From 43474b2f72b5cd1f5287095402078a6a9526e157 Mon Sep 17 00:00:00 2001 From: Adar Nimrod <nimrod@shore.co.il> Date: Sat, 8 May 2021 21:06:34 +0300 Subject: [PATCH] Post on ldap-auth. --- content/ldap-auth.rst | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 content/ldap-auth.rst diff --git a/content/ldap-auth.rst b/content/ldap-auth.rst new file mode 100644 index 0000000..b9f5092 --- /dev/null +++ b/content/ldap-auth.rst 
@@ -0,0 +1,41 @@ +LDAP authentication for web services +==================================== + +:date: 2021-05-08 +:summary: LDAP authentication for web services + +Some web services I run don't offer integration with LDAP for authentication. +One possible way to have authentication is to use the `Vouch proxy +<https://github.com/vouch/vouch-proxy>`_. I used it along with Nextcloud (which +has integration with LDAP) providing OAuth. But I encountered a limitation to +this approach. Some clients only support basic authentication and don't support +the newer JWT tokens and OAuth flows (clients for the Transmission torrent +clients are an example for that). I didn't want to deal with secret management +or with ``.htaccess`` files. I wanted users to be able to authenticate using +their LDAP password. + +First attempt was using the `LDAP authnz module for Apache +<https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html>`_. But either I +didn't set it up correctly or that connecting to the LDAP server over a Unix +socket doesn't work as expected. Anyway, authentication always succeeded when +using the Unix socket and I didn't want to change the LDAP setup I have (I +prefer using the Unix socket with containers as I can easily limit which +containers have access to the LDAP server by cross-mounting the socket only +to containers I want to have access). + +I ended up creating a small service in Python with Flask and `Flask-SimpleLDAP +<https://flask-simpleldap.readthedocs.io/>`_. The service exposes just a single +endpoint ``/validate`` which returns a 200 code when basic authentication +succeeds or a 401 code when it fails. Authentication uses the LDAP server over +the Unix socket as I wanted. It can easily integrated with Nginx using the +`auth_request directive +<http://nginx.org/en/docs/http/ngx_http_auth_request_module.html#auth_request>`_. +An example can be seen `here +<https://git.shore.co.il/shore/web-proxy-docker/-/blob/master/snippets/ldap-auth.conf>`_. 
+The entire service is available on my `GitLab instance +<https://git.shore.co.il/shore/ldap-auth>`_. There's even a Docker image you can +use in my `container registry <https://registry.shore.co.il/>`_. + +For now I'm using a fork of Flask-SimpleLDAP (until `my PR +<https://github.com/alexferl/flask-simpleldap/pull/86>`_ for adding support for +accessing the LDAP server over a Unix socket is merged). -- GitLab
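Review bot: the sentence "authentication always succeeded when using the Unix socket" describes a fail-open result with mod_authnz_ldap, and the post should say so explicitly rather than in passing, since a reader who copies that Apache setup gets no authentication at all; suggest stating that the Apache route was abandoned because it did not reject wrong passwords, and that the replacement "/validate" endpoint was checked with a wrong password and with no Authorization header before being put in front of Nginx. Two wording fixes in the same hunk: "clients for the Transmission torrent clients are an example for that" reads better as "Transmission clients are an example of that", and "It can easily integrated with Nginx" is missing "be". The auth_request paragraph could also mention how the 401 reaches a basic-auth client: auth_request only propagates the subrequest's status code, so the WWW-Authenticate challenge normally has to be added in the Nginx location itself (for example with auth_request_set and add_header ... always), otherwise clients that rely on the challenge will not prompt for credentials; pointing at the linked ldap-auth.conf snippet for that detail would be enough.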