ldapgate 0.1.1__tar.gz

ldapgate-0.1.1/.gitignore

@@ -0,0 +1,46 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+.venv
+.venv/
+
+# pytest
+.pytest_cache/
+.coverage
+htmlcov/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Local testing
+ldapgate.yaml
+memory/

ldapgate-0.1.1/PKG-INFO

@@ -0,0 +1,140 @@
+Metadata-Version: 2.4
+Name: ldapgate
+Version: 0.1.1
+Summary: Lightweight LDAP/AD authentication proxy and FastAPI middleware
+Author-email: Anudeep D <anudeep@example.com>
+License: MIT
+Requires-Python: >=3.10
+Requires-Dist: click>=8.1.0
+Requires-Dist: fastapi>=0.111.0
+Requires-Dist: httpx>=0.27
+Requires-Dist: itsdangerous>=2.2.0
+Requires-Dist: jinja2>=3.1.0
+Requires-Dist: ldap3>=2.9.1
+Requires-Dist: pydantic-settings>=2.0
+Requires-Dist: pydantic>=2.7.0
+Requires-Dist: python-multipart>=0.0.9
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: uvicorn[standard]>=0.29.0
+Provides-Extra: dev
+Requires-Dist: httpx[http2]>=0.27; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.21; extra == 'dev'
+Requires-Dist: pytest>=7.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+<p align="center">
+  <img src="https://raw.githubusercontent.com/anudeepd/ldapgate/main/assets/logo.svg" alt="LDAPGate" width="120"/>
+</p>
+
+<h1 align="center">LDAPGate</h1>
+
+<p align="center">Lightweight LDAP/AD authentication gateway for Python web apps. Install it, configure it, done.</p>
+
+## Features
+
+- **Two deployment modes** — standalone reverse proxy or drop-in FastAPI middleware
+- **Pure Python LDAP** — no OS-level libs required, uses `ldap3`
+- **Signed cookie sessions** — stateless, no server-side session storage
+- **OpenLDAP and Active Directory** — `uid=` and `sAMAccountName=` out of the box
+- **Optional group gating** — restrict access to members of a specific LDAP group
+- **Header injection** — injects `X-Forwarded-User` for apps that support it
+- **Bundled login form** — responsive, dark/light mode, works air-gapped
+
+## Install
+
+```bash
+pip install ldapgate
+```
+
+## Config file
+
+Both modes share the same `ldapgate.yaml`:
+
+```yaml
+ldap:
+  url: ldaps://dc.example.com:636
+  bind_dn: CN=svc,CN=Users,DC=example,DC=com
+  bind_password: secret
+  base_dn: DC=example,DC=com
+  user_filter: "(sAMAccountName={username})"        # AD; OpenLDAP: (uid={username})
+  group_dn: CN=app-users,CN=Users,DC=example,DC=com # optional
+
+proxy:
+  listen_host: 0.0.0.0
+  listen_port: 9000
+  backend_url: http://localhost:8080
+  secret_key: change-me-to-something-random
+  session_ttl: 3600
+  user_header: X-Forwarded-User
+  login_path: /_auth/login
+  app_name: MyApp
+```
+
+All settings can also be provided via environment variables with `__` separators (e.g. `LDAP__URL`, `PROXY__SECRET_KEY`).
+
+## Mode 1 — Standalone Reverse Proxy
+
+Run ldapgate as a standalone process in front of any app. Only authenticated requests are forwarded to the backend.
+
+```
+Browser → ldapgate :9000 → backend app :8080
+```
+
+```bash
+ldapgate serve --config ldapgate.yaml
+```
+
+**Example: copyparty**
+
+Start copyparty with IDP header auth and point its logout at ldapgate:
+
+```bash
+copyparty -p 8080 --idp-h-usr X-Forwarded-User --idp-logout /_auth/logout -v ~/Documents:/:rw
+```
+
+copyparty trusts the `X-Forwarded-User` header injected by ldapgate, and its logout button redirects to `/_auth/logout` which clears the ldapgate session before sending the user back to the login page.
+
+## Mode 2 — FastAPI Middleware
+
+Drop ldapgate auth directly into an existing FastAPI app — no separate process needed.
+
+```python
+from fastapi import FastAPI
+from ldapgate.config import load_config
+from ldapgate.middleware import add_ldap_auth
+
+app = FastAPI()
+config = load_config("ldapgate.yaml")
+add_ldap_auth(app, config)
+
+@app.get("/api/data")
+async def data(request):
+    return {"user": request.state.user}  # authenticated username
+```
+
+**Example: lagun** — see [lagun](https://github.com/anudeepd/lagun) and [torrus](https://github.com/anudeepd/torrus) for real-world integrations.
+
+## CLI Options
+
+```
+ldapgate serve --config PATH   Path to ldapgate.yaml [default: ldapgate.yaml]
+               --host TEXT     Override listen host
+               --port INTEGER  Override listen port
+               --backend TEXT  Override backend URL
+               --reload        Enable auto-reload (dev)
+```
+
+## Development
+
+Requires [uv](https://github.com/astral-sh/uv).
+
+```bash
+git clone https://github.com/anudeepd/ldapgate
+cd ldapgate
+uv sync
+pytest tests/
+```
+
+## License
+
+MIT

