{"id":24453089,"url":"https://github.com/dignajar/another-ldap","last_synced_at":"2025-10-01T15:31:13.521Z","repository":{"id":41282922,"uuid":"392090450","full_name":"dignajar/another-ldap","owner":"dignajar","description":"Another LDAP is a form-based authentication for Active Directory / LDAP server. Provides Authentication and Authorization for your applications running in Kubernetes.","archived":false,"fork":false,"pushed_at":"2023-10-01T15:52:44.000Z","size":478,"stargazers_count":47,"open_issues_count":4,"forks_count":12,"subscribers_count":4,"default_branch":"main","last_synced_at":"2023-10-01T18:54:37.842Z","etag":null,"topics":["authentication","form-based","form-based-authentication","ingress","kubernetes","ldap","ldap-authentication"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dignajar.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-08-02T20:50:00.000Z","updated_at":"2023-09-05T10:38:30.000Z","dependencies_parsed_at":"2022-07-07T01:02:29.130Z","dependency_job_id":null,"html_url":"https://github.com/dignajar/another-ldap","commit_stats":null,"previous_names":[],"tags_count":11,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dignajar%2Fanother-ldap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dignajar%2Fanother-ldap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dignajar%2Fanother-ldap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dignajar%2Fanother-ldap/manifests","owner_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dignajar","download_url":"https://codeload.github.com/dignajar/another-ldap/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234878798,"owners_count":18900701,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","form-based","form-based-authentication","ingress","kubernetes","ldap","ldap-authentication"],"created_at":"2025-01-21T01:18:28.977Z","updated_at":"2025-10-01T15:31:13.204Z","avatar_url":"https://github.com/dignajar.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Another LDAP\nAnother LDAP provides form-based authentication for Active Directory / LDAP servers.\n\nAnother LDAP provides Authentication and Authorization for your applications running on Kubernetes.\n\n**Another LDAP** works perfectly with **NGINX ingress controller** via ([External OAUTH Authentication](https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/)), **HAProxy** ([haproxy-auth-request](https://github.com/TimWolla/haproxy-auth-request)) or any webserver/reverse proxy with authorization based on the result of a subrequest.\n\n[![Docker image](https://img.shields.io/badge/Docker-image-blue.svg)](https://github.com/dignajar/another-ldap/pkgs/container/another-ldap)\n[![Kubernetes YAML manifests](https://img.shields.io/badge/Kubernetes-manifests-blue.svg)](https://github.com/dignajar/another-ldap/tree/master/kubernetes)\n[![codebeat 
badge](https://codebeat.co/badges/f57de995-ca62-49e5-b309-82ed60570324)](https://codebeat.co/projects/github-com-dignajar-another-ldap-master)\n[![release](https://img.shields.io/github/v/release/dignajar/another-ldap.svg)](https://github.com/dignajar/another-ldap/releases)\n[![license](https://img.shields.io/badge/license-MIT-green)](https://github.com/dignajar/another-ldap/blob/master/LICENSE)\n\n![Alt text](another-ldap.png?raw=true \"Another LDAP\")\n\n## Features\n- Authentication and Authorization for applications.\n- Authorization via LDAP groups, supports regex in groups list.\n- Supports protocols `ldap://` and `ldaps://`.\n- TLS enabled by design via a self-signed certificate.\n- Supports configuration via headers or via environment variables.\n- HTTP response headers with username and matched groups for the backend.\n- Brute force protection.\n- Log format in Plain-Text or JSON.\n\n## Installation\n- Clone this repository or download the manifests from the directory `kubernetes`.\n- Edit the ingress, config-map and secrets with your configuration.\n- ALDAP is installed in the namespace `another`.\n\n```\ngit clone https://github.com/dignajar/another-ldap.git\ncd another-ldap/kubernetes\nkubectl apply -f .\n```\n\n## Configuration\n\n### Example 1: Authentication\nThe following example provides authentication for the application `my-app`.\n- The authentication validates username and password.\n\n```\n---\nkind: Ingress\napiVersion: networking.k8s.io/v1\nmetadata:\n  name: my-app\n  annotations:\n    kubernetes.io/ingress.class: \"nginx\"\n    nginx.ingress.kubernetes.io/auth-url: https://another-ldap.another.svc.cluster.local/auth\n    nginx.ingress.kubernetes.io/server-snippet: |\n      error_page 401 = @login;\n      location @login {\n        return 302 https://another-ldap.testmyldap.com/?protocol=$pass_access_scheme\u0026callback=$host;\n      }\nspec:\n  rules:\n  - host: my-app.testmyldap.com\n    http:\n      paths:\n      - path: /\n        
