Build (bundler): Add LDAP Bundle #6721
base: master
Conversation
Artifacts: These changes are published for testing on Buildkite, DockerHub and GitHub Container Registry.
Walkthrough: The recent updates introduce significant enhancements to the LDAP setup within a project, focusing on security and management. Key improvements include ignoring temporary files in version control, configuring password policy overlays for enhanced security, defining LDAP entries for detailed password policy settings, creating essential user and group entries, and refining access control measures. These changes collectively aim to bolster LDAP directory service's security, usability, and organization.
Review Status
Actionable comments generated: 3
Configuration used: CodeRabbit UI
Files ignored due to path filters (2)
- examples/compose/ldap/authelia/configuration.yml is excluded by: !**/*.yml
- examples/compose/ldap/docker-compose.yml is excluded by: !**/*.yml
Files selected for processing (5)
- examples/compose/ldap/authelia/.gitignore (1 hunks)
- examples/compose/ldap/ldif/01-pp.ldif (1 hunks)
- examples/compose/ldap/ldif/02-ppcfg.ldif (1 hunks)
- examples/compose/ldap/ldif/03-base.ldif (1 hunks)
- examples/compose/ldap/ldif/04-access.ldif (1 hunks)
Files skipped from review due to trivial changes (1)
- examples/compose/ldap/authelia/.gitignore
Additional comments: 1
examples/compose/ldap/ldif/04-access.ldif (1)
- 1-5: The access control configuration uses placeholders ({{ LDAP_BACKEND }} and {{ LDAP_BASE_DN }}) which should be replaced with actual values during deployment. Ensure that these placeholders are correctly replaced by deployment scripts or configuration management tools to avoid runtime errors.
dn: cn=module{0},cn=config | ||
changetype: modify | ||
add: olcModuleLoad | ||
olcModuleLoad: ppolicy | ||
|
||
dn: olcOverlay=ppolicy,olcDatabase={1}{{ LDAP_BACKEND }},cn=config | ||
changetype: add | ||
objectClass: olcOverlayConfig | ||
objectClass: olcPPolicyConfig | ||
olcOverlay: ppolicy | ||
olcPPolicyDefault: cn=password,ou=policies,{{ LDAP_BASE_DN }} | ||
olcPPolicyHashCleartext: TRUE | ||
olcPPolicyUseLockout: TRUE | ||
olcPPolicyForwardUpdates: FALSE |
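Review bot: The overlay entry hard-codes `olcDatabase={1}{{ LDAP_BACKEND }}`, which only resolves if the target image registers exactly one database (normally the frontend/config pair counts as {-1} and {0}) ahead of the user backend; please confirm the index against the image this bundle is built for, since a wrong index makes the whole 01-pp.ldif apply fail. Related: 02-ppcfg.ldif relies on the `pwdPolicy` object class, which on OpenLDAP 2.4 lives in a separate ppolicy schema file that nothing in this PR loads, while on 2.5 and later it is internal to the overlay; the target version is not stated here, so this is worth a comment in the file. One clarification on the comment above: `olcPPolicyHashCleartext: TRUE` makes slapd hash cleartext userPassword values that clients send in a Modify before storing them, so it reduces cleartext exposure rather than introducing it and should stay as is.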
The configuration for the password policy overlay (ppolicy) is correctly set up with attributes like olcPPolicyDefault, olcPPolicyHashCleartext, olcPPolicyUseLockout, and olcPPolicyForwardUpdates. However, ensure that olcPPolicyHashCleartext: TRUE aligns with your security policies, as storing passwords in cleartext, even temporarily, can pose a security risk.
dn: ou=policies,{{ LDAP_BASE_DN }} | ||
ou: policies | ||
objectClass: organizationalUnit | ||
|
||
dn: cn=password,ou=policies,{{ LDAP_BASE_DN }} | ||
objectClass: pwdPolicy | ||
objectClass: person | ||
objectClass: top | ||
cn: passwordDefault | ||
sn: passwordDefault | ||
pwdAttribute: userPassword | ||
pwdCheckQuality: 1 | ||
pwdMinAge: 0 | ||
pwdMaxAge: 0 | ||
pwdMinLength: 3 | ||
pwdInHistory: 0 | ||
pwdMaxFailure: 5 | ||
pwdFailureCountInterval: 0 | ||
pwdLockout: TRUE | ||
pwdLockoutDuration: 0 | ||
pwdAllowUserChange: TRUE | ||
pwdExpireWarning: 0 | ||
pwdGraceAuthNLimit: 0 | ||
pwdMustChange: FALSE | ||
pwdSafeModify: FALSE |
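Review bot: The entry at `dn: cn=password,ou=policies,{{ LDAP_BASE_DN }}` carries `cn: passwordDefault` but no `cn: password`, so the RDN value is not present in the entry and slapd will reject the add with a naming violation; add `cn: password` as an additional value (or rename the DN and update `olcPPolicyDefault` in 01-pp.ldif to match). On the policy values: `pwdLockout: TRUE` combined with `pwdLockoutDuration: 0` and `pwdFailureCountInterval: 0` means that after `pwdMaxFailure: 5` failed binds the account stays locked until an administrator clears it, which turns the brute-force protection into a lockout of any known uid; a finite `pwdLockoutDuration` and a non-zero `pwdFailureCountInterval` keep the protection without the permanent lock. `pwdMinLength: 3` is only defensible for a throwaway test; the suggestion above to raise it to 8 is reasonable for an example others will copy.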
The password policy configuration in 02-ppcfg.ldif sets a minimal password length (pwdMinLength: 3) which might be too low for secure applications. Consider increasing this value to enhance security. Additionally, pwdMaxFailure: 5 and pwdLockout: TRUE are good practices for preventing brute-force attacks, but ensure these settings align with your user experience and security requirements.
- pwdMinLength: 3
+ pwdMinLength: 8
dn: cn=pwmanager,{{ LDAP_BASE_DN }} | ||
cn: Password Manager | ||
displayName: Password Manager | ||
givenName: Password | ||
objectClass: inetOrgPerson | ||
objectClass: top | ||
mail: password.manager@authelia.com | ||
sn: Manager | ||
uid: pwmanager | ||
userPassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ | ||
|
||
dn: ou=groups,{{ LDAP_BASE_DN }} | ||
objectClass: organizationalUnit | ||
objectClass: top | ||
ou: groups | ||
|
||
dn: ou=users,{{ LDAP_BASE_DN }} | ||
objectClass: organizationalUnit | ||
objectClass: top | ||
ou: users | ||
|
||
dn: cn=dev,ou=groups,{{ LDAP_BASE_DN }} | ||
cn: dev | ||
member: cn=John Doe (external),ou=users,{{ LDAP_BASE_DN }} | ||
member: cn=Bob Dylan,ou=users,{{ LDAP_BASE_DN }} | ||
objectClass: groupOfNames | ||
objectClass: top | ||
|
||
dn: cn=admins,ou=groups,{{ LDAP_BASE_DN }} | ||
cn: admins | ||
member: cn=John Doe (external),ou=users,{{ LDAP_BASE_DN }} | ||
objectClass: groupOfNames | ||
objectClass: top | ||
|
||
dn: cn=John Doe (external),ou=users,{{ LDAP_BASE_DN }} | ||
cn: John Doe (external) | ||
displayName: John Doe | ||
givenName: John | ||
objectClass: inetOrgPerson | ||
objectClass: top | ||
mail: john.doe@authelia.com | ||
sn: Doe | ||
uid: john | ||
userPassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ | ||
|
||
dn: cn=Harry Potter,ou=users,{{ LDAP_BASE_DN }} | ||
cn: Harry Potter | ||
displayName: Harry Potter | ||
givenName: Harry | ||
objectClass: inetOrgPerson | ||
objectClass: top | ||
mail: harry.potter@authelia.com | ||
sn: Potter | ||
uid: harry | ||
userPassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ | ||
|
||
dn: cn=Bob Dylan,ou=users,{{ LDAP_BASE_DN }} | ||
cn: Bob Dylan | ||
displayName: Bob Dylan | ||
givenName: Bob | ||
objectClass: inetOrgPerson | ||
objectClass: top | ||
mail: bob.dylan@authelia.com | ||
sn: Dylan | ||
uid: bob | ||
userPassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ | ||
|
||
dn: cn=James Dean,ou=users,{{ LDAP_BASE_DN }} | ||
cn: James Dean | ||
displayName: James Dean | ||
givenName: James | ||
objectClass: inetOrgPerson | ||
objectClass: top | ||
mail: james.dean@authelia.com | ||
sn: Dean | ||
uid: james | ||
userPassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ | ||
|
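Review bot: The `dn: cn=pwmanager,{{ LDAP_BASE_DN }}` entry has `cn: Password Manager` but no `cn: pwmanager`, so the RDN value is absent from the entry and slapd will refuse the add with a naming violation; either add `cn: pwmanager` as a second value or change the DN to match the existing cn. Separately, this account sits directly under the base DN rather than under ou=users and carries the same `{CRYPT}$6$...` hash as every user entry; since it is presumably the account Authelia binds with, it should get its own credential, and the ACLs in 04-access.ldif should be checked to grant it only what it needs in the users and groups subtrees.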
The user and group creation in 03-base.ldif is well-structured, with clear separation of users and groups. However, all users are assigned the same password hash, which is a security risk. Ensure that individual, strong passwords are set for each user in a secure manner, possibly through an automated, secure password setting process post-deployment.
Work in progress.
This PR will add an LDAP example bundle to Authelia.
Summary by CodeRabbit
New Features
Chores
- .gitignore to exclude db.sqlite3 and notification.txt from version control.