ldapgate-0.1.1/README.md

@@ -0,0 +1,116 @@
+<p align="center">
+  <img src="https://raw.githubusercontent.com/anudeepd/ldapgate/main/assets/logo.svg" alt="LDAPGate" width="120"/>
+</p>
+
+<h1 align="center">LDAPGate</h1>
+
+<p align="center">Lightweight LDAP/AD authentication gateway for Python web apps. Install it, configure it, done.</p>
+
+## Features
+
+- **Two deployment modes** — standalone reverse proxy or drop-in FastAPI middleware
+- **Pure Python LDAP** — no OS-level libs required, uses `ldap3`
+- **Signed cookie sessions** — stateless, no server-side session storage
+- **OpenLDAP and Active Directory** — `uid=` and `sAMAccountName=` out of the box
+- **Optional group gating** — restrict access to members of a specific LDAP group
+- **Header injection** — injects `X-Forwarded-User` for apps that support it
+- **Bundled login form** — responsive, dark/light mode, works air-gapped
+
+## Install
+
+```bash
+pip install ldapgate
+```
+
+## Config file
+
+Both modes share the same `ldapgate.yaml`:
+
+```yaml
+ldap:
+  url: ldaps://dc.example.com:636
+  bind_dn: CN=svc,CN=Users,DC=example,DC=com
+  bind_password: secret
+  base_dn: DC=example,DC=com
+  user_filter: "(sAMAccountName={username})"        # AD; OpenLDAP: (uid={username})
+  group_dn: CN=app-users,CN=Users,DC=example,DC=com # optional
+
+proxy:
+  listen_host: 0.0.0.0
+  listen_port: 9000
+  backend_url: http://localhost:8080
+  secret_key: change-me-to-something-random
+  session_ttl: 3600
+  user_header: X-Forwarded-User
+  login_path: /_auth/login
+  app_name: MyApp
+```
+
+All settings can also be provided via environment variables with `__` separators (e.g. `LDAP__URL`, `PROXY__SECRET_KEY`).
+
+## Mode 1 — Standalone Reverse Proxy
+
+Run ldapgate as a standalone process in front of any app. Only authenticated requests are forwarded to the backend.
+
+```
+Browser → ldapgate :9000 → backend app :8080
+```
+
+```bash
+ldapgate serve --config ldapgate.yaml
+```
+
+**Example: copyparty**
+
+Start copyparty with IDP header auth and point its logout at ldapgate:
+
+```bash
+copyparty -p 8080 --idp-h-usr X-Forwarded-User --idp-logout /_auth/logout -v ~/Documents:/:rw
+```
+
+copyparty trusts the `X-Forwarded-User` header injected by ldapgate, and its logout button redirects to `/_auth/logout` which clears the ldapgate session before sending the user back to the login page.
+
+## Mode 2 — FastAPI Middleware
+
+Drop ldapgate auth directly into an existing FastAPI app — no separate process needed.
+
+```python
+from fastapi import FastAPI
+from ldapgate.config import load_config
+from ldapgate.middleware import add_ldap_auth
+
+app = FastAPI()
+config = load_config("ldapgate.yaml")
+add_ldap_auth(app, config)
+
+@app.get("/api/data")
+async def data(request):
+    return {"user": request.state.user}  # authenticated username
+```
+
+**Example: lagun** — see [lagun](https://github.com/anudeepd/lagun) and [torrus](https://github.com/anudeepd/torrus) for real-world integrations.
+
+## CLI Options
+
+```
+ldapgate serve --config PATH   Path to ldapgate.yaml [default: ldapgate.yaml]
+               --host TEXT     Override listen host
+               --port INTEGER  Override listen port
+               --backend TEXT  Override backend URL
+               --reload        Enable auto-reload (dev)
+```
+
+## Development
+
+Requires [uv](https://github.com/astral-sh/uv).
+
+```bash
+git clone https://github.com/anudeepd/ldapgate
+cd ldapgate
+uv sync
+pytest tests/
+```
+
+## License
+
+MIT

