I am trying to create a testing env that would help me implement an SSO authentication using Kerberos (the production env is the customer's, so I don't have direct access to it). I started to set up my own env in Docker. The application is based on React in the frontend and calls a Node.js REST API (Express).
My plan is to set up
I successfully made steps 1-3. I am using an OpenLDAP image for Active Directory, which is running in Docker (it is accessed by a domain name, let's say ldap.example.com). I can manage users and groups, and I can also access LDAP from the backend with an admin/tech user and retrieve data. I can authenticate a user with his LDAP username (uid) and password.
The problem is Kerberos. I use a Kerberos Docker image, and I am trying to set it up to authenticate LDAP users.
krb5.conf:

    [libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = LDAP.EXAMPLE.COM

    [realms]
    LDAP.EXAMPLE.COM = {
        kdc = ldap.example.com
        admin_server = admin
    }
Another problem is adding a PC to the domain. I tried this only on a Mac. I can see the Network Account Server and I can successfully add it, but when I open Directory Utility and try to add an Active Directory domain, it fails with a generic error: "Authentication server could not be contacted".
But the main problem is the connection between the LDAP and Kerberos images; I tried several configurations but still can't figure out how to use LDAP user credentials in Kerberos auth.
I made a full-featured Docker test environment for these problems, which consists of:
I suggest using the dpage/pgadmin4 image for manual LDAP configuration (users, groups, etc.).
The LDAP user/password fallback is bad practice within this architecture. Nevertheless, you can build up your authentication process via Passport in that manner as well; I haven't tried it out, but the passport-ldapauth package seems good for this.