Go-lang LDAP Authentication (GLAuth) is a secure, easy-to-use, LDAP server w/ configurable backends.

Overview

GLAuth: LDAP authentication server for developers


  • Centrally manage accounts across your infrastructure
  • Centrally manage SSH keys, Linux accounts, and passwords for cloud servers.
  • Lightweight alternative to OpenLDAP and Active Directory for development, or a homelab.
  • Store your user directory in a file, local or in S3; SQL database; or proxy to existing LDAP servers.
  • Two Factor Authentication (transparent to applications)
  • Multiple backends can be chained to inject features

Use it to centralize account management across your Linux servers, your OSX machines, and your support applications (Jenkins, Apache/Nginx, Graylog2, and many more!).

Contributing

  • Please base all Pull Requests on dev, not master.
  • Format your code automatically using gofmt -d ./ before committing

Quickstart

This quickstart is a great way to try out GLAuth in a non-production environment. Be warned that you should take the extra steps to set up SSL (TLS) for production use!

  1. Download a precompiled binary from the releases page.
  2. Download the example config file.
  3. Start the GLAuth server, referencing the path to the desired config file with -c.
    • ./glauth64 -c sample-simple.cfg
  4. Test with traditional LDAP tools
    • For example: ldapsearch -LLL -H ldap://localhost:3893 -D cn=serviceuser,ou=svcaccts,dc=glauth,dc=com -w mysecret -x -bdc=glauth,dc=com cn=hackers

Make Commands

Note - makefile uses git data to inject build-time variables. For best results, run in the context of the git repo.

make all - run build binaries for platforms

make fast - run build for only linux 64 bit

make run - wrapper for the 'go run' command, setting up the needed tooling

make plugins - build additional (SQL) plugin backends

make test - run the integration test on linux64 binary

Usage:

glauth: securely expose your LDAP for external auth

Usage:
  glauth [options] -c <config>
  glauth -h --help
  glauth --version

Options:
  -c, --config <file>       Config file.
  -K <aws_key_id>           AWS Key ID.
  -S <aws_secret_key>       AWS Secret Key.
  -r <aws_region>           AWS Region [default: us-east-1].
  --ldap <address>          Listen address for the LDAP server.
  --ldaps <address>         Listen address for the LDAPS server.
  --ldaps-cert <cert-file>  Path to cert file for the LDAPS server.
  --ldaps-key <key-file>    Path to key file for the LDAPS server.
  -h, --help                Show this screen.
  --version                 Show version.

Configuration:

GLAuth can be deployed as a single server using only a local configuration file. This is great for testing, or for production if you use a tool like Puppet/Chef/Ansible:

glauth -c glauth.cfg

Here's a sample config with hardcoded users and groups:

[backend]
  datastore = "config"
  baseDN = "dc=glauth,dc=com"
[[users]]
  name = "hackers"
  uidnumber = 5001
  primarygroup = 5501
  passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a"   # dogood
  sshkeys = [ "ssh-dss AAAAB3..." ]
[[users]]
  name = "uberhackers"
  uidnumber = 5006
  primarygroup = 5501
  passbcrypt = "243261243130244B62463462656F7265504F762E794F324957746D656541326B4B46596275674A79336A476845764B616D65446169784E41384F4432"   # dogood
[[groups]]
  name = "superheros"
  gidnumber = 5501

To create the password SHA hash, use this command: echo -n "mysecret" | openssl dgst -sha256

Instead of a local configuration file, GLAuth can fetch its configuration from S3. This is an easy way to ensure redundant GLAuth servers are always in-sync.

glauth -c s3://bucketname/glauth.cfg

In order to use S3, you must set your AWS credentials. Either:

  1. set the -K and -S command-line flags OR
  2. set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

More configuration options are documented here: https://github.com/glauth/glauth/blob/master/sample-simple.cfg

Chaining backends

This can be used, for instance, to inject support for Two Factor Authentication for backends that do not support the feature natively:

[[backends]]
  datastore = "ldap"
  servers = ["ldaps://localhost:390"]

[[backends]]
  datastore = "config"

...

[[users]]
  name = "hackers"
  otpsecret = "................"

Required Fields

  • Name
    • The user's username
  • ou
    • ID of the user's primary group
  • uidnumber
    • The user's unix user id
  • sshPublicKey
    • Specify an array of public keys

Optional Fields

  • otherGroups
    • Array of IDs of groups the user is a member of.
    • Example: [5501, 5002]
    • default = blank
  • givenname
    • First name
    • Example: John
    • default = blank
  • sn
    • Last name
    • Example: Doe
    • default = blank
  • disabled
    • Specify if account is active.
    • Set to 'true' (without quotes) to make the LDAP entry add 'AccountStatus = inactive'
    • default = false (active)
  • mail
  • loginshell
    • Specify a different login shell for the user
    • Example: /bin/sh, or /sbin/nologin
    • default = /bin/bash
  • homedirectory
    • Specify an overridden home directory for the user
    • Example: /home/itadmin
    • default = /home/[username]
  • otpsecret
    • Specify OTP secret used to validate OTP passcode
    • Example: 3hnvnk4ycv44glzigd6s25j4dougs3rk
    • default = blank
  • passappbcrypt
    • Specify an array of app passwords which can also successfully bind - these bypass the OTP check. Hash the same way as password.
    • Example: ["c32255dbf6fd6b64883ec8801f793bccfa2a860f2b1ae1315cd95cdac1338efa","4939efa7c87095dacb5e7e8b8cfb3a660fa1f5edcc9108f6d7ec20ea4d6b3a88"]
    • default = blank
  • passappsha256
    • Specify an array of app passwords which can also successfully bind - these bypass the OTP check. Hash the same way as password.
    • Example: ["c32255dbf6fd6b64883ec8801f793bccfa2a860f2b1ae1315cd95cdac1338efa","4939efa7c87095dacb5e7e8b8cfb3a660fa1f5edcc9108f6d7ec20ea4d6b3a88"]
    • default = blank
  • yubikey
    • Specify Yubikey ID for matching Yubikey OTP against the user
    • Example: cccjgjgkhcbb
    • default = blank

OpenSSH keys:

GLAuth can store a user's SSH authorized keys. Add one or more keys per user as shown above, then set up the goklp helper: https://github.com/appliedtrust/goklp

Strong Passwords

If you are currently using sha256 passwords (passsha256 or passappsha256), moving to strong, salted passwords is recommended. Simply switch to the passbcrypt and/or passappbcrypt password types. Currently (2021) 2^12 is a reasonably good value, depending on your server's CPU.

Two Factor Authentication

GLAuth can be configured to accept OTP tokens appended to a user's password. Support is included for both TOTP tokens (often known by their most prominent implementation, "Google Authenticator") and Yubikey OTP tokens.

When using 2FA, append the 2FA code to the end of the password when authenticating. For example, if your password is "monkey" and your otp is "123456", enter "monkey123456" as your password.

TOTP Configuration

To enable TOTP authentication on a user, you can use a tool like this to generate a QR code (pick 'Timeout' and optionally let it generate a random secret for you), which can be scanned and used with the Google Authenticator app. To enable TOTP authentication, configure the otpsecret for the user with the TOTP secret.

App Passwords

Additionally, you can specify an array of password hashes using the passappsha256 for app passwords. These are not OTP validated, and are hashed in the same way as a password. This allows you to generate a long random string to be used in software which requires the ability to authenticate.

However, app passwords can be used without OTP as well.
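The bind-password check the sections above describe (a SHA-256 hash from the config, an optional six-digit TOTP code appended to the password, and app passwords that bypass the OTP check), written out as an added example in Go. This is not GLAuth's own code: the User type and the Sha256Hex, TOTP and Authenticate functions are hypothetical names, the one-step clock-skew window is an assumption of this example rather than documented GLAuth behaviour, and only the sha256 password types are covered because bcrypt needs a package outside the standard library. Sha256Hex produces the same digest as the openssl command given above; the secret in main is the RFC 6238 reference secret and the user is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// User holds the config fields this example cares about (hypothetical type,
// not GLAuth's). Hashes are lowercase hex digests, as in passsha256.
type User struct {
	Name          string
	PassSHA256    string   // hex(sha256(password))
	PassAppSHA256 []string // app passwords, hashed the same way; they bypass OTP
	OTPSecret     string   // base32 TOTP secret; empty means no 2FA for this user
}

// Sha256Hex is the programmatic equivalent of
//   echo -n "mysecret" | openssl dgst -sha256
func Sha256Hex(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// hashMatches compares a candidate password with a stored digest in constant
// time, so response timing does not reveal how many bytes matched.
func hashMatches(stored, password string) bool {
	return subtle.ConstantTimeCompare([]byte(strings.ToLower(stored)), []byte(Sha256Hex(password))) == 1
}

// TOTP computes the 6-digit RFC 6238 code (HMAC-SHA1, 30-second step) for a
// base32 secret at the given instant. Lowercase and unpadded secrets, like the
// otpsecret example in the field list above, are accepted.
func TOTP(secretB32 string, at time.Time) (string, error) {
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	key, err := enc.DecodeString(strings.ToUpper(strings.TrimRight(secretB32, "=")))
	if err != nil {
		return "", fmt.Errorf("bad otpsecret: %w", err)
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(at.Unix()/30))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.4
	code := (binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff) % 1000000
	return fmt.Sprintf("%06d", code), nil
}

// Authenticate decides whether the string a client sent as its bind password
// is acceptable for u at time now.
func Authenticate(u User, supplied string, now time.Time) bool {
	// App passwords are checked first and never require an OTP.
	for _, h := range u.PassAppSHA256 {
		if hashMatches(h, supplied) {
			return true
		}
	}
	if u.OTPSecret == "" {
		return hashMatches(u.PassSHA256, supplied)
	}
	// 2FA users send "<password><6-digit code>": the last six characters are the code.
	if len(supplied) <= 6 {
		return false
	}
	password, code := supplied[:len(supplied)-6], supplied[len(supplied)-6:]
	if !hashMatches(u.PassSHA256, password) {
		return false
	}
	// Accept the current step and one step either side to tolerate clock drift
	// (the size of this window is an assumption of this example).
	for _, skew := range []time.Duration{0, -30 * time.Second, 30 * time.Second} {
		expected, err := TOTP(u.OTPSecret, now.Add(skew))
		if err != nil {
			return false
		}
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample user: password "dogood" plus the RFC 6238 reference secret.
	u := User{Name: "hackers", PassSHA256: Sha256Hex("dogood"), OTPSecret: "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
	code, _ := TOTP(u.OTPSecret, time.Now())
	fmt.Println("bind password right now:", "dogood"+code)
	fmt.Println("accepted:", Authenticate(u, "dogood"+code, time.Now()))
}
```

Note that once otpsecret is set, a bind with the bare password is rejected even though the hash is correct, which is the "OTP authentication is required for the user" behaviour described under Yubikey OTP below; app passwords are the only way around it.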

Yubikey Configuration

For Yubikey OTP token authentication, first configure your Yubikey. After this, make sure to request a Client ID and Secret key pair.

Now configure the yubikeyclientid and yubikeysecret fields in the general section in the configuration file.

To enable Yubikey OTP authentication for a user, you must specify their Yubikey ID in the user's yubikey field. The Yubikey ID is the first 12 characters of the Yubikey OTP, as explained in the chart below.

[Figure: Yubikey OTP]

When a user has been configured with either one of the OTP options, the OTP authentication is required for the user. If both are configured, either one will work.

Backends:

For advanced users, GLAuth supports pluggable backends. Currently, it can use a local file, S3 or an existing LDAP infrastructure. In the future, we hope to have backends that support Mongo, SQL, and other datastores.

[backend]
  datastore = "ldap"
  servers = [ "ldaps://server1:636", "ldaps://server2:636" ]

Production:

Any of the architectures above will work for production. Just remember:

  • Always use legit SSL certs for production!

Other Architectures

A small note about other architectures: while I expect the code is, for the most part, system-independent, there is not a good (and free) CI system which can be easily used to continuously test releases on ARM, BSD, Linux-32bit, and Windows. As such, all of the non-linux-64bit packages are provided as is. The extent of testing on these packages consists solely of cross-compiling for these architectures from a linux 64 bit system.

We will accept PRs which fix bugs on these platforms, but be aware these binaries will not be tested regularly, and instead are provided for the convenience of those who feel comfortable with this.

Building:

You'll need go-bindata to build GLAuth. Then use the Makefile.

go get github.com/jteeuwen/go-bindata/...
make all

Logging

  • using logr with increasing verbosity
    • 0 you always want to see this
    • 1 common logging that you might possibly want to turn off (error)
    • 2 warn
    • 3 notice
    • 4 info
    • 6 debug
    • 8 trace
    • 10 I would like to performance test your log collection stack
  • errors really are errors that cannot be handled or returned
    • returning a proper LDAP error code is handling an error

Testing

Of course, a core set of tests is being run by Travis CI. However, when developing new features/refactoring, a more comprehensive regression testing suite is needed.

You can run go test to execute the tests found in glauth_test.go -- better, if it is installed, you can run goconvey

Since some tests cover TOTP, you will first need to install oathtool in your environment.

In order to test GLAuth against an LDAP backend, you will need docker. Run this command:

docker run \
    --rm \
    -d \
    -p 389:389 \
    --name openldap-service \
    --hostname ldap-service \
    --env LDAP_ORGANISATION="GLauth" \
    --env LDAP_DOMAIN="glauth.com" \
    --env LDAP_ADMIN_PASSWORD="password" \
    --env LDAP_CONFIG_PASSWORD="password" \
    --env LDAP_BASE_DN="dc=glauth,dc=com" \
    -v $PWD/misc/openldap/config:/etc/ldap/slapd.d \
    -v $PWD/misc/openldap/db:/var/lib/ldap \
    osixia/openldap:latest

Refer to this page for a somewhat more in-depth overview of testing with OpenLDAP.

Compatibility

While our stated goal for GLAuth is to provide the simplest possible authentication server, we keep finding an increasing number of client appliances that are asking fairly "existential" questions of the server. We have been working on providing answers these clients will find satisfactory.

Root DSE

RFC 4512: "An LDAP server SHALL provide information about itself and other information that is specific to each server. This is represented as a group of attributes located in the root DSE"

Test: ldapsearch -LLL -H ldap://localhost:3893 -D cn=serviceuser,ou=svcaccts,dc=glauth,dc=com -w mysecret -x -s base "(objectclass=*)"

Subschema Discovery

RFC 4512: "To read schema attributes from the subschema (sub)entry, clients MUST issue a Search operation [RFC4511] where baseObject is the DN of the subschema (sub)entry..."

Test: ldapsearch -LLL -o ldif-wrap=no -H ldap://localhost:3893 -D cn=serviceuser,ou=svcaccts,dc=glauth,dc=com -w mysecret -x -bcn=schema -s base

By default, this query will return a very minimal schema (~5 objects) -- you can ask GLAuth to return more comprehensive schemas by unpacking, in the schema/ directory, the OpenLDAP or FreeIPA schema archives found in the assets/ directory.

LDAP Backend: "1.1" attribute

RFC 4511: "A list containing only the OID "1.1" indicates that no attributes are to be returned."

Stargazers over time

[Figure: stargazers-over-time chart]

Comments
  • Add TLS options for running both with TLS and without on the same time

    This commit expands on the settings available for using TLS. It puts TLS settings under the [frontend.tls] section and adds a new setting to [frontend] called TLSExclusive (bool). TLSExclusive specifies whether or not to only run TLS when it is enabled, and is 'true' by default. Setting it to 'false' and having TLS enabled, causes the server to start both an LDAP and LDAPS server, and therefore requires two separate 'listen' options (to run on different ports) - the Frontend.Listen and the Frontend.TLS.Listen. If TLSExclusive is set to 'true' and no Frontend.TLS.Listen is specified, it will use the Frontend.Listen.

    sample-simple.cfg is updated with example and comments

    incomplete 
    opened by ryskov 16
  • LDAP Result Code 49 - BindDN should have only one or two parts

    I am working on the integration with GLAuth in https://github.com/greenpau/caddy-security/issues/32

    The LDAP library used is github.com/go-ldap/ldap/v3 v3.4.1.

    Working with the sample-simple.cfg provided in the getting started.

    The binding does not quite work.

    As a user, I get: LDAP Result Code 49 "Invalid Credentials":

    In GLAuth logs I see: BindDN should have only one or two parts

    18:11:40.997631 Bind ▶ DEBU 023  "level"=6 "msg"="Bind request"  "basedn"="dc=glauth,dc=com" "binddn"="cn=serviceuser,ou=svcaccts,dc=glauth,dc=com" "src"={"IP":"127.0.0.1","Port":56898,"Zone":""}
    18:11:40.997681 Bind ▶ DEBU 024  "level"=6 "msg"="Bind success"  "binddn"="cn=serviceuser,ou=svcaccts,dc=glauth,dc=com" "src"={"IP":"127.0.0.1","Port":56898,"Zone":""}
    18:11:40.998060 Search ▶ DEBU 025  "level"=6 "msg"="Search request"  "basedn"="dc=glauth,dc=com" "binddn"="cn=serviceuser,ou=svcaccts,dc=glauth,dc=com" "filter"="(\u0026(|(uid=johndoe)(mail=johndoe))(objectClass=posixAccount))" "scope"=2 "searchbasedn"="dc=glauth,dc=com" "src"={"IP":"127.0.0.1","Port":56898,"Zone":""}
    18:11:40.998076 searchMaybeTopLevelNodes ▶ DEBU 026  "level"=6 "msg"="Search request"  "special case"="top-level browse"
    18:11:40.998131 searchMaybeTopLevelNodes ▶ DEBU 027  "level"=6 "msg"="AP: Top-Level Browse OK"  "filter"="(\u0026(|(uid=johndoe)(mail=johndoe))(objectClass=posixAccount))"
    18:11:40.998388 Bind ▶ DEBU 028  "level"=6 "msg"="Bind request"  "basedn"="dc=glauth,dc=com" "binddn"="cn=johndoe,ou=superheros,ou=users,dc=glauth,dc=com" "src"={"IP":"127.0.0.1","Port":56898,"Zone":""}
    18:11:40.998404 findUser ▶ WARN 029  "level"=2 "msg"="BindDN should have only one or two parts"  "binddn"="cn=johndoe,ou=superheros,ou=users,dc=glauth,dc=com" "numparts"=3
    

    Please assist.

    opened by greenpau 14
  • Additional Backends

    From @benyanke on April 19, 2018 1:21

    This thread is for requests of additional backends.

    MySQL seems the first obvious one. Feel free to chime in if anyone has other ideas. I'll implement as I'm able or accept PRs.

    Currently tracked backends:

    • MySQL
    • Postgres
    • CockroachDB (would likely be the same as postgres)
    • Etcd
    • Amazon Cognito REST API

    Before implementing these backends, perhaps it would be useful to add an interface layer to cleanly specify the contract between a backend provider and glauth, and also move backend providers into their own directory.

    enhancement backend-request 
    opened by benyanke 13
  • Database plugins

    Me again!

    Following your feedback, things are now much lighter: CGO dependencies are gone and, more importantly, I am now using Go's plugin mechanism so that the database backends are not compiled in GLAuth by default.

    I added 3 simple targets so that either of them can be easily compiled to a dynamically loadable plugin.

    You will also note that everything is self contained in its own package.

    opened by Fusion 12
  • macOS native binary run with postgres plugin throwing error: "error"="Unable to load specified backend plugin: plugin: not implemented" "msg"="Could not create server"

    OS: macOS Big Sur (11.16.5) glauth version: v2.1.0 (downloaded from release) plugin: postgres.so

    config:

    [backend]
      datastore = "plugin"
      # If "plugin," uncomment the line below
      # plugin = "bin/sqlite.so"
      # pluginhandler = "NewSQLiteHandler"
      plugin = "postgres.so"
      pluginhandler = "NewPostgresHandler"
    

    files:

    $ ls

    glauth*              glauth.sha256        mysql.so             postgres.so          sample-database.cfg  sqlite.so
    
    ./glauth -c sample-database.cfg
    09:38:20.886567 doConfig ▶ DEBU 001  "level"=6 "msg"="Debugging enabled"
    09:38:20.886598 startService ▶ DEBU 002  "level"=6 "msg"="Web API enabled"
    09:38:20.886635 startService ▶ ERRO 003  "error"="Unable to load specified backend plugin: plugin: not implemented" "msg"="Could not create server"
    
    opened by leopku 10
  • Push current images to docker hub

    I really like glauth w/ cockroachdb and it works fine with my own built docker image. But is there a way that the latest glauth(-plugins) will be pushed to the glauth/glauth docker hub? Seems very outdated. Thanks.

    opened by maikelcoke 10
  • ldap filter `memberOf` does not work

    I use glauth w/ ldap backend. The filter using memberOf doesn't seem to work. Example:

    ldapsearch -H ldaps://ldap-proxy.example.com:636 -b dc=example,dc=com -D uid=abc,cn=users,dc=example,dc=com -x -w PASS '(memberOf=cn=admin,cn=groups,dc=example,dc=com)'
    

    The same query works with the ldap backend.

    opened by Tony2 9
  • Space in search BaseDN causes request to fail

    I wanted to try out GLAuth instead of OpenLDAP for use with Authelia. GLAuth works perfectly with ldaptools, but with Authelia I always get "Authentication failed", so I started to debug the requests and found out Authelia puts a space between the request BaseDN so instead of dc=example,dc=com it sends dc=example, dc=com which causes the request to fail. I wasn't sure whether to submit this to GLAuth or to Authelia, so I'll just submit it to both.

    https://github.com/clems4ever/authelia/issues/306

    Example of working request (done with ldapsearch):

    14:13:12.879190 Bind ▶ DEBU 054 Bind request: bindDN: cn=admin,ou=admins,dc=example,dc=com, BaseDN: dc=example,dc=com, source: 192.168.0.68:54638
    14:13:12.879279 Bind ▶ DEBU 055 Bind success as %s from %s cn=admin,ou=admins,dc=example,dc=com 192.168.0.68:54638
    14:13:12.879753 Search ▶ DEBU 056 Search request as %s from %s for %s cn=admin,ou=admins,dc=example,dc=com 192.168.0.68:54638 (objectclass=*)
    14:13:12.879955 Search ▶ DEBU 057 AP: Search OK: %s (objectclass=*)
    

    Example of broken request

    
    14:13:27.437198 Bind ▶ DEBU 058 Bind request: bindDN: cn=admin,ou=admins,dc=example,dc=com, BaseDN: dc=example,dc=com, source: 192.168.0.68:54642
    14:13:27.437283 Bind ▶ DEBU 059 Bind success as %s from %s cn=admin,ou=admins,dc=example,dc=com 192.168.0.68:54642
    14:13:27.437730 Search ▶ DEBU 05a Search request as %s from %s for %s cn=admin,ou=admins,dc=example,dc=com 192.168.0.68:54642 (objectclass=*)
    2018/12/15 14:13:27 handleSearchRequest error LDAP Result Code 50 "Insufficient Access Rights": Search Error: search BaseDN dc=example, dc=com is not in our BaseDN dc=example,dc=com
    
    bug question 
    opened by ghost 9
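The failure in this issue comes from comparing DNs as raw strings. RFC 4514 allows optional whitespace around the commas that separate RDNs, so "dc=example, dc=com" and "dc=example,dc=com" name the same entry and a suffix check on the unnormalised string wrongly rejects the second form. The following is an added example, not GLAuth's code, of a small DN normaliser in Go: it splits on unescaped commas, trims that whitespace, lowercases attribute types, and then performs the base-DN containment check from this issue and the RDN count that the "BindDN should have only one or two parts" warning in the earlier issue reports as numparts. The function names (ParseDN, Normalize, IsUnderBase, PartsRelativeTo) are hypothetical and the DNs in main are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// splitUnescaped splits s on sep but leaves a separator alone when it is
// preceded by a backslash, which is how RFC 4514 escapes a comma inside a
// value (e.g. "cn=Doe\, John").
func splitUnescaped(s string, sep byte) []string {
	var parts []string
	var cur strings.Builder
	escaped := false
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case escaped:
			cur.WriteByte(c)
			escaped = false
		case c == '\\':
			cur.WriteByte(c)
			escaped = true
		case c == sep:
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	return append(parts, cur.String())
}

// ParseDN returns the RDNs of dn as "type=value" with whitespace around the
// separators and the '=' removed and the attribute type lowercased. Values
// keep their case; an RDN without '=' is rejected rather than guessed at.
func ParseDN(dn string) ([]string, error) {
	raw := splitUnescaped(dn, ',')
	rdns := make([]string, 0, len(raw))
	for _, r := range raw {
		eq := strings.IndexByte(r, '=')
		if eq < 0 {
			return nil, fmt.Errorf("malformed RDN %q in %q", strings.TrimSpace(r), dn)
		}
		typ := strings.ToLower(strings.TrimSpace(r[:eq]))
		val := strings.TrimSpace(r[eq+1:])
		if typ == "" {
			return nil, fmt.Errorf("empty attribute type in %q", dn)
		}
		rdns = append(rdns, typ+"="+val)
	}
	return rdns, nil
}

// Normalize renders dn in canonical comma-separated form, so that
// "dc=example, dc=com" and "dc=example,dc=com" compare equal as strings.
func Normalize(dn string) (string, error) {
	rdns, err := ParseDN(dn)
	if err != nil {
		return "", err
	}
	return strings.Join(rdns, ","), nil
}

// IsUnderBase reports whether dn is base itself or an entry beneath it. It
// compares whole RDNs from the right, case-insensitively, so unlike a plain
// string suffix test it is not fooled by "xdc=example,dc=com".
func IsUnderBase(dn, base string) (bool, error) {
	d, err := ParseDN(dn)
	if err != nil {
		return false, err
	}
	b, err := ParseDN(base)
	if err != nil {
		return false, err
	}
	if len(d) < len(b) {
		return false, nil
	}
	for i := 1; i <= len(b); i++ {
		if !strings.EqualFold(d[len(d)-i], b[len(b)-i]) {
			return false, nil
		}
	}
	return true, nil
}

// PartsRelativeTo counts the RDNs of dn below base: 3 for
// "cn=johndoe,ou=superheros,ou=users,dc=glauth,dc=com" under "dc=glauth,dc=com".
func PartsRelativeTo(dn, base string) (int, error) {
	under, err := IsUnderBase(dn, base)
	if err != nil {
		return 0, err
	}
	if !under {
		return 0, fmt.Errorf("%q is not under base %q", dn, base)
	}
	d, _ := ParseDN(dn)
	b, _ := ParseDN(base)
	return len(d) - len(b), nil
}

func main() {
	base := "dc=example,dc=com" // constructed sample base DN
	for _, dn := range []string{"dc=example, dc=com", "ou=users , DC=Example,dc=com", "dc=example,dc=org"} {
		n, err := Normalize(dn)
		under, _ := IsUnderBase(dn, base)
		fmt.Printf("%-34q -> %-28q under base: %v (err=%v)\n", dn, n, under, err)
	}
}
```

Normalising on the way in, before any base-DN or bind-DN comparison, is what removes the difference between the two clients in this issue; values are deliberately left with their original case so a caseExactMatch attribute is not silently altered.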
  • glauth does not work with gitea

    Hi,

    I exposed an LDAP server via glauth to the public net, using the ldap backend connected to an LDAP server in the internal net. My intent is to use glauth as the authentication source for a gitea server facing the public net.

    I have tested glauth successfully using ldapsearch as follows:

    ldapsearch -H ldaps://ldap-proxy.example.com:636 -b cn=users,dc=example,dc=com -D uid=abc,cn=users,dc=example,dc=com -x -w password -LLL '(uid=abc)'
    

    However I cannot get it to work with gitea; glauth log says

    Jul  8 13:46:24 vm-ldap-proxy glauth64[61172]: 13:46:24.314141 Bind ▶ DEBU 34d Bind success as uid=abc,cn=users,dc=example,dc=com from 1.2.3.4:50578
    Jul  8 13:46:24 vm-ldap-proxy /usr/local/bin/glauth64[61172]: 13:46:24.314141 Bind ▶ DEBU 34d Bind success as uid=abc,cn=users,dc=example,dc=com from 1.2.3.4:50578
    

    but gitea web UI says "incorrect username or password". I looked into gitea log and saw:

    gitea  | 2021/07/08 13:23:09 ...dels/login_source.go:850:UserSignIn() [W] Failed to login 'abc' via 'ldap-proxy': user does not exist [uid: 0, name: abc, keyid: 0]
    gitea  | 2021/07/08 13:23:09 routers/user/auth.go:179:SignInPost() [I] Failed authentication attempt for abc from 172.19.0.1:63892: user does not exist [uid: 0, name: , keyid: 0]
    

    It seems to me more likely a problem with gitea than with glauth; however when I tried gitea to authenticate against the internal ldap server I could login. So perhaps the answer from glauth is slightly different than the one from the internal ldap, which makes gitea unhappy.

    Any hint or idea what can be tried to troubleshoot this?

    opened by hth2 8
  • Unable to integrate it with PAM

    I have enough services in my home lab to have an LDAP to try to centralize users, but not enough to mount a full-fledged LDAP like slapd or whatever.

    I was doing a test on some VMs to test this and it worked with some services like Nextcloud and nginx-ldap, but now I'm trying to integrate it with Linux at the PAM level.

    I think Glauth is correctly configured:

    [ldap]
      enabled = true
      listen = "0.0.0.0:3893"
    [ldaps]
      enabled = false
    [api]
      enabled = true
      tls = false # enable TLS for production!!
      listen = "0.0.0.0:5555"
      cert = "cert.pem"
      key = "key.pem"
    
    debug = true
    
    [backend]
      datastore = "config"
      baseDN = "dc=h"
    
    ################# USERS #################
    [[users]]
      name = "root"
      givenname = "root"
      unixID = 0
      primaryGroup = 5501
      otherGroups = [ 5503 ]
      loginShell = "/bin/bash"
      homeDir = "/root"
      passsha256 = REDACTED
    
    # Home users
    [[users]]
      name = "kang"
      unixID = 10000
      primaryGroup = 5501
      otherGroups = [ 5503 ]
      loginShell = "/bin/bash"
      homeDir = "/home/kang"
      passsha256 = REDACTED
    
    ################# GROUPS #################
    [[groups]]
      name = "home"
      unixid = 5501
    

    % ldapsearch -x -H ldap://glauth.s -D cn=root,ou=home,dc=h -w "$pass" -b dc=h cn=kang

    # extended LDIF
    #
    # LDAPv3
    # base <dc=h> with scope subtree
    # filter: cn=kang
    # requesting: ALL
    #
    
    # kang, home, h
    dn: cn=kang,ou=home,dc=h
    cn: kang
    uid: kang
    ou: home
    uidNumber: 10000
    accountStatus: active
    objectClass: posixAccount
    objectClass: shadowAccount
    loginShell: /bin/bash
    homeDirectory: /home/kang
    description: kang
    gecos: kang
    gidNumber: 5501
    memberOf: cn=home,ou=groups,dc=h
    shadowExpire: -1
    shadowFlag: 134538308
    shadowInactive: -1
    shadowLastChange: 11000
    shadowMax: 99999
    shadowMin: -1
    shadowWarning: 7
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    So I configure PAM: # cat /etc/nsswitch.conf

    passwd:         files ldap
    group:          files ldap
    shadow:         files ldap
    gshadow:        files ldap
    

    # cat /etc/libnss-ldap.conf

    host glauth.s
    base dc=h
    ldap_version 3
    
    rootbinddn cn=root,ou=home,dc=h
    bindpw secret
    

    # cat /etc/libnss-ldap.secret

    REDACTED
    

    It seems to work: # getent passwd | grep kang

    kang:x:10000:5501:kang:/home/kang:/bin/bash
    

    # getent group | grep kang

    home:*:5501:kang,root,kang,root
    

    But when I try to get a passwd with getent passwd or simply su, it fails. # getent shadow | grep kang | wc -l

    0
    

    These are the errors I find in the logs:

    2020/12/09 20:10:53 handleSearchRequest error LDAP Result Code 1 "Operations Error": Search Error: unhandled filter type: shadowaccount [(&(objectClass=shadowAccount)(uid=kang))]
    2020/12/09 20:10:53 handleSearchRequest error LDAP Result Code 1 "Operations Error": Search Error: unhandled filter type: shadowaccount [(&(objectClass=shadowAccount)(uid=kang))]
    2020/12/09 20:10:54 handleSearchRequest error LDAP Result Code 1 "Operations Error": Search Error: unhandled filter type: shadowaccount [(&(objectClass=shadowAccount)(uid=kang))]
    2020/12/09 20:13:02 handleSearchRequest error LDAP Result Code 1 "Operations Error": Search Error: unhandled filter type: shadowaccount [(objectClass=shadowAccount)]
    2020/12/09 20:13:58 handleSearchRequest error LDAP Result Code 1 "Operations Error": Search Error: unhandled filter type: shadowaccount [(objectClass=shadowAccount)]
    2020/12/09 20:15:39 handleSearchRequest error LDAP Result Code 1 "Operations Error": Search Error: unhandled filter type: shadowaccount [(objectClass=shadowAccount)]
    

    Any hint of where to start to debug to see if I can help?

    OS: Debian 10 Simply install libnss-ldap and libpam-ldapd on a fresh machine and change the files I mentioned to reproduce this bug/feature request.

    opened by kang-makes 8
  • Support applications that verify the password themselves

    Some applications don't try to connect to the ldap server as the user it's trying to authenticate but look for the password in the result they get and calculate/compare the hash itself. As far as I can tell, glauth does not give those applications enough data to finish authentication.

    Right now I only know of nextcloud that is acting this way, but I'm sure there are more things out there doing the same.

    Possibly related to #3, because I don't think any other ldap implementation out there uses plain sha256.

    opened by jcgruenhage 8
  • passbcrypt broken with MySQL backend

    Using a mysql backend passbcrypt VARCHAR(64) DEFAULT is not enough to contain a hexadecimal bcrypt password (120 chars long, I suggest using VARCHAR(128) instead)

    bug 
    opened by Hellhium 1
  • database schema?

    I would like to support different backends in my Ansible role.

    I am currently looking for documentation on the database schema, but have not been able to find anything. The only thing I could find were sample statements to import demo data: https://glauth.github.io/docs/databases.html

    Is there a working and documented schema?

    Regards

    opened by bodsch 3
  • Update sample-simple.cfg

    Fix typo

    Thank you for making a pull request!

    A few things to be aware of as you're working on your PR:

    WIP Tag

    Incomplete PRs are more than welcome - it can be useful to collaborate before implementation of an idea is complete. However, if your PR is not ready for merge, please add [WIP] to the end of the title (work-in-progress).

    Tests

    Before committing, you are encouraged to run the small but growing test suite. This is accomplished by make test. Additionally, if you are adding new functionality, consider adding tests covering your feature.

    CI

    Each push to a branch connected to a PR will be run through GLAuth's CI system. Please use these to your advantage. In particular, the Github Actions integration tests rely on the LDAP queries returning with a set result, so if your changes will change the output, CI will likely fail.

    To update, run make fast && make updatetest && make test. This will delete the output snapshots provided and make new ones. You can then inspect the changes and commit them.

    Similarly, check codeclimate and try to fix what you find there if it fails.

    opened by vaporup 1
  • Update README.md

    Fix typo and URL to sample config

    opened by vaporup 1
  • Hi 👋🏼  I am trying to set up glauth with authelia as well. I am not really following what you were all able to do to make it working. Do you have any tips? Thanks!

    Originally posted by @onedr0p in https://github.com/glauth/glauth/issues/268#issuecomment-1193330459

    Hi 👋🏼 I am trying to set up glauth with authelia as well. I am not really following what you were all able to do to make it working. Do you have any tips? Thanks!

    glauth configuration

    I am testing, the password decrypted is none

    debug = true
    [ldap]
        enabled = true
        listen = "0.0.0.0:3893"
    [ldaps]
        enabled = false
    [api]
        enabled = true
        tls = false
        listen = "0.0.0.0:5555"
    [backend]
        datastore = "config"
        baseDN = "dc=home,dc=arpa"
        nameformat = "cn"
        groupformat = "ou"
    [[groups]]
        name = "svc"
        gidnumber = 5500
    [[users]]
        name = "admin"
        uidnumber = 5000
        primarygroup = 5500
        passsha256 = "140bedbf9c3f6d56a9846d2ba7088798683f4da0c248231336e6a05679e4fdfe"
    [[users.capabilities]]
        action = "search"
        object = "*"
    [[groups]]
        name = "users"
        gidnumber = 6500
    [[users]]
        name = "devin"
        uidnumber = 6000
        primarygroup = 6500
        passsha256 = "140bedbf9c3f6d56a9846d2ba7088798683f4da0c248231336e6a05679e4fdfe"
    

    authelia configuration

    authentication_backend:
      password_reset:
        disable: true
      ldap:
        url: ldap://glauth:3893
        username_attribute: uid
        additional_users_dn: ou=users
        users_filter: (&({username_attribute}={input})(objectClass=person))
        additional_groups_dn: ou=groups
        groups_filter: (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
        group_name_attribute: cn
        mail_attribute: mail
        display_name_attribute: displayName
        password: "none"
        base_dn: dc=home,dc=arpa
        user: cn=admin,ou=svc,dc=home,dc=arpa
    

    glauth logs

    glauth-546b97c79-l5mgx glauth 14:32:14.651356 Bind ▶ DEBU 00b  "level"=6 "msg"="Bind request"  "basedn"="dc=home,dc=arpa" "binddn"="cn=admin,ou=svc,dc=home,dc=arpa" "src"={"IP":"10.42.152.197","Port":51428,"Zone":""}
    glauth-546b97c79-l5mgx glauth 14:32:14.651514 Bind ▶ DEBU 00c  "level"=6 "msg"="Bind success"  "binddn"="cn=admin,ou=svc,dc=home,dc=arpa" "src"={"IP":"10.42.152.197","Port":51428,"Zone":""}
    glauth-546b97c79-l5mgx glauth 14:32:14.654708 Search ▶ DEBU 00d  "level"=6 "msg"="Search request"  "basedn"="dc=home,dc=arpa" "binddn"="cn=admin,ou=svc,dc=home,dc=arpa" "filter"="(\u0026(uid=devin)(objectClass=person))" "scope"=2 "searchbasedn"="ou=users,dc=home,dc=arpa" "src"={"IP":"10.42.152.197","Port":51428,"Zone":""}
    glauth-546b97c79-l5mgx glauth 14:32:14.654943 searchMaybeTopLevelUsersNode ▶ DEBU 00e  "level"=6 "msg"="Search request"  "special case"="top-level users node"
    glauth-546b97c79-l5mgx glauth 14:32:14.655255 searchMaybeTopLevelUsersNode ▶ DEBU 00f  "level"=6 "msg"="AP: Top-Level Users Browse OK"  "filter"="(\u0026(uid=devin)(objectClass=person))"
    

    authelia logs

    authelia-56985d8557-q29b7 authelia time="2022-07-24T13:32:26Z" level=error msg="Unsuccessful 1FA authentication attempt by user 'devin': user not found" method=POST path=/api/firstfactor remote_ip=192.168.1.100 stack="github.com/authelia/authelia/v4/internal/handlers/response.go:233           markAuthenticationAttempt\ngithub.com/authelia/authelia/v4/internal/handlers/handler_firstfactor.go:53 FirstFactorPOST.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54           (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25          SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35          SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16          SecurityHeaders.func1\ngithub.com/fasthttp/[email protected]/router.go:414                            (*Router).Handler\ngithub.com/valyala/[email protected]/http.go:153                             (*Response).StatusCode\ngithub.com/authelia/authelia/v4/internal/middlewares/metrics.go:22          NewMetricsRequest.func1.1\ngithub.com/valyala/[email protected]/server.go:2308                          (*Server).serveConn\ngithub.com/valyala/[email protected]/workerpool.go:224                       (*workerPool).workerFunc\ngithub.com/valyala/[email protected]/workerpool.go:196                       (*workerPool).getCh.func1\nruntime/asm_amd64.s:1571                                                    goexit"
    

    ldapsearch

    ❯ ldapsearch -LLL -H ldap://10.42.173.35:3893 -D "cn=admin,dc=home,dc=arpa" -w none -x -bdc=home,dc=arpa cn=devin
    dn: cn=devin,ou=users,ou=users,dc=home,dc=arpa
    cn: devin
    uid: devin
    ou: users
    uidNumber: 6000
    accountStatus: active
    objectClass: posixAccount
    objectClass: shadowAccount
    loginShell: /bin/bash
    homeDirectory: /home/devin
    description: devin
    gecos: devin
    gidNumber: 6500
    memberOf: ou=users,ou=groups,dc=home,dc=arpa
    shadowExpire: -1
    shadowFlag: 134538308
    shadowInactive: -1
    shadowLastChange: 11000
    shadowMax: 99999
    shadowMin: -1
    shadowWarning: 7
    
    ❯ ldapsearch -x -D "cn=admin,ou=svc,dc=home,dc=arpa" \
                     -W -H ldap://10.42.173.35:3893 -b "ou=users,dc=home,dc=arpa" \
                     -s sub "uid=devin" --filter "(&({username_attribute}={input})(objectClass=person))"
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <ou=users,dc=home,dc=arpa> with scope subtree
    # filter: uid=devin
    # requesting: --filter (&({username_attribute}={input})(objectClass=person))
    #
    
    # devin, users, users, home.arpa
    dn: cn=devin,ou=users,ou=users,dc=home,dc=arpa
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    
    opened by Fusion 5
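One way to reproduce Authelia's lookup without Authelia in the loop, as an added example that is not part of the issue above or of the GLAuth project: render the users_filter template for a username, escaping the input as RFC 4515 requires, and run exactly that subtree search with ldapsearch. The function names ldap_filter_escape, render_users_filter and authelia_user_search and the bindpw file are this example's own; the DN, attribute and filter values are copied from the authelia configuration in the issue. Note that ldapsearch has no --filter option: in the second ldapsearch run above it was taken as a requested attribute name ("# requesting: --filter ..."), so the filter actually searched there was the bare uid=devin.

```bash
#!/usr/bin/env bash
# Reproduce Authelia's user lookup against GLAuth by hand. The function names
# below are this example's own, not Authelia's or GLAuth's.
set -euo pipefail

# Values copied from the authelia configuration in the issue.
BASE_DN='dc=home,dc=arpa'
ADDITIONAL_USERS_DN='ou=users'
USERNAME_ATTRIBUTE='uid'
USERS_FILTER='(&({username_attribute}={input})(objectClass=person))'

# Escape an assertion value per RFC 4515 section 3 so that login-form text
# cannot change the filter's structure ("devin)(uid=*" must stay one assertion).
# The RFC also escapes NUL, which a bash string cannot carry.
ldap_filter_escape() {
  local s=$1
  s=${s//\\/\\5c}   # backslash first, or the escapes below get escaped again
  s=${s//\*/\\2a}
  s=${s//\(/\\28}
  s=${s//\)/\\29}
  printf '%s' "$s"
}

# Fill the {username_attribute} and {input} placeholders the way Authelia's
# users_filter documents them, escaping the user-supplied input.
render_users_filter() {
  local tmpl=$1 attr=$2 input
  input=$(ldap_filter_escape "$3")
  tmpl=${tmpl//\{username_attribute\}/"$attr"}
  tmpl=${tmpl//\{input\}/"$input"}
  printf '%s' "$tmpl"
}

# Run the same subtree search Authelia performs: bind as the service account,
# base = additional_users_dn + base_dn, scope sub, rendered filter as the
# positional filter argument. The bind password is read from a file (-y) so it
# does not appear in the process list; write that file with printf '%s' so it
# has no trailing newline, because -y uses the complete file contents.
authelia_user_search() {
  local url=$1 bind_dn=$2 pw_file=$3 username=$4 filter
  filter=$(render_users_filter "$USERS_FILTER" "$USERNAME_ATTRIBUTE" "$username")
  printf 'search base: %s,%s\nfilter:      %s\n' "$ADDITIONAL_USERS_DN" "$BASE_DN" "$filter" >&2
  ldapsearch -LLL -x -H "$url" -D "$bind_dn" -y "$pw_file" \
    -b "$ADDITIONAL_USERS_DN,$BASE_DN" -s sub "$filter" dn uid objectClass memberOf
}

# Example: ./authelia-lookup.sh ldap://glauth:3893 cn=admin,ou=svc,dc=home,dc=arpa ./bindpw devin
if [ "$#" -eq 4 ]; then
  authelia_user_search "$@"
fi
```

The requested attributes include objectClass so the result can be compared with the objectClass assertion in the filter: the ldapsearch output in the issue lists posixAccount and shadowAccount for devin, while the configured filter asserts person. Whether GLAuth's search handler applies that assertion is not something this page shows, so treat the comparison as one thing to check, not as a diagnosis.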
Releases (v2.1.0)
  • v2.1.0 (Feb 28, 2022)

    Warning

    While this release does not introduce breaking changes, if you are using database plugins you should ensure that the database schema is correct.

    Enhancements

    • Custom Attributes #240
    • Multi Cfg #233
    • V2 hierarchy #228
    • 'Airgapping' web assets for security and preventing breakage #227
    • Assets: use stdlib "embed" package (thanks @hdonnay!) #200
    • Internal Stats -- performance view #221
    • Docker with plugins, distroless #217
    • Capabilities #214
    • Create and push docker image using podman #209
    • Getting rid of Travis CI now that it doesn't support FOSS anymore.
    • Any way to change objectClass? #239
    • Restrict service login #231
    • employeeType attribute #232
    • jpegPhoto attribute #225
    • Support multiple configuration files via a conf.d like directory (Beta!) #223

    Bugfixes

    • Can't enumerate groups or members of groups #86
    • With the database plugins, the database config line is printed to syslog if syslog is enabled #213
    • User serviceuser primary group is not svcaccts. #208
    • Fix 'ou' regression #246 #252
    Source code(tar.gz)
    Source code(zip)
    darwinamd64.zip(15.28 MB)
    darwinarm64.zip(15.38 MB)
    linux386.zip(4.83 MB)
    linuxamd64.zip(16.96 MB)
    linuxarm.zip(4.77 MB)
    linuxarm64.zip(4.84 MB)
    win386.zip(4.98 MB)
    winamd64.zip(5.24 MB)
  • v2.1.0-RC1 (Nov 26, 2021)

    Warning

    While this release does not introduce breaking changes, if you are using database plugins you should ensure that the database schema is correct.

    Enhancements

    • Custom Attributes #240
    • Multi Cfg #233
    • V2 hierarchy #228
    • 'Airgapping' web assets for security and preventing breakage #227
    • Assets: use stdlib "embed" package (thanks @hdonnay!) #200
    • Internal Stats -- performance view #221
    • Docker with plugins, distroless #217
    • Capabilities #214
    • Create and push docker image using podman #209
    • Getting rid of Travis CI now that it doesn't support FOSS anymore.
    • Any way to change objectClass? #239
    • Restrict service login #231
    • employeeType attribute #232
    • jpegPhoto attribute #225
    • Support multiple configuration files via a conf.d like directory (Beta!) #223

    Bugfixes

    • Can't enumerate groups or members of groups #86
    • With the database plugins, the database config line is printed to syslog if syslog is enabled #213
    • User serviceuser primary group is not svcaccts. #208
    Source code(tar.gz)
    Source code(zip)
    darwinamd64.zip(14.07 MB)
    darwinarm64.zip(14.47 MB)
    linux386.zip(4.83 MB)
    linuxamd64.zip(16.96 MB)
    linuxarm.zip(4.77 MB)
    linuxarm64.zip(4.84 MB)
    win386.zip(4.98 MB)
    winamd64.zip(5.24 MB)
  • v2.0.0 (Aug 13, 2021)

    The long-awaited v2.0.0 release, ready to rock after two weeks in RC status.

    Enhancements

    • Backends: Support for database backend plugins, starting with MySQL, SQLite and Postgres (Database plugins #133)

    • Backends: Backends acting as middleware: added the [[Backends]] configuration directive while retaining backward compatibility with [Backend] (Database plugins #133)

    • Backends: When chaining backends, any backend can be used to inject the OTP value into the password before it reaches a non-OTP-aware backend (Database plugins #133)

    • Backends: Add provisional support for writeable backends (those that will support write operations only) -- no commitment to support write operations at this time (add support for writehandlers #135)

    • Compatibility: Enable root DSE query #158

    • Compatibility: Allow bind operations with no group provided #205

    • Compatibility: Support for userPrincipalName binding and browsing. #206

    • Compatibility: Handling of special "1.1" attributes filter meaning "I do not want attributes" (RFC 4511, 4.5.1.8)

    • Compatibility: Support for "want types only" queries, even when proxying

    • Compatibility: Augmented root DSE and schema discovery based on the content of the schema directory

    • Compatibility: SubSchema query can return a minimal set, freeipa or openldap's schemas

    • Configuration: Variable "unixid" is now respectively "UIDNumber" and "GIDNumber" for… #201

    • Configuration: (@fanlix) Config file hot reload doesn't work #132

    • Configuration: Add LDAP listen flags #169

    • Platforms: Mac M1 Support and LDAP Req Attributes #192

    • Platforms: Build and push multiarch docker images #142

    • Testing: Introducing goconvey testing and refactoring of config and ... #204

    • Security: Stronger, salted passwords using bcrypt. #195

    Bugfixes

    • ldap filter memberOf does not work #186

    • Empty BaseDN when searching with Python ldap3 #168

    • uidnumber or unixid? #144

    • ARM (multiarch) docker image #141

    • config: match shadowaccount objectclass #136

    • UserPrincipalName support as User attribute #129

    • Config backend should allow users to bind without specifying group name #98

    • Space in search BaseDN causes request to fail #68

    • postgres backend #118

    • mysql backend #117

    • Additional Backends #11

    • fix owncloud backend issues #128

    • check owncloud status code is ok #153

    • Implement Password Salting and Hash Incrementing #3

    • Suggestion: add bcrypt / Argon2 password hashing #179

    • Not able to connect glAuth server #147

    • Config file hot reload doesn't work #132

    • allow clean shutdown #126

    • glauth does not work with gitea #183

    • Invalid AWS region: ap-south-1 #182

    • Add Configuration Option to Allow Anon Binding #5

    • Need fix Travis CI API wiring #193

    • Allow using configmaps when deploying in kubernetes #161

    • Makefile compatibility #134

    • unable to build on ubuntu 18.04.4 LTS #130

    • Write Unit Tests #10

    • Link to a public chat, eg gitter or matrix #166

    • Suggestion: enable wiki for documentation #127

    • Set up simple site #34

    Under the hood

    • Updated LDAP library to support UTF8 and case-insensitive chars (Feature/upgrade ldap library version #194; FYI updated LDAP library #188)
    • LDAP backend: req. attribute injected in response if missing
    • Use functional options for handlers and the server (use functional options pattern to inject logr #124)
      • logr interface is passed around for logging
      • a wrapper for the go-logging lib is provided
    • Refactored non-proxied backends (Introducing goconvey testing and refactoring of config and ... #204)
    Source code(tar.gz)
    Source code(zip)
    glauth-arm32(13.18 MB)
    glauth-arm32.sha256(79 bytes)
    glauth-arm64(14.81 MB)
    glauth-arm64.sha256(79 bytes)
    glauth-win32(14.27 MB)
    glauth-win32.sha256(79 bytes)
    glauth-win64(16.20 MB)
    glauth-win64.sha256(79 bytes)
    glauth32(13.83 MB)
    glauth32.sha256(75 bytes)
    glauth64(15.86 MB)
    glauth64.sha256(75 bytes)
    glauthOSX(19.48 MB)
    glauthOSX-arm64(19.18 MB)
    glauthOSX-arm64.sha256(82 bytes)
    glauthOSX.sha256(76 bytes)
    plugins_darwin_amd64.zip(8.69 MB)
    plugins_darwin_arm64.zip(8.91 MB)
    plugins_linux_amd64.zip(9.41 MB)
  • v1.1.2 (Feb 24, 2020)

    This release fixes a few bugs, refactors the codebase to make it reusable in other projects and adds an (experimental) ownCloud backend. Scraping the v1.1.2 dev PR we can see these interesting commits:

    Enhancements

    • Add support for including groups in groups #23
    • Add App Password Support #60 - implements #54
    • Allow for configuring DN format #57
    • Add shadow account support #84 - implements #81
    • owncloud10 backend graphapi #104

    Changes

    • Refactor packages #105 - allows better reuse of the packages

    Bugfixes

    • Expose LDAPS ports in Docker container #49
    • Fix wrong env for arm32 #52 - fixes #51
    • 9f349d1 - fixes String formatting not working #64
    • Update host #70 - for correct port forwarding in docker
    • Fix unkeyed fields #80 - fixes Fix Issues found using Go Vet #43
    • Fix mutex #88 - fixes Fix Issues found using Go Vet #43

    I also tried to use travis to deploy a draft release using a new machine user @glauth-ci which led to several unneeded merges to master after manually merging the dev branch, but it should work now.

    I'll set up a new dev branch now and cleanup the milestones.

    Cheers!

    @butonic - new co-maintainer, trying to help @benyanke get things rolling again.

    Source code(tar.gz)
    Source code(zip)
    glauth-arm32(20.02 MB)
    glauth-arm32.sha256(79 bytes)
    glauth-arm64(22.17 MB)
    glauth-arm64.sha256(79 bytes)
    glauth-win32(20.54 MB)
    glauth-win32.sha256(79 bytes)
    glauth-win64(22.79 MB)
    glauth-win64.sha256(79 bytes)
    glauth32(20.74 MB)
    glauth32.sha256(75 bytes)
    glauth64(23.21 MB)
    glauth64.sha256(75 bytes)
    glauthOSX(23.15 MB)
    glauthOSX.sha256(76 bytes)
  • v1.1.1 (Dec 25, 2018)

    • added ldapsearch to container to enable using custom healthchecks at runtime
    • improving builds with auto retries
    • improving docs
    • App passwords
    • Logging bugfixes

    Release binary hashes (note - not the same as the container builds yet, unfortunately, just for the ones below):

    060300253f824d12f02e2722bd42c574957cb977ac91d9dc4ae667770d1b4293  glauth32
    ff8b1a82052c9bd8f380fdb23f63523c0a1b145d592a962c88b6461434ed86e9  glauth64
    4ec4f1c840cc3bc716c99f00db4c9691b56c73c2bcf16f7b1b666fd500a8496f  glauth-arm32
    43f5cfa344c0ec5703338baf10dae273f8de12e56826fa517a6fc3e3eb4f400a  glauth-arm64
    272a63300653ed92deb8308497d576648d418509d95793ca0635673f0636defb  glauthOSX
    1c27d6ea9cde9406cc0f1d2a840e8894dc4555702994d47b0fe5af1f92c46dcd  glauth-win32
    0aca8dd87c1861f41e022a9a990b72c374642695a7c6316a9da68d50574bf1f8  glauth-win64
    
    Source code(tar.gz)
    Source code(zip)
    glauth-arm32(7.23 MB)
    glauth-arm64(8.05 MB)
    glauth-win32(7.00 MB)
    glauth-win64(8.02 MB)
    glauth32(7.11 MB)
    glauth64(8.23 MB)
    glauthOSX(8.25 MB)
  • v1.1.0 (Jul 21, 2018)

    This release provides one main frontend feature: two-factor authentication. Big thanks to @ryskov and the others who pushed this forward.

    Additionally, a number of minor improvements in the background:

    • Dockerfile improvements
    • Removing repo cruft
    • Improving travis builds and integration tests
    • Fixing broken amazon s3 packages (thanks @ryskov)
    • Vastly improved version string - now autogenerates based on git status in the repo at the time of build
    • Starting on travis builds for releases (currently built on my workstation)
    • Starting framework for unit tests
    • Add codecov to CI
    Source code(tar.gz)
    Source code(zip)
    glauth-arm32(7.12 MB)
    glauth-arm32.sha256(79 bytes)
    glauth-arm64(8.05 MB)
    glauth-arm64.sha256(79 bytes)
    glauth-win32(7.01 MB)
    glauth-win32.sha256(79 bytes)
    glauth-win64(8.03 MB)
    glauth-win64.sha256(79 bytes)
    glauth32(7.12 MB)
    glauth32.sha256(75 bytes)
    glauth64(8.23 MB)
    glauth64.sha256(75 bytes)
    glauthOSX(8.25 MB)
    glauthOSX.sha256(76 bytes)
  • v1.0.1 (May 11, 2018)

    • fixes to amazon s3 packages
    • dockerfiles (build was previously not yet working)
    • adding version number to bin so glauth --version reports correctly
    • Some Travis CI tweaks

    SHA256 Hashes:

    6619b9dc08c4c1cb686647fc1a11102db5b98de67f095532400daa4a0784cc87  glauth32
    27428416a23c93d6379a15b0fd2a9ff7ed69d554833ed6b7359527fa8914555a  glauth64
    815aa53c99a9f43a0854620c94cbb4a3e66aba82df772c7136c6839f44c69cac  glauthOSX

    Source code(tar.gz)
    Source code(zip)
    glauth32(6.94 MB)
    glauth32.sha256(75 bytes)
    glauth64(8.04 MB)
    glauth64.sha256(75 bytes)
    glauthOSX(8.06 MB)
    glauthOSX.sha256(76 bytes)
Owner
GLAuth
Lightweight LDAP Server in Golang