LDAP is probably the most ubiquitous authentication backend, before the current era of "stupid social sign-ons". Many of the recipes featured in the cookbook (NextCloud, Kanboard, Gitlab, etc) offer LDAP integration.
This is a companion discussion topic for the original entry at https://geek-cookbook.funkypenguin.co.nz/recipes/openldap/
I followed this recipe and migrated most of the lam_proxy labels to lam because I don’t use Auth proxies (traefik-forward-auth instead). It gives me a Bad Gateway error and in Traefik (v1.7) logs I have “dial Connect: Connection Refused”. Docker-inspect shows that both containers are connected to both networks with IP addresses. I’ve tried all manner of manipulating the traefik labels but can’t seem to get it to work. Any ideas?
My docker-compose is below:
```
version: '3'
services:
  openldap:
    image: osixia/openldap
    env_file: /share/appdata/config/openldap/openldap.env
    command: --loglevel debug
    networks:
      - traefik_public
      - auth_internal
    volumes:
      - /share/runtime/openldap/:/var/lib/ldap
      - /share/appdata/config/openldap/openldap/:/etc/ldap/slapd.d
  lam:
    image: jacksgt/ldap-account-manager
    env_file: /share/appdata/config/openldap/openldap.env
    networks:
      - traefik_public
      - auth_internal
    deploy:
      labels:
        - traefik.frontend.rule=Host:lam.DOMAIN.TLD
        - traefik.docker.network=traefik_public
        - traefik.port=80
        - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
        - traefik.frontend.auth.forward.trustForwardHeader=true
    volumes:
      - /share/appdata/config/openldap/lam/config/config.cfg:/var/www/html/config/config.cfg
      - /share/appdata/config/openldap/lam/config/FamilyProfile.conf:/var/www/html/config/FamilyProfile.conf
networks:
  traefik_public:
    external: true
  auth_internal:
    external: true
```
If you shell onto the traefik container, can you curl the LAM container on port 80?
I figured it out. I had to have port 8080 exposed on the LAM container (because that is what is exposed in the Dockerfile).
Now, I can’t log in! Don’t know which admin password was set…
Updated docker-compose with Traefik 2.0 labels for KeyCloak:
```
services:
  openldap:
    image: osixia/openldap
    env_file: /share/appdata/config/openldap/openldap.env
    networks:
      - traefik_public
      - internal
    volumes:
      - /share/runtime/openldap/:/var/lib/ldap
      - /share/appdata/config/openldap/openldap/:/etc/ldap/slapd.d
  lam:
    image: jacksgt/ldap-account-manager
    networks:
      - traefik_public
      - internal
    volumes:
      - /share/appdata/config/openldap/lam/config/config.cfg:/var/www/html/config/config.cfg
      - /share/appdata/config/openldap/lam/config/FamilyProfile.conf:/var/www/html/config/FamilyProfile.conf
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.lam.entrypoints=https"
        - "traefik.http.routers.lam.rule=Host(`lam.domain.tld`)"
        - "traefik.http.routers.lam.tls.certresolver=cloudflare"
        - "traefik.http.routers.lam.middlewares=forward-auth@file"
        - "traefik.http.services.lam.loadbalancer.server.port=8080"
networks:
  # Used to expose openldap to keycloak
  traefik_public:
    external: true
  # Used to expose openldap to other apps which want to talk to LDAP, including LAM
  internal:
    driver: overlay
    ipam:
      config:
        - subnet: 172.16.39.0/24
```
Hey @funkypenguin, thanks for your recipe.
I followed yours to the letter (just had to rebuild the lam docker image for an ARM processor) and I’m running into a bit of a pickle using it as a backend for Authelia. I got the connection between the two up and running, but Authelia cannot retrieve the groups of authenticated users. As most of my Authelia rules have a group restriction, this is problematic.
I had Authelia running with lldap, which supports testing group membership through a memberOf filter, and it worked fine, but I cannot get it to work for OpenLDAP: Authelia, although correctly authenticating any OpenLDAP user, cannot retrieve any of their groups (be it the gid or a secondary associated group).
Any idea on what I’m missing?
Hey @tomazed!
I’ve not tried openldap with Authelia specifically, but I use memberOf with KeyCloak, by setting ldap_group_membership_attribute to memberOf. Is there an equivalent option in Authelia, I wonder?
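The reply above turns on one point: the attribute the authentication backend is told to use for group membership has to match how the directory actually records it. As an added illustration (not code from this thread, the cookbook, Authelia or KeyCloak), the Python below resolves one user's groups under the three conventions an OpenLDAP directory can use: a memberOf attribute on the user entry (which slapd only maintains when the memberof overlay is loaded), a groupOfNames whose member attribute is searched from the group side, and posixGroup membership via memberUid or the user's primary gidNumber. The directory entries, DNs and group names are constructed for the example, and `with_memberof_overlay` is a stand-in for what the real overlay would maintain, so the same user can be checked with and without it.

```python
from copy import deepcopy

# Constructed sample directory (hypothetical DNs and values, not from the thread).
# alice has no memberOf attribute, is listed in a groupOfNames via "member",
# and belongs to a posixGroup both by gidNumber and by memberUid.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"],
        "gidNumber": ["500"],
    },
    "cn=admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "cn": ["admins"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"],
    },
    "cn=family,ou=groups,dc=example,dc=org": {
        "objectClass": ["posixGroup"],
        "cn": ["family"],
        "gidNumber": ["500"],
        "memberUid": ["alice", "bob"],
    },
    "cn=media,ou=groups,dc=example,dc=org": {
        "objectClass": ["posixGroup"],
        "cn": ["media"],
        "gidNumber": ["501"],
        "memberUid": ["bob"],
    },
}


def _norm_dn(dn):
    # DNs compare case-insensitively and ignore whitespace around RDN separators.
    return ",".join(part.strip() for part in dn.lower().split(","))


def _attr(entry, name):
    # Attribute names are case-insensitive too; always return a fresh list.
    for key, values in entry.items():
        if key.lower() == name.lower():
            return list(values)
    return []


def _has_class(entry, object_class):
    return object_class.lower() in {c.lower() for c in _attr(entry, "objectClass")}


def _find(entries, dn):
    target = _norm_dn(dn)
    for key, entry in entries.items():
        if _norm_dn(key) == target:
            return entry
    return None


def groups_via_memberof(entries, user_dn):
    """Convention 1: read memberOf off the user entry (empty unless the overlay fills it)."""
    user = _find(entries, user_dn)
    if user is None:
        return []
    names = []
    for group_dn in _attr(user, "memberOf"):
        group = _find(entries, group_dn)
        if group is not None:
            names.extend(_attr(group, "cn"))
    return sorted(set(names))


def groups_via_member(entries, user_dn):
    """Convention 2: search groupOfNames entries whose member holds the user's DN."""
    target = _norm_dn(user_dn)
    names = []
    for group in entries.values():
        if _has_class(group, "groupOfNames") and any(
            _norm_dn(m) == target for m in _attr(group, "member")
        ):
            names.extend(_attr(group, "cn"))
    return sorted(set(names))


def groups_via_posix(entries, user_dn):
    """Convention 3: posixGroup via memberUid (secondary) or gidNumber (primary)."""
    user = _find(entries, user_dn)
    if user is None:
        return []
    uids = {u.lower() for u in _attr(user, "uid")}
    primary_gids = set(_attr(user, "gidNumber"))
    names = []
    for group in entries.values():
        if not _has_class(group, "posixGroup"):
            continue
        secondary = uids & {m.lower() for m in _attr(group, "memberUid")}
        primary = primary_gids & set(_attr(group, "gidNumber"))
        if secondary or primary:
            names.extend(_attr(group, "cn"))
    return sorted(set(names))


def with_memberof_overlay(entries):
    """Return a copy with memberOf derived from groupOfNames member attributes,
    mirroring what slapd's memberof overlay maintains (simulation, not slapd)."""
    copy = deepcopy(entries)
    index = {_norm_dn(dn): dn for dn in copy}
    for group_dn, group in entries.items():
        if not _has_class(group, "groupOfNames"):
            continue
        for member_dn in _attr(group, "member"):
            key = index.get(_norm_dn(member_dn))
            if key is not None:
                copy[key].setdefault("memberOf", []).append(group_dn)
    return copy


def resolve_groups(entries, user_dn):
    """Report what each convention yields, so a backend filter that matches the
    wrong convention shows up as an empty list rather than a silent failure."""
    return {
        "memberOf": groups_via_memberof(entries, user_dn),
        "member": groups_via_member(entries, user_dn),
        "posix": groups_via_posix(entries, user_dn),
    }


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=org"
    print("without overlay:", resolve_groups(SAMPLE_ENTRIES, alice))
    print("with overlay:   ", resolve_groups(with_memberof_overlay(SAMPLE_ENTRIES), alice))
```

Run stand-alone it prints that, without the overlay, the memberOf lookup finds nothing for alice while the member-side and posix lookups do; with the simulated overlay the memberOf lookup returns the same groupOfNames group. Whichever convention the backend is configured for, an ldapsearch for that attribute from the backend's own bind account is the quickest way to confirm the directory actually returns it.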