You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
145 lines
3.5 KiB
145 lines
3.5 KiB
# LDAP Authentication module for nginx
|
|
LDAP module for nginx which supports authentication against multiple LDAP servers.
|
|
|
|
# How to install
|
|
|
|
## FreeBSD
|
|
|
|
```bash
|
|
cd /usr/ports/www/nginx && make config install clean
|
|
```
|
|
|
|
Check HTTP_AUTH_LDAP options
|
|
|
|
|
|
```
|
|
[*] HTTP_AUTH_LDAP 3rd party http_auth_ldap module
|
|
```
|
|
|
|
## Linux
|
|
|
|
```bash
|
|
cd ~ && git clone https://github.com/kvspb/nginx-auth-ldap.git
|
|
```
|
|
|
|
in nginx source folder
|
|
|
|
```bash
|
|
./configure --add-module=path_to_http_auth_ldap_module
|
|
make install
|
|
```
|
|
|
|
# Example configuration
|
|
Define list of your LDAP servers with required user/group requirements:
|
|
|
|
```bash
|
|
http {
|
|
ldap_server test1 {
|
|
url ldap://192.168.0.1:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);
|
|
binddn "TEST\\LDAPUSER";
|
|
binddn_passwd LDAPPASSWORD;
|
|
group_attribute uniquemember;
|
|
group_attribute_is_dn on;
|
|
require valid_user;
|
|
}
|
|
|
|
ldap_server test2 {
|
|
url ldap://192.168.0.2:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);
|
|
binddn "TEST\\LDAPUSER";
|
|
binddn_passwd LDAPPASSWORD;
|
|
group_attribute uniquemember;
|
|
group_attribute_is_dn on;
|
|
require valid_user;
|
|
}
|
|
}
|
|
```
|
|
|
|
And add required servers in correct order into your location/server directive:
|
|
```bash
|
|
server {
|
|
listen 8000;
|
|
server_name localhost;
|
|
|
|
auth_ldap "Forbidden";
|
|
auth_ldap_servers test1;
|
|
auth_ldap_servers test2;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html index.htm;
|
|
}
|
|
|
|
}
|
|
```
|
|
|
|
# Available config parameters
|
|
|
|
## url
|
|
expected value: string
|
|
|
|
Available URL schemes: ldap://, ldaps://
|
|
|
|
## binddn
|
|
expected value: string
|
|
|
|
## binddn_passwd
|
|
expected value: string
|
|
|
|
## group_attribute
|
|
expected value: string
|
|
|
|
## group_attribute_is_dn
|
|
expected value: on or off, default off
|
|
|
|
## require
|
|
expected value: valid_user, user, group
|
|
|
|
## satisfy
|
|
expected value: all, any
|
|
|
|
## max_down_retries_count
|
|
expected value: a number, default 0
|
|
|
|
Retry count for attempting to reconnect to an LDAP server if it is considered
|
|
"DOWN". This may happen if a KEEP-ALIVE connection to an LDAP server times
|
|
out or is terminated by the server end after some amount of time.
|
|
|
|
This can usually help with the following error:
|
|
|
|
```
|
|
http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server)
|
|
```
|
|
|
|
## connections
|
|
expected value: a number greater than 0
|
|
|
|
## ssl_check_cert
|
|
expected value: on or off, default off
|
|
|
|
Verify the remote certificate for LDAPs connections. If disabled, any remote certificate will be
|
|
accepted which exposes you to possible man-in-the-middle attacks. Note that the server's
|
|
certificate will need to be signed by a proper CA trusted by your system if this is enabled.
|
|
See below how to trust CAs without installing them system-wide.
|
|
|
|
This options needs OpenSSL >= 1.0.2; it is unavailable if compiled with older versions.
|
|
|
|
## ssl_ca_file
|
|
expected value: file path
|
|
|
|
Trust the CA certificate in this file (see ssl_check_cert above).
|
|
|
|
## ssl_ca_dir
|
|
expected value: directory path
|
|
|
|
Trust all CA certificates in this directory (see ssl_check_cert above).
|
|
|
|
Note that you need to provide hash-based symlinks in the directory for this to work;
|
|
you'll basically need to run OpenSSL's c_rehash command in this directory.
|
|
|
|
## referral
|
|
expected value: on, off
|
|
|
|
LDAP library default is on. This option disables usage of referral messages from
|
|
LDAP server. Usefull for authenticating against read only AD server without access
|
|
to read write.
|
|
|
|
|