
feat(ldap-auth): use lua-resty-ldap instead of lualdap #7590

Merged
merged 6 commits into from
Aug 4, 2022

Conversation

kingluo
Contributor

@kingluo kingluo commented Aug 2, 2022

Description

Use lua-resty-ldap to do nonblocking ldap auth.

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@@ -30,11 +30,13 @@ local schema = {
title = "work with route or service object",
properties = {
base_dn = { type = "string" },
ldap_uri = { type = "string" },
ldap_host = { type = "string" },
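Review bot: the schema now lists `ldap_host` next to `ldap_uri`, while the documentation hunk later in this PR still describes `ldap_uri` as the required field, so if `ldap_uri` is being replaced by `ldap_host` every existing route configuration breaks and the checklist claim of backward compatibility does not hold; keep `ldap_uri` as the configuration key (or accept `ldap_host` only as an alias mapped onto it) so routes written for the lualdap version keep working.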
Member

We should keep the compatibility of the configuration

verify_ldap_host = conf.verify_ldap_host,
base_dn = conf.base_dn,
attribute = uid,
keepalive = 60000,
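Review bot: `keepalive = 60000` is a hardcoded value with no schema field behind it, and `verify_ldap_host = conf.verify_ldap_host` is passed through with no default, so the value is nil whenever an operator does not set it and the behaviour then depends on how lua-resty-ldap treats a missing flag; give `verify_ldap_host` an explicit `default = false` in the schema so the code and the documented default agree, and document the keepalive value (and any timeout passed alongside it) even while it stays internal, since it governs how long an authenticated LDAP connection is held in the pool.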
Member

Let's doc the newly added timeout and keepalive

Contributor Author

@kingluo kingluo Aug 2, 2022

@spacewander These items are not exported to admin api, we only use default values. So we need to doc the default values? But it's kind of internal parameters.

}
local res, err = ldap.ldap_authenticate(user.username, user.password, ldapconf)
if not res then
core.log.error(err)
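Review bot: `core.log.error(err)` logs the library error at error level with no context, yet a refused bind is an expected event (a wrong password) rather than a fault in the gateway; log it with `core.log.warn` and a prefix naming the plugin and the operation, e.g. `core.log.warn("ldap-auth: failed to authenticate user: ", err)`, and confirm that the `err` string returned by `ldap.ldap_authenticate` never carries the bind password before it reaches the log.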
Member

We use warning level log for this situation:

core.log.warn("JWT token invalid: ", jwt_obj.reason)

and it would be better to add a prefix in the error message

tzssangglass previously approved these changes Aug 3, 2022
}
local res, err = ldap.ldap_authenticate(user.username, user.password, ldapconf)
if not res then
core.log.warn("ldap-auth: ", err)
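Review bot: the prefix `"ldap-auth: "` only names the plugin and says nothing about what failed, and this single warn line is reached for a refused bind, a connection error and a TLS failure alike; make the message state the operation, e.g. `core.log.warn("ldap-auth: failed to authenticate user: ", err)`, so that an operator can search the log for authentication failures without reading the plugin source.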
Member

The prefix should be more meaningful

@@ -49,7 +49,8 @@ For Route:
|----------|---------|----------|---------|------------------------------------------------------------------------|
| base_dn | string | True | | Base dn of the LDAP server. For example, `ou=users,dc=example,dc=org`. |
| ldap_uri | string | True | | URI of the LDAP server. |
| use_tls | boolean | False | `true` | If set to `true` uses TLS. |
| use_tls | boolean | False | `false` | If set to `true` uses TLS. |
| verify_ldap_host| boolean | False | `false` | Whether to verify the server certificate when `use_tls` is enabled; If set to `true`, you must set `ssl_trusted_certificate` in `config.yaml`, and make sure the host of `ldap_uri` matches the host in server certificate. |
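Review bot: the new `verify_ldap_host` row documents a default of `false` although the schema hunk earlier in the PR sets no default for it, and the documented `use_tls` default changes from `true` to `false` in the same hunk; check both against the schema, and since the resulting documented defaults mean a cleartext simple bind (`use_tls` false) and, when TLS is enabled, no certificate verification (`verify_ldap_host` false), say so in the description so operators know they must set `use_tls: true`, `verify_ldap_host: true` and `ssl_trusted_certificate` to get a trustworthy connection to the LDAP server.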
Member

This field doesn't have default value in the code. Why add a default value in the doc?

@@ -49,7 +49,8 @@ For Route:
|----------|---------|----------|---------|------------------------------------------------------------------------|
| base_dn | string | True | | Base dn of the LDAP server. For example, `ou=users,dc=example,dc=org`. |
| ldap_uri | string | True | | URI of the LDAP server. |
| use_tls | boolean | False | `true` | If set to `true` uses TLS. |
| use_tls | boolean | False | `false` | If set to `true` uses TLS. |
| verify_ldap_host| boolean | False | `false` | Whether to verify the server certificate when `use_tls` is enabled; If set to `true`, you must set `ssl_trusted_certificate` in `config.yaml`, and make sure the host of `ldap_uri` matches the host in server certificate. |
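Review bot: the description of `verify_ldap_host` bundles two checks, the certificate chain against `ssl_trusted_certificate` and the host of `ldap_uri` against the certificate, under a name that suggests only the hostname check; either rename the field to reflect TLS verification as a whole (`tls_verify`, as suggested) or split the description so it is explicit which check the flag enables, and state that the flag has no effect while `use_tls` is false.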
Member

According to the description, we should name this field tls_verify? It doesn't verify the host but the TLS relative stuff.

@spacewander spacewander merged commit 0c90081 into apache:master Aug 4, 2022
Liu-Junlin pushed a commit to Liu-Junlin/apisix that referenced this pull request Nov 4, 2022
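The documentation table reviewed above leaves both `use_tls` and `verify_ldap_host` defaulting to `false`, so a route that enables ldap-auth without setting them sends the user's password in a cleartext simple bind, and one that sets only `use_tls` trusts any certificate. The following Python script is an added example, not code from this PR or from APISIX: it applies those documented defaults to route objects in the shape the Admin API returns and reports the weak combinations. The route objects and the `ldap_uri` values in it are constructed sample input; the hostname format of `ldap_uri` is an assumption, since the PR's table only calls it the URI of the LDAP server.

```python
"""Audit APISIX route objects for weak ldap-auth plugin settings.

Added example, not part of the PR or of APISIX. It applies the defaults the
PR's documentation table states (use_tls and verify_ldap_host both default to
false) and reports configurations where the LDAP bind would be sent in
cleartext or over TLS without certificate verification. The route objects
below are constructed sample input in the shape the Admin API returns.
"""
import json

# Defaults and required fields taken from the documentation table in this PR.
LDAP_AUTH_DEFAULTS = {"use_tls": False, "verify_ldap_host": False}
LDAP_AUTH_REQUIRED = ("base_dn", "ldap_uri")


def effective_ldap_conf(plugin_conf):
    """Merge the documented defaults into a plugin configuration."""
    conf = dict(LDAP_AUTH_DEFAULTS)
    conf.update(plugin_conf)
    return conf


def audit_ldap_auth(route):
    """Return a list of (severity, message) findings for one route object.

    A route that does not enable the ldap-auth plugin yields no findings.
    """
    plugin_conf = route.get("plugins", {}).get("ldap-auth")
    if plugin_conf is None:
        return []
    conf = effective_ldap_conf(plugin_conf)
    findings = []
    for key in LDAP_AUTH_REQUIRED:
        if not conf.get(key):
            findings.append(("error", f"ldap-auth: required field '{key}' is missing"))
    if not conf["use_tls"]:
        # The documented default: the simple bind carries the password unencrypted.
        findings.append(("high", "ldap-auth: use_tls is false; the LDAP simple bind "
                         "sends the user password in cleartext"))
    elif not conf["verify_ldap_host"]:
        # TLS is on but the server certificate is not checked, so any server
        # that completes a handshake can harvest the credentials.
        findings.append(("high", "ldap-auth: use_tls is true but verify_ldap_host is "
                         "false; the server certificate is not verified"))
    return findings


def audit_routes(routes):
    """Audit a list of route objects; returns {route_id: findings} for routes with findings."""
    report = {}
    for route in routes:
        findings = audit_ldap_auth(route)
        if findings:
            report[route.get("id", "<no id>")] = findings
    return report


# Constructed sample routes (not taken from the PR); the ldap_uri format is assumed.
SAMPLE_ROUTES = json.loads("""
[
  {"id": "1", "uri": "/hello",
   "plugins": {"ldap-auth": {"base_dn": "ou=users,dc=example,dc=org",
                             "ldap_uri": "ldap.example.org:389"}}},
  {"id": "2", "uri": "/tls-no-verify",
   "plugins": {"ldap-auth": {"base_dn": "ou=users,dc=example,dc=org",
                             "ldap_uri": "ldap.example.org:636",
                             "use_tls": true}}},
  {"id": "3", "uri": "/ok",
   "plugins": {"ldap-auth": {"base_dn": "ou=users,dc=example,dc=org",
                             "ldap_uri": "ldap.example.org:636",
                             "use_tls": true, "verify_ldap_host": true}}},
  {"id": "4", "uri": "/broken",
   "plugins": {"ldap-auth": {"use_tls": true, "verify_ldap_host": true}}},
  {"id": "5", "uri": "/public", "plugins": {}}
]
""")

if __name__ == "__main__":
    for route_id, findings in audit_routes(SAMPLE_ROUTES).items():
        for severity, message in findings:
            print(f"route {route_id}: [{severity}] {message}")
```

Run against a dump of `/apisix/admin/routes`, the same check catches routes that were written for the old lualdap-based plugin and never set the TLS fields; route 3 above is the only configuration the audit accepts, because it turns on both `use_tls` and `verify_ldap_host`, which in turn requires `ssl_trusted_certificate` in `config.yaml` as the table states.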
3 participants