mainnika
/
nginx-auth-ldap
mirror of https://github.com/mainnika/nginx-auth-ldap
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
slightly patched fork of LDAP authentication module for nginx
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
102 Commits
1 Branch
1 Tag
289 KiB
 
Tag: Branch: Tree: acb13cffaf
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'acb13cffaf'
${ noResults }
Victor Hahn acb13cffaf
Amend documentation 		10 years ago
LICENSE Amend documentation 10 years ago
README.md Amend documentation 10 years ago
config Compile cleanly on FreeBSD 10 years ago
example.conf replacing tabs with spaces to fix example.conf formating 10 years ago
ngx_http_auth_ldap_module.c Expose SSL certificate verification as config option 10 years ago

README.md

LDAP Authentication module for nginx

LDAP module for nginx which supports authentication against multiple LDAP servers.

How to install

FreeBSD

cd /usr/ports/www/nginx && make config install clean

Check HTTP_AUTH_LDAP options

[*] HTTP_AUTH_LDAP        3rd party http_auth_ldap module

Linux

cd ~ && git clone https://github.com/kvspb/nginx-auth-ldap.git

in nginx source folder

./configure --add-module=path_to_http_auth_ldap_module
make install

Example configuration

Define list of your LDAP servers with required user/group requirements:

    http {
      ldap_server test1 {
        url ldap://192.168.0.1:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);
        binddn "TEST\\LDAPUSER";
        binddn_passwd LDAPPASSWORD;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
      }

      ldap_server test2 {
        url ldap://192.168.0.2:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);
        binddn "TEST\\LDAPUSER";
        binddn_passwd LDAPPASSWORD;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
      }
    }

And add required servers in correct order into your location/server directive:

    server {
        listen       8000;
        server_name  localhost;

        auth_ldap "Forbidden";
        auth_ldap_servers test1;
		auth_ldap_servers test2;

        location / {
            root   html;
            index  index.html index.htm;
        }

    }

Available config parameters

url

expected value: string

Available URL schemes: ldap://, ldaps://

binddn

expected value: string

binddn_passwd

expected value: string

group_attribute

expected value: string

group_attribute_is_dn

expected value: on or off, default off

require

expected value: valid_user, user, group

satisfy

expected value: all, any

connections

expected value: a number greater than 0

ssl_check_cert

expected value: on or off, default off

Verify the remote certificate for LDAPs connections. If disabled, any remote ceritificate will be accepted which exposes you to possible man-in-the-middle attacks. Note that the server's certificate will need to be signed by a proper CA trusted by your system if this is enabled. See below how to trust CAs without installing them system-wide.

ssl_ca_file

expected value: file path

Trust the CA certificate in this file (see ssl_check_cert above).

ssl_ca_dir

expected value: directory path

Trust all CA certificates in this directory (see ssl_check_cert above).

Note that you need to provide hash-based symlinks in the directory for this to work; you'll basically need to run OpenSSL's c_rehash command in this directory.