A fast, simple, in-memory caching proxy for ldap that allows limiting of dn's and their searches.
# /data/config.toml for containers.
# /etc/ldap-proxy/config.toml for packaged versions.
bind = "127.0.0.1:3636"
tls_chain = "/tmp/chain.pem"
tls_key = "/tmp/key.pem"
# Number of bytes of entries to store in the cache
# cache_bytes = 137438953472
# Seconds that entries remain valid in cache
# cache_entry_timeout = 1800
# The max ber size of requests from clients
# max_incoming_ber_size = 8388608
# The max ber size of responses from the upstream ldap server
# max_proxy_ber_size = 8388608
# By default only DNs listed in the bind-maps may bind. All other
# DNs that do not have a bind-map entry may not proceed. Setting
# this allows all DNs to bind through the server. When this is
# true, if the DN has a bind-map it will filter the queries of that
# DN. If the DN does not have a bind map, it allows all queries.
#
# Another way to think of this is that setting this to "false"
# makes this an ldap firewall. Setting this to "true" turns this
# into a search-caching proxy.
#
# allow_all_bind_dns = false
ldap_ca = "/tmp/ldap-ca.pem"
ldap_url = "ldaps://idm.example.com"
# Bind Maps
#
# This allows you to configure which DNs can bind, and what search
# queries they may perform.
#
# "" is the anonymous dn
[""]
allowed_queries = [
["", "base", "(objectclass=*)"],
["o=example", "subtree", "(objectclass=*)"],
]
# In some cases you may want to map anonymous to an authenticated dn. This allows
# setting the dn and credential that will be used in the mapping.
#
# map_to_dn: "uid=remote_user"
# map_to_secret: "12345"
["cn=Administrator"]
# If you don't specify allowed queries, all queries are granted
["cn=user"]
allowed_queries = [
["", "base", "(objectclass=*)"],
]
- docker:
docker pull firstyear/ldap-proxy:latest - podman:
podman pull docker.io/firstyear/ldap-proxy:latest