feat: Add ldap-auth plugin

[jp-gouin]

What this PR does / why we need it:

This PR add a new authentication plugin that use a LDAP server to authenticate the user

This add a new type of consumer

"ldap-auth": {
    "userdn": "cn=user01,dc=example,dc=org"
 }

This plugin can also automatically create a consumer upon request if auto_create_consumer = true
This fixes : #3861 and #1128

Test cases are not fully operational yet.

Help needed

Also need help to add the deployment of an Openldap server on Github Action.
FYI i used the (bitnami/openldap:2)(https://hub.docker.com/r/bitnami/openldap/) docker image

openldap:
    image: bitnami/openldap:2
    ports:
      - '389:1389'
      - '636:1636'
    environment:
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=adminpassword
      - LDAP_USERS=user01,user02
      - LDAP_PASSWORDS=password1,password2

Next feature

Add a group variable in the consumer , this group would come from the memberOf (configurable) attribute of the ldap user and add it in the consumer.
Then plugins such as consumer_restriction could be updated to take into account groups -> (which can also be used on basic-auth (and more) plugin where a consumer can also be part of a group)

Pre-submission checklist:

• Did you explain what problem does this PR solve? Or what new features have been added?
• [-] Have you added corresponding test cases?
• Have you modified the corresponding document?
• Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

[spacewander]

"authenticates"?

[jp-gouin]

Yes corrected

[spacewander]

return ok, err is enough.

[jp-gouin]

Ok added

[spacewander]

Better to avoid creating temporary consumers. The temporary consumer may be broken somewhere else.

[jp-gouin]

Ok remove this feature .
It was more to act like the oidc plugin , that does not require a consumer to be created , but i see your point

[spacewander]

Is it the password?

[jp-gouin]

No indeed it's the uid attribute that changes depending of the ldap server solution

[spacewander]

Would you use a snake case for the field name, like base_dn / ldap_uri?

[jp-gouin]

Ok changed

[spacewander]

@jp-gouin
You can install the docker in:

apisix/.travis/linux_openresty_common_runner.sh

Line 21 in 654b1a9

before_install() {

And the libldap in:

apisix/utils/linux-install-openresty.sh

Line 43 in 654b1a9

sudo apt-get install "$openresty" lua5.1 liblua5.1-0-dev

[spacewander]

@membphis @moonming
Can we introduce libldap as an extern dependency? This library needs to be installed manually.

[spacewander]

Why not use the latest release: 1.2.6?

[membphis]

@membphis @moonming
Can we introduce libldap as an extern dependency? This library needs to be installed manually.

https://github.com/lualdap/lualdap does not declare the license, the author needs to declare the license first, otherwise APISIX cannot use this open-source project.

[jp-gouin]

@membphis there is a licence in their website https://lualdap.github.io/lualdap/license
We can open a ticket if the licence needs to be at project level

[spacewander]

The spirit of the license is that you are free to use LuaLDAP for any purpose at no cost without having to ask us. The only requirement is that if you do use LuaLDAP, then you should give us credit by including the appropriate copyright notice somewhere in your product or its documentation.

IMHO, it seems we can use it after adding the copyright notice.

There is the raw file of the License page: https://github.com/lualdap/lualdap/blob/master/docs/license.md.

[membphis]

@membphis there is a licence in their website https://lualdap.github.io/lualdap/license
We can open a ticket if the licence needs to be at project level

https://github.com/lualdap/lualdap

there is no information about license: https://github.com/lualdap/lualdap/search?q=license

I created a new issue right now: lualdap/lualdap#21

[jp-gouin]

@jp-gouin
You can install the docker in:

apisix/.travis/linux_openresty_common_runner.sh

Line 21 in 654b1a9

before_install() {

And the libldap in:

apisix/utils/linux-install-openresty.sh

Line 43 in 654b1a9

sudo apt-get install "$openresty" lua5.1 liblua5.1-0-dev

The CI doesn't seems to install libldap2-dev before installing apisix. Am i missing something ?

[spacewander]

@jp-gouin
Thank you for your contribution.
However, as @membphis mentioned, we need to wait for the author's confirmation in
lualdap/lualdap#21

[spacewander]

@jp-gouin
You can install the docker in:

apisix/.travis/linux_openresty_common_runner.sh

Line 21 in 654b1a9

before_install() {

And the libldap in:

apisix/utils/linux-install-openresty.sh

Line 43 in 654b1a9

sudo apt-get install "$openresty" lua5.1 liblua5.1-0-dev

The CI doesn't seems to install libldap2-dev before installing apisix. Am i missing something ?

