This fixes issue #40. User passwords should *always* be checked during authentication (except when a user fails to satisfy given requirements). Previously, the PHASE_CHECK_BIND step of authentication would not check passwords in any LDAP configuration where ``require valid_user`` was not specified (eg using ``require user`` or ``require group``).
Sometimes the authentication handler got called again just after the
search operation has been started, immediately failing because nothing
has been found yet. Added an extra safety check for these cases.
A connection is opened using nginx framework and then fed to OpenLDAP using
ldap_init_fd() call with custom SockBuf IO handlers. When some credentials
need to be validated, ngx_http_auth_ldap_authenticate() is called multiple
times, returning NGX_AGAIN each time the process is waiting for the LDAP
server to reply.
(Note: This only an initial implementation and as such, it is of course
very buggy and limited. Further work is needed to make it useful.)
A configured number of cached (server,username,password) entries is held
for a configured amount of time to avoid repeated authentications for
each of several requests quickly following each other.
The configuration can now contain a directive like this
require valid_user cn=$remote_user,dc=example,dc=com
which will result in the bind as the respective user to be the
only command sent to the server, skipping the search request.
The core fills both decoded user name and password into r->headers_in.user
or r->headers_in.passwd, respectively, when ngx_http_auth_basic_user() is
called. Maybe it did not work like this before, but there is definitely no
need to handle the decoding ourselves now (nginx 1.4.1).
- Renamed ngx_ldap_server to ngx_http_auth_ldap_server_t.
- Used NGX_CONF_ANY instead of many NGX_CONF_TAKExxxx for the configuration
option taking any number of arguments.
need ; after the password input, or else it give an error "invalid number of arguments in "auth_ldap_binddn_passwd" directive in /etc/nginx/nginx.conf"
Valery
Tomáš Golembiovský
David Beitey
Martin Englund
Prune
Robert Nelson
Tomáš Golembiovský
Jiri Hruska
Pavel Brylov
Chao