
Lauth


A simple OpenID Provider for LDAP directories such as Microsoft Active Directory (AD).

Lauth bridges LDAP and OAuth2/OpenID Connect: clients speak OpenID Connect to Lauth, and Lauth authenticates users against LDAP.

Compatibility

Installation

Use on Docker

$ docker run macrat/lauth:latest --version
lauth version 1.0.0

Build from source

$ go get github.com/macrat/lauth

$ lauth --version
lauth version 1.0.0

Usage

First, generate a client entry and append it to the config file.

$ lauth gen-client your-client-name -u https://your-client.example.com/callback >> config.toml

Then, start the server.

$ lauth \
  --ldap ldap://ldap.example.com \
  --ldap-user "CN=username,OU=somewhere,DC=example,DC=local" \
  --ldap-password ${LDAP_USER_PASSWORD} \
  --config config.toml

Finally, point your OpenID Connect client at the server and use it.

Passing the LDAP bind password on the command line exposes it to anyone who can list processes on the host; prefer the LAUTH_LDAP_PASSWORD environment variable or the ldap.password key in the config file.

See also the full list of options and the example config file.

For production

For production use, add these options:

  • --issuer: the external URL of the server, as clients will see it.
  • --sign-key: an RSA private key for signing tokens. Without it a random key is generated at every start, so tokens issued before a restart, or by a different replica, no longer verify against the published JWKS.
  • --tls-cert and --tls-key (or --tls-auto): TLS certificate and key files, or let Lauth obtain them automatically from Let's Encrypt.
  • --metrics-username and --metrics-password: credentials protecting the metrics page, which can give an attacker useful hints.
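The following is an added example, not code from Lauth, showing why --sign-key matters: it signs an id_token-shaped JWS with RS256 using only the Go standard library, verifies it the way a relying party would with the key from the jwks endpoint, and then shows the same token failing against a freshly generated key, which is what the default "generate random key" behaviour produces after a restart. Lauth's own token format (kid handling, claim set) is not shown on this page, so the header and claims here are generic assumptions; the issuer URL is a placeholder.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// SignRS256 builds a compact JWS (header.payload.signature) over claims,
// the shape of an OpenID Connect id_token. Header/claims are generic, not
// Lauth's exact format.
func SignRS256(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 is what a relying party does with the public key fetched from
// the provider's jwks endpoint. The algorithm is pinned to RS256 before the
// signature is checked, so a header claiming "none" or an HMAC alg is rejected.
func VerifyRS256(pub *rsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature")
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// RestartDemo models the provider before and after a restart. With a persisted
// key the old token still verifies; with a freshly generated key (what happens
// when --sign-key is omitted) it does not.
func RestartDemo() (persistedOK, freshKeyOK bool, err error) {
	persisted, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Constructed sample claims; the issuer is a placeholder URL.
	token, err := SignRS256(persisted, map[string]any{"iss": "https://auth.example.com", "sub": "alice"})
	if err != nil {
		return false, false, err
	}
	fresh, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	_, e1 := VerifyRS256(&persisted.PublicKey, token)
	_, e2 := VerifyRS256(&fresh.PublicKey, token)
	return e1 == nil, e2 == nil, nil
}

func main() {
	ok, stale, err := RestartDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("same key after restart: verifies=%v\n", ok)     // true
	fmt.Printf("random key after restart: verifies=%v\n", stale) // false
}
```

The practical consequence is that every replica behind a load balancer must be started with the same --sign-key file, and rotating it invalidates every outstanding id_token and access_token at once, so plan rotation around --token-expire.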

Use in docker-compose

Please see example.

Customize

Page design

This is default page design:

default design of login page and error page

If you want to customize the design, use --login-page, --logout-page, and --error-page. Templates use the format of Go's html/template package.

Please see also the default page templates:

ID attribute

By default, Lauth uses sAMAccountName as the username; that is the logon ID in Microsoft Active Directory.

Use the --ldap-id-attribute option if you want another attribute as the username.

$ lauth --ldap-id-attribute mail  # login with e-mail

Or, you can use a config file.

$ cat <<EOS > config.toml
[ldap]
id_attribute = "mail"
EOS

$ lauth --config config.toml

Scope and Claims

You can change the scopes and claims for id_token and userinfo in the config file.

This is the default config; the claims are mapped to Microsoft Active Directory attributes.

[scope]

profile = [
  { claim = "name",        attribute = "displayName" },
  { claim = "given_name",  attribute = "givenName"   },
  { claim = "family_name", attribute = "sn"          },
]

email = [
  { claim = "email", attribute = "mail" },
]

phone = [
  { claim = "phone_number", attribute = "telephoneNumber" },
]

groups = [
  { claim = "groups", attribute = "memberOf", type = "[]string" },
]
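As an added example (not Lauth's own code), the mapping above expressed as Go values and applied to a constructed LDAP entry: for each requested scope the configured rules are looked up, a claim is emitted only when the attribute is present, and a multi-valued attribute such as memberOf becomes a list only when the rule says type = "[]string", otherwise the first value is taken. The behaviour for unknown scopes, missing attributes and single-valued rules on multi-valued attributes is an assumption of this example, not something the page specifies.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ClaimRule mirrors one entry of the [scope] table:
// { claim = "...", attribute = "...", type = "[]string" }.
type ClaimRule struct {
	Claim     string
	Attribute string
	Type      string // "" means a single string value; "[]string" means a list
}

// ScopeConfig is the default mapping from the README, written as Go values
// rather than TOML so the example runs without a TOML parser.
var ScopeConfig = map[string][]ClaimRule{
	"profile": {
		{Claim: "name", Attribute: "displayName"},
		{Claim: "given_name", Attribute: "givenName"},
		{Claim: "family_name", Attribute: "sn"},
	},
	"email":  {{Claim: "email", Attribute: "mail"}},
	"phone":  {{Claim: "phone_number", Attribute: "telephoneNumber"}},
	"groups": {{Claim: "groups", Attribute: "memberOf", Type: "[]string"}},
}

// LDAPEntry stands in for an LDAP search result: attribute name -> values.
// LDAP attributes are always multi-valued on the wire, hence the slice.
type LDAPEntry map[string][]string

// ParseScope splits the space-separated OAuth2 scope parameter.
func ParseScope(s string) []string { return strings.Fields(s) }

// Claims builds the claim set for the scopes a client requested (assumed
// semantics, see lead-in): unknown scopes are ignored, a missing attribute
// yields no claim, and only "[]string" rules emit every value.
func Claims(cfg map[string][]ClaimRule, requested []string, entry LDAPEntry) map[string]any {
	out := map[string]any{}
	for _, scope := range requested {
		for _, rule := range cfg[scope] {
			values := entry[rule.Attribute]
			if len(values) == 0 {
				continue
			}
			if rule.Type == "[]string" {
				out[rule.Claim] = append([]string(nil), values...)
			} else {
				out[rule.Claim] = values[0]
			}
		}
	}
	return out
}

func main() {
	// Constructed sample entry, not real directory data.
	entry := LDAPEntry{
		"sAMAccountName": {"alice"},
		"displayName":    {"Alice Example"},
		"givenName":      {"Alice"},
		"sn":             {"Example"},
		"mail":           {"alice@example.com"},
		"memberOf": {
			"CN=admins,OU=groups,DC=example,DC=local",
			"CN=staff,OU=groups,DC=example,DC=local",
		},
	}
	claims := Claims(ScopeConfig, ParseScope("openid profile email groups"), entry)
	keys := make([]string, 0, len(claims))
	for k := range claims {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s = %v\n", k, claims[k])
	}
}
```

Note that the groups claim carries raw DNs from memberOf; a relying party that authorizes on group names should compare full DNs rather than the CN prefix, since the CN alone is not unique across OUs.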

Options

server command

$ lauth [OPTIONS]

| command line | config file | environment variable | default value | description |
|---|---|---|---|---|
| --issuer | issuer | LAUTH_ISSUER | http://localhost:8000 | Issuer URL. |
| --listen | listen | LAUTH_LISTEN | same port as the Issuer URL | Listen address and port. |
| --sign-key | sign_key | LAUTH_SIGN_KEY | generate random key | RSA private key for signing tokens. |
| --tls-auto | tls.auto | LAUTH_TLS_AUTO | | Enable automatic TLS certificate generation with Let's Encrypt. |
| --tls-cert | tls.cert | LAUTH_TLS_CERT | | Certificate file for TLS. |
| --tls-key | tls.key | LAUTH_TLS_KEY | | Key file for TLS. |
| --authz-endpoint | endpoint.authz | LAUTH_ENDPOINT_AUTHZ | /login | Path to the authorization endpoint. |
| --token-endpoint | endpoint.token | LAUTH_ENDPOINT_TOKEN | /login/token | Path to the token endpoint. |
| --userinfo-endpoint | endpoint.userinfo | LAUTH_ENDPOINT_USERINFO | /login/userinfo | Path to the userinfo endpoint. |
| --jwks-uri | endpoint.jwks | LAUTH_ENDPOINT_JWKS | /login/jwks | Path to the JWKS URI. |
| --login-expire | expire.login | LAUTH_EXPIRE_LOGIN | 1h | Time limit to enter username and password on the login page. |
| --code-expire | expire.code | LAUTH_EXPIRE_CODE | 5m | Time limit to exchange the code for an access_token or id_token. |
| --token-expire | expire.token | LAUTH_EXPIRE_TOKEN | 1d | Expiration of access_token and id_token. |
| --refresh-expire | expire.refresh | LAUTH_EXPIRE_REFRESH | 1w | Expiration of refresh_token. If set to 0, no refresh_token is issued. |
| --sso-expire | expire.sso | LAUTH_EXPIRE_SSO | 2w | How long to skip the login page for a user who has logged in before. If set to 0, always ask the end-user for username and password. |
| --ldap | ldap.server | LAUTH_LDAP_SERVER | | URL of the LDAP server. You can include user credentials like `ldap://USER_DN:PASSW |
| --ldap-user | ldap.user | LAUTH_LDAP_USER | | User DN for connecting to LDAP. You can use DOMAIN\username style with Active Directory. |
| --ldap-password | ldap.password | LAUTH_LDAP_PASSWORD | | Password for connecting to LDAP. |
| --ldap-base-dn | ldap.base_dn | LAUTH_LDAP_BASE_DN | the DC components of the user DN | Base DN for searching user accounts in LDAP, e.g. OU=somewhere,DC=example,DC=local. |
| --ldap-id-attribute | ldap.id_attribute | LAUTH_LDAP_ID_ATTRIBUTE | sAMAccountName | ID attribute name in LDAP. |
| --ldap-disable-tls | ldap.disable_tls | LAUTH_LDAP_DISABLE_TLS | | Disable TLS when connecting to the LDAP server. THIS IS INSECURE. |
| --login-page | template.login_page | LAUTH_TEMPLATE_LOGIN_PAGE | | Template file for the login page. |
| --logout-page | template.logout_page | LAUTH_TEMPLATE_LOGOUT_PAGE | | Template file for the logged-out page. |
| --error-page | template.error_page | LAUTH_TEMPLATE_ERROR_PAGE | | Template file for the error page. |
| --metrics-path | metrics.path | LAUTH_METRICS_PATH | /metrics | Path to Prometheus metrics. |
| --metrics-username | metrics.username | LAUTH_METRICS_USERNAME | | Basic auth username for the Prometheus metrics page. If omitted, authentication is disabled. |
| --metrics-password | metrics.password | LAUTH_METRICS_PASSWORD | | Basic auth password for the Prometheus metrics page. If omitted, authentication is disabled. |
| --config | | LAUTH_CONFIG | | Load options from a TOML, YAML, or JSON file. |
| --debug | | | | Enable debug output. This is insecure for production use. |

gen-client sub command

$ lauth gen-client CLIENT_ID [OPTIONS]

| option | description |
|---|---|
| --redirect-uri | URIs to accept redirects to. |
| --secret | Client secret value. A random secret is generated if omitted. Supplying your own secret with this option is not recommended. |
