Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/kvspb/nginx-auth-ldap

LDAP authentication module for nginx
https://github.com/kvspb/nginx-auth-ldap

Last synced: about 1 month ago
JSON representation

LDAP authentication module for nginx

Awesome Lists containing this project

README 

        
# LDAP Authentication module for nginx

LDAP module for nginx which supports authentication against multiple LDAP servers.



# How to install



## FreeBSD



```bash

cd /usr/ports/www/nginx && make config install clean

```



Check HTTP_AUTH_LDAP options



```

[*] HTTP_AUTH_LDAP        3rd party http_auth_ldap module

```



## Linux



```bash

cd ~ && git clone https://github.com/kvspb/nginx-auth-ldap.git   

```



in nginx source folder



```bash

./configure --add-module=path_to_http_auth_ldap_module

make install

```



# Example configuration

Define list of your LDAP servers with required user/group requirements:



```bash

    http {

      ldap_server test1 {

        url ldap://192.168.0.1:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);

        binddn "TEST\\LDAPUSER";

        binddn_passwd LDAPPASSWORD;

        group_attribute uniquemember;

        group_attribute_is_dn on;

        require valid_user;

      }



      ldap_server test2 {

        url ldap://192.168.0.2:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);

        binddn "TEST\\LDAPUSER";

        binddn_passwd LDAPPASSWORD;

        group_attribute uniquemember;

        group_attribute_is_dn on;

        require valid_user;

      }

    }

```



And add required servers in correct order into your location/server directive:

```bash

    server {

        listen       8000;

        server_name  localhost;



        auth_ldap "Forbidden";

        auth_ldap_servers test1;

		auth_ldap_servers test2;



        location / {

            root   html;

            index  index.html index.htm;

        }



    }

```



# Available config parameters



## url

expected value: string



Available URL schemes: ldap://, ldaps://



## binddn

expected value: string



## binddn_passwd

expected value: string



## group_attribute

expected value: string



## group_attribute_is_dn

expected value: on or off, default off



## require

expected value: valid_user, user, group



## satisfy

expected value: all, any



## max_down_retries

expected value: a number, default 0



Retry count for attempting to reconnect to an LDAP server if it is considered

"DOWN".  This may happen if a KEEP-ALIVE connection to an LDAP server times 

out or is terminated by the server end after some amount of time.  



This can usually help with the following error:



```

http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server)

```



## connections

expected value: a number greater than 0



## ssl_check_cert

expected value: on or off, default off



Verify the remote certificate for LDAPs connections. If disabled, any remote certificate will be

accepted which exposes you to possible man-in-the-middle attacks. Note that the server's

certificate will need to be signed by a proper CA trusted by your system if this is enabled.

See below how to trust CAs without installing them system-wide.



This options needs OpenSSL >= 1.0.2; it is unavailable if compiled with older versions.



## ssl_ca_file

expected value: file path



Trust the CA certificate in this file (see ssl_check_cert above).



## ssl_ca_dir

expected value: directory path



Trust all CA certificates in this directory (see ssl_check_cert above).



Note that you need to provide hash-based symlinks in the directory for this to work;

you'll basically need to run OpenSSL's c_rehash command in this directory.



## referral

expected value: on, off



LDAP library default is on. This option disables usage of referral messages from

LDAP server. Useful for authenticating against read only AD server without access

to read write.