fix: remove openldap dependencies from apisix #10176

Open
wants to merge 1 commit into
base: master

@Zhenye-Na Zhenye-Na commented Sep 8, 2023

Description

Fixes #7865

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

Modified files checklist based on original issue:

  • .github/workflows/fuzzing-ci.yaml:53: sudo apt-get install -y git openresty curl openresty-openssl111-dev unzip make gcc libldap2-dev
  • ci/centos7-ci.sh:26: git sudo openldap-devel which libxml2-devel openssl-devel libxslt-devel
  • ci/common.sh:130: apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl libpcre3 libpcre3-dev libldap2-dev
  • ci/performance_test.sh:25: apt-get -y install lua5.1 liblua5.1-0-dev libldap2-dev
  • ci/pod/docker-compose.plugin.yml:148: openldap:
  • docs/en/latest/building-apisix.md:94: brew install openldap
    • did not modify the documentation page since I am not too sure if I could remove the whole section of installing openldap or not
  • t/chaos/utils/Dockerfile:34: openldap-dev
  • utils/install-dependencies.sh:49: local common_dep="curl wget git gcc openresty-openssl111-devel unzip pcre pcre-devel openldap-devel"
  • utils/install-dependencies.sh:87: sudo apt-get install -y git openresty curl openresty-openssl111-dev make gcc libpcre3 libpcre3-dev libldap2-dev unzip
  • utils/install-dependencies.sh:93: brew install openresty/brew/openresty luarocks [email protected] wget curl git pcre openldap
  • utils/linux-install-openresty.sh:51:sudo apt-get install "$openresty" openresty-openssl111-debug-dev libldap2-dev
    • utils/linux-install-openresty.sh could not be found

@Zhenye-Na Zhenye-Na marked this pull request as ready for review September 8, 2023 06:45
@monkeyDluffy6017
Contributor

monkeyDluffy6017 commented Sep 12, 2023

  1. The utils/linux-install-openresty.sh is replaced by ci/linux-install-openresty.sh
  2. docs/en/latest/building-apisix.md and docs/zh/latest/building-apisix.md
    The openldap section could be removed, @kingluo please help to check this
  3. Need a new pr to remove ldap in build-tools
    https://github.com/api7/apisix-build-tools/blob/acedbc07990929efd066b1c25b53e09c6d0d085f/package-apisix.sh#L10
  4. please make the ci pass

@monkeyDluffy6017 monkeyDluffy6017 added the "wait for update" label (wait for the author's response in this issue/PR) Sep 12, 2023
@kingluo
Contributor

kingluo commented Sep 12, 2023

Looks like some files are ignored.
Let's check which files involve ldap:

# cd to apisix repo dir
git grep -i ldap

Not all files need to remove ldap, e.g. t/ldap-autht.t.
But you can get a full list of ldap for reference.

@Zhenye-Na
Author

Zhenye-Na commented Sep 13, 2023

  • The utils/linux-install-openresty.sh is replaced by ci/linux-install-openresty.sh
  • docs/en/latest/building-apisix.md and docs/zh/latest/building-apisix.md
  • please make the ci pass

Ack.


I will create a dedicated CR to address the following comments

Need a new pr to remove ldap in build-tools
api7/apisix-build-tools@acedbc0/package-apisix.sh#L10

Does this sound good to you? @monkeyDluffy6017 Also, do you prefer that I create a new Issue regarding this change so that the CR will only fix that Issue instead of the current one?

Thanks

@Zhenye-Na
Author

Zhenye-Na commented Sep 13, 2023

Hi @kingluo ,

Regarding the deletion of the documentation page, could you help me confirm that the following sections could be removed safely?

Thanks!

image

If I could safely remove those references, I guess it also applies to the other documentation page as well? For example:

image

@monkeyDluffy6017
Contributor

@Zhenye-Na What do you mean by CR? I can't get your point

@kingluo
Contributor

kingluo commented Sep 13, 2023

@Zhenye-Na Yes, you should look over all LDAP-related lines from the grep result and everything related to OpenLDAP (not LDAP) should be removed. Anyway, I'll review your output to ensure correctness if your PR passes the CI.

@Zhenye-Na
Author

@Zhenye-Na What do you mean by CR? I can't get your point

Sorry, I was referring to PR in GitHub

@Zhenye-Na
Author

@Zhenye-Na Yes, you should look over all LDAP-related lines from the grep result and everything related to OpenLDAP (not LDAP) should be removed. Anyway, I'll review your output to ensure correctness if your PR passes the CI.

Thank you!

@Zhenye-Na
Author

Converting this PR to be in draft mode for next revision

@Zhenye-Na Zhenye-Na marked this pull request as draft September 14, 2023 06:33
@Zhenye-Na
Author

Hi @kingluo ,

I have executed the following commands to retrieve the list of files with ldap keyword reference

This only outputs the filenames:

git grep --files-with-matches  -i ldap

CHANGELOG.md
apisix/plugins/ldap-auth.lua
ci/pod/openfunction/function-example/test-uri/go.sum
ci/redhat-ci.sh
conf/config-default.yaml
docs/en/latest/config.json
docs/en/latest/getting-started/key-authentication.md
docs/en/latest/plugins/ldap-auth.md
docs/en/latest/plugins/wolf-rbac.md
docs/en/latest/stream-proxy.md
docs/en/latest/tutorials/add-multiple-api-versions.md
docs/zh/latest/CHANGELOG.md
docs/zh/latest/config.json
docs/zh/latest/plugins/ldap-auth.md
docs/zh/latest/plugins/wolf-rbac.md
docs/zh/latest/stream-proxy.md
rockspec/apisix-2.11.0-0.rockspec
rockspec/apisix-2.12.0-0.rockspec
rockspec/apisix-2.12.1-0.rockspec
rockspec/apisix-2.13.0-0.rockspec
rockspec/apisix-2.13.1-0.rockspec
rockspec/apisix-2.13.2-0.rockspec
rockspec/apisix-2.13.3-0.rockspec
rockspec/apisix-2.14.0-0.rockspec
rockspec/apisix-2.14.1-0.rockspec
rockspec/apisix-2.15.0-0.rockspec
rockspec/apisix-2.15.1-0.rockspec
rockspec/apisix-2.15.2-0.rockspec
rockspec/apisix-2.15.3-0.rockspec
rockspec/apisix-2.99.0-0.rockspec
rockspec/apisix-3.0.0-0.rockspec
rockspec/apisix-3.1.0-0.rockspec
rockspec/apisix-3.2.0-0.rockspec
rockspec/apisix-3.2.1-0.rockspec
rockspec/apisix-3.3.0-0.rockspec
rockspec/apisix-3.4.0-0.rockspec
rockspec/apisix-3.5.0-0.rockspec
rockspec/apisix-master-0.rockspec
t/admin/plugins.t
t/chaos/utils/Dockerfile
t/plugin/ldap-auth.t

Here is the full list of filename + references

git grep -i ldap
CHANGELOG.md:- ldap-auth internal implementation, switching from lualdap to lua-resty-ldap: [#7590](https://github.com/apache/apisix/pull/7590)
CHANGELOG.md:- :sunrise: feat: Add ldap-auth plugin [#3894](https://github.com/apache/apisix/pull/3894)
apisix/plugins/ldap-auth.lua:local ldap = require("resty.ldap")
apisix/plugins/ldap-auth.lua:        ldap_uri = { type = "string" },
apisix/plugins/ldap-auth.lua:    required = {"base_dn","ldap_uri"},
apisix/plugins/ldap-auth.lua:local plugin_name = "ldap-auth"
apisix/plugins/ldap-auth.lua:    -- 2. try authenticate the user against the ldap server
apisix/plugins/ldap-auth.lua:    local ldap_host, ldap_port = core.utils.parse_addr(conf.ldap_uri)
apisix/plugins/ldap-auth.lua:    local ldapconf = {
apisix/plugins/ldap-auth.lua:        ldap_host = ldap_host,
apisix/plugins/ldap-auth.lua:        ldap_port = ldap_port or 389,
apisix/plugins/ldap-auth.lua:        ldaps = conf.use_tls,
apisix/plugins/ldap-auth.lua:    local res, err = ldap.ldap_authenticate(user.username, user.password, ldapconf)
apisix/plugins/ldap-auth.lua:        core.log.warn("ldap-auth failed: ", err)
ci/pod/openfunction/function-example/test-uri/go.sum:github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
ci/pod/openfunction/function-example/test-uri/go.sum:github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
ci/redhat-ci.sh:    wget tar gcc automake autoconf libtool make unzip git sudo openldap-devel hostname \
conf/config-default.yaml:  - ldap-auth                      # priority: 2540
docs/en/latest/config.json:            "plugins/ldap-auth",
docs/en/latest/getting-started/key-authentication.md:- [LDAP](https://apisix.apache.org/docs/apisix/plugins/ldap-auth/)
docs/en/latest/plugins/ldap-auth.md:title: ldap-auth
docs/en/latest/plugins/ldap-auth.md:  - LDAP Authentication
docs/en/latest/plugins/ldap-auth.md:  - ldap-auth
docs/en/latest/plugins/ldap-auth.md:description: This document contains information about the Apache APISIX ldap-auth Plugin.
docs/en/latest/plugins/ldap-auth.md:The `ldap-auth` Plugin can be used to add LDAP authentication to a Route or a Service.
docs/en/latest/plugins/ldap-auth.md:This Plugin works with the Consumer object and the consumers of the API can authenticate with an LDAP server using [basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication).
docs/en/latest/plugins/ldap-auth.md:This Plugin uses [lua-resty-ldap](https://github.com/api7/lua-resty-ldap) for connecting with an LDAP server.
docs/en/latest/plugins/ldap-auth.md:| user_dn | string | True     | User dn of the LDAP client. For example, `cn=user01,ou=users,dc=example,dc=org`. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. |
docs/en/latest/plugins/ldap-auth.md:| base_dn  | string  | True     |         | Base dn of the LDAP server. For example, `ou=users,dc=example,dc=org`. |
docs/en/latest/plugins/ldap-auth.md:| ldap_uri | string  | True     |         | URI of the LDAP server.                                                |
docs/en/latest/plugins/ldap-auth.md:| tls_verify| boolean  | False     | `false`        | Whether to verify the server certificate when `use_tls` is enabled; If set to `true`, you must set `ssl_trusted_certificate` in `config.yaml`, and make sure the host of `ldap_uri` matches the host in server certificate. |
docs/en/latest/plugins/ldap-auth.md:First, you have to create a Consumer and enable the `ldap-auth` Plugin on it:
docs/en/latest/plugins/ldap-auth.md:        "ldap-auth": {
docs/en/latest/plugins/ldap-auth.md:        "ldap-auth": {
docs/en/latest/plugins/ldap-auth.md:            "ldap_uri": "localhost:1389",
docs/en/latest/plugins/ldap-auth.md:To remove the `ldap-auth` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
docs/en/latest/plugins/wolf-rbac.md:`authType` is the authentication type—1 for password authentication (default) and 2 for LDAP authentication (v0.5.0+).
docs/en/latest/stream-proxy.md:A stream proxy operates at the transport layer, handling stream-oriented traffic based on TCP and UDP protocols. TCP is used for many applications and services, such as LDAP, MySQL, and RTMP. UDP is used for many popular non-transactional applications, such as DNS, syslog, and RADIUS.
docs/en/latest/tutorials/add-multiple-api-versions.md:      "oldapi:8081": 1
docs/en/latest/tutorials/add-multiple-api-versions.md:    "oldapi:8081": 1
docs/en/latest/tutorials/add-multiple-api-versions.md:In the scope of this tutorial, we will use _URI path-based versioning_ because it’s the most widespread. We are going to add `v1` version for our existing `oldapi` in this section.
docs/zh/latest/CHANGELOG.md:- ldap-auth 内部实现,由 lualdap 换成 lua-resty-ldap:[#7590](https://github.com/apache/apisix/pull/7590)
docs/zh/latest/CHANGELOG.md:- :sunrise: 新增 ldap-auth 插件 [#3894](https://github.com/apache/apisix/pull/3894)
docs/zh/latest/config.json:            "plugins/ldap-auth",
docs/zh/latest/plugins/ldap-auth.md:title: ldap-auth
docs/zh/latest/plugins/ldap-auth.md:  - LDAP Authentication
docs/zh/latest/plugins/ldap-auth.md:  - ldap-auth
docs/zh/latest/plugins/ldap-auth.md:description: 本篇文档介绍了 Apache APISIX ldap-auth 插件的相关信息。
docs/zh/latest/plugins/ldap-auth.md:`ldap-auth` 插件可用于给路由或服务添加 LDAP 身份认证,该插件使用 [lua-resty-ldap](https://github.com/api7/lua-resty-ldap) 连接 LDAP 服务器。
docs/zh/latest/plugins/ldap-auth.md:该插件需要与 Consumer 一起配合使用,API 的调用方可以使用 [basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) 与 LDAP 服务器进行认证。
docs/zh/latest/plugins/ldap-auth.md:| user_dn | string | 是     | LDAP 客户端的 dn,例如:`cn=user01,ou=users,dc=example,dc=org`。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 |
docs/zh/latest/plugins/ldap-auth.md:| base_dn  | string  | 是     |         | LDAP 服务器的 dn,例如:`ou=users,dc=example,dc=org`。|
docs/zh/latest/plugins/ldap-auth.md:| ldap_uri | string  | 是     |         | LDAP 服务器的 URI。                                                |
docs/zh/latest/plugins/ldap-auth.md:| tls_verify| boolean  | 否     | false        | 是否校验 LDAP 服务器的证书。如果设置为 `true`,你必须设置 `config.yaml` 里面的 `ssl_trusted_certificate`,并且确保 `ldap_uri` 里的 host 和服务器证书中的 host 匹配。 |
docs/zh/latest/plugins/ldap-auth.md:        "ldap-auth": {
docs/zh/latest/plugins/ldap-auth.md:        "ldap-auth": {
docs/zh/latest/plugins/ldap-auth.md:            "ldap_uri": "localhost:1389",
docs/zh/latest/plugins/ldap-auth.md:当你需要禁用 `ldap-auth` 插件时,可以通过以下命令删除相应的 JSON 配置。APISIX 将自动重新加载,无需重启服务:
docs/zh/latest/plugins/wolf-rbac.md:`authType` 为认证类型,`1` 为密码认证(默认),`2` 为 LDAP 认证。`wolf` 从 0.5.0 版本开始支持了 LDAP 认证。
docs/zh/latest/stream-proxy.md:众多的闻名的应用和服务,像 LDAP、MYSQL 和 RTMP,选择 TCP 作为通信协议。但是像 DNS、syslog 和 RADIUS 这类非事务性的应用,他们选择了 UDP 协议。
rockspec/apisix-2.11.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.12.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.12.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.13.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.13.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.13.2-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.13.3-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.14.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.14.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.15.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.15.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.15.2-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.15.3-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.99.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.99.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.0.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.0.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.1.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.1.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.2.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.2.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.2.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.2.1-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.3.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.3.0-0.rockspec:    "lua-resty-ldap = 0.2.2-0"
rockspec/apisix-3.4.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.4.0-0.rockspec:    "lua-resty-ldap = 0.2.2-0"
rockspec/apisix-3.5.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.5.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0",
rockspec/apisix-master-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-master-0.rockspec:    "lua-resty-ldap = 0.1.0-0",
t/admin/plugins.t:ldap-auth
t/admin/plugins.t:qr/\[\{"name":"wolf-rbac","priority":2555\},\{"name":"ldap-auth","priority":2540\},\{"name":"hmac-auth","priority":2530\},\{"name":"basic-auth","priority":2520\},\{"name":"jwt-auth","priority":2510\},\{"name":"key-auth","priority":2500\}\]/
t/chaos/utils/Dockerfile:        openldap \
t/plugin/ldap-auth.t:            local plugin = require("apisix.plugins.ldap-auth")
t/plugin/ldap-auth.t:            local plugin = require("apisix.plugins.ldap-auth")
t/plugin/ldap-auth.t:            local ok, err = plugin.check_schema({base_dn = 123, ldap_uri = "127.0.0.1:1389"})
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "127.0.0.1:1389",
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "127.0.0.1:1389",
t/plugin/ldap-auth.t:                            ["ldap-auth"] = case
t/plugin/ldap-auth.t:{"error_msg":"invalid plugins configuration: failed to check the configuration of plugin ldap-auth err: property \"user_dn\" is required"}
t/plugin/ldap-auth.t:{"error_msg":"invalid plugins configuration: invalid plugin conf \"blah\" for plugin [ldap-auth]"}
t/plugin/ldap-auth.t:            local code, body = t('/apisix/admin/schema/plugins/ldap-auth',
t/plugin/ldap-auth.t:{"title":"work with route or service object","required":["base_dn","ldap_uri"],"properties":{"base_dn":{"type":"string"},"ldap_uri":{"type":"string"},"use_tls":{"type":"boolean"},"tls_verify":{"type":"boolean"},"uid":{"type":"string"}},"type":"object"}
t/plugin/ldap-auth.t:            local code, body = t('/apisix/admin/schema/plugins/ldap-auth?schema_type=consumer',
t/plugin/ldap-auth.t:            local code, body = t('/apisix/admin/schema/plugins/ldap-auth?schema_type=consumer123123',
t/plugin/ldap-auth.t:{"title":"work with route or service object","required":["base_dn","ldap_uri"],"properties":{"base_dn":{"type":"string"},"ldap_uri":{"type":"string"},"use_tls":{"type":"boolean"},"tls_verify":{"type":"boolean"},"uid":{"type":"string"}},"type":"object"}                ]]
t/plugin/ldap-auth.t:=== TEST 17: enable ldap-auth with tls
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "test.com:1636",
t/plugin/ldap-auth.t:=== TEST 19: enable ldap-auth with tls, verify CA
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "test.com:1636",
t/plugin/ldap-auth.t:=== TEST 21: set ldap-auth conf: user_dn uses secret ref
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "127.0.0.1:1389",
t/plugin/ldap-auth.t:=== TEST 24: set ldap-auth conf with the token in an env var: user_dn uses secret ref
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "127.0.0.1:1389",

I think you mentioned above that t/ldap-autht.t doesn't need to be removed; I am thinking you are referring to t/plugin/ldap-auth.t as well as other files that referenced ldap-auth.

I have made additional changes like ci/redhat-ci.sh and will push the PR in a bit, but please feel free to let me know if there are additional changes that need to be made.

Thanks!

@Zhenye-Na Zhenye-Na marked this pull request as ready for review September 14, 2023 07:17
@kingluo
Contributor

kingluo commented Sep 14, 2023

@Zhenye-Na Please rerun git grep and recheck the results when you're done making changes, i.e. no openldap-related files anymore, then I'll run CI again.
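
The recheck requested above, as an added example that is not part of the thread or of the APISIX code base: it narrows `git grep -i ldap` output to references to the native OpenLDAP library (ignoring `ldap-auth`, `lua-resty-ldap`, `go-ldap` and the `oldapi` false positive) and reports whether the removal is only half done, which is the state behind the `ldap.h` CI error quoted further down this thread. The function names and the choice to skip CHANGELOG files are assumptions; the sample lines are constructed from grep output quoted on this page.

```shell
#!/bin/sh
# Added example: triage `git grep -i ldap` output ("path:content" lines on stdin).
# Package and rock names are the ones that appear in this thread.

# Anything that pulls in the native OpenLDAP library: the runtime package, the
# header packages, or the lualdap rock that compiles against ldap.h.
# The boundary classes keep "ldap-auth", "lua-resty-ldap", "go-ldap" and
# "oldapi" out of the result.
NATIVE_RE='(^|[^[:alnum:]_-])(openldap(-devel|-dev)?|libldap2-dev|lualdap)([^[:alnum:]_-]|$)'
# Packages that ship ldap.h (RHEL/CentOS, Alpine, Debian/Ubuntu names).
HEADER_RE='(^|[^[:alnum:]_-])(openldap-devel|openldap-dev|libldap2-dev)([^[:alnum:]_-]|$)'
# Assumption: changelog entries are history and are left untouched.
CHANGELOG_RE='^(docs/[^:]*/)?CHANGELOG\.md:'

# Print only the lines that still reference native OpenLDAP.
native_ldap_refs() {
    grep -v -E "$CHANGELOG_RE" | grep -i -E "$NATIVE_RE" || true
}

# Classify the repository state from the same grep output:
#   present      lualdap is in the master rockspec and header packages are installed
#   half-removed lualdap is still required but no header package is installed,
#                so `luarocks` fails with "Could not find header file for LDAP"
#   leftover     lualdap is gone but OpenLDAP packages are still referenced
#   clean        no native OpenLDAP reference remains
removal_state() {
    _in=$(cat)
    _rock=$(printf '%s\n' "$_in" |
        grep -c -E '^rockspec/apisix-master-0\.rockspec:.*"lualdap ' || true)
    _hdrs=$(printf '%s\n' "$_in" | grep -v -E "$CHANGELOG_RE" |
        grep -c -i -E "$HEADER_RE" || true)
    _any=$(printf '%s\n' "$_in" | native_ldap_refs | grep -c . || true)
    if [ "$_rock" -gt 0 ] && [ "$_hdrs" -gt 0 ]; then
        echo present
    elif [ "$_rock" -gt 0 ]; then
        echo half-removed
    elif [ "$_any" -gt 0 ]; then
        echo leftover
    else
        echo clean
    fi
}

# Constructed sample: a subset of the first grep output posted in this thread.
sample_before() {
    cat <<'EOF'
CHANGELOG.md:- ldap-auth internal implementation, switching from lualdap to lua-resty-ldap: [#7590](https://github.com/apache/apisix/pull/7590)
apisix/plugins/ldap-auth.lua:local ldap = require("resty.ldap")
ci/redhat-ci.sh:    wget tar gcc automake autoconf libtool make unzip git sudo openldap-devel hostname \
docs/en/latest/tutorials/add-multiple-api-versions.md:      "oldapi:8081": 1
rockspec/apisix-3.5.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-master-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-master-0.rockspec:    "lua-resty-ldap = 0.1.0-0",
t/chaos/utils/Dockerfile:        openldap \
EOF
}

# Constructed sample: the same subset after ci/redhat-ci.sh was cleaned up,
# matching the rerun posted in this thread.
sample_after() {
    sample_before | grep -v '^ci/redhat-ci\.sh:'
}

printf 'before: %s\n' "$(sample_before | removal_state)"
printf 'after:  %s\n' "$(sample_after | removal_state)"
sample_after | native_ldap_refs
```

In a checkout, the same functions take live input: `git grep -i ldap | removal_state`.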

@Zhenye-Na
Author

Here are the outputs after I re-run git grep -i ldap

CHANGELOG.md:- ldap-auth internal implementation, switching from lualdap to lua-resty-ldap: [#7590](https://github.com/apache/apisix/pull/7590)
CHANGELOG.md:- :sunrise: feat: Add ldap-auth plugin [#3894](https://github.com/apache/apisix/pull/3894)
apisix/plugins/ldap-auth.lua:local ldap = require("resty.ldap")
apisix/plugins/ldap-auth.lua:        ldap_uri = { type = "string" },
apisix/plugins/ldap-auth.lua:    required = {"base_dn","ldap_uri"},
apisix/plugins/ldap-auth.lua:local plugin_name = "ldap-auth"
apisix/plugins/ldap-auth.lua:    -- 2. try authenticate the user against the ldap server
apisix/plugins/ldap-auth.lua:    local ldap_host, ldap_port = core.utils.parse_addr(conf.ldap_uri)
apisix/plugins/ldap-auth.lua:    local ldapconf = {
apisix/plugins/ldap-auth.lua:        ldap_host = ldap_host,
apisix/plugins/ldap-auth.lua:        ldap_port = ldap_port or 389,
apisix/plugins/ldap-auth.lua:        ldaps = conf.use_tls,
apisix/plugins/ldap-auth.lua:    local res, err = ldap.ldap_authenticate(user.username, user.password, ldapconf)
apisix/plugins/ldap-auth.lua:        core.log.warn("ldap-auth failed: ", err)
ci/pod/openfunction/function-example/test-uri/go.sum:github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
ci/pod/openfunction/function-example/test-uri/go.sum:github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
conf/config-default.yaml:  - ldap-auth                      # priority: 2540
docs/en/latest/config.json:            "plugins/ldap-auth",
docs/en/latest/getting-started/key-authentication.md:- [LDAP](https://apisix.apache.org/docs/apisix/plugins/ldap-auth/)
docs/en/latest/plugins/ldap-auth.md:title: ldap-auth
docs/en/latest/plugins/ldap-auth.md:  - LDAP Authentication
docs/en/latest/plugins/ldap-auth.md:  - ldap-auth
docs/en/latest/plugins/ldap-auth.md:description: This document contains information about the Apache APISIX ldap-auth Plugin.
docs/en/latest/plugins/ldap-auth.md:The `ldap-auth` Plugin can be used to add LDAP authentication to a Route or a Service.
docs/en/latest/plugins/ldap-auth.md:This Plugin works with the Consumer object and the consumers of the API can authenticate with an LDAP server using [basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication).
docs/en/latest/plugins/ldap-auth.md:This Plugin uses [lua-resty-ldap](https://github.com/api7/lua-resty-ldap) for connecting with an LDAP server.
docs/en/latest/plugins/ldap-auth.md:| user_dn | string | True     | User dn of the LDAP client. For example, `cn=user01,ou=users,dc=example,dc=org`. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. |
docs/en/latest/plugins/ldap-auth.md:| base_dn  | string  | True     |         | Base dn of the LDAP server. For example, `ou=users,dc=example,dc=org`. |
docs/en/latest/plugins/ldap-auth.md:| ldap_uri | string  | True     |         | URI of the LDAP server.                                                |
docs/en/latest/plugins/ldap-auth.md:| tls_verify| boolean  | False     | `false`        | Whether to verify the server certificate when `use_tls` is enabled; If set to `true`, you must set `ssl_trusted_certificate` in `config.yaml`, and make sure the host of `ldap_uri` matches the host in server certificate. |
docs/en/latest/plugins/ldap-auth.md:First, you have to create a Consumer and enable the `ldap-auth` Plugin on it:
docs/en/latest/plugins/ldap-auth.md:        "ldap-auth": {
docs/en/latest/plugins/ldap-auth.md:        "ldap-auth": {
docs/en/latest/plugins/ldap-auth.md:            "ldap_uri": "localhost:1389",
docs/en/latest/plugins/ldap-auth.md:To remove the `ldap-auth` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
docs/en/latest/plugins/wolf-rbac.md:`authType` is the authentication type—1 for password authentication (default) and 2 for LDAP authentication (v0.5.0+).
docs/en/latest/stream-proxy.md:A stream proxy operates at the transport layer, handling stream-oriented traffic based on TCP and UDP protocols. TCP is used for many applications and services, such as LDAP, MySQL, and RTMP. UDP is used for many popular non-transactional applications, such as DNS, syslog, and RADIUS.
docs/en/latest/tutorials/add-multiple-api-versions.md:      "oldapi:8081": 1
docs/en/latest/tutorials/add-multiple-api-versions.md:    "oldapi:8081": 1
docs/en/latest/tutorials/add-multiple-api-versions.md:In the scope of this tutorial, we will use _URI path-based versioning_ because it’s the most widespread. We are going to add `v1` version for our existing `oldapi` in this section.
docs/zh/latest/CHANGELOG.md:- ldap-auth 内部实现,由 lualdap 换成 lua-resty-ldap:[#7590](https://github.com/apache/apisix/pull/7590)
docs/zh/latest/CHANGELOG.md:- :sunrise: 新增 ldap-auth 插件 [#3894](https://github.com/apache/apisix/pull/3894)
docs/zh/latest/config.json:            "plugins/ldap-auth",
docs/zh/latest/plugins/ldap-auth.md:title: ldap-auth
docs/zh/latest/plugins/ldap-auth.md:  - LDAP Authentication
docs/zh/latest/plugins/ldap-auth.md:  - ldap-auth
docs/zh/latest/plugins/ldap-auth.md:description: 本篇文档介绍了 Apache APISIX ldap-auth 插件的相关信息。
docs/zh/latest/plugins/ldap-auth.md:`ldap-auth` 插件可用于给路由或服务添加 LDAP 身份认证,该插件使用 [lua-resty-ldap](https://github.com/api7/lua-resty-ldap) 连接 LDAP 服务器。
docs/zh/latest/plugins/ldap-auth.md:该插件需要与 Consumer 一起配合使用,API 的调用方可以使用 [basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) 与 LDAP 服务器进行认证。
docs/zh/latest/plugins/ldap-auth.md:| user_dn | string | 是     | LDAP 客户端的 dn,例如:`cn=user01,ou=users,dc=example,dc=org`。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 |
docs/zh/latest/plugins/ldap-auth.md:| base_dn  | string  | 是     |         | LDAP 服务器的 dn,例如:`ou=users,dc=example,dc=org`。|
docs/zh/latest/plugins/ldap-auth.md:| ldap_uri | string  | 是     |         | LDAP 服务器的 URI。                                                |
docs/zh/latest/plugins/ldap-auth.md:| tls_verify| boolean  | 否     | false        | 是否校验 LDAP 服务器的证书。如果设置为 `true`,你必须设置 `config.yaml` 里面的 `ssl_trusted_certificate`,并且确保 `ldap_uri` 里的 host 和服务器证书中的 host 匹配。 |
docs/zh/latest/plugins/ldap-auth.md:        "ldap-auth": {
docs/zh/latest/plugins/ldap-auth.md:        "ldap-auth": {
docs/zh/latest/plugins/ldap-auth.md:            "ldap_uri": "localhost:1389",
docs/zh/latest/plugins/ldap-auth.md:当你需要禁用 `ldap-auth` 插件时,可以通过以下命令删除相应的 JSON 配置。APISIX 将自动重新加载,无需重启服务:
docs/zh/latest/plugins/wolf-rbac.md:`authType` 为认证类型,`1` 为密码认证(默认),`2` 为 LDAP 认证。`wolf` 从 0.5.0 版本开始支持了 LDAP 认证。
docs/zh/latest/stream-proxy.md:众多的闻名的应用和服务,像 LDAP、MYSQL 和 RTMP,选择 TCP 作为通信协议。但是像 DNS、syslog 和 RADIUS 这类非事务性的应用,他们选择了 UDP 协议。
rockspec/apisix-2.11.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.12.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.12.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.13.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.13.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.13.2-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.13.3-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.14.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.14.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.15.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.15.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.15.2-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.15.3-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.99.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.99.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.0.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.0.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.1.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.1.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.2.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.2.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.2.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.2.1-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.3.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.3.0-0.rockspec:    "lua-resty-ldap = 0.2.2-0"
rockspec/apisix-3.4.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.4.0-0.rockspec:    "lua-resty-ldap = 0.2.2-0"
rockspec/apisix-3.5.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.5.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0",
rockspec/apisix-master-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-master-0.rockspec:    "lua-resty-ldap = 0.1.0-0",
t/admin/plugins.t:ldap-auth
t/admin/plugins.t:qr/\[\{"name":"wolf-rbac","priority":2555\},\{"name":"ldap-auth","priority":2540\},\{"name":"hmac-auth","priority":2530\},\{"name":"basic-auth","priority":2520\},\{"name":"jwt-auth","priority":2510\},\{"name":"key-auth","priority":2500\}\]/
t/chaos/utils/Dockerfile:        openldap \
t/plugin/ldap-auth.t:            local plugin = require("apisix.plugins.ldap-auth")
t/plugin/ldap-auth.t:            local plugin = require("apisix.plugins.ldap-auth")
t/plugin/ldap-auth.t:            local ok, err = plugin.check_schema({base_dn = 123, ldap_uri = "127.0.0.1:1389"})
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "127.0.0.1:1389",
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "127.0.0.1:1389",
t/plugin/ldap-auth.t:                            ["ldap-auth"] = case
t/plugin/ldap-auth.t:{"error_msg":"invalid plugins configuration: failed to check the configuration of plugin ldap-auth err: property \"user_dn\" is required"}
t/plugin/ldap-auth.t:{"error_msg":"invalid plugins configuration: invalid plugin conf \"blah\" for plugin [ldap-auth]"}
t/plugin/ldap-auth.t:            local code, body = t('/apisix/admin/schema/plugins/ldap-auth',
t/plugin/ldap-auth.t:{"title":"work with route or service object","required":["base_dn","ldap_uri"],"properties":{"base_dn":{"type":"string"},"ldap_uri":{"type":"string"},"use_tls":{"type":"boolean"},"tls_verify":{"type":"boolean"},"uid":{"type":"string"}},"type":"object"}
t/plugin/ldap-auth.t:            local code, body = t('/apisix/admin/schema/plugins/ldap-auth?schema_type=consumer',
t/plugin/ldap-auth.t:            local code, body = t('/apisix/admin/schema/plugins/ldap-auth?schema_type=consumer123123',
t/plugin/ldap-auth.t:{"title":"work with route or service object","required":["base_dn","ldap_uri"],"properties":{"base_dn":{"type":"string"},"ldap_uri":{"type":"string"},"use_tls":{"type":"boolean"},"tls_verify":{"type":"boolean"},"uid":{"type":"string"}},"type":"object"}                ]]
t/plugin/ldap-auth.t:=== TEST 17: enable ldap-auth with tls
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "test.com:1636",
t/plugin/ldap-auth.t:=== TEST 19: enable ldap-auth with tls, verify CA
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "test.com:1636",
t/plugin/ldap-auth.t:=== TEST 21: set ldap-auth conf: user_dn uses secret ref
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "127.0.0.1:1389",
t/plugin/ldap-auth.t:=== TEST 24: set ldap-auth conf with the token in an env var: user_dn uses secret ref
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "127.0.0.1:1389",

@kingluo
Contributor

kingluo commented Sep 18, 2023

@Zhenye-Na Please check the CI errors.

@Zhenye-Na
Author

Zhenye-Na commented Sep 20, 2023

Acknowledged.

Meanwhile, I am wondering: is there a way that I could initiate the CI testing on my own to reduce the communication back and forth?

Or perhaps there is a way to test the code locally and I didn't come across that page; could you help point me to it?

Thanks!

@kingluo
Contributor

kingluo commented Sep 20, 2023

> Acknowledged.
>
> Meanwhile, I am wondering whether there is a way that I could initiate the CI testing on my own to reduce the communication back and forth?
>
> Or perhaps there is a way to test the code locally and I didn't come across that page; could you help point me to it?
>
> Thanks!

Fork the repo, create a branch there to make code changes, and raise a PR to the master branch of your fork.

@Zhenye-Na
Author

Zhenye-Na commented Sep 23, 2023

I was checking the errors of the CI Builds

apisix master-0 depends on lualdap 1.2.6-1 (not installed)
Installing https://luarocks.org/lualdap-1.2.6-1.src.rock

Error: Failed installing dependency: https://luarocks.org/lualdap-1.2.6-1.src.rock - Could not find header file for LDAP
  No file ldap.h in /usr/local/include
  No file ldap.h in /usr/include
  No file ldap.h in /include
You may have to install LDAP in your system and/or pass LDAP_DIR or LDAP_INCDIR to the luarocks command.
Example: luarocks install lualdap LDAP_DIR=/usr/local
Error: Process completed with exit code 1.

It looks like one of the dependencies, lualdap-1.2.6-1, is not installed properly or is missing the ldap.h header file. However, when I search for this occurrence, I only see it appear in the luaspec file, which I assume is the file that declares all of the dependencies and which I did not touch (search results below).

I would appreciate any pointers for investigating this issue further.

git grep -i ldap | cat
CHANGELOG.md:- ldap-auth internal implementation, switching from lualdap to lua-resty-ldap: [#7590](https://github.com/apache/apisix/pull/7590)
CHANGELOG.md:- :sunrise: feat: Add ldap-auth plugin [#3894](https://github.com/apache/apisix/pull/3894)
apisix/plugins/ldap-auth.lua:local ldap = require("resty.ldap")
apisix/plugins/ldap-auth.lua:        ldap_uri = { type = "string" },
apisix/plugins/ldap-auth.lua:    required = {"base_dn","ldap_uri"},
apisix/plugins/ldap-auth.lua:local plugin_name = "ldap-auth"
apisix/plugins/ldap-auth.lua:    -- 2. try authenticate the user against the ldap server
apisix/plugins/ldap-auth.lua:    local ldap_host, ldap_port = core.utils.parse_addr(conf.ldap_uri)
apisix/plugins/ldap-auth.lua:    local ldapconf = {
apisix/plugins/ldap-auth.lua:        ldap_host = ldap_host,
apisix/plugins/ldap-auth.lua:        ldap_port = ldap_port or 389,
apisix/plugins/ldap-auth.lua:        ldaps = conf.use_tls,
apisix/plugins/ldap-auth.lua:    local res, err = ldap.ldap_authenticate(user.username, user.password, ldapconf)
apisix/plugins/ldap-auth.lua:        core.log.warn("ldap-auth failed: ", err)
ci/pod/openfunction/function-example/test-uri/go.sum:github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
ci/pod/openfunction/function-example/test-uri/go.sum:github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
conf/config-default.yaml:  - ldap-auth                      # priority: 2540
docs/en/latest/config.json:            "plugins/ldap-auth",
docs/en/latest/getting-started/key-authentication.md:- [LDAP](https://apisix.apache.org/docs/apisix/plugins/ldap-auth/)
docs/en/latest/plugins/ldap-auth.md:title: ldap-auth
docs/en/latest/plugins/ldap-auth.md:  - LDAP Authentication
docs/en/latest/plugins/ldap-auth.md:  - ldap-auth
docs/en/latest/plugins/ldap-auth.md:description: This document contains information about the Apache APISIX ldap-auth Plugin.
docs/en/latest/plugins/ldap-auth.md:The `ldap-auth` Plugin can be used to add LDAP authentication to a Route or a Service.
docs/en/latest/plugins/ldap-auth.md:This Plugin works with the Consumer object and the consumers of the API can authenticate with an LDAP server using [basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication).
docs/en/latest/plugins/ldap-auth.md:This Plugin uses [lua-resty-ldap](https://github.com/api7/lua-resty-ldap) for connecting with an LDAP server.
docs/en/latest/plugins/ldap-auth.md:| user_dn | string | True     | User dn of the LDAP client. For example, `cn=user01,ou=users,dc=example,dc=org`. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. |
docs/en/latest/plugins/ldap-auth.md:| base_dn  | string  | True     |         | Base dn of the LDAP server. For example, `ou=users,dc=example,dc=org`. |
docs/en/latest/plugins/ldap-auth.md:| ldap_uri | string  | True     |         | URI of the LDAP server.                                                |
docs/en/latest/plugins/ldap-auth.md:| tls_verify| boolean  | False     | `false`        | Whether to verify the server certificate when `use_tls` is enabled; If set to `true`, you must set `ssl_trusted_certificate` in `config.yaml`, and make sure the host of `ldap_uri` matches the host in server certificate. |
docs/en/latest/plugins/ldap-auth.md:First, you have to create a Consumer and enable the `ldap-auth` Plugin on it:
docs/en/latest/plugins/ldap-auth.md:        "ldap-auth": {
docs/en/latest/plugins/ldap-auth.md:        "ldap-auth": {
docs/en/latest/plugins/ldap-auth.md:            "ldap_uri": "localhost:1389",
docs/en/latest/plugins/ldap-auth.md:To remove the `ldap-auth` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
docs/en/latest/plugins/wolf-rbac.md:`authType` is the authentication type—1 for password authentication (default) and 2 for LDAP authentication (v0.5.0+).
docs/en/latest/stream-proxy.md:A stream proxy operates at the transport layer, handling stream-oriented traffic based on TCP and UDP protocols. TCP is used for many applications and services, such as LDAP, MySQL, and RTMP. UDP is used for many popular non-transactional applications, such as DNS, syslog, and RADIUS.
docs/en/latest/terminology/consumer.md:Authentcation plugins that can be configured with a Consumer include `basic-auth`, `hmac-auth`, `jwt-auth`, `key-auth`, `ldap-auth`, and `wolf-rbac`.
docs/en/latest/tutorials/add-multiple-api-versions.md:      "oldapi:8081": 1
docs/en/latest/tutorials/add-multiple-api-versions.md:    "oldapi:8081": 1
docs/en/latest/tutorials/add-multiple-api-versions.md:In the scope of this tutorial, we will use _URI path-based versioning_ because it’s the most widespread. We are going to add `v1` version for our existing `oldapi` in this section.
docs/zh/latest/CHANGELOG.md:- ldap-auth 内部实现,由 lualdap 换成 lua-resty-ldap:[#7590](https://github.com/apache/apisix/pull/7590)
docs/zh/latest/CHANGELOG.md:- :sunrise: 新增 ldap-auth 插件 [#3894](https://github.com/apache/apisix/pull/3894)
docs/zh/latest/config.json:            "plugins/ldap-auth",
docs/zh/latest/getting-started/key-authentication.md:- [LDAP](https://apisix.apache.org/zh/docs/apisix/plugins/ldap-auth/)
docs/zh/latest/plugins/ldap-auth.md:title: ldap-auth
docs/zh/latest/plugins/ldap-auth.md:  - LDAP Authentication
docs/zh/latest/plugins/ldap-auth.md:  - ldap-auth
docs/zh/latest/plugins/ldap-auth.md:description: 本篇文档介绍了 Apache APISIX ldap-auth 插件的相关信息。
docs/zh/latest/plugins/ldap-auth.md:`ldap-auth` 插件可用于给路由或服务添加 LDAP 身份认证,该插件使用 [lua-resty-ldap](https://github.com/api7/lua-resty-ldap) 连接 LDAP 服务器。
docs/zh/latest/plugins/ldap-auth.md:该插件需要与 Consumer 一起配合使用,API 的调用方可以使用 [basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) 与 LDAP 服务器进行认证。
docs/zh/latest/plugins/ldap-auth.md:| user_dn | string | 是     | LDAP 客户端的 dn,例如:`cn=user01,ou=users,dc=example,dc=org`。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 |
docs/zh/latest/plugins/ldap-auth.md:| base_dn  | string  | 是     |         | LDAP 服务器的 dn,例如:`ou=users,dc=example,dc=org`。|
docs/zh/latest/plugins/ldap-auth.md:| ldap_uri | string  | 是     |         | LDAP 服务器的 URI。                                                |
docs/zh/latest/plugins/ldap-auth.md:| tls_verify| boolean  | 否     | false        | 是否校验 LDAP 服务器的证书。如果设置为 `true`,你必须设置 `config.yaml` 里面的 `ssl_trusted_certificate`,并且确保 `ldap_uri` 里的 host 和服务器证书中的 host 匹配。 |
docs/zh/latest/plugins/ldap-auth.md:        "ldap-auth": {
docs/zh/latest/plugins/ldap-auth.md:        "ldap-auth": {
docs/zh/latest/plugins/ldap-auth.md:            "ldap_uri": "localhost:1389",
docs/zh/latest/plugins/ldap-auth.md:当你需要禁用 `ldap-auth` 插件时,可以通过以下命令删除相应的 JSON 配置。APISIX 将自动重新加载,无需重启服务:
docs/zh/latest/plugins/wolf-rbac.md:`authType` 为认证类型,`1` 为密码认证(默认),`2` 为 LDAP 认证。`wolf` 从 0.5.0 版本开始支持了 LDAP 认证。
docs/zh/latest/stream-proxy.md:众多的闻名的应用和服务,像 LDAP、MYSQL 和 RTMP,选择 TCP 作为通信协议。但是像 DNS、syslog 和 RADIUS 这类非事务性的应用,他们选择了 UDP 协议。
docs/zh/latest/terminology/consumer.md:目前,可以与 Consumer 配置的身份验证插件包括 `basic-auth` 、`hmac-auth`、`jwt-auth`、`key-auth`、`ldap-auth` 和 `wolf-rbac`。
rockspec/apisix-2.11.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.12.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.12.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.13.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.13.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.13.2-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.13.3-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.14.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.14.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.15.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.15.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.15.2-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.15.3-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.99.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-2.99.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.0.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.0.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.1.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.1.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.2.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.2.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.2.1-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.2.1-0.rockspec:    "lua-resty-ldap = 0.1.0-0"
rockspec/apisix-3.3.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.3.0-0.rockspec:    "lua-resty-ldap = 0.2.2-0"
rockspec/apisix-3.4.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.4.0-0.rockspec:    "lua-resty-ldap = 0.2.2-0"
rockspec/apisix-3.5.0-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-3.5.0-0.rockspec:    "lua-resty-ldap = 0.1.0-0",
rockspec/apisix-master-0.rockspec:    "lualdap = 1.2.6-1",
rockspec/apisix-master-0.rockspec:    "lua-resty-ldap = 0.1.0-0",
t/admin/plugins.t:ldap-auth
t/admin/plugins.t:qr/\[\{"name":"wolf-rbac","priority":2555\},\{"name":"ldap-auth","priority":2540\},\{"name":"hmac-auth","priority":2530\},\{"name":"basic-auth","priority":2520\},\{"name":"jwt-auth","priority":2510\},\{"name":"key-auth","priority":2500\}\]/
t/plugin/ldap-auth.t:            local plugin = require("apisix.plugins.ldap-auth")
t/plugin/ldap-auth.t:            local plugin = require("apisix.plugins.ldap-auth")
t/plugin/ldap-auth.t:            local ok, err = plugin.check_schema({base_dn = 123, ldap_uri = "127.0.0.1:1389"})
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "127.0.0.1:1389",
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "127.0.0.1:1389",
t/plugin/ldap-auth.t:                            ["ldap-auth"] = case
t/plugin/ldap-auth.t:{"error_msg":"invalid plugins configuration: failed to check the configuration of plugin ldap-auth err: property \"user_dn\" is required"}
t/plugin/ldap-auth.t:{"error_msg":"invalid plugins configuration: invalid plugin conf \"blah\" for plugin [ldap-auth]"}
t/plugin/ldap-auth.t:            local code, body = t('/apisix/admin/schema/plugins/ldap-auth',
t/plugin/ldap-auth.t:{"title":"work with route or service object","required":["base_dn","ldap_uri"],"properties":{"base_dn":{"type":"string"},"ldap_uri":{"type":"string"},"use_tls":{"type":"boolean"},"tls_verify":{"type":"boolean"},"uid":{"type":"string"}},"type":"object"}
t/plugin/ldap-auth.t:            local code, body = t('/apisix/admin/schema/plugins/ldap-auth?schema_type=consumer',
t/plugin/ldap-auth.t:            local code, body = t('/apisix/admin/schema/plugins/ldap-auth?schema_type=consumer123123',
t/plugin/ldap-auth.t:{"title":"work with route or service object","required":["base_dn","ldap_uri"],"properties":{"base_dn":{"type":"string"},"ldap_uri":{"type":"string"},"use_tls":{"type":"boolean"},"tls_verify":{"type":"boolean"},"uid":{"type":"string"}},"type":"object"}                ]]
t/plugin/ldap-auth.t:=== TEST 17: enable ldap-auth with tls
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "test.com:1636",
t/plugin/ldap-auth.t:=== TEST 19: enable ldap-auth with tls, verify CA
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "test.com:1636",
t/plugin/ldap-auth.t:=== TEST 21: set ldap-auth conf: user_dn uses secret ref
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "127.0.0.1:1389",
t/plugin/ldap-auth.t:=== TEST 24: set ldap-auth conf with the token in an env var: user_dn uses secret ref
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                        "ldap-auth": {
t/plugin/ldap-auth.t:                            "ldap_uri": "127.0.0.1:1389",
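
Added example (not part of the thread and not APISIX project code): a check for rocks that a rockspec still declares although no Lua source requires them, which is the situation the grep output above shows for `lualdap` and the reason the build still needs `ldap.h`. The inputs are constructed from lines in that grep output; `lua-resty-example`, `apisix/example.lua` and the rock-name-to-module heuristic are assumptions made for the illustration.

```python
import re

# Constructed inputs modelled on the grep output in the comment above.
# "lua-resty-example" and apisix/example.lua are invented for contrast.
ROCKSPEC = '''
package = "apisix"
dependencies = {
    "lualdap = 1.2.6-1",
    "lua-resty-ldap = 0.1.0-0",
    "lua-resty-example = 1.0-0",  -- constructed entry
}
'''
SOURCES = {
    "apisix/plugins/ldap-auth.lua": 'local ldap = require("resty.ldap")\n',
    "apisix/example.lua": "local c = require 'resty.example.client'\n",
}


def declared_rocks(rockspec_text):
    """Return {rock_name: version_constraint} from the dependencies table."""
    text = re.sub(r"--[^\n]*", "", rockspec_text)  # drop Lua line comments
    block = re.search(r"dependencies\s*=\s*\{(.*?)\}", text, re.S)
    rocks = {}
    if block:
        for entry in re.findall(r'"([^"]+)"', block.group(1)):
            name, _, constraint = entry.partition(" ")
            rocks[name.lower()] = constraint.strip()
    return rocks


def required_modules(sources):
    """Collect module names from require("x") and require 'x' calls."""
    mods = set()
    for body in sources.values():
        mods.update(re.findall(r"""require\s*\(?\s*["']([\w.\-]+)["']""", body))
    return mods


def module_prefixes(rock):
    """Heuristic (assumption): guess the module names a rock provides."""
    guesses = {rock, rock.replace("-", "."), rock.replace("-", "_")}
    if rock.startswith("lua-"):
        guesses.add(rock[4:].replace("-", "."))  # lua-resty-ldap -> resty.ldap
    return guesses


def unrequired_rocks(rockspec_text, sources):
    """Rocks declared in the rockspec that no source file appears to require."""
    mods = required_modules(sources)
    stale = []
    for rock in declared_rocks(rockspec_text):
        prefixes = module_prefixes(rock)
        if not any(m == p or m.startswith(p + ".") for m in mods for p in prefixes):
            stale.append(rock)
    return sorted(stale)


if __name__ == "__main__":
    for rock in unrequired_rocks(ROCKSPEC, SOURCES):
        print(f"declared but never required: {rock}")
```

A flagged rock is a candidate for review, not proof that it is unused: it may be loaded under a module name the heuristic does not guess, or be needed only by another dependency.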

@monkeyDluffy6017
Contributor

@Zhenye-Na The ci is still failing

@Zhenye-Na
Author

> @Zhenye-Na The ci is still failing

I understood. Please see the comment in api7/apisix-build-tools#337 (comment) before I push out the fix for this.

ci/common.sh Outdated
@@ -20,6 +20,7 @@ set -ex
export_or_prefix() {
export OPENRESTY_PREFIX="/usr/local/openresty-debug"
export APISIX_MAIN="https://raw.githubusercontent.com/apache/incubator-apisix/master/rockspec/apisix-master-0.rockspec"
export APISIX_LDAP_DEPRECATION="https://raw.githubusercontent.com/Zhenye-Na/apisix/remove-openldap/rockspec/apisix-master-0.rockspec"
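
Review bot: the added `APISIX_LDAP_DEPRECATION` export points CI at a rockspec on a personal fork branch (`Zhenye-Na/apisix/remove-openldap`) served from raw.githubusercontent.com, which is a mutable ref outside the project's control, so the dependency list CI installs can change without any commit to this repository. Use the `rockspec/apisix-master-0.rockspec` file from the checked-out tree instead, or at minimum pin the URL to a commit SHA. The variable name also describes the migration rather than what the variable holds; if a second variable is needed at all, name it after its content.
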
Contributor

Please remove the personal link and use the local file apisix-master-0.rockspec.

Author

If I remove this reference to use the apache/apisix master branch, lualdap will be included during the dependencies installation. This will cause the issue that happened before, which is that lualdap.h is missing the configuration.

Author

Though I am not too sure regarding the ldap-auth testing failures, as I was not touching any files that reference the dependencies of ldap-auth. Maybe I am missing something?

@@ -39,7 +39,7 @@ script() {
cp -r ../utils ./

# install APISIX by luarocks
luarocks install $APISIX_MAIN > build.log 2>&1 || (cat build.log && exit 1)
luarocks install $APISIX_LDAP_DEPRECATION > build.log 2>&1 || (cat build.log && exit 1)
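
Review bot: the replaced `luarocks install` line now builds from whatever `$APISIX_LDAP_DEPRECATION` serves at run time, so this job no longer exercises the rockspec in the tree under review and its result can change independently of the PR. Install from the rockspec in the checkout, quote the expansion, and, if this was the only use of `APISIX_MAIN`, drop that export rather than leaving it dead.
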
Contributor

ditto.

Author

ack, will be replacing the reference of my own branch to mainline, once we are ready to merge this PR

@monkeyDluffy6017
Contributor

@Zhenye-Na What else does this pr need in order to be merged?

@Zhenye-Na
Author

> @Zhenye-Na What else does this pr need in order to be merged?

From my point of view, this PR and api7/apisix-build-tools#337 need to be merged together, as you mentioned the following in this PR comment above ^

> Need a new pr to remove ldap in build-tools
> api7/apisix-build-tools@acedbc0/package-apisix.sh#L10

@monkeyDluffy6017
Contributor

@kingluo Could you help check if there is any remaining work pending?

@kingluo
Contributor

kingluo commented Oct 13, 2023

@Zhenye-Na merge api7/apisix-build-tools#337 first, and the ci here will pass, right?

@Zhenye-Na
Author

Zhenye-Na commented Oct 15, 2023

> @Zhenye-Na merge api7/apisix-build-tools#337 first, and the ci here will pass, right?

Hey @kingluo, sorry for the late reply here. To be honest, the CI test cases failed in this PR, and I could see that most of them are for ldap-auth:

Test Summary Report
-------------------
t/plugin/ldap-auth.t (Wstat: 9728 Tests: 144 Failed: 38)
  Failed tests:  51, 54-60, 67-72, 97-102, 109-114, 127-132
                139-144
  Non-zero exit status: 38
t/plugin/request-id.t (Wstat: 256 Tests: 45 Failed: 1)
  Failed test:  44
  Non-zero exit status: 1

I did not change anything related to ldap-auth, as you mentioned initially, so I am not too confident whether this is due to the dependency change in this PR or the other one (api7/apisix-build-tools#337).

As long as api7/apisix-build-tools#337 makes sense to you, we could merge that PR first, and either you or I could re-trigger the CI testing to verify.

@monkeyDluffy6017
Contributor

@Zhenye-Na I will continue to review this pr, Thanks!

@Zhenye-Na
Author

> @Zhenye-Na I will continue to review this pr, Thanks!

No worries, let's work together to sort this out.

Thanks


This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the [email protected] list. Thank you for your contributions.

@shreemaan-abhishek
Contributor

@Zhenye-Na are you going to work on this?

@Revolyssup
Contributor

@Zhenye-Na Do you need this api7/apisix-build-tools#337 PR merged in order to go forward with this PR?

@Zhenye-Na
Author

> @Zhenye-Na Do you need this api7/apisix-build-tools#337 PR merged in order to go forward with this PR?

Hello @Revolyssup,

If I remember this clearly, these two PRs are circularly dependent on each other. So I believe it is better for the PR to the build-tool package to be merged first.

@Revolyssup
Contributor

api7/apisix-build-tools#337

Makes sense

@Zhenye-Na
Author

@Revolyssup

I just cleaned up the merge conflicts here as well, thanks!


This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the [email protected] list. Thank you for your contributions.

@github-actions github-actions bot added the stale label May 18, 2024