANK YOU!

I appreciated your joy, I have tried DEX as well, in the end it wasn't what I was looking for either.

@tiagoapimenta can you work keycloak ?

Hi @tiagoapimenta, I have tried out your solution and it is exactly what I am looking for. However, in my case, the below annotation doesn't seem to be working. I mean the downstream service is directly accessible without authentication.
I am not sure what I am missing. Could you please help?
nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth.default.svc.cluster.local:5555

Below is my ingress file:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth.default.svc.cluster.local:5555
  name: external-auth
  namespace: default
spec:
  rules:
  - host: gtey01247
    http:
      paths:
      - backend:
          #serviceName: nginx-ldap-auth
          serviceName: my-nginx
          servicePort: 80
        path: /

When I curl the Authentication service directly, it is working fine. However, the authentication is not happening when requests come through ingress.

Same issue here after upgrading to Kubernetes 1.16.

I made a Docker image with a small script in Python for external LDAP authentication for Nginx, HAProxy (haproxy-auth-request) or any webserver/reverse proxy with authorization based on the result of a subrequest, also supports cache.

https://github.com/dignajar/another-ldap-auth
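
The subrequest pattern discussed in this thread, as an added example that is not code from another-ldap-auth, nginx-ldap-auth or ingress-nginx: with auth_request, nginx lets the original request through when the auth endpoint answers 2xx, denies it on 401 or 403, and treats any other status as an error. The sketch below is the decision logic such an endpoint needs, with a success cache; `verify` is a hypothetical stand-in for a real LDAP simple bind, and all names and the 300-second TTL are assumptions.

```python
import base64
import hmac
import os
import time


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if unusable."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    user, sep, password = text.partition(":")
    # An empty password must never reach the directory: many LDAP servers treat
    # a simple bind with a DN and no password as an unauthenticated bind and
    # report success (RFC 4513, section 5.1.2).
    if not sep or not user or not password or "\0" in text:
        return None
    return user, password


class AuthCheck:
    """Maps a subrequest's Authorization header to the status nginx acts on."""

    def __init__(self, verify, ttl=300, clock=time.monotonic):
        self.verify, self.ttl, self.clock = verify, ttl, clock
        self.key = os.urandom(32)  # per-process key: the cache holds MACs, not passwords
        self.expiry = {}

    def status(self, header):
        creds = parse_basic(header)
        if creds is None:
            return 401
        tag = hmac.new(self.key, "\0".join(creds).encode(), "sha256").digest()
        now = self.clock()
        if self.expiry.get(tag, float("-inf")) > now:
            return 200  # recent success: skip the directory round trip
        try:
            ok = self.verify(*creds)
        except Exception:
            return 500  # directory unreachable: fail closed
        if ok:
            self.expiry[tag] = now + self.ttl
            return 200
        return 401  # failures are never cached
```

The TTL is also how long a disabled or re-passworded account keeps working through the proxy, so it should be no longer than the revocation delay you can accept.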
