Add: LDAP auth - testing

Signed-off-by: Siroco <siroco@sindominio.net>
siroco 4 months ago
parent b0893776b4
commit 5815bdf1a2
Signed by: siroco
GPG Key ID: 1324098302A514B0
  1. 16
      auth-ldap/Dockerfile
  2. 78
      auth-ldap/main.go
  3. 228
      config/icecast.xml
  4. 10
      docker-compose.yml
  5. 4
      entrypoint.sh

@ -0,0 +1,16 @@
FROM registry.sindominio.net/debian as gobuild
RUN apt-get update -y && apt-get full-upgrade -y \
&& apt install -y golang git
WORKDIR /root/go/
COPY . .
RUN export GOBIN=$GOPATH/bin && go get . && \
go build -o icecast-ldap && \
chmod +x icecast-ldap && \
cp icecast-ldap /usr/local/bin/
CMD ["/usr/local/bin/icecast-ldap"]
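Review bot: The stage is named `gobuild` but no second `FROM` follows it, so the image that runs `icecast-ldap` still ships the Go toolchain, git and apt — far more attack surface than a sidecar that handles credentials needs; add a runtime stage such as `FROM registry.sindominio.net/debian` / `COPY --from=gobuild /usr/local/bin/icecast-ldap /usr/local/bin/` / `CMD ["/usr/local/bin/icecast-ldap"]`. `go get .` with no go.mod/go.sum in the copied tree (none appears in the diffstat) resolves github.com/go-ldap/ldap/v3 to whatever is current at build time, so nothing pins or checksums the dependency and the build is not reproducible; depending on the Debian Go version it may also refuse to run outside a module. Commit a go.mod and go.sum and build with `go build -mod=readonly`. The `chmod +x` on a freshly built binary is redundant.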

@ -0,0 +1,78 @@
// https://raw.githubusercontent.com/kuhball/icecast-ldap/master/app.go
package main
import (
"crypto/tls"
"github.com/go-ldap/ldap/v3"
"log"
"net/http"
"os"
"strings"
)
type user struct {
name string
password string
}
func check(err error) {
if err != nil {
panic(err)
}
}
// uses env variables for binding to ldap server
func ldapCheck(user user) bool {
var l *ldap.Conn
if os.Getenv("ICECAST_AUTH_LDAP_SECURE") != "" {
tlsConfig := &tls.Config{InsecureSkipVerify: true}
var err error
l, err = ldap.DialTLS("tcp", os.Getenv("ICECAST_AUTH_LDAP_SRV")+":636", tlsConfig)
check(err)
} else {
var err error
l, err = ldap.Dial("tcp", os.Getenv("ICECAST_AUTH_LDAP_SRV")+":389")
check(err)
}
err := l.Bind("uid="+user.name+","+os.Getenv("ICECAST_AUTH_LDAP_DN"), user.password)
if err != nil {
// error in ldap bind
log.Println(err)
return false
}
// successful bind
return true
}
//parses request and handles response for icecast
func handler(w http.ResponseWriter, r *http.Request) {
var user user
passUser := strings.SplitN(r.FormValue("pass"), ":", 2)
if len(passUser) == 2 {
user.name = passUser[0]
user.password = passUser[1]
} else {
w.Header().Set("Icecast-Auth-Message", "Please provide user name in form of 'user:name'")
return
}
if ldapCheck(user) {
w.Header().Set("icecast-auth-user", "1")
return
} else {
w.Header().Add("icecast-auth-user", "0")
w.Header().Add("Icecast-Auth-Message", "error")
return
}
}
func main() {
http.HandleFunc("/", handler)
err := http.ListenAndServe(":1337", nil)
check(err)
}
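Review bot: `ldapCheck` sets `InsecureSkipVerify: true` (L57), so the LDAPS branch accepts any certificate and an on-path attacker between the sidecar and the directory can harvest every credential it checks; verify against the system CA store with `ServerName` set to the LDAP host instead, and `defer l.Close()` after a successful dial, because the connection opened per request is never closed. The bind DN is built by concatenating the unescaped `user.name` (L66), so a name containing `,`, `=` or `+` rewrites the DN; escape it (`ldap.EscapeDN` in recent go-ldap v3) or reject names outside a safe character set. `user:` with an empty password passes the `len(passUser) == 2` check and reaches `Bind`; reject empty passwords explicitly rather than relying on the library, since some directories treat an empty password as an unauthenticated bind that "succeeds". The plain `ldap.Dial` branch (L63) sends the password in cleartext whenever `ICECAST_AUTH_LDAP_SECURE` is unset, and the `check(err)` panics inside the handler are recovered by net/http, so a dial failure fails closed but only via a stack trace in the log.
```go
func ldapCheck(user user) bool {
	// Refuse empty or unsafe names/passwords before touching the directory:
	// an empty password can be treated as an unauthenticated bind, and an
	// unescaped name would be spliced straight into the bind DN.
	if user.password == "" || !safeUID(user.name) {
		return false
	}
	srv := os.Getenv("ICECAST_AUTH_LDAP_SRV")
	var l *ldap.Conn
	var err error
	if os.Getenv("ICECAST_AUTH_LDAP_SECURE") != "" {
		// Verify the server certificate against the system CA store.
		l, err = ldap.DialTLS("tcp", srv+":636", &tls.Config{ServerName: srv, MinVersion: tls.VersionTLS12})
	} else {
		l, err = ldap.Dial("tcp", srv+":389")
	}
	if err != nil {
		log.Println(err)
		return false
	}
	defer l.Close()
	if err := l.Bind("uid="+user.name+","+os.Getenv("ICECAST_AUTH_LDAP_DN"), user.password); err != nil {
		log.Println(err)
		return false
	}
	return true
}

// safeUID accepts only characters that cannot alter the DN structure.
func safeUID(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9', c == '.', c == '_', c == '-':
		default:
			return false
		}
	}
	return true
}
```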

@ -0,0 +1,228 @@
<?xml version="1.0"?>
<icecast>
<!-- location and admin are two arbitrary strings that are e.g. visible
on the server info page of the icecast web interface
(server_version.xsl). -->
<location>Earth</location>
<admin>admin@sindominio.net</admin>
<!-- IMPORTANT!
Especially for inexperienced users:
Start out by ONLY changing all passwords and restarting Icecast.
For detailed setup instructions please refer to the documentation.
It's also available here: http://icecast.org/docs/
-->
<limits>
<clients>200</clients>
<sources>20</sources>
<queue-size>524288</queue-size>
<client-timeout>30</client-timeout>
<header-timeout>15</header-timeout>
<source-timeout>10</source-timeout>
<!-- If enabled, this will provide a burst of data when a client
first connects, thereby significantly reducing the startup
time for listeners that do substantial buffering. However,
it also significantly increases latency between the source
client and listening client. For low-latency setups, you
might want to disable this. -->
<burst-on-connect>1</burst-on-connect>
<!-- same as burst-on-connect, but this allows for being more
specific on how much to burst. Most people won't need to
change from the default 64k. Applies to all mountpoints -->
<burst-size>65535</burst-size>
</limits>
<authentication>
<!-- Sources log in with username 'source' -->
<source-password>secret2</source-password>
<!-- Relays log in with username 'relay' -->
<relay-password>hackme</relay-password>
<!-- Admin logs in with the username given below -->
<admin-user>admin</admin-user>
<admin-password>secret333</admin-password>
</authentication>
<!-- set the mountpoint for a shoutcast source to use, the default if not
specified is /stream but you can change it here if an alternative is
wanted or an extension is required
<shoutcast-mount>/live.nsv</shoutcast-mount>
-->
<!-- Uncomment this if you want directory listings -->
<!--
<directory>
<yp-url-timeout>15</yp-url-timeout>
<yp-url>http://dir.xiph.org/cgi-bin/yp-cgi</yp-url>
</directory>
-->
<!-- This is the hostname other people will use to connect to your server.
It affects mainly the urls generated by Icecast for playlists and yp
listings. You MUST configure it properly for YP listings to work!
-->
<hostname>radio.sindominio.net</hostname>
<!-- You may have multiple <listen-socket> elements -->
<listen-socket>
<port>8080</port>
<!-- <bind-address>127.0.0.1</bind-address> -->
<!-- <shoutcast-mount>/stream</shoutcast-mount> -->
</listen-socket>
<!--
<listen-socket>
<port>8080</port>
</listen-socket>
-->
<!--
<listen-socket>
<port>8443</port>
<ssl>1</ssl>
</listen-socket>
-->
<!-- Global header settings
Headers defined here will be returned for every HTTP request to Icecast.
The ACAO header makes Icecast public content/API by default
This will make streams easier embeddable (some HTML5 functionality needs it).
Also it allows direct access to e.g. /status-json.xsl from other sites.
If you don't want this, comment out the following line or read up on CORS.
-->
<http-headers>
<header name="Access-Control-Allow-Origin" value="*"/>
</http-headers>
<!-- Relaying
You don't need this if you only have one server.
Please refer to the documentation for a detailed explanation.
-->
<!--<master-server>127.0.0.1</master-server>-->
<!--<master-server-port>8001</master-server-port>-->
<!--<master-update-interval>120</master-update-interval>-->
<!--<master-password>hackme</master-password>-->
<!-- setting this makes all relays on-demand unless overridden, this is
useful for master relays which do not have <relay> definitions here.
The default is 0 -->
<!--<relays-on-demand>1</relays-on-demand>-->
<!--
<relay>
<server>127.0.0.1</server>
<port>8080</port>
<mount>/example.ogg</mount>
<local-mount>/different.ogg</local-mount>
<on-demand>0</on-demand>
<relay-shoutcast-metadata>0</relay-shoutcast-metadata>
</relay>
-->
<!-- Mountpoints
Only define <mount> sections if you want to use advanced options,
like alternative usernames or passwords
-->
<!-- Default settings for all mounts that don't have a specific <mount type="normal">.
-->
<mount>
<mount-name>/*</mount-name>
<authentication type="url">
<option name="stream_auth" value="http://icecast-ldap:1337/"/>
</authentication>
</mount>
<!--
<mount type="default">
<public>0</public>
<intro>/server-wide-intro.ogg</intro>
<max-listener-duration>3600</max-listener-duration>
<authentication type="url">
<option name="mount_add" value="http://auth.example.org/stream_start.php"/>
</authentication>
<http-headers>
<header name="foo" value="bar" />
</http-headers>
</mount>
-->
<!-- Normal mounts -->
<!--
<mount type="normal">
<mount-name>/example-complex.ogg</mount-name>
<username>othersource</username>
<password>hackmemore</password>
<max-listeners>1</max-listeners>
<dump-file>/tmp/dump-example1.ogg</dump-file>
<burst-size>65536</burst-size>
<fallback-mount>/example2.ogg</fallback-mount>
<fallback-override>1</fallback-override>
<fallback-when-full>1</fallback-when-full>
<intro>/example_intro.ogg</intro>
<hidden>1</hidden>
<public>1</public>
<authentication type="htpasswd">
<option name="filename" value="myauth"/>
<option name="allow_duplicate_users" value="0"/>
</authentication>
<http-headers>
<header name="Access-Control-Allow-Origin" value="http://webplayer.example.org" />
<header name="baz" value="quux" />
</http-headers>
<on-connect>/home/icecast/bin/stream-start</on-connect>
<on-disconnect>/home/icecast/bin/stream-stop</on-disconnect>
</mount>
-->
<!--
<mount type="normal">
<mount-name>/auth_example.ogg</mount-name>
<authentication type="url">
<option name="mount_add" value="http://myauthserver.net/notify_mount.php"/>
<option name="mount_remove" value="http://myauthserver.net/notify_mount.php"/>
<option name="listener_add" value="http://myauthserver.net/notify_listener.php"/>
<option name="listener_remove" value="http://myauthserver.net/notify_listener.php"/>
<option name="headers" value="x-pragma,x-token"/>
<option name="header_prefix" value="ClientHeader."/>
</authentication>
</mount>
-->
<fileserve>1</fileserve>
<paths>
<!-- basedir is only used if chroot is enabled -->
<basedir>/icecast2</basedir>
<!-- Note that if <chroot> is turned on below, these paths must both
be relative to the new root, not the original root -->
<logdir>/icecast2/logs</logdir>
<webroot>/usr/share/icecast2/web</webroot>
<adminroot>/usr/share/icecast2/admin</adminroot>
<!-- <pidfile>/usr/share/icecast2/icecast.pid</pidfile> -->
<!-- Aliases: treat requests for 'source' path as being for 'dest' path
May be made specific to a port or bound address using the "port"
and "bind-address" attributes.
-->
<!--
<alias source="/foo" destination="/bar"/>
-->
<!-- Aliases: can also be used for simple redirections as well,
this example will redirect all requests for http://server:port/ to
the status page
-->
<alias source="/" destination="/status.xsl"/>
<!-- The certificate file needs to contain both public and private part.
Both should be PEM encoded.
<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
-->
</paths>
<logging>
<accesslog>access.log</accesslog>
<errorlog>error.log</errorlog>
<!-- <playlistlog>playlist.log</playlistlog> -->
<loglevel>3</loglevel>
<!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
<logsize>10000</logsize>
<!-- Max size of a logfile -->
<!-- If logarchive is enabled (1), then when logsize is reached
the logfile will be moved to [error|access|playlist].log.DATESTAMP,
otherwise it will be moved to [error|access|playlist].log.old.
Default is non-archive mode (i.e. overwrite)
-->
<!-- <logarchive>1</logarchive> -->
</logging>
<security>
<chroot>0</chroot>
<!--
<changeowner>
<user>nobody</user>
<group>nogroup</group>
</changeowner>
-->
</security>
</icecast>
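Review bot: The committed config carries literal credentials (`secret2`, `hackme`, `secret333` at L136-L141) and none of the visible entrypoint.sh hunks rewrites `source-password`, `relay-password` or `admin-password`, so unless a line outside this diff does, the admin interface published on 0.0.0.0:8080 is guarded by a guessable password; inject them from the environment like `admin` and `clients` are, or replace the values with placeholders that fail loudly. The `stream_auth` hook (L218) POSTs the source client's `user:pass` to `http://icecast-ldap:1337/` in clear over the compose network, which is acceptable only while that network stays private; a comment would make the assumption explicit: `<!-- stream_auth sends the source password in clear to the auth sidecar; keep icecast-ldap on the internal network only -->`. Whether a `/*` mount-name is honoured as a wildcard by the Icecast build in use is not shown here; if it is not, the mount falls back to the static `source-password` above.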

@ -1,5 +1,13 @@
version: "2.4"
services:
icecast-ldap:
build: ./auth-ldap
image: registry.sindominio.net/icecast-ldap
user: "${USERGROUP}"
environment:
- ICECAST_AUTH_LDAP_SECURE
- ICECAST_AUTH_LDAP_SRV
- ICECAST_AUTH_LDAP_DN
icecast:
build: .
image: registry.sindominio.net/icecast2
@ -7,6 +15,7 @@ services:
ports:
- 0.0.0.0:8080:8080
volumes:
- ./config/icecast.xml:/etc/icecast2/icecast.xml:ro
- ./data:/icecast2
environment:
- ICE_LIMITS_CLIENTS
@ -18,3 +27,4 @@ services:
- ICE_HOSTNAME
- ICE_PORT
- ICE_BASEDIR
- ICE_SSL
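Review bot: `ICECAST_AUTH_LDAP_SECURE` is passed through bare (L335), so an operator who leaves it unset on the host gets a sidecar that silently binds over cleartext LDAP on :389 — that is what main.go does when the variable is empty — and sends the credentials it checks unencrypted; default it to on here, `- ICECAST_AUTH_LDAP_SECURE=${ICECAST_AUTH_LDAP_SECURE:-1}`, or refuse to start when it is empty. The `icecast` service has no `depends_on: [icecast-ldap]`, so on a cold start Icecast can be reachable before the auth endpoint answers; whether that fails open or closed depends on Icecast's handling of an unreachable URL-auth backend, which this diff does not show.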

@ -6,7 +6,7 @@ mkdir -p /icecast2/logs
cd /icecast2
[ -f icecast.xml ] || cp /tmp/icecast.xml icecast.xml
[ -f icecast.xml ] || cp /etc/icecast.xml icecast.xml
xmlstarlet ed -L -u 'icecast/admin' -v $ICE_ADMIN_EMAIL icecast.xml
xmlstarlet ed -L -u 'icecast/limits/clients' -v $ICE_LIMITS_CLIENTS icecast.xml
@ -21,4 +21,6 @@ xmlstarlet ed -L -u 'icecast/paths/basedir' -v $ICE_BASEDIR icecast.xml
xmlstarlet ed -L -u 'icecast/paths/logdir' -v $ICE_BASEDIR/logs icecast.xml
xmlstarlet ed -L -u 'icecast/paths/pidfile' -v $ICE_BASEDIR/icecast.pid icecast.xml
[ -n $ICE_SSL ] || xmlstarlet ed -L -i 'icecast/listen-socket/port' -t elem -n ssl -v 1 icecast.xml && xmlstarlet ed -L -d 'icecast/listen-socket/ssl' icecast.xml
exec $@
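Review bot: The new `ICE_SSL` line (L364) does not do what it looks like: with `$ICE_SSL` unquoted, `[ -n $ICE_SSL ]` becomes `[ -n ]` when the variable is empty, which is true, so the insert branch never runs; and because `||` and `&&` bind left-to-right, the trailing `xmlstarlet ... -d 'icecast/listen-socket/ssl'` runs after either outcome and removes any `ssl` element just inserted, so TLS can never be enabled from the environment. Rewrite it as an explicit `if` with the variable quoted, as below. `exec $@` (L365) should be `exec "$@"` so arguments with spaces survive, and the same quoting applies to every `-v $ICE_...` above.
```sh
# … unchanged: basedir/logdir/pidfile substitutions …
xmlstarlet ed -L -d 'icecast/listen-socket/ssl' icecast.xml
if [ -n "$ICE_SSL" ]; then
    xmlstarlet ed -L -i 'icecast/listen-socket/port' -t elem -n ssl -v 1 icecast.xml
fi
exec "$@"
```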
