diff --git a/README.md b/README.md index b68bc2a..548d77e 100644 --- a/README.md +++ b/README.md @@ -119,7 +119,7 @@ The **nginx-ldap-auth.conf** file enables caching of both data and credentials. 
http {
   ...
-  #proxy_cache_path cache/ keys_zone=auth_cache:10m;
+  #proxy_cache_path cache/ levels=1:2 keys_zone=auth_cache:10m;
   ...
   server {
     ...
@@ -137,11 +137,20 @@ The **nginx-ldap-auth.conf** file enables caching of both data and credentials.
 If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value:
 
 
proxy_set_header X-Ldap-Template "(cn=%(username)s)";

+OR
+
proxy_set_header X-Ldap-Template "(&(objectClass=posixAccount)(uid=%(username)s))";

 
 If you want to change the realm name from the default value (**Restricted**), uncomment and change the following directive:
 
 
proxy_set_header X-Ldap-Realm "Restricted";

 
+If you want to auth user and group - use these `groupdn` and `grptemplate` parameters that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value:
+
+
+proxy_set_header X-Ldap-GroupDN "cn=mygroupname,ou=group,dc=test,dc=com";
+proxy_set_header X-Ldap-GrpTemplate "(memberUid=%(username)s)";

+
+
 ### Authentication Server
 
 To modify the ldap-auth daemon to communicate with a different (non-LDAP) type of authentication server, write a new authentication-handler class to replace `LDAPAuthHandler` in the **ngx-ldap-auth-daemon.py** script.
diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py
index 31626d1..2683858 100755
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@@ -3,6 +3,7 @@
 ''''which python  >/dev/null && exec python  -u "$0" "$@" &>>$LOG # '''
 
 # Copyright (C) 2014-2015 Nginx, Inc.
+# Add LDAP Group check support by Evgeny Kulev evgeny@kulev.ru 2016.
 
 import sys, os, signal, base64, ldap, Cookie, argparse
 from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
@@ -147,7 +148,9 @@ class LDAPAuthHandler(AuthHandler):
              # parameter      header         default
              'realm': ('X-Ldap-Realm', 'Restricted'),
              'url': ('X-Ldap-URL', None),
+             'groupdn': ('X-Ldap-GroupDN', None),
              'basedn': ('X-Ldap-BaseDN', None),
+             'grptemplate': ('X-Ldap-GrpTemplate', '(memberUid=%(username)s)'),
              'template': ('X-Ldap-Template', '(cn=%(username)s)'),
              'binddn': ('X-Ldap-BindDN', ''),
              'bindpasswd': ('X-Ldap-BindPass', ''),
@@ -199,6 +202,25 @@ class LDAPAuthHandler(AuthHandler):
             ctx['action'] = 'binding as search user'
             ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
 
+            if ctx['groupdn']:
+                ctx['action'] = 'preparing group search filter'
+                grpsearchfilter = ctx['grptemplate'] % { 'username': ctx['user'] }
+
+                self.log_message(('searching on server "%s" with group dn ' + \
+                              '"%s" with filter "%s"') %
+                              (ctx['url'], ctx['groupdn'], grpsearchfilter))
+
+                ctx['action'] = 'running group search query'
+                grpresults = ldap_obj.search_s(ctx['groupdn'], ldap.SCOPE_SUBTREE,
+                                          grpsearchfilter, ['objectclass'], 1)
+
+                ctx['action'] = 'verifying search query grpresults'
+                if len(grpresults) < 1:
+                    self.auth_failed(ctx, 'no permission to user found in group')
+                    return
+                else:
+                    self.log_message('Group OK for user "%s"' % (ctx['user']))
+
             ctx['action'] = 'preparing search filter'
             searchfilter = ctx['template'] % { 'username': ctx['user'] }