ldapgate-0.1.1/assets/logo-full-dark.svg

@@ -0,0 +1,28 @@
+<svg viewBox="0 0 420 120" xmlns="http://www.w3.org/2000/svg">
+  <!-- Icon background -->
+  <rect x="4" y="4" width="112" height="112" rx="22" fill="#eff6ff"/>
+
+  <!-- Gate posts -->
+  <line x1="36" y1="94" x2="36" y2="52" stroke="#1d4ed8" stroke-width="5" stroke-linecap="round"/>
+  <line x1="84" y1="94" x2="84" y2="52" stroke="#1d4ed8" stroke-width="5" stroke-linecap="round"/>
+
+  <!-- Gate arch -->
+  <path d="M 36 52 Q 60 26 84 52" fill="none" stroke="#1d4ed8" stroke-width="5" stroke-linecap="round"/>
+
+  <!-- Gate crossbar -->
+  <line x1="36" y1="72" x2="84" y2="72" stroke="#1d4ed8" stroke-width="3.5" stroke-linecap="round"/>
+
+  <!-- Padlock shackle -->
+  <path d="M 51 72 L 51 64 Q 51 57 60 57 Q 69 57 69 64 L 69 72"
+    fill="none" stroke="#3b82f6" stroke-width="3" stroke-linecap="round" stroke-linejoin="round"/>
+
+  <!-- Padlock body -->
+  <rect x="47" y="70" width="26" height="20" rx="4" fill="#eff6ff" stroke="#3b82f6" stroke-width="3"/>
+
+  <!-- Keyhole -->
+  <circle cx="60" cy="78" r="2.5" fill="#3b82f6"/>
+  <line x1="60" y1="80" x2="60" y2="84" stroke="#3b82f6" stroke-width="2" stroke-linecap="round"/>
+
+  <!-- Wordmark -->
+  <text x="136" y="74" font-family="'Inter', 'Helvetica Neue', sans-serif" font-size="52" font-weight="600" letter-spacing="-1" fill="#1e3a8a">LDAPGate</text>
+</svg>

ldapgate-0.1.1/assets/logo-full.svg

@@ -0,0 +1,28 @@
+<svg viewBox="0 0 420 120" xmlns="http://www.w3.org/2000/svg">
+  <!-- Icon background -->
+  <rect x="4" y="4" width="112" height="112" rx="22" fill="#eff6ff"/>
+
+  <!-- Gate posts -->
+  <line x1="36" y1="94" x2="36" y2="52" stroke="#1d4ed8" stroke-width="5" stroke-linecap="round"/>
+  <line x1="84" y1="94" x2="84" y2="52" stroke="#1d4ed8" stroke-width="5" stroke-linecap="round"/>
+
+  <!-- Gate arch -->
+  <path d="M 36 52 Q 60 26 84 52" fill="none" stroke="#1d4ed8" stroke-width="5" stroke-linecap="round"/>
+
+  <!-- Gate crossbar -->
+  <line x1="36" y1="72" x2="84" y2="72" stroke="#1d4ed8" stroke-width="3.5" stroke-linecap="round"/>
+
+  <!-- Padlock shackle -->
+  <path d="M 51 72 L 51 64 Q 51 57 60 57 Q 69 57 69 64 L 69 72"
+    fill="none" stroke="#3b82f6" stroke-width="3" stroke-linecap="round" stroke-linejoin="round"/>
+
+  <!-- Padlock body -->
+  <rect x="47" y="70" width="26" height="20" rx="4" fill="#eff6ff" stroke="#3b82f6" stroke-width="3"/>
+
+  <!-- Keyhole -->
+  <circle cx="60" cy="78" r="2.5" fill="#3b82f6"/>
+  <line x1="60" y1="80" x2="60" y2="84" stroke="#3b82f6" stroke-width="2" stroke-linecap="round"/>
+
+  <!-- Wordmark -->
+  <text x="136" y="74" font-family="'Inter', 'Helvetica Neue', sans-serif" font-size="52" font-weight="600" letter-spacing="-1" fill="#dbeafe">LDAPGate</text>
+</svg>

