Implementing a custom Koobernaytis authentication method

April 2020

Koobernaytis supports several authentication methods out-of-the-box, such as X.509 client certificates, static HTTP bearer tokens, and OpenID Connect.

However, Koobernaytis also provides extension points that allow you to bind a cluster to any custom authentication method or user management system.

This article explains how you can implement LDAP authentication for your Koobernaytis cluster.

LDAP authentication means that users will be able to authenticate to the Koobernaytis cluster with their existing credentials from a Lightweight Directory Access Protocol (LDAP) directory:

The role of LDAP authentication in this tutorial is to serve as an illustrative example — the goal of the article is to show the general principles of how to implement a custom authentication method.

You can use the same knowledge that you gain in this article for integrating any other authentication technology.

Think of Kerberos, Keycloak, OAuth, SAML, custom certificates, custom tokens, and any kind of existing single-sign on infrastructure.

You can use all of them with Koobernaytis!

Let's start by briefly reviewing the fundamentals of how the access to the Koobernaytis API is controlled.

Contents

1. How access to the Koobernaytis API is controlled
2. Prerequisites
3. Setting up an LDAP directory
4. Creating an LDAP user entry
5. Using the Webhook Token authentication plugin
6. Implementing the webhook token authentication service
7. Deploying the webhook token authentication service
8. Creating the Koobernaytis cluster
9. Testing the LDAP authentication method
10. Cleaning up
11. Conclusion

How access to the Koobernaytis API is controlled

Every request to the Koobernaytis API passes through three stages in the API server: authentication, authorisation, and admission control:

Each stage has a well-defined purpose:

• Authentication checks whether the user is a legitimate user of the API and, if yes, establishes its user identity
• Authorisation checks whether the identified user has permission to execute the requested operation
• Admission control performs a variety of additional configurable checks on the request to enforce cluster policies

At each stage, a request may be rejected — only requests that successfully make it through all three stages are handled by the Koobernaytis API.

Let's have a closer look at the authentication stage.

The task of the authentication stage is to check whether a request comes from a legitimate user and to reject all requests that don't.

This is done by verifying some form of credentials in the request and establishing the identity of the user that these credentials belong to.

Internally, the authentication stage is organised as a sequence of authentication plugins:

Each authentication plugin implements a specific authentication method.

An incoming request is presented to each authentication plugin in sequence.

If any of the authentication plugins can successfully verify the credentials in the request, then authentication is complete and the request proceeds to the authorisation stage (the execution of the other authentication plugins is short-circuited).

If none of the authentication plugins can authenticate the request, the request is rejected with a 401 Unauthorized HTTP status code.

Note that the 401 Unauthorized status code is a long-standing misnomer as it indicates authentication errors and not authorisation errors. The HTTP status code for authorisation errors is 403 Forbidden.

So what authentication plugins do there exist?

First of all, Koobernaytis does not provide an open plugin mechanism that allows you to develop your own plugins and simply plug them in.

Rather, Koobernaytis provides a fixed set of in-tree authentication plugins that are compiled in the API server binary.

These plugins can be selectively enabled and configured with command-line flags on the API server binary at startup time.

You can find the list of available authentication plugins in the Koobernaytis documentation.

There are three "closed" authentication plugins that implement specific authentication methods:

• X.509 Client Certs
• Static Token File
• OpenID Connect Tokens

Up to and including Koobernaytis v1.15, there was additionally the Static Password File authentication plugin which implemented HTTP basic authentication, however, it was deprecated in Koobernaytis v1.16.

Furthermore, there are two "open-ended" authentication plugins that don't implement a specific authentication method but provide a point of extensibility for incorporating custom authentication logic:

• Webhook Token
• Authenticating Proxy

The flexibility of the Koobernaytis authentication mechanisms stems from these two open-ended authentication plugins.

They allow integrating any desired authentication method with Koobernaytis.

In this tutorial, you will use the Webhook Token authentication plugin to implement LDAP authentication for your Koobernaytis cluster.

To this end, you will create various components — an LDAP directory, an authentication service, and a Koobernaytis cluster — and you will wire them up to work smoothly together.

Let's get started!

Prerequisites

This tutorial assumes that you have a Google Cloud Platform (GCP) account and a working installation of the gcloud command-line tool on your system.

If you haven't a GCP account yet, you can create a new one, in which case you get USD 300 credits that you can use for this tutorial.

You can install gcloud by installing the Google Cloud SDK according to the GCP documentation.

The accumulated costs for the GCP resources created in this tutorial are no more than 10 US cents per hour.

All charges will be subtracted from the USD 300 free credits that you get when you create a new account.

Setting up an LDAP directory

The first thing you will do is creating an LDAP directory that will serve as the central user management system of your setup.

Lightweight Directory Access Protocol (LDAP) belongs to a type of application called directory services to which also the Domain Name System (DNS) belongs to.

You can think of an LDAP directory as a database that maps names to values.

In practice, LDAP is often used to centrally store user information, such as personal data (name, address, email address, etc.), usernames, passwords, group affiliations and so on, of all members of an organisation.

This information is then accessed by various applications and services for authentication purposes, such as validating the username and password supplied by the user.

This is called LDAP authentication.

In this tutorial, you will use OpenLDAP as your LDAP directory, which is one of the most popular LDAP directory implementations.

Let's start by creating the necessary GCP infrastructure for the LDAP directory.

First of all, create a new GCP VPC network and subnet:

gcloud compute networks create my-net --subnet-mode custom
gcloud compute networks subnets create my-subnet --network my-net --range 10.0.0.0/16

Next, create a GCP instance for hosting the LDAP directory:

gcloud compute instances create authn \
  --subnet my-subnet \
  --machine-type n1-standard-1  \
  --image-family ubuntu-1804-lts \
  --image-project ubuntu-os-cloud

By default, GCP instances can't accept any traffic unless you define firewall rules that explicitly allow certain types of traffic.

