Added Template usage example to README.md

2017-05-17 14:46:03 +03:00 · 2017-05-17 14:46:03 +03:00 · 937def0caa
parent f9e1a42329
commit 937def0caa
1 changed files with 9 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -98,6 +98,15 @@ If the authentication server runs Active Directory rather than OpenLDAP, uncomme
 proxy_set_header X-Ldap-Template "(SAMAccountName=%(username)s)";
 ```

+In addition, the **X-Ldap-Template** header can be used to create complex LDAP searches. The code in ldap-auth-daemon creates a search filter that is based on this template header. By default, template is empty, and does not make any effect on LDAP search. However, you may decide for instance to authenticate only users from a specific user group (see LDAP documentation for more information regarding filters). 
+
+Suppose, your web resource should only be available for users from `group1` group.
+In such a case you can define `X-Ldap-Template` template as follows:
+
+proxy_set_header X-Ldap-Template "(&(cn=%(username)s)(memberOf=cn=group1,cn=Users,dc=example,dc=com))";
+
+The search filters can be combined from less complex filters using boolean operations and can be rather complex.
+
 The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, comment out the following directives as shown:

 <pre><strong>#</strong>proxy_set_header X-CookieName "nginxauth";