|
|
@ -11,32 +11,48 @@ http { |
|
|
|
sendfile on; |
|
|
|
sendfile on; |
|
|
|
keepalive_timeout 65; |
|
|
|
keepalive_timeout 65; |
|
|
|
|
|
|
|
|
|
|
|
auth_ldap_url ldap://ldap.example.com/dc=example,dc=com?uid?sub?(objectClass=person); |
|
|
|
# define ldap server |
|
|
|
auth_ldap_binddn cn=nginx,ou=service,dc=example,dc=com; |
|
|
|
ldap_server ad_1 { |
|
|
|
auth_ldap_binddn_passwd mYsUperPas55W0Rd; |
|
|
|
# user search base. |
|
|
|
|
|
|
|
url "ldap://<YOUR LDAP SERVER>:3268/OU=Offices,DC=company,DC=com?sAMAccountName?sub?(objectClass=person)"; |
|
|
|
|
|
|
|
# bind as |
|
|
|
|
|
|
|
binddn "CN=Operator,OU=Service Accounts,DC=company,DC=com"; |
|
|
|
|
|
|
|
# bind pw |
|
|
|
|
|
|
|
binddn_passwd <PUT Operator's PASSWORD HERE>; |
|
|
|
|
|
|
|
# group attribute name which contains member object |
|
|
|
|
|
|
|
group_attribute member; |
|
|
|
|
|
|
|
# search for full DN in member object |
|
|
|
|
|
|
|
group_attribute_is_dn on; |
|
|
|
|
|
|
|
# matching algorithm (any / all) |
|
|
|
|
|
|
|
satisfy any; |
|
|
|
|
|
|
|
# list of allowed groups |
|
|
|
|
|
|
|
require group "CN=Admins,OU=My Security Groups,DC=company,DC=com"; |
|
|
|
|
|
|
|
require group "CN=New York Users,OU=My Security Groups,DC=company,DC=com"; |
|
|
|
|
|
|
|
# list of allowed users |
|
|
|
|
|
|
|
# require 'valid_user' cannot be used together with 'user' as valid user is a superset |
|
|
|
|
|
|
|
# require valid_user; |
|
|
|
|
|
|
|
require user "CN=Batman,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com"; |
|
|
|
|
|
|
|
require user "CN=Robocop,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com"; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
auth_ldap_group_attribute uniquemember; # default 'member' |
|
|
|
} |
|
|
|
auth_ldap_group_attribute_is_dn on; # default on |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
server { |
|
|
|
server { |
|
|
|
listen 8081; |
|
|
|
listen 8081; |
|
|
|
server_name localhost; |
|
|
|
server_name localhost; |
|
|
|
|
|
|
|
|
|
|
|
location / { |
|
|
|
location / { |
|
|
|
|
|
|
|
# adding ldap authentication |
|
|
|
auth_ldap "Closed content"; |
|
|
|
auth_ldap "Closed content"; |
|
|
|
|
|
|
|
auth_ldap_servers ad_1; |
|
|
|
|
|
|
|
|
|
|
|
#auth_ldap_require valid_user; |
|
|
|
|
|
|
|
auth_ldap_require user 'cn=Super User,ou=user,dc=example,dc=com'; |
|
|
|
|
|
|
|
auth_ldap_require group 'cn=admins,ou=group,dc=example,dc=com'; |
|
|
|
|
|
|
|
auth_ldap_require group 'cn=user,ou=group,dc=example,dc=com'; |
|
|
|
|
|
|
|
auth_ldap_satisfy any; |
|
|
|
|
|
|
|
root html; |
|
|
|
root html; |
|
|
|
index index.html index.htm; |
|
|
|
index index.html index.htm; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
error_page 500 502 503 504 /50x.html; |
|
|
|
error_page 500 502 503 504 /50x.html; |
|
|
|
|
|
|
|
|
|
|
|
location = /50x.html { |
|
|
|
location = /50x.html { |
|
|
|
root html; |
|
|
|
root html; |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
} |
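Review bot: The new `ldap_server ad_1` block's `url` uses the cleartext `ldap://` scheme (port 3268), so the service-account bind credential in `binddn_passwd` and every end-user password checked by `auth_ldap "Closed content"` cross the network unencrypted; the example should use `ldaps://` with the server's TLS port and, where this build of the module supports it, certificate verification. The `binddn_passwd` value is also unquoted, unlike `binddn` on the line above it, so a real password containing a space, `;` or `#` would break parsing — quote it, `binddn_passwd "<PUT Operator's PASSWORD HERE>";`, and the README should say that the file holding this value must not be world-readable. With `satisfy any;` in effect, re-enabling the commented `# require valid_user;` would admit every account that can bind, which the comment `# require 'valid_user' cannot be used together with 'user' as valid user is a superset` only partly conveys; a one-line `# with 'satisfy any', valid_user alone admits any account that can bind` would make the interaction explicit. The enclosing `http {` block begins before this hunk.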
|
|
|