Some ci cases have their own way to install the library, like:

apisix/utils/centos7-ci.sh

Line 25 in 4156a73

yum install -y wget tar gcc automake autoconf libtool make unzip \

apisix/ci/linux_tengine_runner.sh

Line 218 in 4156a73

sudo apt-get install lua5.1 liblua5.1-0-dev

[tzssangglass]

@jp-gouin hi, are you still interested in continuing this PR?

[jp-gouin]

I am , however there is still the licence issue on the lualdap/lualdap#21
As soon has the licence has been validated by @membphis , i will update this PR

[membphis]

@membphis @moonming
Can we introduce libldap as an extern dependency? This library needs to be installed manually.

@moonming need your help. ^_^

[jp-gouin]

@membphis is the information provided in the lualdap/lualdap#21 enough for the use of lualdap in Apisix ?
If so i would be happy to continue working on the PR

[membphis]

@membphis is the information provided in the lualdap/lualdap#21 enough for the use of lualdap in Apisix ?
If so i would be happy to continue working on the PR

cool, I think you can continue this PR, it fine now.

[membphis]

I think you need to resolve the conflicting files ^_^

[jp-gouin]

Failed tests do not seems to be related to ldap-auth plugin, do you confirm ?
Chaos test should be ok once PR apache/apisix-docker#222 is merged

[spacewander]

Better to check if decoded is not nil and the split result has two elements.

[jp-gouin]

Actually it’s a copy paste from

apisix/apisix/plugins/basic-auth.lua

Line 83 in 34df010

local decoded = ngx.decode_base64(m[1])

, I’ll try to update the code

[spacewander]

Feel free to submit another PR to update basic-auth.

[spacewander]

We can remove this part now. The dashboard is not shipped by default.

[jp-gouin]

Ok will remove , actually it’s a copy paste from

apisix/docs/en/latest/plugins/basic-auth.md

Line 64 in 34df010

you also can add a Consumer through the web console:

[spacewander]

Failed tests do not seems to be related to ldap-auth plugin, do you confirm ? Chaos test should be ok once PR apache/apisix-docker#222 is merged

Look like they are just flaky test results.

[membphis]

@membphis @moonming Can we introduce libldap as an extern dependency? This library needs to be installed manually.

LGTM ^_^

[membphis]

Needs to install the libldap2-dev in ChaosMesh case.

https://github.com/apache/apisix/pull/3894/checks?check_run_id=3788501510#step:5:1004

Error: Failed installing dependency: https://luarocks.org/lualdap-1.2.6-1.src.rock - Could not find header file for LDAP
  No file ldap.h in /usr/local/include
  No file ldap.h in /usr/include
  No file ldap.h in /include

[spacewander]

Suggested change

	return nil, "split authorization length is invalid"
	return nil, "split authorization err: invalid decoded data: " .. decoded

[spacewander]

if not decoded then
        return nil, "failed to decode authentication header: " .. m[1]
end

[jp-gouin]

@membphis , the chaos mesh test is using the apisix-docker project to build apisix :

apisix/.github/workflows/chaos.yml

Line 41 in aa375ab

docker build -t apache/apisix:alpine-local --build-arg APISIX_PATH=. -f Dockerfile .

I submitted a PR to add the library in the apisix-docker apache/apisix-docker#222

[spacewander]

@jp-gouin
Would you update this PR? It is almost done.

[jp-gouin]

@jp-gouin Would you update this PR? It is almost done.

Done :)

[tzssangglass]

LGTM

[lijing-21]

@jp-gouin,
Hi, Thank you for your contribution! We are excited to hear about your story with APISIX, so we want to invite you to write an article, for reference，you could introduce the reason why you choose to use APISIX, and why you wrote this plugin, or show the readers how to use this plugin. We will publish this article on the official website of Apahce APISIX, I believe it will be of great help to our readers.
Here is my e-mail: [email protected]. Looking forward to your reply！~

[Zeeeeta]

Thanks for the effort.
May I know if base_dn only support searching in one level of directory and not searching for the AD objects in subdirectory?