Skip to content

Latest commit

 

History

History
64 lines (49 loc) · 2.88 KB

ngx_ldap_auth.md

File metadata and controls

64 lines (49 loc) · 2.88 KB
Raw

ngx_ldap_auth

ngx_ldap_auth is a module for nginx auth request module that authenticates using an LDAP bind operation.

Error handling

On error, the process terminates with an unsuccessful status.

How to start

Run it on the command line like this: ngx_header_path_auth

ngx_ldap_auth <config file>

Since it does not provide background execution functions such as daemonization, start it via a process management system such as systemd.

If you want to limit authenticated users by LDAP information, use the LDAP search processing filter (use the uniq_filter config parameter).

Configuration file format

See the auth request module documentation for how to configure nginx.

The ngx_ldap_auth configuration file is in TOML format, and the following is a sample configuration file.

socket_type = "tcp"
socket_path = "127.0.0.1:9200"
#cache_seconds = 0
#use_etag = true
auth_realm = "TEST Authentication"

host_url = "ldaps://ldap.example.com"
start_tls = 0
#skip_cert_verify = 0
root_ca_files = [
	"/etc/ssl/certs/Local-CA-Chain.cer",
]

base_dn = "DC=example,DC=com"
bind_dn = "CN=%s,OU=Users,DC=example,DC=com"
uniq_filter = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Group1,DC=example,DC=com)(userPrincipalName=%[email protected]))"
timeout = 5000

Each parameter of the configuration file is as follows.

Parameter Description
socket_type Set this parameter to tcp(TCP socket) or unix(UNIX domain socket).
socket_path Set the IP address and port number for tcp, and UNIX domain socket file path for unix.
cache_seconds The cache duration in seconds to pass to nginx. However, if its value is 0, it will not use the cache.
See Authentication Cache Control for details.
use_etag Set to true to enable cache validation using ETag tags.
See Authentication Cache Control for details.
auth_realm HTTP realm string.
host_url The URL of the LDAP server connection address. The pass part is not used.
start_tls Set to 1 when using TLS STARTTLS.
skip_cert_verify Set to 1 to ignore the certificate check result.
root_ca_files A list of PEM files for the CA certificate. Used when the LDAP server is using a certificate from a private CA.
base_dn The base DN when connecting to the LDAP server.
bind_dn This is the bind DN when performing LDAP bind processing. Rewrite %s as the remote user name and %% as %.
uniq_filter Only if this value is set, search with this value filter. If the search result is one DN, the authentication will be successful.
timeout Communication timeout(unit: ms) with the LDAP server.