pathType: Prefix\n        backend:\n          service:\n            name: my-app\n            port:\n              number: 80\n```\n\n### Example 2: Authentication and Authorization\nThe following example provides authentication and authorization for the application `my-app`.\n- The authentication validates username and password.\n- The authorization validates that the user has the LDAP group `DevOps production environment`.\n\n```\n---\nkind: Ingress\napiVersion: networking.k8s.io/v1\nmetadata:\n  name: my-app\n  annotations:\n    kubernetes.io/ingress.class: \"nginx\"\n    nginx.ingress.kubernetes.io/auth-url: https://another-ldap.another.svc.cluster.local/auth\n    nginx.ingress.kubernetes.io/auth-snippet: |\n      proxy_set_header Ldap-Allowed-Groups \"DevOps production environment\";\n    nginx.ingress.kubernetes.io/server-snippet: |\n      error_page 401 = @login;\n      location @login {\n        return 302 https://another-ldap.testmyldap.com/?protocol=$pass_access_scheme\u0026callback=$host;\n      }\nspec:\n  rules:\n  - host: my-app.testmyldap.com\n    http:\n      paths:\n      - path: /\n        pathType: Prefix\n        backend:\n          service:\n            name: my-app\n            port:\n              number: 80\n```\n\n### Example 3: Authentication, Authorization and response headers\nThe following example provides authentication and authorization for the application `my-app` and calls the application with the headers `x-username` and `x-groups`.\n- The authentication validates username and password.\n- The authorization validates that the user has one of the following LDAP groups: `DevOps production environment` or `DevOps QA environment`.\n- Nginx will return the header `x-username`, which contains the authenticated username, to the application.\n- Nginx will return the header `x-groups`, which contains the matched groups for the authenticated username, to the application.\n\nWith these headers you can apply further authorization in the application or 
display the logged-in user.\n\n```\n---\nkind: Ingress\napiVersion: networking.k8s.io/v1\nmetadata:\n  name: my-app\n  annotations:\n    kubernetes.io/ingress.class: \"nginx\"\n    nginx.ingress.kubernetes.io/auth-url: https://another-ldap.another.svc.cluster.local/auth\n    nginx.ingress.kubernetes.io/auth-response-headers: \"x-username, x-groups\"\n    nginx.ingress.kubernetes.io/auth-snippet: |\n      proxy_set_header Ldap-Allowed-Groups \"DevOps production environment, DevOps QA environment\";\n    nginx.ingress.kubernetes.io/server-snippet: |\n      error_page 401 = @login;\n      location @login {\n        return 302 https://another-ldap.testmyldap.com/?protocol=$pass_access_scheme\u0026callback=$host;\n      }\nspec:\n  rules:\n  - host: my-app.testmyldap.com\n    http:\n      paths:\n      - path: /\n        pathType: Prefix\n        backend:\n          service:\n            name: my-app\n            port:\n              number: 80\n```\n\n## Available parameters\nAll parameters are defined in the config-map and secret manifests.\n\nAll values are of type `string`.\n\nThe parameter `LDAP_SEARCH_FILTER` supports variable expansion with the username: for example, in `(sAMAccountName={username})`, `{username}` is replaced by the username typed in the login form.\n\nThe parameter `LDAP_BIND_DN` supports variable expansion with the username: for example, in `{username}@TESTMYLDAP.com` or `UID={username},OU=PEOPLE,DC=TESTMYLDAP,DC=COM`, `{username}` is replaced by the username typed in the login form.\n\nThe parameter `COOKIE_DOMAIN` defines the scope of the cookie; for example, if you need to authenticate/authorize the domain `testmyldap.com`, you should set the wildcard `.testmyldap.com` (notice the dot at the beginning).\n\n## Supported HTTP request headers\nVariables sent via HTTP headers take precedence over environment variables.\n- `Ldap-Allowed-Users`\n- `Ldap-Allowed-Groups`\n- 
`Ldap-Conditional-Groups`: Default=`\"or\"`\n- `Ldap-Conditional-Users-Groups`: Default=`\"or\"`\n\n## HTTP response headers\n- `x-username` Contains the authenticated username\n- `x-groups` Contains the user's matched groups\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdignajar%2Fanother-ldap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdignajar%2Fanother-ldap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdignajar%2Fanother-ldap/lists"}