How to use LDAP authentication with LetsEncrypt and Heimdall

I am trying to understand how to use LDAP authentication with LetsEncrypt, using Heimdall as an example.

This is my docker-compose:

---
version: "2.1"
services:
  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - URL=myDomain.duckdns.org
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      - DUCKDNSTOKEN=myToken
      - STAGING=true
    volumes:
      - $PWD/letsencrypt:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped

  ldap-auth:
    image: linuxserver/ldap-auth
    container_name: ldap-auth
    restart: unless-stopped

  heimdall:
    image: linuxserver/heimdall
    container_name: heimdall
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - $PWD/heimdall:/config
    restart: unless-stopped

Then I uncommented the relevant lines in the letsencrypt configs at /home/test/letsencrypt/nginx/site-confs/default:

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	root /config/www;
	index index.html index.htm index.php;

	server_name heimdall.*;

	include /config/nginx/ssl.conf;

	include /config/nginx/ldap.conf;

	client_max_body_size 0;

	location / {
		# the next two lines will enable ldap auth along with the included ldap.conf in the server block
		auth_request /auth;
		error_page 401 =200 /ldaplogin;

		include /config/nginx/proxy.conf;
		resolver 127.0.0.11 valid=30s;
		set $upstream_app heimdall;
		set $upstream_port 443;
		set $upstream_proto https;
		proxy_pass $upstream_proto://$upstream_app:$upstream_port;
	}
}

I am now at a loss about how to modify the /config/nginx/ldap.conf file.
Any suggestions?
What do I have to set up?
Are there user/password combinations?

Thanks

You need to configure the LDAP.conf file to point to your existing LDAP server.

Starting from this line here

Also, follow the instructions at the top: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/ldap.conf#L2-L4
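A sketch of the settings that reply refers to, as an added example that is not part of the original thread or of the LinuxServer project's file. It assumes ldap.conf passes its LDAP settings as the request headers read by the nginxinc/nginx-ldap-auth daemon; every hostname, DN and password is a placeholder, and the shipped file's own lines take precedence where they differ.

```nginx
# Added example: LDAP settings inside the "location = /auth" block of
# /config/nginx/ldap.conf. All values below are placeholders (assumptions).
location = /auth {
    # Keep the resolver, proxy_pass and cookie lines that ship in the file here.

    # Directory server. ldaps:// keeps the bind password and every user's
    # password encrypted on the wire; plain ldap:// sends them in clear text.
    proxy_set_header X-Ldap-URL      "ldaps://ldap.example.com:636";

    # Subtree that is searched for user entries.
    proxy_set_header X-Ldap-BaseDN   "ou=people,dc=example,dc=com";

    # Service account used only to look up the user's entry. Give it
    # read-only search rights rather than a directory admin DN.
    proxy_set_header X-Ldap-BindDN   "cn=nginx-auth,ou=services,dc=example,dc=com";
    proxy_set_header X-Ldap-BindPass "REPLACE_WITH_BIND_PASSWORD";

    # Search filter that maps the typed login name to a directory entry.
    # uid is common on OpenLDAP; Active Directory uses sAMAccountName.
    proxy_set_header X-Ldap-Template "(uid=%(username)s)";
}
```

The user/password combinations accepted at the login page are the accounts that exist in that directory; nothing is defined in nginx itself. Because the file holds the bind password, keep it readable only by the user the container runs as.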

Isn’t some form of ready-to-use LDAP server included in either of the LSIO images?

Nope, we don’t provide an LDAP container.

Oh, I thought you did, because I saw other docker containers online with LDAP included and I decided to try staying in the LSIO realm.

So then no wonder it does not work. :man_shrugging:

Still, it would be cool if there was a way to set this up, all in-LSIO-house.