In your case, traffic should be accepted from other instances in the same VPC network as well as from your local machine.

To realise this, create the following firewall rule:

gcloud compute firewall-rules create allow-internal-and-admin \
  --network my-net \
  --allow icmp,tcp,udp \
  --source-ranges 10.0.0.0/16,$(curl checkip.amazonaws.com)

If the public IP address of your local machine ever changes, you can update the firewall rule with gcloud compute firewall-rules update.

Now, log in to instance with SSH:

gcloud compute ssh root@authn

The next step is to install OpenLDAP on the instance.

OpenLDAP is distributed as the slapd Debian package.

Before you install this package, you should preset some of its settings, which will make the configuration easier:

cat <<EOF | debconf-set-selections
slapd slapd/password1 password adminpassword
slapd slapd/password2 password adminpassword
slapd slapd/domain string mycompany.com
slapd shared/organization string mycompany.com
EOF

The above command sets the password of the default LDAP admin user to adminpassword and the base of the LDAP database to mycompany.com.

Now, you can install the slapd package:

apt-get update
apt-get install -y slapd

That's it — OpenLDAP should now be installed and running!

You can now log out from the instance:

exit

Let's test if you can access the LDAP directory from your local machine.

To interact with LDAP directories, you can use the ldapsearch tool which allows making LDAP Search requests.

If you're on macOS, then ldapsearch should be albready installed — if you're on Linux, you can install it with:

sudo apt-get install ldap-utils

With ldapsearch installed, run the following command:

ldapsearch -LLL -H ldap://<AUTHN-EXTERNAL-IP> \
  -x -D cn=admin,dc=mycompany,dc=com -w adminpassword \
  -b dc=mycompany,dc=com

Please replace <AUTHN-EXTERNAL-IP> with the external IP address of the authn instance that you just created, which you can find out with gcloud compute instances list.

The above command might look cryptic, but it's the canonical way to interact with an LDAP directory, so here are some explanations:

• The -LLL option simplifies the output format be removing comments and other metadata
• The -H option specifies the URL of the LDAP directory
• The -x, -D, and -w options provide the authentication information for connecting to the LDAP directory: -D is the user to connect as, and -w is the corresponding password (note that is the LDAP admin user whose password you defined in the initial slapd package configuration).
• The -b option specifies the search base, that is, the node in the LDAP directory under which the search is performed.

In general, an LDAP directory is a tree-like hierarchical database (like DNS): a node like dc=mycompany,dc=com (dc stands for domain component) can be read as mycompany.com; so a node like cn=admin,dc=mycompany,dc=com (admin.mycompany.com) is one level under dc=mycompany,dc=com.

In any case, the output of the command should look like that:

dn: dc=mycompany,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: mycompany.com
dc: mycompany

dn: cn=admin,dc=mycompany,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9bHF4NGljTGlyL1BDSkhiYVVFMXcrQ2ZpM045S2laMzc=

These are the two LDAP entries that currently exist in your LDAP directory.

An LDAP entry is like at a DNS record, or a row in a relational database — the basic entity that contains the data.

In general, an LDAP entry consists of a unique identifier called dn (distinguished name) and a set of attributes, such as objectClass, cn (common name), o (organisation), or userPassword.

All in all, the above result tells you that your LDAP directory is working!

Creating an LDAP user entry

Currently, there's not much useful data in your LDAP directory — but let's change that.

Your next task is to create an LDAP entry for the user Alice — the following info should be saved about her:

• First name: Alice
• Last name: Wonderland
• Username: alice
• Password: alicepassword
• Group: dev

To store this information as an LDAP entry, you have to express it in the LDAP Data Interchange Format (LDIF) format.

Here's how this looks like (save the following in a file named alice.ldif):

dn: cn=alice,dc=mycompany,dc=com
objectClass: top
objectClass: inetOrgPerson
gn: Alice
sn: Wonderland
cn: alice
userPassword: alicepassword
ou: dev

The above specification defines an entry with a distinguished name (dn) of cn=alice,dc=mycompany,dc=com — this is the unique identifier of this entry in your LDAP directory.

Furthermore, the entry has the following attributes:

• objectClass defines the type of the entry and dictates which other attributes are allowed or mandatory; inetOrgPerson is a standard object class for storing user information.
• gn stands for given name
• sn stands for surname
• cn stands for common name and is often used for storing usernames
• userPassword is the user's password
• ou stands for organisational unit and is often used for storing affiliations

To create this entry, you can use the ldapadd tool which allows making LDAP Add requests to an LDAP directory.

If you installed ldapsearch, you should also have ldapadd because they are bundled together.

Run the following command:

ldapadd -H ldap://<AUTHN-EXTERNAL-IP> \
  -x -D cn=admin,dc=mycompany,dc=com -w adminpassword -f alice.ldif

Please replace <AUTHN-EXTERNAL-IP> with the external IP address of the authn instance.

The output should say:

adding new entry "cn=alice,dc=mycompany,dc=com"

Sounds good!

To be sure that the entry has been added, try to query it with the following command:

ldapsearch -LLL -H ldap://<AUTHN-EXTERNAL-IP> \
  -x -D cn=admin,dc=mycompany,dc=com -w adminpassword \
  -b dc=mycompany,dc=com cn=alice

This command is similar to the ldapsearch command from before, but it has an additional argument at the end (cn=alice) — this is the search filter and it causes only those entries to be returned that match the filter.

The output of the command s