Merge 8f36499a42 into 937def0caa
This commit is contained in:
Evgeny Kulev
GitHub
commit
5263e09300
11
README.md
11
README.md
|
|
@ -119,7 +119,7 @@ The **nginx-ldap-auth.conf** file enables caching of both data and credentials.
|
|||
|
||||
<pre>http {
|
||||
...
|
||||
<strong>#</strong>proxy_cache_path cache/ keys_zone=auth_cache:10m;
|
||||
<strong>#</strong>proxy_cache_path cache/ levels=1:2 keys_zone=auth_cache:10m;
|
||||
...
|
||||
server {
|
||||
...
|
||||
|
|
@ -137,11 +137,20 @@ The **nginx-ldap-auth.conf** file enables caching of both data and credentials.
|
|||
If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value:
|
||||
|
||||
<pre>proxy_set_header X-Ldap-Template "<strong>(cn=%(username)s)</strong>";</pre>
|
||||
OR
|
||||
<pre>proxy_set_header X-Ldap-Template "<strong>(&(objectClass=posixAccount)(uid=%(username)s))</strong>";</pre>
|
||||
|
||||
If you want to change the realm name from the default value (**Restricted**), uncomment and change the following directive:
|
||||
|
||||
<pre>proxy_set_header X-Ldap-Realm "<strong>Restricted</strong>";</pre>
|
||||
|
||||
If you want to auth user and group - use these `groupdn` and `grptemplate` parameters that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value:
|
||||
|
||||
<pre>
|
||||
proxy_set_header X-Ldap-GroupDN "<strong>cn=mygroupname,ou=group,dc=test,dc=com</strong>";
|
||||
proxy_set_header X-Ldap-GrpTemplate "<strong>(memberUid=%(username)s)</strong>";</pre>
|
||||
|
||||
|
||||
### Authentication Server
|
||||
|
||||
To modify the ldap-auth daemon to communicate with a different (non-LDAP) type of authentication server, write a new authentication-handler class to replace `LDAPAuthHandler` in the **ngx-ldap-auth-daemon.py** script.
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
''''which python >/dev/null && exec python -u "$0" "$@" &>>$LOG # '''
|
||||
|
||||
# Copyright (C) 2014-2015 Nginx, Inc.
|
||||
# Add LDAP Group check support by Evgeny Kulev evgeny@kulev.ru 2016.
|
||||
|
||||
import sys, os, signal, base64, ldap, Cookie, argparse
|
||||
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
|
||||
|
|
@ -147,7 +148,9 @@ class LDAPAuthHandler(AuthHandler):
|
|||
# parameter header default
|
||||
'realm': ('X-Ldap-Realm', 'Restricted'),
|
||||
'url': ('X-Ldap-URL', None),
|
||||
'groupdn': ('X-Ldap-GroupDN', None),
|
||||
'basedn': ('X-Ldap-BaseDN', None),
|
||||
'grptemplate': ('X-Ldap-GrpTemplate', '(memberUid=%(username)s)'),
|
||||
'template': ('X-Ldap-Template', '(cn=%(username)s)'),
|
||||
'binddn': ('X-Ldap-BindDN', ''),
|
||||
'bindpasswd': ('X-Ldap-BindPass', ''),
|
||||
|
|
@ -199,6 +202,25 @@ class LDAPAuthHandler(AuthHandler):
|
|||
ctx['action'] = 'binding as search user'
|
||||
ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
|
||||
|
||||
if ctx['groupdn']:
|
||||
ctx['action'] = 'preparing group search filter'
|
||||
grpsearchfilter = ctx['grptemplate'] % { 'username': ctx['user'] }
|
||||
|
||||
self.log_message(('searching on server "%s" with group dn ' + \
|
||||
'"%s" with filter "%s"') %
|
||||
(ctx['url'], ctx['groupdn'], grpsearchfilter))
|
||||
|
||||
ctx['action'] = 'running group search query'
|
||||
grpresults = ldap_obj.search_s(ctx['groupdn'], ldap.SCOPE_SUBTREE,
|
||||
grpsearchfilter, ['objectclass'], 1)
|
||||
|
||||
ctx['action'] = 'verifying search query grpresults'
|
||||
if len(grpresults) < 1:
|
||||
self.auth_failed(ctx, 'no permission to user found in group')
|
||||
return
|
||||
else:
|
||||
self.log_message('Group OK for user "%s"' % (ctx['user']))
|
||||
|
||||
ctx['action'] = 'preparing search filter'
|
||||
searchfilter = ctx['template'] % { 'username': ctx['user'] }
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue