Go-lang LDAP Authentication (GLAuth) is a secure, easy-to-use, LDAP server w/ configurable backends.

Overview

GLAuth: LDAP authentication server for developers

  • Centrally manage accounts across your infrastructure
  • Centrally manage SSH keys, Linux accounts, and passwords for cloud servers.
  • Lightweight alternative to OpenLDAP and Active Directory for development, or a homelab.
  • Store your user directory in a file, local or in S3; SQL database; or proxy to existing LDAP servers.
  • Two Factor Authentication (transparent to applications)
  • Multiple backends can be chained to inject features

Use it to centralize account management across your Linux servers, your OSX machines, and your support applications (Jenkins, Apache/Nginx, Graylog2, and many more!).

Contributing

  • Please base all Pull Requests on dev, not master.
  • Format your code automatically using gofmt -d ./ before committing

Quickstart

This quickstart is a great way to try out GLAuth in a non-production environment. Be warned that you should take the extra steps to set up SSL (TLS) for production use!

  1. Download a precompiled binary from the releases page.
  2. Download the example config file.
  3. Start the GLAuth server, referencing the path to the desired config file with -c.
    • ./glauth64 -c sample-simple.cfg
  4. Test with traditional LDAP tools
    • For example: ldapsearch -LLL -H ldap://localhost:3893 -D cn=serviceuser,ou=svcaccts,dc=glauth,dc=com -w mysecret -x -bdc=glauth,dc=com cn=hackers

Make Commands

Note - makefile uses git data to inject build-time variables. For best results, run in the context of the git repo.

make all - run build binaries for platforms

make fast - run build for only linux 64 bit

make run - wrapper for the 'go run' command, setting up the needed tooling

make plugins - build additional (SQL) plugin backends

make test - run the integration test on linux64 binary

Usage:

glauth: securely expose your LDAP for external auth

Usage:
  glauth [options] -c 
  glauth -h --help
  glauth --version

Options:
  -c, --config        Config file.
  -K            AWS Key ID.
  -S        AWS Secret Key.
  -r            AWS Region [default: us-east-1].
  --ldap              Listen address for the LDAP server.
  --ldaps             Listen address for the LDAPS server.
  --ldaps-cert        Path to cert file for the LDAPS server.
  --ldaps-key         Path to key file for the LDAPS server.
  -h, --help          Show this screen.
  --version           Show version.

Configuration:

GLAuth can be deployed as a single server using only a local configuration file. This is great for testing, or for production if you use a tool like Puppet/Chef/Ansible:

glauth -c glauth.cfg

Here's a sample config with hardcoded users and groups:

[backend]
  datastore = "config"
  baseDN = "dc=glauth,dc=com"
[[users]]
  name = "hackers"
  uidnumber = 5001
  primarygroup = 5501
  passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a"   # dogood
  sshkeys = [ "ssh-dss AAAAB3..." ]
[[users]]
  name = "uberhackers"
  uidnumber = 5006
  primarygroup = 5501
  passbcrypt = "243261243130244B62463462656F7265504F762E794F324957746D656541326B4B46596275674A79336A476845764B616D65446169784E41384F4432"   # dogood
[[groups]]
  name = "superheros"
  gidnumber = 5501

To create the password SHA hash, use this command: echo -n "mysecret" | openssl dgst -sha256

Instead of a local configuration file, GLAuth can fetch its configuration from S3. This is an easy way to ensure redundant GLAuth servers are always in-sync.

glauth -c s3://bucketname/glauth.cfg

In order to use S3, you must set your AWS credentials. Either:

  1. set the -K and -S command-line flags OR
  2. set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

More configuration options are documented here: https://github.com/glauth/glauth/blob/master/sample-simple.cfg

Chaining backends

This can be used, for instance, to inject support for Two Factor Authentication for backends that do not support the feature natively:

[[backends]]
  datastore = "ldap"
  servers = ["ldaps://localhost:390"]

[[backends]]
  datastore = "config"

...

[[users]]
  name = "hackers"
  otpsecret = "................"

Required Fields

  • Name
    • The user's username
  • ou
    • ID of the user's primary group
  • uidnumber
    • The user's unix user id
  • sshPublicKey
    • Specify an array of public keys

Optional Fields

  • otherGroups
    • Array of IDs of groups the user is a member of.
    • Example: [5501, 5002]
    • default = blank
  • givenname
    • First name
    • Example: John
    • default = blank
  • sn
    • Last name
    • Example: Doe
    • default = blank
  • disabled
    • Specify if account is active.
    • Set to 'true' (without quotes) to make the LDAP entry add 'AccountStatus = inactive'
    • default = false (active)
  • mail
  • loginshell
    • Specify a different login shell for the user
    • Example: /bin/sh, or /sbin/nologin
    • default = /bin/bash
  • homedirectory
    • Specify an overridden home directory for the user
    • Example: /home/itadmin
    • default = /home/[username]
  • otpsecret
    • Specify OTP secret used to validate OTP passcode
    • Example: 3hnvnk4ycv44glzigd6s25j4dougs3rk
    • default = blank
  • passappbcrypt
    • Specify an array of app passwords which can also successfully bind - these bypass the OTP check. Hash the same way as password.
    • Example: ["c32255dbf6fd6b64883ec8801f793bccfa2a860f2b1ae1315cd95cdac1338efa","4939efa7c87095dacb5e7e8b8cfb3a660fa1f5edcc9108f6d7ec20ea4d6b3a88"]
    • default = blank
  • passappsha256
    • Specify an array of app passwords which can also successfully bind - these bypass the OTP check. Hash the same way as password.
    • Example: ["c32255dbf6fd6b64883ec8801f793bccfa2a860f2b1ae1315cd95cdac1338efa","4939efa7c87095dacb5e7e8b8cfb3a660fa1f5edcc9108f6d7ec20ea4d6b3a88"]
    • default = blank
  • yubikey
    • Specify Yubikey ID for matching Yubikey OTP against the user
    • Example: cccjgjgkhcbb
    • default = blank

OpenSSH keys:

GLAuth can store a user's SSH authorized keys. Add one or more keys per user as shown above, then setup the goklp helper: https://github.com/appliedtrust/goklp

Strong Passwords

If you are currently using sha256 passwords (passsha256 or passappsha256), moving to strong, salted passwords is recommended. Simply switch to the passbcrypt and/or passappbcrypt password types. Currently (2021) 2^12 is a reasonably good value, depending on your server's CPU.
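A way to check an existing config against this advice, as an added example (not GLAuth code): it flags unsalted SHA-256 entries and decodes each hex-encoded passbcrypt value, the form the sample config above uses, to read its bcrypt cost. The names AuditConfig, BcryptCost and Finding are hypothetical, the line-based parsing assumes name comes before the password keys in each [[users]] block, and the sample is constructed from the values shown on this page.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// MinBcryptCost is the assumed threshold: cost 12, i.e. 2^12 rounds.
const MinBcryptCost = 12

// Finding is one weak password setting for one user (hypothetical type).
type Finding struct {
	User, Key, Issue string
}

var (
	keyRe    = regexp.MustCompile(`^\s*([A-Za-z0-9_]+)\s*=(.*)$`)
	quotedRe = regexp.MustCompile(`"([^"]*)"`)
	bcryptRe = regexp.MustCompile(`^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$`)
)

// SampleConfig is constructed from the sample config on this page.
const SampleConfig = `
[backend]
  datastore = "config"
  baseDN = "dc=glauth,dc=com"
[[users]]
  name = "hackers"
  uidnumber = 5001
  passsha256 = "6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a"   # dogood
[[users]]
  name = "uberhackers"
  uidnumber = 5006
  passbcrypt = "243261243130244B62463462656F7265504F762E794F324957746D656541326B4B46596275674A79336A476845764B616D65446169784E41384F4432"   # dogood
[[groups]]
  name = "superheros"
  gidnumber = 5501
`

// BcryptCost decodes a hex-encoded bcrypt string and returns its cost factor.
func BcryptCost(hexHash string) (int, error) {
	raw, err := hex.DecodeString(hexHash)
	if err != nil {
		return 0, fmt.Errorf("value is not hex: %w", err)
	}
	m := bcryptRe.FindStringSubmatch(string(raw))
	if m == nil {
		return 0, fmt.Errorf("decoded value is not a bcrypt hash")
	}
	return strconv.Atoi(m[1])
}

// AuditConfig scans config text and reports weak password settings per user.
func AuditConfig(cfg string) []Finding {
	var out []Finding
	user, inUsers := "", false
	for _, line := range strings.Split(cfg, "\n") {
		trimmed := strings.TrimSpace(line)
		if strings.HasPrefix(trimmed, "[") { // new section: reset per-user state
			inUsers = strings.HasPrefix(trimmed, "[[users]]")
			user = ""
			continue
		}
		m := keyRe.FindStringSubmatch(line)
		if !inUsers || m == nil {
			continue
		}
		key := strings.ToLower(m[1])
		var vals []string // every quoted string, so arrays of app passwords work too
		for _, q := range quotedRe.FindAllStringSubmatch(m[2], -1) {
			vals = append(vals, q[1])
		}
		switch key {
		case "name":
			if len(vals) > 0 {
				user = vals[0]
			}
		case "passsha256", "passappsha256":
			out = append(out, Finding{user, key, "unsalted SHA-256; switch to bcrypt"})
		case "passbcrypt", "passappbcrypt":
			for _, v := range vals {
				cost, err := BcryptCost(v)
				if err != nil {
					out = append(out, Finding{user, key, err.Error()})
				} else if cost < MinBcryptCost {
					out = append(out, Finding{user, key,
						fmt.Sprintf("bcrypt cost %d below %d", cost, MinBcryptCost)})
				}
			}
		}
	}
	return out
}

func main() {
	for _, f := range AuditConfig(SampleConfig) {
		fmt.Printf("%-12s %-14s %s\n", f.User, f.Key, f.Issue)
	}
}
```

Run against the sample values, this reports the passsha256 entry and shows that the sample passbcrypt hash decodes to a cost of 10.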

Two Factor Authentication

GLAuth can be configured to accept OTP tokens appended to a user's password. Both TOTP tokens (often known by their most prominent implementation, "Google Authenticator") and Yubikey OTP tokens are supported.

When using 2FA, append the 2FA code to the end of the password when authenticating. For example, if your password is "monkey" and your otp is "123456", enter "monkey123456" as your password.

TOTP Configuration

To enable TOTP authentication on a user, you can use a tool like this to generate a QR code (pick 'Timeout' and optionally let it generate a random secret for you), which can be scanned and used with the Google Authenticator app. To enable TOTP authentication, configure the otpsecret for the user with the TOTP secret.
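How a bind password with an appended TOTP code can be split and checked, as an added example that is not GLAuth's own code. It assumes RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits), a one-step clock-drift window and a passsha256-style password hash; HashPassword, TOTP and VerifyBind are hypothetical names, and the secret is the RFC test key, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

const otpDigits = 6 // assumed code length

// HashPassword returns the hex SHA-256 of pw, the same form as a passsha256 value.
func HashPassword(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// TOTP computes the RFC 6238 code for a base32 secret at time t.
func TOTP(secretB32 string, t time.Time) (string, error) {
	clean := strings.ToUpper(strings.TrimRight(strings.ReplaceAll(secretB32, " ", ""), "="))
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(clean)
	if err != nil {
		return "", fmt.Errorf("otpsecret is not base32: %w", err)
	}
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, key)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f) // dynamic truncation (RFC 4226)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000), nil
}

// VerifyBind treats the last six characters of bindPw as the OTP and the rest
// as the password, then requires both factors to match.
func VerifyBind(bindPw, passSHA256Hex, otpSecret string, now time.Time) bool {
	if len(bindPw) < otpDigits {
		return false
	}
	pw, otp := bindPw[:len(bindPw)-otpDigits], bindPw[len(bindPw)-otpDigits:]
	pwOK := subtle.ConstantTimeCompare(
		[]byte(HashPassword(pw)), []byte(strings.ToLower(passSHA256Hex))) == 1
	otpOK := false
	for _, skew := range []int{-1, 0, 1} { // assumed drift window: one step each way
		want, err := TOTP(otpSecret, now.Add(time.Duration(skew)*30*time.Second))
		if err == nil && subtle.ConstantTimeCompare([]byte(want), []byte(otp)) == 1 {
			otpOK = true
		}
	}
	return pwOK && otpOK
}

func main() {
	// Constructed sample: RFC 4226/6238 test secret and a fixed clock.
	secret := "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
	now := time.Unix(59, 0)
	stored := HashPassword("monkey")
	code, _ := TOTP(secret, now)
	fmt.Println("current code:", code)
	fmt.Println("password+code accepted:", VerifyBind("monkey"+code, stored, secret, now))
	fmt.Println("password alone accepted:", VerifyBind("monkey", stored, secret, now))
}
```

Because the last six characters are always taken as the code, a bind that sends only the password is rejected once otpsecret is set for the user.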

App Passwords

Additionally, you can specify an array of password hashes using the passappsha256 for app passwords. These are not OTP validated, and are hashed in the same way as a password. This allows you to generate a long random string to be used in software which requires the ability to authenticate.

However, app passwords can be used without OTP as well.

Yubikey Configuration

For Yubikey OTP token authentication, first configure your Yubikey. After this, make sure to request a Client ID and Secret key pair.

Now configure the yubikeyclientid and yubikeysecret fields in the general section in the configuration file.

To enable Yubikey OTP authentication for a user, you must specify their Yubikey ID in the user's yubikey field. The Yubikey ID is the first 12 characters of the Yubikey OTP, as explained in the chart below.

Yubikey OTP

When a user has been configured with either one of the OTP options, the OTP authentication is required for the user. If both are configured, either one will work.

Backends:

For advanced users, GLAuth supports pluggable backends. Currently, it can use a local file, S3 or an existing LDAP infrastructure. In the future, we hope to have backends that support Mongo, SQL, and other datastores.

[backend]
  datastore = "ldap"
  servers = [ "ldaps://server1:636", "ldaps://server2:636" ]

Production:

Any of the architectures above will work for production. Just remember:

  • Always use legit SSL certs for production!

Other Architectures

A small note about other architectures: while I expect the code is, for the most part, system-independent, there is not a good (and free) CI system which can be easily used to continuously test releases on ARM, BSD, Linux-32bit, and Windows. As such, all of the non-linux-64bit packages are provided as is. The extent of testing on these packages consists solely of cross-compiling for these architectures from a linux 64 bit system.

We will accept PRs which fix bugs on these platforms, but be aware these binaries will not be tested regularly, and instead are provided for the convenience of those who feel comfortable with this.

Building:

You'll need go-bindata to build GLAuth. Then use the Makefile.

go get github.com/jteeuwen/go-bindata/...
make all

Logging

  • using logr with increasing verbosity
    • 0 you always want to see this
    • 1 common logging that you might possibly want to turn off (error)
    • 2 warn
    • 3 notice
    • 4 info
    • 6 debug
    • 8 trace
    • 10 I would like to performance test your log collection stack
  • errors really are errors that cannot be handled or returned
    • returning a proper LDAP error code is handling an error

Testing

Of course, a core set of tests is being run by Travis CI. However, when developing new features/refactoring, a more comprehensive regression testing suite is needed.

You can run go test to execute the tests found in glauth_test.go -- better, if it is installed, you can run goconvey

Since some tests cover TOTP, you will first need to install oathtool in your environment.

In order to test GLAuth against an LDAP backend, you will need docker. Run this command:

docker run \
    --rm \
    -d \
    -p 389:389 \
    --name openldap-service \
    --hostname ldap-service \
    --env LDAP_ORGANISATION="GLauth" \
    --env LDAP_DOMAIN="glauth.com" \
    --env LDAP_ADMIN_PASSWORD="password" \
    --env LDAP_CONFIG_PASSWORD="password" \
    --env LDAP_BASE_DN="dc=glauth,dc=com" \
    -v $PWD/misc/openldap/config:/etc/ldap/slapd.d \
    -v $PWD/misc/openldap/db:/var/lib/ldap \
    osixia/openldap:latest

Refer to this page for a somewhat more in-depth overview of testing with OpenLDAP.

Compatibility

While our stated goal for GLAuth is to provide the simplest possible authentication server, we keep finding an increasing number of client appliances that are asking fairly "existential" questions of the server. We have been working on providing answers these clients will find satisfactory.

Root DSE

RFC 4512: "An LDAP server SHALL provide information about itself and other information that is specific to each server. This is represented as a group of attributes located in the root DSE"

Test: ldapsearch -LLL -H ldap://localhost:3893 -D cn=serviceuser,ou=svcaccts,dc=glauth,dc=com -w mysecret -x -s base "(objectclass=*)"

Subschema Discovery

RFC 4512: "To read schema attributes from the subschema (sub)entry, clients MUST issue a Search operation [RFC4511] where baseObject is the DN of the subschema (sub)entry..."

Test: ldapsearch -LLL -o ldif-wrap=no -H ldap://localhost:3893 -D cn=serviceuser,ou=svcaccts,dc=glauth,dc=com -w mysecret -x -bcn=schema -s base

By default, this query will return a very minimal schema (~5 objects) -- you can ask GLAuth to return more comprehensive schemas by unpacking, in the schema/ directory, the OpenLDAP or FreeIPA schema archives found in the assets/ directory.

LDAP Backend: "1.1" attribute

RFC 4511: "A list containing only the OID "1.1" indicates that no attributes are to be returned."

Issues
  • Add TLS options for running both with TLS and without on the same time

    This commit expands on the settings available for using TLS. It puts TLS settings under the [frontend.tls] section and adds a new setting to [frontend] called TLSExclusive (bool). TLSExclusive specifies whether or not to only run TLS when it is enabled, and is 'true' by default. Setting it to 'false' and having TLS enabled, causes the server to start both a LDAP and LDAPS server, and therefore requires two separate 'listen' options (to run on different ports) - the Frontend.Listen and the Frontend.TLS.Listen. If TLSExclusive is set to 'true' and no Frontend.TLS.Listen is specified, it will use the Frontend.Listen.

    sample-simple.cfg is updated with example and comments

    incomplete 
    opened by ryskov 16
  • LDAP Result Code 49 - BindDN should have only one or two parts

    I am working on the integration with GLAuth in https://github.com/greenpau/caddy-security/issues/32

    The LDAP library used is github.com/go-ldap/ldap/v3 v3.4.1.

    Working with the sample-simple.cfg provided in the getting started.

    The binding does not quite work.

    As user. I get: LDAP Result Code 49 "Invalid Credentials":

    In GLAuth logs I see: BindDN should have only one or two parts

    18:11:40.997631 Bind ▶ DEBU 023  "level"=6 "msg"="Bind request"  "basedn"="dc=glauth,dc=com" "binddn"="cn=serviceuser,ou=svcaccts,dc=glauth,dc=com" "src"={"IP":"127.0.0.1","Port":56898,"Zone":""}
    18:11:40.997681 Bind ▶ DEBU 024  "level"=6 "msg"="Bind success"  "binddn"="cn=serviceuser,ou=svcaccts,dc=glauth,dc=com" "src"={"IP":"127.0.0.1","Port":56898,"Zone":""}
    18:11:40.998060 Search ▶ DEBU 025  "level"=6 "msg"="Search request"  "basedn"="dc=glauth,dc=com" "binddn"="cn=serviceuser,ou=svcaccts,dc=glauth,dc=com" "filter"="(\u0026(|(uid=johndoe)(mail=johndoe))(objectClass=posixAccount))" "scope"=2 "searchbasedn"="dc=glauth,dc=com" "src"={"IP":"127.0.0.1","Port":56898,"Zone":""}
    18:11:40.998076 searchMaybeTopLevelNodes ▶ DEBU 026  "level"=6 "msg"="Search request"  "special case"="top-level browse"
    18:11:40.998131 searchMaybeTopLevelNodes ▶ DEBU 027  "level"=6 "msg"="AP: Top-Level Browse OK"  "filter"="(\u0026(|(uid=johndoe)(mail=johndoe))(objectClass=posixAccount))"
    18:11:40.998388 Bind ▶ DEBU 028  "level"=6 "msg"="Bind request"  "basedn"="dc=glauth,dc=com" "binddn"="cn=johndoe,ou=superheros,ou=users,dc=glauth,dc=com" "src"={"IP":"127.0.0.1","Port":56898,"Zone":""}
    18:11:40.998404 findUser ▶ WARN 029  "level"=2 "msg"="BindDN should have only one or two parts"  "binddn"="cn=johndoe,ou=superheros,ou=users,dc=glauth,dc=com" "numparts"=3
    

    Please assist.

    opened by greenpau 14
  • Additional Backends

    From @benyanke on April 19, 2018 1:21

    This thread is for requests of additional backends.

    MySQL seems the first obvious one. Feel free to chime in if anyone has other ideas. I'll implement as I'm able or accept PRs.

    Currently tracked backends:

    • MySQL
    • Postgres
    • CockroachDB (would likely be the same as postgres)
    • Etcd
    • Amazon Cognito REST API

    Before implementing these backends, perhaps it would be useful to add an interface layer to cleanly specify the contract between a backend provider and glauth, and also move backend providers into their own directory.

    enhancement backend-request 
    opened by benyanke 13
  • Database plugins

    Me again!

    Following your feedback, things are now much lighter: CGO dependencies are gone and, more importantly, I am now using Go's plugin mechanism so that the database backends are not compiled in GLAuth by default.

    I added 3 simple targets so that either of them can be easily compiled to a dynamically loadable plugin.

    You will also note that everything is self contained in its own package.

    opened by Fusion 12
  • ldap filter `memberOf` does not work

    I use glauth w/ ldap backend. The filter using memberOf doesn't seem to work. Example:

    ldapsearch -H ldaps://ldap-proxy.example.com:636 -b dc=example,dc=com -D uid=abc,cn=users,dc=example,dc=com -x -w PASS '(memberOf=cn=admin,cn=groups,dc=example,dc=com)'
    

    The same query works with the ldap backend.

    opened by Tony2 9
  •  Space in search BaseDN causes request to fail

    I wanted to try out GLAuth instead of OpenLDAP for use with Authelia. GLAuth works perfectly with ldaptools, but with Authelia I always get "Authentication failed", so I started to debug the requests and found out Authelia puts a space between the request BaseDN so instead of dc=example,dc=com it sends dc=example, dc=com which causes the request to fail. I wasn't sure whether to submit this to GLAuth or to Authelia, so I'll just submit it to both.

    https://github.com/clems4ever/authelia/issues/306

    Example of working request (done with ldapsearch):

    14:13:12.879190 Bind ▶ DEBU 054 Bind request: bindDN: cn=admin,ou=admins,dc=example,dc=com, BaseDN: dc=example,dc=com, source: 192.168.0.68:54638
    14:13:12.879279 Bind ▶ DEBU 055 Bind success as %s from %s cn=admin,ou=admins,dc=example,dc=com 192.168.0.68:54638
    14:13:12.879753 Search ▶ DEBU 056 Search request as %s from %s for %s cn=admin,ou=admins,dc=example,dc=com 192.168.0.68:54638 (objectclass=*)
    14:13:12.879955 Search ▶ DEBU 057 AP: Search OK: %s (objectclass=*)
    

    Example of broken request

    
    14:13:27.437198 Bind ▶ DEBU 058 Bind request: bindDN: cn=admin,ou=admins,dc=example,dc=com, BaseDN: dc=example,dc=com, source: 192.168.0.68:54642
    14:13:27.437283 Bind ▶ DEBU 059 Bind success as %s from %s cn=admin,ou=admins,dc=example,dc=com 192.168.0.68:54642
    14:13:27.437730 Search ▶ DEBU 05a Search request as %s from %s for %s cn=admin,ou=admins,dc=example,dc=com 192.168.0.68:54642 (objectclass=*)
    2018/12/15 14:13:27 handleSearchRequest error LDAP Result Code 50 "Insufficient Access Rights": Search Error: search BaseDN dc=example, dc=com is not in our BaseDN dc=example,dc=com
    
    bug question 
    opened by ghost 9
  • glauth does not work with gitea

    Hi,

    I exposed a ldap server via glauth to public net, using the ldap backend connected to a ldap server in internal net. My intent is to use glauth as authentication source for a gitea server facing public net.

    I have tested glauth successfully using ldapsearch as follows:

    ldapsearch -H ldaps://ldap-proxy.example.com:636 -b cn=users,dc=example,dc=com -D uid=abc,cn=users,dc=example,dc=com -x -w password -LLL '(uid=abc)'
    

    However I cannot get it to work with gitea; glauth log says

    Jul  8 13:46:24 vm-ldap-proxy glauth64[61172]: 13:46:24.314141 Bind ▶ DEBU 34d Bind success as uid=abc,cn=users,dc=example,dc=com from 1.2.3.4:50578
    Jul  8 13:46:24 vm-ldap-proxy /usr/local/bin/glauth64[61172]: 13:46:24.314141 Bind ▶ DEBU 34d Bind success as uid=abc,cn=users,dc=example,dc=com from 1.2.3.4:50578
    

    but gitea web UI says "incorrect username or password". I looked into gitea log and saw:

    gitea  | 2021/07/08 13:23:09 ...dels/login_source.go:850:UserSignIn() [W] Failed to login 'abc' via 'ldap-proxy': user does not exist [uid: 0, name: abc, keyid: 0]
    gitea  | 2021/07/08 13:23:09 routers/user/auth.go:179:SignInPost() [I] Failed authentication attempt for abc from 172.19.0.1:63892: user does not exist [uid: 0, name: , keyid: 0]
    

    It seems to me more likely a problem with gitea than with glauth; however when I tried gitea to authenticate against the internal ldap server I could login. So perhaps the answer from glauth is slightly different than the one from the internal ldap, which makes gitea unhappy.

    Any hint or idea what can be tried to troubleshoot this?

    opened by hth2 8
  • Unable to integrate it with PAM

    I have enough services in my home lab to have an LDAP to try to centralize users but not enough to mount a full-fledged LDAP like slapd or whatever.

    I was doing a test on some VMs to test this and it worked with some services like Nextcloud and nginx-ldap but now I'm trying to integrate it with Linux at PAM level.

    I think Glauth is correctly configured:

    [ldap]
      enabled = true
      listen = "0.0.0.0:3893"
    [ldaps]
      enabled = false
    [api]
      enabled = true
      tls = false # enable TLS for production!!
      listen = "0.0.0.0:5555"
      cert = "cert.pem"
      key = "key.pem"
    
    debug = true
    
    [backend]
      datastore = "config"
      baseDN = "dc=h"
    
    ################# USERS #################
    [[users]]
      name = "root"
      givenname = "root"
      unixID = 0
      primaryGroup = 5501
      otherGroups = [ 5503 ]
      loginShell = "/bin/bash"
      homeDir = "/root"
      passsha256 = REDACTED
    
    # Home users
    [[users]]
      name = "kang"
      unixID = 10000
      primaryGroup = 5501
      otherGroups = [ 5503 ]
      loginShell = "/bin/bash"
      homeDir = "/home/kang"
      passsha256 = REDACTED
    
    ################# GROUPS #################
    [[groups]]
      name = "home"
      unixid = 5501
    

    % ldapsearch -x -H ldap://glauth.s -D cn=root,ou=home,dc=h -w "$pass" -b dc=h cn=kang

    # extended LDIF
    #
    # LDAPv3
    # base <dc=h> with scope subtree
    # filter: cn=kang
    # requesting: ALL
    #
    
    # kang, home, h
    dn: cn=kang,ou=home,dc=h
    cn: kang
    uid: kang
    ou: home
    uidNumber: 10000
    accountStatus: active
    objectClass: posixAccount
    objectClass: shadowAccount
    loginShell: /bin/bash
    homeDirectory: /home/kang
    description: kang
    gecos: kang
    gidNumber: 5501
    memberOf: cn=home,ou=groups,dc=h
    shadowExpire: -1
    shadowFlag: 134538308
    shadowInactive: -1
    shadowLastChange: 11000
    shadowMax: 99999
    shadowMin: -1
    shadowWarning: 7
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    So I configure PAM:

    # cat /etc/nsswitch.conf

    passwd:         files ldap
    group:          files ldap
    shadow:         files ldap
    gshadow:        files ldap
    

    # cat /etc/libnss-ldap.conf

    host glauth.s
    base dc=h
    ldap_version 3
    
    rootbinddn cn=root,ou=home,dc=h
    bindpw secret
    

    # cat /etc/libnss-ldap.secret

    REDACTED
    

    It seems to work:

    # getent passwd | grep kang

    kang:x:10000:5501:kang:/home/kang:/bin/bash
    

    # getent group | grep kang

    home:*:5501:kang,root,kang,root
    

    But when I try to the a passwd with getent passwd or simply su it fails.

    # getent shadow | grep kang | wc -l

    0
    

    These are the errors I find in the logs:

    2020/12/09 20:10:53 handleSearchRequest error LDAP Result Code 1 "Operations Error": Search Error: unhandled filter type: shadowaccount [(&(objectClass=shadowAccount)(uid=kang))]
    2020/12/09 20:10:53 handleSearchRequest error LDAP Result Code 1 "Operations Error": Search Error: unhandled filter type: shadowaccount [(&(objectClass=shadowAccount)(uid=kang))]
    2020/12/09 20:10:54 handleSearchRequest error LDAP Result Code 1 "Operations Error": Search Error: unhandled filter type: shadowaccount [(&(objectClass=shadowAccount)(uid=kang))]
    2020/12/09 20:13:02 handleSearchRequest error LDAP Result Code 1 "Operations Error": Search Error: unhandled filter type: shadowaccount [(objectClass=shadowAccount)]
    2020/12/09 20:13:58 handleSearchRequest error LDAP Result Code 1 "Operations Error": Search Error: unhandled filter type: shadowaccount [(objectClass=shadowAccount)]
    2020/12/09 20:15:39 handleSearchRequest error LDAP Result Code 1 "Operations Error": Search Error: unhandled filter type: shadowaccount [(objectClass=shadowAccount)]
    

    Any hint of when to start to debug to see if I can help?

    OS: Debian 10 Simply install libnss-ldap and libpam-ldapd on a fresh machine and change the files I mentioned to reproduce this bug/feature request.

    opened by kang-makes 8
  • Support applications that verify the password themselves

    Some applications don't try to connect to the ldap server as the user it's trying to authenticate but look for the password in the result they get and calculate/compare the hash itself. As far as I can tell, glauth does not give those applications enough data to finish authentication.

    Right now I only know of nextcloud that is acting this way, but I'm sure there are more things out there doing the same.

    Possibly related to #3, because I don't think any other ldap implementation out there uses plain sha256.

    opened by jcgruenhage 8
  • Allow using configmaps when deploying in kubernetes

    Hi

    The intent of this PR is to allow easier deployment using kubernetes. To me, a common way of doing this would be to configure glauth through a configmap or secret.

    When running glauth in kubernetes, I discovered that glauth doesn't pickup changes made to a configmap. It seems that this is due to the fact that kubernetes symlinks the configmap-data into the right place - https://www.martensson.io/go-fsnotify-and-kubernetes-configmaps/

    I made a small experiment and deployed to a local docker-desktop cluster and checked that when updating a configmap, an fsnotify watcher receives a chmod and remove event, hence this change reflects what I discovered.

    I hope this PR aligns with the philosophy of glauth and that it is useful, I'm hoping to get some useful feedback from the CI system :-)

    /Nicolai

    enhancement 
    opened by nwillems 7
  • SQLite3, MySQL, Postgres Support

    UPDATE: Well, I added support for MySQL and Postgres. Hopefully this makes needing CGO a bit more palatable!

    Hi,

    Apologies for the quality as I am not a Go programmer (yet) and some aspects of Go are surprising to me. Anyway, this is a SQLite backend, with the limitations described in the header I added to the top of 'sqlitebackend.go'

    I did not tag it as 'WIP' because I would like a review, but feel free to consider it as such because: a) it's not that great b) you may have a few suggestions for me c) you may not agree with file naming or content, etc.

    Now, this is my second attempt because I did not realize that, by requiring the SQLite library, I was creating a CGO dependency. This means that this additional feature is adding a lot of weight to the build process: Travis takes more than 10 minutes to build and you will see in the Makefile that we have to drag lots of dependencies in to build various targets. This means, too, that these targets are not directly buildable on their own platform: building for Darwin works better when running on Linux(!) -- this could be avoided by creating cross-compile targets vs native targets. And, yes, we have to juggle the cross-compilation packages because they are not compatible, especially the 'multilib' ones which mutually uninstall; and that is why we have to add package management to the Makefile itself.

    Regards

    opened by Fusion 7
  • Plugin: Unix PAM Authentication

    I am using this PAM authentication mechanism using a patched version of glauth-v1 in production for a while now and just finished a rough v2 plugin port today.

    With the new plugin structure I believe this would fit quite nicely. Before I touch this up any further though I wanted to check if there was any interest to accept this plugin in the first place?

    Thanks!

    opened by emzeat 1
  • Possible Spring security ldap compatibility issue

    While using this image to replace Red Hat's IDM on local, I have encountered an issue relating to the dirContextAdaptor user searchResult response

    Below is my config

    [backend]
      datastore = "config"
      baseDN = "cn=accounts,dc=myorg,dc=com"

    [[users]]
      name = "user1"
      uidnumber = 1234
      primarygroup = 1234
      passsha256 = "passphrase"

    [[users]]
      name = "userb"
      uidnumber = 1235
      primarygroup = 1235
      passsha256 = "passphrase"

    [[groups]]
      name = "mygroup"
      gidnumber = 1234

    [[groups]]
      name = "services"
      gidnumber = 1235

    With a userSearch and filter config like below

    ctxBaseDn: dc=myorg,dc=com
    filter: (uid={0})
    base: cn=users,cn=accounts
    searchControls: searchScope=2

    The response I get back with the one searchResult of DirContextAdapter consists of

    dn: cn=user1,ou=mygroup,dc=myorg,dc=com
    base: ""

    This is in contrast to the exact same searchResponse from the real IDM

    dn: cn=user1,ou=mygroup
    base: cn=accounts,dc=myorg,dc=com

    Any ideas why there is a difference here and why the user dn contains the baseDn and also why the baseDn is empty?

    opened by Megagyger 2
  • SQL Plugins does not fetch SSHKeys

    Hi,

    I use gitea with glauth (postgres plugin). When gitea fetches the user info from glauth (basesqlhandler->FindPosixAccounts), SSHKeys are not supported / implemented. There is no field in the database table and the sql query does not fetch that field, so that sqlbasehandler->getAccount could assign the SSHKeys to the response. Some other Array-Fields are also missing. I tried to fix this for myself, but I failed at the moment. I'm new in go, coming from PHP, Ruby and C#.

    If anyone can fix this faster than me, would be nice. Or I will try it in the next days :-)

    Have a nice weekend.

    opened by maikelcoke 2
  • Push current images to docker hub

    I really like glauth /w cockroachdb and it works fine with my own built docker image. But is there a way, that the latest glauth(-plugins) will be pushed to the glauth/glauth docker hub? Seems very outdated. Thanks.

    opened by maikelcoke 8
  • Ci/fix build pipeline for v2

    Unfortunately, PR https://github.com/glauth/glauth/pull/245 seems to have broken the push of docker images for v2 -> https://github.com/glauth/glauth/actions/runs/1907893346. This PR tries to fix it and contains the following changes:

    • Copy the working directory instead of the non-existent folder local/app
    • Don't change working directory to v2 in Github actions
    • Because of the change of the working directory, set the relative path (including v2) to the v2 Dockerfile when running docker build
    opened by AljoschaP 1
  • Invalid credentials (49) Issues

    I've been trying to stand up glauth with a postgres backend using glauth/glauth-plugins:v2.1.0-rc1 and am running into issues when trying to run an ldapsearch.

    As per https://github.com/glauth/glauth/issues/208, I have been running:

    ldapsearch -LLL -H ldap://localhost:3893 -D cn=serviceuser,ou=svcaccts,dc=glauth,dc=com -w mysecret -x -bdc=glauth,dc=com cn=hackers

    Returns error ldap_bind: Invalid credentials (49)

    And logs WARN 010 "level"=2 "msg"="BindDN not part of our BaseDN" "basedn"="" "binddn"="cn=serviceuser,ou=svcaccts,dc=glauth,dc=com"

    Thanks in advance.

    ====================================================================

    My docker-compose is

    version: "3.7"
    
    volumes:
      glauth_db:
    
    services:
      glauth:
        image: glauth/glauth-plugins:v2.1.0-rc1
        container_name: glauth
        volumes:
          - ./config.cfg:/app/config/
        depends_on:
          - glauth_db
        ports:
          - 389:389
          - 3893:3893
          - 636:636
    
      glauth_db:
        container_name: glauth_db
        image: postgres:12-alpine
        restart: unless-stopped
        environment:
          POSTGRES_USER: glauth
          POSTGRES_PASSWORD: secret
          POSTGRES_DB: glauth
        volumes:
          - glauth_db:/var/lib/postgresql/data
        ports:
          - 5432:5432
    

    My config.cfg file is:

            debug = true
            [ldap]
              enabled = true
              listen = "0.0.0.0:3893"
            [ldaps]
              enabled = false
              listen = "0.0.0.0:3894"
              cert = "/app/config/certs/cert"
              key = "/app/config/certs/cert.key"
            [backend]
              datastore = "plugin"
              plugin = "postgres.so"
              pluginhandler = "NewPostgresHandler"
              database = "postgres://glauth:secret@glauth_db:5432/glauth?sslmode=disable"
            [behaviors]
              IgnoreCapabilities = false
              LimitFailedBinds = true
              NumberOfFailedBinds = 3
              PeriodOfFailedBinds = 10
              BlockFailedBindsFor = 60
              PruneSourceTableEvery = 600
              PruneSourcesOlderThan = 600
            [api]
              enabled = false
    

    I have populated the database with this sql:

    INSERT INTO groups(name, gidnumber) VALUES
      ('superheros', 5501),
      ('svcaccts', 5502),
      ('civilians', 5503),
      ('caped', 5504),
      ('lovesailing', 5505),
      ('smoker', 5506);
    
    INSERT INTO includegroups(parentgroupid, includegroupid) VALUES
      (5503, 5501),
      (5504, 5502),
      (5504, 5501);
    
    INSERT INTO users(name, uidnumber, primarygroup, passsha256) VALUES
      ('hackers', 5001, 5501,'6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a'),
      ('johndoe', 5002, 5502,'6478579e37aff45f013e14eeb30b3cc56c72ccdc310123bcdf53e0333e3f416a'),
      ('serviceuser', 5003, 5502, '652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0');
    
    INSERT INTO users(name, uidnumber, primarygroup, passsha256, othergroups) VALUES
      ('user4', 5004, 5504,'652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0','5505,5506');
    
    INSERT INTO capabilities(userid, action, object) VALUES
      (5001, 'search', 'ou=superheros,dc=glauth,dc=com'),
      (5003, 'search', '*');
    
    opened by abbiewade 2
Releases(v2.1.0)
  • v2.1.0(Feb 28, 2022)

    Warning

    While this release does not introduce breaking changes, if you are using database plugins you should ensure that the database schema is correct.

    Enhancements

    • Custom Attributes #240
    • Multi Cfg #233
    • V2 hierarchy #228
    • 'Airgapping' web assets for security and preventing breakage #227
    • Assets: use stdlib "embed" package (thanks @hdonnay!) #200
    • Internal Stats -- performance view #221
    • Docker with plugins, distroless #217
    • Capabilities #214
    • Create and push docker image using podman #209
    • Getting rid of Travis CI now that it doesn't support FOSS anymore.
    • Any way to change objectClass? #239
    • Restrict service login #231
    • employeeType attribute #232
    • jpegPhoto attribute #225
    • Support multiple configuration files via a conf.d like directory (Beta!) #223

    Bugfixes

    • Can't enumerate groups or members of groups #86
    • With the database plugins, the database config line is printed to syslog if syslog is enabled #213
    • User serviceuser primary group is not svcaccts. #208
    • Fix 'ou' regression #246 #252
  • v2.1.0-RC1(Nov 26, 2021)

    Warning

    While this release does not introduce breaking changes, if you are using database plugins you should ensure that the database schema is correct.

    Enhancements

    • Custom Attributes #240
    • Multi Cfg #233
    • V2 hierarchy #228
    • 'Airgapping' web assets for security and preventing breakage #227
    • Assets: use stdlib "embed" package (thanks @hdonnay!) #200
    • Internal Stats -- performance view #221
    • Docker with plugins, distroless #217
    • Capabilities #214
    • Create and push docker image using podman #209
    • Getting rid of Travis CI now that it doesn't support FOSS anymore.
    • Any way to change objectClass? #239
    • Restrict service login #231
    • employeeType attribute #232
    • jpegPhoto attribute #225
    • Support multiple configuration files via a conf.d like directory (Beta!) #223

    Bugfixes

    • Can't enumerate groups or members of groups #86
    • With the database plugins, the database config line is printed to syslog if syslog is enabled #213
    • User serviceuser primary group is not svcaccts. #208
  • v2.0.0(Aug 13, 2021)

    The long-awaited v2.0.0 release, ready to rock after two weeks in RC status.

    Enhancements

    • Backends: Support for Database Backends Plugins (starting with MySQL, SQLite, Postgres) (Database plugins #133)

    • Backends: Backends acting as middleware: added the [[Backends]] configuration directive while retaining backward compatibility with [Backend] (Database plugins #133)

    • Backends: When chaining backends, any backend can be used to inject OTP value in password, before reaching a non-OTP-aware backend (Database plugins #133)

    • Backends: Add provisional support for writeable backends (those that will support write operations only) -- no commitment to support write operations at this time (add support for writehandlers #135)

    • Compatibility: Enable root DSE query #158

    • Compatibility: Allow bind operations with no group provided #205

    • Compatibility: Support for userPrincipalName binding and browsing. #206

    • Compatibility: Handling of special "1.1" attributes filter meaning "I do not want attributes" (RFC 4511, 4.5.1.8)

    • Compatibility: Support for "want types only" queries, even when proxying

    • Compatibility: Augmented root DSE and schema discovery based on content of schema directory

    • Compatibility: SubSchema query can return a minimal set, freeipa or openldap's schemas

    • Configuration: Variable "unixid" is now respectively "UIDNumber" and "GIDNumber" for… #201

    • Configuration: (@fanlix) Config file hot reload doesn't work #132

    • Configuration: Add LDAP listen flags #169

    • Platforms: Mac M1 Support and LDAP Req Attributes #192

    • Platforms: Build and push multiarch docker images #142

    • Testing: Introducing goconvey testing and refactoring of config and ... #204

    • Security: Stronger, salted passwords using bcrypt. #195

    Bugfixes

    • ldap filter memberOf does not work #186

    • Empty BaseDN when searching with Python ldap3 #168

    • uidnumber or unixid? #144

    • ARM (multiarch) docker image #141

    • config: match shadowaccount objectclass #136

    • UserPrincipalName support as User attribute #129

    • Config backend should allow users to bind without specifying group name #98

    • Space in search BaseDN causes request to fail #68

    • postgres backend #118

    • mysql backend #117

    • Additional Backends #11

    • fix owncloud backend issues #128

    • check owncloud status code is ok #153

    • Implement Password Salting and Hash Incrementing #3

    • Suggestion: add bcrypt / Argon2 password hashing #179

    • Not able to connect glAuth server #147

    • Config file hot reload doesn't work #132

    • allow clean shutdown #126

    • glauth does not work with gitea #183

    • Invalid AWS region: ap-south-1 #182

    • Add Configuration Option to Allow Anon Binding #5

    • Need fix Travis CI API wiring #193

    • Allow using configmaps when deploying in kubernetes #161

    • Makefile compatibility #134

    • unable to build on ubuntu 18.04.4 LTS #130

    • Write Unit Tests #10

    • Link to a public chat, eg gitter or matrix #166

    • Suggestion: enable wiki for documentation #127

    • Set up simple site #34

    Under the hood

    • Updated LDAP library to support UTF8 and case insensitive chars (Feature/upgrade ldap library version #194; FYI updated LDAP library #188)
    • LDAP backend: req. attribute injected in response if missing
    • Use functional options for handlers and the server (use functional options pattern to inject logr #124)
      • logr interface is passed around for logging
      • a wrapper for the go-logging lib is provided
    • Refactored non-proxied backends (Introducing goconvey testing and refactoring of config and ... #204)
  • v1.1.2(Feb 24, 2020)

    This release fixes a few bugs, refactors the codebase to make it reusable in other projects and adds an (experimental) ownCloud backend. Scraping the v1.1.2 dev PR we can see these interesting commits:

    Enhancements

    • Add support for including groups in groups #23
    • Add App Password Support #60 - implements #54
    • Allow for configuring DN format #57
    • Add shadow account support #84 - implements #81
    • owncloud10 backend graphapi #104

    Changes

    • Refactor packages #105 - allows better reuse of the packages

    Bugfixes

    • Expose LDAPS ports in Docker container #49
    • Fix wrong env for arm32 #52 - fixes #51
    • 9f349d1 - fixes "String formatting not working" #64
    • Update host #70 - for correct port forwarding in docker
    • Fix unkeyed fields #80 - fixes "Fix Issues found using Go Vet" #43
    • Fix mutex #88 - fixes "Fix Issues found using Go Vet" #43

    I also tried to use travis to deploy a draft release using a new machine user @glauth-ci which led to several unneeded merges to master after manually merging the dev branch, but it should work now.

    I'll set up a new dev branch now and cleanup the milestones.

    Cheers!

    @butonic - new co-maintainer, trying to help @benyanke get things rolling again.

  • v1.1.1(Dec 25, 2018)

    • added ldapsearch to container to enable using custom healthchecks at runtime
    • improving builds with auto retries
    • improving docs
    • App passwords
    • Logging bugfixes

    Release binary hashes (note - not the same as the container builds yet, unfortunately, just for the ones below):

  • v1.1.0(Jul 21, 2018)

    This release provides one main frontend feature: 2 factor authentication. Big thanks to @ryskov and the others who pushed this forward.

    Additionally, a number of minor improvements in the background:

    • Dockerfile improvements
    • Removing repo cruft
    • Improving travis builds and integration tests
    • Fixing broken amazon s3 packages (thanks @ryskov)
    • Vastly improved version string - now autogenerates based on git status in the repo at the time of build
    • Starting on travis builds for releases (currently built on my workstation)
    • Starting framework for unit tests
    • Add codecov to CI
  • v1.0.1(May 11, 2018)

    • fixes to amazon s3 packages
    • dockerfiles (build was previously not yet working)
    • adding version number to bin so glauth --version reports correctly
    • Some Travis CI tweaks

    SHA256 Hashes:

    6619b9dc08c4c1cb686647fc1a11102db5b98de67f095532400daa4a0784cc87  glauth32
    27428416a23c93d6379a15b0fd2a9ff7ed69d554833ed6b7359527fa8914555a  glauth64
    815aa53c99a9f43a0854620c94cbb4a3e66aba82df772c7136c6839f44c69cac  glauthOSX

Owner
GLAuth
Lightweight LDAP Server in Golang