Skip to content
/ ldap-proxy Public

A fast, simple, in-memory caching proxy for ldap that allows limiting of dn's and their searches.

License

MPL-2.0 license
8 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kanidm/ldap-proxy

1 Branch1 Tag

Folders and files

NameName
Last commit message
Last commit date

Latest commit

dependabot[bot]dependabot[bot]
Bump clap from 4.5.36 to 4.5.37 in the all group (#86)
Apr 21, 2025
be91412 · Apr 21, 2025

History

103 Commits
.github
.github
Mar 30, 2025
scripts
scripts
May 28, 2024
src
src
Apr 4, 2025
tests
tests
Apr 4, 2025
.gitignore
.gitignore
Dec 7, 2023
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
Sep 1, 2023
Cargo.lock
Cargo.lock
Apr 21, 2025
Cargo.toml
Cargo.toml
Apr 14, 2025
Dockerfile
Dockerfile
Sep 5, 2023
LICENSE.md
LICENSE.md
Sep 1, 2023
README.md
README.md
Sep 20, 2023
config.toml
config.toml
Sep 8, 2023
ldap-proxy.service
ldap-proxy.service
Dec 7, 2023
make.sh
make.sh
Dec 7, 2023

Repository files navigation

Ldap Proxy

A fast, simple, in-memory caching proxy for ldap that allows limiting of dn's and their searches.

# /data/config.toml for containers.
# /etc/ldap-proxy/config.toml for packaged versions.

bind = "127.0.0.1:3636"
tls_chain = "/tmp/chain.pem"
tls_key = "/tmp/key.pem"

# Number of bytes of entries to store in the cache
# cache_bytes = 137438953472
# Seconds that entries remain valid in cache
# cache_entry_timeout = 1800

# The max ber size of requests from clients
# max_incoming_ber_size = 8388608
# The max ber size of responses from the upstream ldap server
# max_proxy_ber_size = 8388608

# By default only DNs listed in the bind-maps may bind. All other
# DNs that do not have a bind-map entry may not proceed. Setting
# this allows all DNs to bind through the server. When this is
# true, if the DN has a bind-map it will filter the queries of that
# DN. If the DN does not have a bind map, it allows all queries.
#
# Another way to think of this is that setting this to "false"
# makes this an ldap firewall. Setting this to "true" turns this
# into a search-caching proxy.
#
# allow_all_bind_dns = false

ldap_ca = "/tmp/ldap-ca.pem"
ldap_url = "ldaps://idm.example.com"


# Bind Maps
#
# This allows you to configure which DNs can bind, and what search
# queries they may perform.
#
# "" is the anonymous dn
[""]
allowed_queries = [
    ["", "base", "(objectclass=*)"],
    ["o=example", "subtree", "(objectclass=*)"],
]

["cn=Administrator"]
# If you don't specify allowed queries, all queries are granted

["cn=user"]
allowed_queries = [
    ["", "base", "(objectclass=*)"],
]

Where do I get it?

  • OpenSUSE: zypper in ldap-proxy
  • docker: docker pull firstyear/ldap-proxy:latest

FAQ

Why can't ldap-proxy running under systemd read my certificates?

Because we use systemd dynamic users. This means that ldap-proxy is always isolated in a sandboxed user, and that user can dynamically change it's uid/gid.

To resolve this, you need to add ldap-proxy to have a supplemental group that can read your certs.

# systemctl edit ldap-proxy
[Service]
SupplementaryGroups=certbot

Then restart ldap-proxy. Also be sure to check that the group has proper execute bits along the directory paths and that the certs are readable to the group!

About

A fast, simple, in-memory caching proxy for ldap that allows limiting of dn's and their searches.

Resources

Readme

License

MPL-2.0 license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

8 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

1 tags

Packages

No packages published

Contributors 3

Languages