LDAP auth in reverse proxy which is sending lots of groups in header


I have this use case:

I have a reverse proxy, which will query LDAP based on Kerberos auth; it will populate the headers with the user name and all the groups from LDAP. Everything is working fine, but I'm unable to google a solution for how to set up readonlyrest.yml with those groups.

For example I will have the header X-Forwarded-Groups: grp1,grp2,grp3; I only care about grp2, because for grp2 I need to restrict access to some indices and actions.

So I want to extract those header values and, if they contain grp2, use this auth block in readonlyrest.yml.

Is this possible? (I also want to have LDAP auth in readonlyrest, but I cannot find out whether it's possible to authenticate the user with the reverse proxy and then fire LDAP to get the groups on the readonlyrest side.)

Best Regards,
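The decision the question describes, as an added stand-alone illustration (example code, not ReadonlyREST's own logic): parse the comma-separated X-Forwarded-Groups header the proxy sets, and pick the first access block whose required group is present. The header and group names are the ones from the thread; the rule table and the trusted proxy network are assumptions. Because identity headers are plain text that any client could send, the example only honours them when the request arrives from the proxy's own address range, which is the same reason an Elasticsearch node using proxy-supplied identity must not be reachable by anything but the proxy.

```python
"""Constructed example: decide which access block applies to a request
based on the groups a reverse proxy forwards in X-Forwarded-Groups."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: only the reverse proxy lives in this range. Identity headers
# from any other source are ignored because they could be forged.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


@dataclass
class Block:
    """One access block, in the spirit of a readonlyrest.yml rule."""
    name: str
    required_group: Optional[str]   # None means no group requirement
    indices: list
    actions: list


# Assumed rule table: first matching block wins, so the restricted block
# for grp2 has to come before the catch-all.
BLOCKS = [
    Block("grp2 restricted", "grp2", ["logs-*"], ["indices:data/read/*"]),
    Block("everyone else", None, ["*"], ["*"]),
]


def parse_groups(header_value: Optional[str]) -> set:
    """'grp1, grp2 ,grp3' -> {'grp1', 'grp2', 'grp3'}; missing header -> empty set."""
    if not header_value:
        return set()
    return {g.strip() for g in header_value.split(",") if g.strip()}


def select_block(remote_addr: str, headers: dict) -> Optional[Block]:
    """Return the first block that applies, or None to reject the request."""
    src = ip_address(remote_addr)
    if not any(src in net for net in TRUSTED_PROXIES):
        return None          # identity headers are not trustworthy from here
    if not headers.get("X-Forwarded-User"):
        return None          # proxy did not authenticate anyone
    groups = parse_groups(headers.get("X-Forwarded-Groups"))
    for block in BLOCKS:
        if block.required_group is None or block.required_group in groups:
            return block
    return None


if __name__ == "__main__":
    # Constructed request as the proxy would forward it.
    req = {"X-Forwarded-User": "alice", "X-Forwarded-Groups": "grp1,grp2,grp3"}
    chosen = select_block("10.0.0.5", req)
    print(chosen.name if chosen else "rejected")
```

The trusted-source check is the part worth keeping in mind when proxy_auth is used: the header value itself carries no proof of origin.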

In theory, you can very well use LDAP authorization mixed with proxy_auth authentication. But why bother, if you have a proper LDAP connector with all the bells and whistles within ReadonlyREST?

How about you just use the ROR LDAP connector for authentication and authorization? Leave the proxy.

Yes, I know, but it's a requirement, because they want to auth without any prompt for the username and password. So they want to have it like that.

How can I use it mixed?

Thank you.

In the same block where you have proxy_auth, you add ldap_authorization (see the "Advanced: authentication and authorization in separate rules" section).

It might look something like:

    access_control_rules:

    - name: Accept requests to index1 from users with valid LDAP credentials, belonging to LDAP group 'team1'
      proxy_auth:
        proxy_auth_config: "proxy1"
        users: ["*"]
      ldap_authorization:
        name: "ldap1"                                       # ldap name from 'ldaps' section
        groups: ["g1", "g2"]                                # group within 'ou=Groups,dc=example,dc=com'

    proxy_auth_configs:

    - name: "proxy1"
      user_id_header: "X-Forwarded-User"

    ldaps:

    - name: ldap1
      hosts:                                                        # HA style, alternative to "host"
      - "ldaps://ssl-ldap1.foo.com:636"                             # can use ldap:// or ldaps:// (for ssl)
      - "ldaps://ssl-ldap2.foo.com:636"                             # the port is declared in line
      ha: "ROUND_ROBIN"                                             # optional, default "FAILOVER"
      search_user_base_DN: "ou=People,dc=example2,dc=com"
      search_groups_base_DN: "ou=Groups,dc=example2,dc=com"

Thank you very much! It's working like a charm.