ldapgate-0.1.1/assets/logo.svg

@@ -0,0 +1,25 @@
+<svg viewBox="0 0 200 200" xmlns="http://www.w3.org/2000/svg">
+  <!-- Rounded square background -->
+  <rect x="6" y="6" width="188" height="188" rx="36" fill="#eff6ff"/>
+
+  <!-- Gate posts -->
+  <line x1="58" y1="158" x2="58" y2="86" stroke="#1d4ed8" stroke-width="9" stroke-linecap="round"/>
+  <line x1="142" y1="158" x2="142" y2="86" stroke="#1d4ed8" stroke-width="9" stroke-linecap="round"/>
+
+  <!-- Gate arch -->
+  <path d="M 58 86 Q 100 40 142 86" fill="none" stroke="#1d4ed8" stroke-width="9" stroke-linecap="round"/>
+
+  <!-- Gate crossbar -->
+  <line x1="58" y1="120" x2="142" y2="120" stroke="#1d4ed8" stroke-width="6" stroke-linecap="round"/>
+
+  <!-- Padlock shackle -->
+  <path d="M 88 120 L 88 107 Q 88 94 100 94 Q 112 94 112 107 L 112 120"
+    fill="none" stroke="#3b82f6" stroke-width="5" stroke-linecap="round" stroke-linejoin="round"/>
+
+  <!-- Padlock body (fill covers crossbar behind it) -->
+  <rect x="83" y="117" width="34" height="27" rx="5" fill="#eff6ff" stroke="#3b82f6" stroke-width="5"/>
+
+  <!-- Keyhole -->
+  <circle cx="100" cy="128" r="3.5" fill="#3b82f6"/>
+  <line x1="100" y1="131" x2="100" y2="137" stroke="#3b82f6" stroke-width="3.5" stroke-linecap="round"/>
+</svg>

ldapgate-0.1.1/docker/Dockerfile

@@ -0,0 +1,15 @@
+FROM python:3.12-slim
+
+WORKDIR /app
+
+RUN pip install uv
+
+COPY pyproject.toml uv.lock README.md ./
+COPY ldapgate/ ./ldapgate/
+COPY assets/ ./assets/
+
+RUN uv pip install --system .
+
+EXPOSE 9000
+
+CMD ["ldapgate", "serve", "--config", "/app/ldapgate.yaml"]

ldapgate-0.1.1/docker/alice.ldif

@@ -0,0 +1,16 @@
+dn: ou=users,dc=example,dc=org
+objectClass: organizationalUnit
+ou: users
+
+dn: uid=alice,ou=users,dc=example,dc=org
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: alice
+cn: Alice
+sn: Test
+mail: alice@example.org
+userPassword: alice123
+uidNumber: 1000
+gidNumber: 1000
+homeDirectory: /home/alice

ldapgate-0.1.1/docker/docker-compose.yml

@@ -0,0 +1,31 @@
+services:
+
+  openldap:
+    image: osixia/openldap:1.5.0
+    environment:
+      LDAP_ORGANISATION: "Example"
+      LDAP_DOMAIN: "example.org"
+      LDAP_ADMIN_PASSWORD: "admin"
+    volumes:
+      - ./alice.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/alice.ldif:ro
+    command: --copy-service
+    ports:
+      - "389:389"
+
+  httpbin:
+    image: kennethreitz/httpbin
+    ports:
+      - "8080:80"
+
+  ldapgate:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+    volumes:
+      - ./ldapgate.local.yaml:/app/ldapgate.yaml:ro
+    ports:
+      - "9000:9000"
+    depends_on:
+      - openldap
+      - httpbin
+    command: ["ldapgate", "serve", "--config", "/app/ldapgate.yaml"]

ldapgate-0.1.1/docker/ldapgate.local.yaml

@@ -0,0 +1,19 @@
+ldap:
+  url: ldap://openldap:389
+  bind_dn: cn=admin,dc=example,dc=org
+  bind_password: "admin"
+  base_dn: dc=example,dc=org
+  user_filter: "(uid={username})"
+  timeout: 10
+  follow_referrals: false
+
+proxy:
+  listen_host: 0.0.0.0
+  listen_port: 9000
+  backend_url: http://httpbin:80
+  secret_key: local-dev-secret-not-for-production
+  session_ttl: 3600
+  user_header: X-Forwarded-User
+  login_path: /_auth/login
+  app_name: ldapgate-local
+  secure_cookies: false

