
Lauth


A simple OpenID Provider for LDAP directories such as Microsoft Active Directory (AD).

Lauth translates between LDAP and OAuth2/OpenID Connect, so applications that speak OpenID Connect can authenticate users held in an LDAP directory.

Compatibility

Installation

Use on Docker

$ docker run macrat/lauth:latest --version
lauth version 1.0.0

Build from source

$ go get github.com/macrat/lauth

$ lauth --version
lauth version 1.0.0

Usage

First, generate a client entry and append it to a config file.

$ lauth gen-client your-client-name -u https://your-client.example.com/callback >> config.toml

Then, start the server.

$ lauth \
  --ldap ldap://ldap.example.com \
  --ldap-user "CN=username,OU=somewhere,DC=example,DC=local" \
  --ldap-password ${LDAP_USER_PASSWORD} \
  --config config.toml

Finally, point your OpenID Connect client at the server and use it.

See also the full options list below and the example config file.

For production

For production use, add these options:

  • --issuer: External URL of the server.
  • --sign-key: RSA private key used to sign tokens.
  • --tls-cert and --tls-key (or --tls-auto): TLS certificate and key files (or have them generated automatically with Let's Encrypt).
  • --metrics-username and --metrics-password: Credentials protecting the metrics page (the metrics page may give an attacker useful hints about the deployment).

Use in docker-compose

Please see the docker-compose example.

Customize

Page design

This is the default page design:

[Screenshot: default design of the login page and error page]

If you want to customize the design, you can use --login-page, --logout-page, and --error-page. Templates use Go's html/template format.

Please see also the default page templates.

ID attribute

By default, Lauth uses sAMAccountName as the username; that is the logon ID in Microsoft Active Directory.

Use the --ldap-id-attribute option if you want to use another attribute as the username.

$ lauth --ldap-id-attribute mail  # login with e-mail

Or, you can use a config file.

$ cat <<EOS > config.toml
[ldap]
id_attribute = "mail"
EOS

$ lauth --config config.toml

Scope and Claims

You can change the scopes and claims for id_token and userinfo in the config file.

This is the default config; these claims are mapped to Microsoft Active Directory attributes. Each entry maps an OIDC claim to an LDAP attribute, and type = "[]string" keeps every value of a multi-valued attribute such as memberOf.

[scope]

profile = [
  { claim = "name",        attribute = "displayName" },
  { claim = "given_name",  attribute = "givenName"   },
  { claim = "family_name", attribute = "sn"          },
]

email = [
  { claim = "email", attribute = "mail" },
]

phone = [
  { claim = "phone_number", attribute = "telephoneNumber" },
]

groups = [
  { claim = "groups", attribute = "memberOf", type = "[]string" },
]
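To show how the [scope] table above is applied, here is an added example (not Lauth's own code): it encodes the default mapping as Go values and builds the claim set for a requested scope list from a constructed LDAP entry, skipping scopes that are not configured and attributes the entry does not have.

```go
package main

import (
	"fmt"
	"strings"
)

// ClaimRule mirrors one entry of the [scope] table in config.toml:
// { claim = "...", attribute = "...", type = "[]string" }.
type ClaimRule struct {
	Claim, Attribute string
	Type             string // "" means single string (default); "[]string" keeps all values
}

// defaultScopes is the page's default [scope] mapping for Active Directory.
var defaultScopes = map[string][]ClaimRule{
	"profile": {{"name", "displayName", ""}, {"given_name", "givenName", ""}, {"family_name", "sn", ""}},
	"email":   {{"email", "mail", ""}},
	"phone":   {{"phone_number", "telephoneNumber", ""}},
	"groups":  {{"groups", "memberOf", "[]string"}},
}

// BuildClaims maps LDAP attribute values to OIDC claims for the space-separated
// scopes the client requested. Unconfigured scopes such as "openid" add nothing,
// and attributes absent from the entry are skipped rather than emitted empty.
func BuildClaims(scopes map[string][]ClaimRule, requested string, entry map[string][]string) map[string]interface{} {
	claims := map[string]interface{}{}
	for _, scope := range strings.Fields(requested) {
		for _, rule := range scopes[scope] {
			values := entry[rule.Attribute]
			if len(values) == 0 {
				continue
			}
			if rule.Type == "[]string" {
				claims[rule.Claim] = append([]string(nil), values...) // multi-valued, e.g. memberOf
			} else {
				claims[rule.Claim] = values[0] // single-valued claim takes the first value
			}
		}
	}
	return claims
}

func main() {
	// Constructed sample entry, not real directory data.
	entry := map[string][]string{
		"displayName": {"Jane Doe"}, "givenName": {"Jane"}, "sn": {"Doe"}, "mail": {"jdoe@example.com"},
		"memberOf":    {"CN=admins,OU=groups,DC=example,DC=local", "CN=staff,OU=groups,DC=example,DC=local"},
	}
	fmt.Println(BuildClaims(defaultScopes, "openid profile email phone groups", entry))
}
```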

Options

server command

$ lauth [OPTIONS]

Each option can be given on the command line, as a config file key, or as an environment variable; the default value is listed where one exists.

--issuer (config: issuer, env: LAUTH_ISSUER, default: http://localhost:8000)
  Issuer URL.

--listen (config: listen, env: LAUTH_LISTEN, default: same port as the Issuer URL)
  Listen address and port.

--sign-key (config: sign_key, env: LAUTH_SIGN_KEY, default: generate a random key)
  RSA private key for signing tokens.

--tls-auto (config: tls.auto, env: LAUTH_TLS_AUTO)
  Enable automatic generation of a TLS cert with Let's Encrypt.

--tls-cert (config: tls.cert, env: LAUTH_TLS_CERT)
  Cert file for TLS encryption.

--tls-key (config: tls.key, env: LAUTH_TLS_KEY)
  Key file for TLS encryption.

--authz-endpoint (config: endpoint.authz, env: LAUTH_ENDPOINT_AUTHZ, default: /login)
  Path to the authorization endpoint.

--token-endpoint (config: endpoint.token, env: LAUTH_ENDPOINT_TOKEN, default: /login/token)
  Path to the token endpoint.

--userinfo-endpoint (config: endpoint.userinfo, env: LAUTH_ENDPOINT_USERINFO, default: /login/userinfo)
  Path to the userinfo endpoint.

--jwks-uri (config: endpoint.jwks, env: LAUTH_ENDPOINT_JWKS, default: /login/jwks)
  Path to the JWKS URI.

--login-expire (config: expire.login, env: LAUTH_EXPIRE_LOGIN, default: 1h)
  Time limit for entering the username and password on the login page.

--code-expire (config: expire.code, env: LAUTH_EXPIRE_CODE, default: 5m)
  Time limit for exchanging the code for an access_token or id_token.

--token-expire (config: expire.token, env: LAUTH_EXPIRE_TOKEN, default: 1d)
  Expiration duration of access_token and id_token.

--refresh-expire (config: expire.refresh, env: LAUTH_EXPIRE_REFRESH, default: 1w)
  Expiration duration of refresh_token. If set to 0, no refresh_token is created.

--sso-expire (config: expire.sso, env: LAUTH_EXPIRE_SSO, default: 2w)
  Duration for which the login page is skipped for users who logged in before. If set to 0, always ask the end-user for the username and password.

--ldap (config: ldap.server, env: LAUTH_LDAP_SERVER)
  URL of the LDAP server. You can include user credentials like `ldap://USER_DN:PASSW

--ldap-user (config: ldap.user, env: LAUTH_LDAP_USER)
  User DN for connecting to LDAP. You can use the DOMAIN\username style if using Active Directory.

--ldap-password (config: ldap.password, env: LAUTH_LDAP_PASSWORD)
  Password for connecting to LDAP.

--ldap-base-dn (config: ldap.base_dn, env: LAUTH_LDAP_BASE_DN, default: same as the user DC)
  The base DN for searching user accounts in LDAP, like OU=somewhere,DC=example,DC=local.

--ldap-id-attribute (config: ldap.id_attribute, env: LAUTH_LDAP_ID_ATTRIBUTE, default: sAMAccountName)
  ID attribute name in LDAP.

--ldap-disable-tls (config: ldap.disable_tls, env: LAUTH_LDAP_DISABLE_TLS)
  Disable TLS when connecting to the LDAP server. THIS IS INSECURE.

--login-page (config: template.login_page, env: LAUTH_TEMPLATE_LOGIN_PAGE)
  Template file for the login page.

--logout-page (config: template.logout_page, env: LAUTH_TEMPLATE_LOGOUT_PAGE)
  Template file for the logged-out page.

--error-page (config: template.error_page, env: LAUTH_TEMPLATE_ERROR_PAGE)
  Template file for the error page.

--metrics-path (config: metrics.path, env: LAUTH_METRICS_PATH, default: /metrics)
  Path to Prometheus metrics.

--metrics-username (config: metrics.username, env: LAUTH_METRICS_USERNAME)
  Basic auth username for accessing Prometheus metrics. If omitted, authentication is disabled.

--metrics-password (config: metrics.password, env: LAUTH_METRICS_PASSWORD)
  Basic auth password for accessing Prometheus metrics. If omitted, authentication is disabled.

--config (env: LAUTH_CONFIG)
  Load options from a TOML, YAML, or JSON file.

--debug
  Enable debug output. This is insecure for production use.

gen-client sub command

$ lauth gen-client CLIENT_ID [OPTIONS]

--redirect-uri
  URIs to accept redirects to.

--secret
  Client secret value. A random secret is generated if omitted. Using this option is not recommended.