diff --git a/README.md b/README.md
index 99cd436..1877d5b 100644
--- a/README.md
+++ b/README.md
@@ -15,10 +15,9 @@ Another LDAP provides Authentication and Authorization for your applications run
 ## Features
 - Authentication and Authorization for applications.
-- Authorization via LDAP groups.
-- Supports regex in groups.
-- Supports `ldap` and `ldaps` servers.
-- Supports TLS via self-signed certificate.
+- Authorization via LDAP groups, supports regex in groups list.
+- Supports protocols `ldap://` and `ldaps://`.
+- Enabled by design TLS via self-signed certificate.
 - Supports configuration via headers or via environment variables.
 - HTTP response headers with username and matched groups for the backend.
 - Brute force protection.
@@ -130,7 +129,7 @@ spec:
 ```
 ## Available parameters
-All parameters are defined in the config-map and secret from the Kubernetes manifests.
+All parameters are defined in the config-map and secret manifests.
 All values type are `string`.
@@ -138,7 +137,7 @@ The parameter `LDAP_SEARCH_FILTER` supports variable expansion with the username
 The parameter `LDAP_BIND_DN` supports variable expansion with the username, you can do something like this `{username}@TESTMYLDAP.com` or `UID={username},OU=PEOPLE,DC=TESTMYLDAP,DC=COM` and `{username}` is going to be replaced by the username typed in the login form.
-The parameter `COOKIE_DOMAIN` define the scope of the cookie, for example if you need to authentication/authorizate the domain `testmyldap.com` you should set `.testmyldap.com` in this parameter.
+The parameter `COOKIE_DOMAIN` define the scope of the cookie, for example if you need to authentication/authorizate the domain `testmyldap.com` you should set the wildcard `.testmyldap.com` (notice the dot at the beginning).
 ## Supported HTTP request headers
 The variables send via HTTP headers take precedence over environment variables.
 - `Ldap-Allowed-Users`
diff --git a/files/main.py b/files/main.py
index 2ab9d20..8597fcc 100644
--- a/files/main.py
+++ b/files/main.py
@@ -33,7 +33,7 @@ SESSION_COOKIE_NAME = 'another-ldap'
 SESSION_COOKIE_DOMAIN = param.get('COOKIE_DOMAIN', None)
 SESSION_COOKIE_HTTPONLY = True
-SESSION_COOKIE_SECURE = param.get('ENABLE_HTTPS', False, bool)
+SESSION_COOKIE_SECURE = True
 PERMANENT_SESSION_LIFETIME = timedelta(days=7)
 SESSION_COOKIE_SAMESITE = 'Lax'
 app.config.from_object(__name__)
@@ -169,6 +169,7 @@ def afterAll(response):
     session.clear() # Remove Session file and cookie
     response.headers['Server'] = '' # Remove Server header
     response.headers['X-Frame-Options'] = 'SAMEORIGIN'
+    response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
     return response
 @app.errorhandler(HTTPException)
@@ -177,7 +178,4 @@ def handle_exception(e):
     return 'Not Found', 404
 if __name__ == '__main__':
-    if param.get('ENABLE_HTTPS', False, bool):
-        app.run(host='0.0.0.0', port=9000, ssl_context='adhoc', debug=False, use_reloader=False)
-    else:
-        app.run(host='0.0.0.0', port=9000, debug=False, use_reloader=False)
\ No newline at end of file
+    app.run(host='0.0.0.0', port=9000, ssl_context='adhoc', debug=False, use_reloader=False)
\ No newline at end of file
diff --git a/kubernetes/config-map.yaml b/kubernetes/config-map.yaml
index 462a54c..68ecbd9 100644
--- a/kubernetes/config-map.yaml
+++ b/kubernetes/config-map.yaml
@@ -5,7 +5,6 @@ metadata:
   name: another-ldap
   namespace: another
 data:
-  ENABLE_HTTPS: "True"
   LDAP_ENDPOINT: "ldaps://testmyldap.com:636"
   LDAP_MANAGER_DN_USERNAME: "CN=john,OU=Administrators,DC=TESTMYLDAP,DC=COM"
   LDAP_BIND_DN: "{username}@TESTMYLDAP.com"
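Review bot: `SESSION_COOKIE_SECURE = True` is now an unconditional constant whose correctness rests entirely on the `app.run(..., ssl_context='adhoc')` change at the bottom of this file, and nothing on this line records that coupling; a later maintainer who reintroduces a plain-HTTP listener would silently break login, because browsers neither store nor send a `Secure` cookie over HTTP. Suggest `SESSION_COOKIE_SECURE = True  # the server only listens over TLS (see app.run ssl_context='adhoc'); do not relax without restoring an HTTP opt-out`. The diff drops `ENABLE_HTTPS` from the config-map but the README hunks here do not touch its parameter list, so if that list still documents `ENABLE_HTTPS` the entry is now stale and should be removed in the same change.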
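Review bot: The new `Strict-Transport-Security` line in afterAll commits the serving host and every subdomain (`includeSubDomains`) to HTTPS for a year, yet browsers only record an HSTS policy from a response delivered over a certificate they trust, so with the self-signed `ssl_context='adhoc'` certificate this header is inert unless a reverse proxy presenting a trusted certificate sits in front. The sibling lines each carry a short trailing comment while this one does not; suggest `response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains' # HSTS for host and all subdomains; browsers honour it only behind a trusted cert`. `includeSubDomains` is a deployment-wide policy choice — if the `COOKIE_DOMAIN` scope (e.g. `.testmyldap.com`) still contains hosts served over plain HTTP, it should be an operator option rather than hard-coded. afterAll's earlier lines are outside the hunk.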
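Review bot: Removing the plain-HTTP branch makes `ssl_context='adhoc'` mandatory, which generates a fresh self-signed certificate on every process start and needs the `cryptography` package at runtime; any ingress or sidecar that previously terminated TLS in front of this service must now either skip verification or be re-pointed at a rotating, untrusted certificate, and a deployment without the package fails at startup rather than at configuration time. Since the diff deletes `ENABLE_HTTPS` from the config-map without offering a way to supply a stable certificate, suggest documenting the trade-off on this line, `app.run(host='0.0.0.0', port=9000, ssl_context='adhoc', debug=False, use_reloader=False)  # self-signed cert regenerated each start; front with a proxy holding a trusted cert`, or accepting a mounted `(cert_file, key_file)` tuple for `ssl_context` when one is configured. That this line starts Werkzeug's built-in server is pre-existing and not introduced here.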