From d1dbca7d0d026fb1329496b2e5d5d8765f3f13b0 Mon Sep 17 00:00:00 2001
From: Andrii Moiseiev <amoiseiev@wayfair.com>
Date: Mon, 12 Jan 2015 14:02:44 -0500
Subject: [PATCH] fixing auth failure issue when CN of user or group doesn't
 exist

---
 example.conf                | 41 +++++++++++++++++++++++++------------
 ngx_http_auth_ldap_module.c |  2 +-
 2 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/example.conf b/example.conf
index 1a0dabf..01c4225 100644
--- a/example.conf
+++ b/example.conf
@@ -11,25 +11,41 @@ http {
     sendfile        on;
     keepalive_timeout  65;
 
-    auth_ldap_url ldap://ldap.example.com/dc=example,dc=com?uid?sub?(objectClass=person);
-    auth_ldap_binddn cn=nginx,ou=service,dc=example,dc=com;
-    auth_ldap_binddn_passwd mYsUperPas55W0Rd;
+    # define ldap server
+    ldap_server ad_1 {
+      # user search base.
+      url "ldap://<YOUR LDAP SERVER>:3268/OU=Offices,DC=company,DC=com?sAMAccountName?sub?(objectClass=person)";
+      # bind as
+      binddn "CN=Operator,OU=Service Accounts,DC=company,DC=com";
+      # bind pw
+      binddn_passwd <PUT Operator PASSWORD HERE>;
+      # group attribute name which contains member object
+      group_attribute member;
+      # search for full DN in member object
+      group_attribute_is_dn on;
+      # matching algorithm (any / all)
+      satisfy any;
+      # list of allowed groups
+      require group "CN=Admins,OU=My Security Groups,DC=company,DC=com";
+      require group "CN=New York Users,OU=My Security Groups,DC=company,DC=com";
+      # list of allowed users
+      # require 'valid_user' cannot be used together with 'user' as valid user is a superset
+      # require valid_user;
+      require user "CN=Batman,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com";
+      require user "CN=Robocop,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com";
+    }
 
-    auth_ldap_group_attribute uniquemember; # default 'member'
-    auth_ldap_group_attribute_is_dn on; # default on
+}
 
-    server {
+server {
 	listen       8081;
 	server_name  localhost;
 
 	location / {
+      # adding ldap authentication
 	    auth_ldap "Closed content";
-	    
-	    #auth_ldap_require valid_user;
-	    auth_ldap_require user 'cn=Super User,ou=user,dc=example,dc=com';
-	    auth_ldap_require group 'cn=admins,ou=group,dc=example,dc=com';
-	    auth_ldap_require group 'cn=user,ou=group,dc=example,dc=com';
-	    auth_ldap_satisfy any;
+      auth_ldap_servers ad_1;
+
 	    root   html;
 	    index  index.html index.htm;
 	}
@@ -38,5 +54,4 @@ http {
 	location = /50x.html {
 	    root   html;
 	}
-    }
 }
diff --git a/ngx_http_auth_ldap_module.c b/ngx_http_auth_ldap_module.c
index 40cca18..0e15162 100644
--- a/ngx_http_auth_ldap_module.c
+++ b/ngx_http_auth_ldap_module.c
@@ -1871,7 +1871,7 @@ ngx_http_auth_ldap_check_group(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *
                 ctx->outcome = OUTCOME_ALLOW;
                 return NGX_OK;
             }
-        } else if (ctx->error_code == LDAP_COMPARE_FALSE || ctx->error_code == LDAP_NO_SUCH_ATTRIBUTE) {
+        } else if (ctx->error_code == LDAP_COMPARE_FALSE || ctx->error_code == LDAP_NO_SUCH_ATTRIBUTE || ctx->error_code == LDAP_NO_SUCH_OBJECT) {
             if (ctx->server->satisfy_all == 1) {
                 ctx->outcome = OUTCOME_DENY;
                 return NGX_DECLINED;