ldapgate-0.1.1/ldapgate/__init__.py

@@ -0,0 +1,19 @@
+"""ldapgate - LDAP/AD authentication proxy and FastAPI middleware"""
+
+__version__ = "0.1.0"
+
+__all__ = [
+    "LDAPAuthenticator",
+    "LDAPConfig",
+    "LDAPAuthMiddleware",
+    "SessionManager",
+    "create_proxy_app",
+    "create_login_router",
+    "add_ldap_auth",
+]
+
+from ldapgate.config import LDAPConfig
+from ldapgate.ldap import LDAPAuthenticator
+from ldapgate.middleware import LDAPAuthMiddleware, add_ldap_auth
+from ldapgate.proxy import create_proxy_app, create_login_router
+from ldapgate.sessions import SessionManager

ldapgate-0.1.1/ldapgate/cli.py

@@ -0,0 +1,121 @@
+"""CLI for ldapgate reverse proxy."""
+
+import os
+from pathlib import Path
+
+import click
+import uvicorn
+
+from ldapgate.config import load_config
+from ldapgate.proxy import create_proxy_app
+
+# Env var used to pass config path to the module-level app factory for --reload mode
+_CONFIG_ENV_VAR = "LDAPGATE_CONFIG_PATH"
+
+
+@click.group()
+def cli():
+    """ldapgate - LDAP/AD authentication proxy."""
+    pass
+
+
+@cli.command()
+@click.option(
+    "--config",
+    type=click.Path(path_type=Path),
+    default=None,
+    help="Path to ldapgate.yaml config file (reads env vars if omitted)",
+)
+@click.option(
+    "--host",
+    default=None,
+    help="Override listen host (default: 0.0.0.0)",
+)
+@click.option(
+    "--port",
+    type=int,
+    default=None,
+    help="Override listen port (default: 9000)",
+)
+@click.option(
+    "--backend",
+    default=None,
+    help="Override backend URL",
+)
+@click.option(
+    "--reload",
+    is_flag=True,
+    help="Enable auto-reload on code changes",
+)
+def serve(config: Path, host: str, port: int, backend: str, reload: bool):
+    """Start ldapgate reverse proxy server.
+
+    Example:
+        ldapgate serve --config ldapgate.yaml
+        ldapgate serve --backend http://localhost:3923
+    """
+    try:
+        cfg = load_config(config)
+
+        if host:
+            cfg.proxy.listen_host = host
+        if port:
+            cfg.proxy.listen_port = port
+        if backend:
+            cfg.proxy.backend_url = backend
+
+        click.echo(
+            f"Starting ldapgate proxy on {cfg.proxy.listen_host}:{cfg.proxy.listen_port}"
+        )
+        click.echo(f"Backend: {cfg.proxy.backend_url}")
+        click.echo(f"Login path: {cfg.proxy.login_path}")
+
+        if reload:
+            # Reload mode requires an import string; pass config + overrides via env vars
+            # so the factory in this module can reconstruct the app identically.
+            if config:
+                os.environ[_CONFIG_ENV_VAR] = str(config)
+            if backend:
+                os.environ["LDAPGATE_BACKEND_URL"] = backend
+            uvicorn.run(
+                "ldapgate.cli:_reload_app_factory",
+                factory=True,
+                host=cfg.proxy.listen_host,
+                port=cfg.proxy.listen_port,
+                reload=True,
+                log_level="info",
+            )
+        else:
+            app = create_proxy_app(cfg)
+            uvicorn.run(
+                app,
+                host=cfg.proxy.listen_host,
+                port=cfg.proxy.listen_port,
+                log_level="info",
+            )
+
+    except FileNotFoundError as e:
+        click.echo(f"Error: {e}", err=True)
+        raise SystemExit(1)
+    except Exception as e:
+        click.echo(f"Error: {e}", err=True)
+        raise SystemExit(1)
+
+
+def _reload_app_factory():
+    """App factory used by uvicorn --reload (needs importable callable)."""
+    config_path = os.environ.get(_CONFIG_ENV_VAR)
+    cfg = load_config(config_path)
+    backend = os.environ.get("LDAPGATE_BACKEND_URL")
+    if backend:
+        cfg.proxy.backend_url = backend
+    return create_proxy_app(cfg)
+
+
+def main():
+    """Entry point for ldapgate CLI."""
+    cli()
+
+
+if __name__ == "__main__":
+    main()