Howto Ldap Auth: Difference between revisions

From Pumping Station One
Browse history interactively
← Older editNewer edit →
VisualWikitext
Kuroishi (talk | contribs)
Domain Admins
136 edits
No edit summary
Kuroishi (talk | contribs)
Domain Admins
136 edits
Line 105: Line 105:
Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required.  More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/
Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required.  More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/


    Example configurations to come after implementing nginx authentication.
This is not a good idea, since nginx-auth-ldap does not support STARTTLS encryption, only ldaps on port 636.  A better option for those requiring nginx might be auth_pam, and pam/sssd configured to authenticate via AD.  Do not use this configuration in production, or on off-site services.  Only for use in development environments, authenticating with bob from the local PS1 network.


Building nginx 1.8.0 from source with LDAP support on Debian Jessie
Building nginx 1.8.0 from source with LDAP support on Debian Jessie
Line 137: Line 137:


If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit.
If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit.
Configuring nginx:
* /etc/nginx/nginx.conf (add to http{} block)
        ##
        #LDAP authentication Settings
        ##
        auth_ldap_cache_enabled on;
        auth_ldap_cache_expiration_time 10000;
        auth_ldap_cache_size 1000;
        ldap_server BOB {
            url "ldap://bob.ad.pumpingstationone.org:389/cn=users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)";
            binddn "PS1\SERVICE-ACCOUNT";
            binddn_passwd "SERVICE-ACCOUNT-PASSWORD";
            connect_timeout 5s;
            bind_timeout 5s;
            request_timeout 5s;
            satisfy any;
            group_attribute member;
            group_attribute_is_dn on;
            require group "cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org";
        }
* /etc/nginx/sites-available/site.conf (add to your vhost's server{} block)
        auth_ldap "AD authentication";
        auth_ldap_servers BOB;
Retrieved from "https://ps1.mywikis.net/wiki/Howto_Ldap_Auth"
Powered by MediaWiki
Powered by Semantic MediaWiki