LDAP authentication for web services

Published

Some web services I run don't offer integration with LDAP for authentication. One possible way to have authentication is to use the Vouch proxy. I used it along with Nextcloud (which has integration with LDAP) providing OAuth. But I encountered a limitation to this approach. Some clients only support basic authentication and don't support the newer JWT tokens and OAuth flows (clients for the Transmission torrent clients are an example for that). I didn't want to deal with secret management or with .htaccess files. I wanted users to be able to authenticate using their LDAP password.

First attempt was using the LDAP authnz module for Apache. But either I didn't set it up correctly or that connecting to the LDAP server over a Unix socket doesn't work as expected. Anyway, authentication always succeeded when using the Unix socket and I didn't want to change the LDAP setup I have (I prefer using the Unix socket with containers as I can easily limit which containers have access to the LDAP server by cross-mounting the socket only to containers I want to have access).

I ended up creating a small service in Python with Flask and Flask-SimpleLDAP. The service exposes just a single endpoint /validate which returns a 200 code when basic authentication succeeds or a 401 code when it fails. Authentication uses the LDAP server over the Unix socket as I wanted. It can be easily integrated with Nginx using the auth_request directive. An example can be seen here. The entire service is available on my GitLab instance. There's even a Docker image you can use in my container registry.

For now I'm using a fork of Flask-SimpleLDAP (until my PR for adding support for accessing the LDAP server over a Unix socket is merged).