Removed trailing spaces.
parent
b5de9a539c
commit
9df349f98e
|
|
@ -98,7 +98,7 @@ If the authentication server runs Active Directory rather than OpenLDAP, uncomme
|
||||||
proxy_set_header X-Ldap-Template "(SAMAccountName=%(username)s)";
|
proxy_set_header X-Ldap-Template "(SAMAccountName=%(username)s)";
|
||||||
```
|
```
|
||||||
|
|
||||||
In addition, the **X-Ldap-Template** header can be used to create complex LDAP searches. The code in ldap-auth-daemon creates a search filter that is based on this template header. By default, template is empty, and does not make any effect on LDAP search. However, you may decide for instance to authenticate only users from a specific user group (see LDAP documentation for more information regarding filters).
|
In addition, the **X-Ldap-Template** header can be used to create complex LDAP searches. The code in ldap-auth-daemon creates a search filter that is based on this template header. By default, template is empty, and does not make any effect on LDAP search. However, you may decide for instance to authenticate only users from a specific user group (see LDAP documentation for more information regarding filters).
|
||||||
|
|
||||||
Suppose, your web resource should only be available for users from `group1` group.
|
Suppose, your web resource should only be available for users from `group1` group.
|
||||||
In such a case you can define `X-Ldap-Template` template as follows:
|
In such a case you can define `X-Ldap-Template` template as follows:
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,6 @@ Package: nginx-ldap-auth
|
||||||
Architecture: all
|
Architecture: all
|
||||||
Depends: systemd, python(>=2.6), python-ldap, python-argparse
|
Depends: systemd, python(>=2.6), python-ldap, python-argparse
|
||||||
Description: a reference implementation of an authentication helper for Nginx
|
Description: a reference implementation of an authentication helper for Nginx
|
||||||
This is a reference implementation of an authentication helper for Nginx.
|
This is a reference implementation of an authentication helper for Nginx.
|
||||||
It listens for incoming requests and uses parameters from headers
|
It listens for incoming requests and uses parameters from headers
|
||||||
to bind to a remote LDAP directory and try authenticating a person.
|
to bind to a remote LDAP directory and try authenticating a person.
|
||||||
|
|
|
||||||
|
|
@ -41,8 +41,8 @@ case "$1" in
|
||||||
|
|
||||||
SSDOPTS="--quiet --oknodo --background --no-close --make-pidfile --pidfile $PIDFILE --chuid $USER:$GROUP --exec $DAEMON"
|
SSDOPTS="--quiet --oknodo --background --no-close --make-pidfile --pidfile $PIDFILE --chuid $USER:$GROUP --exec $DAEMON"
|
||||||
DAEMON_ARGS="$URL $BASE $BIND_DN $BIND_PASS $COOKIE $FILTER $REALM"
|
DAEMON_ARGS="$URL $BASE $BIND_DN $BIND_PASS $COOKIE $FILTER $REALM"
|
||||||
|
|
||||||
if start-stop-daemon --start $SSDOPTS -- $DAEMON_ARGS &>$LOG
|
if start-stop-daemon --start $SSDOPTS -- $DAEMON_ARGS &>$LOG
|
||||||
then
|
then
|
||||||
echo "$NAME."
|
echo "$NAME."
|
||||||
else
|
else
|
||||||
|
|
|
||||||
|
|
@ -182,12 +182,12 @@ class LDAPAuthHandler(AuthHandler):
|
||||||
try:
|
try:
|
||||||
# check that uri and baseDn are set
|
# check that uri and baseDn are set
|
||||||
# either from cli or a request
|
# either from cli or a request
|
||||||
if not ctx['url']:
|
if not ctx['url']:
|
||||||
self.log_message('LDAP URL is not set!')
|
self.log_message('LDAP URL is not set!')
|
||||||
return
|
return
|
||||||
if not ctx['basedn']:
|
if not ctx['basedn']:
|
||||||
self.log_message('LDAP baseDN is not set!')
|
self.log_message('LDAP baseDN is not set!')
|
||||||
return
|
return
|
||||||
|
|
||||||
ctx['action'] = 'initializing LDAP connection'
|
ctx['action'] = 'initializing LDAP connection'
|
||||||
ldap_obj = ldap.initialize(ctx['url']);
|
ldap_obj = ldap.initialize(ctx['url']);
|
||||||
|
|
@ -247,14 +247,14 @@ if __name__ == '__main__':
|
||||||
description="""Simple Nginx LDAP authentication helper.""")
|
description="""Simple Nginx LDAP authentication helper.""")
|
||||||
# Group for listen options:
|
# Group for listen options:
|
||||||
group = parser.add_argument_group("Listen options")
|
group = parser.add_argument_group("Listen options")
|
||||||
group.add_argument('--host', metavar="hostname",
|
group.add_argument('--host', metavar="hostname",
|
||||||
default="localhost", help="host to bind (Default: localhost)")
|
default="localhost", help="host to bind (Default: localhost)")
|
||||||
group.add_argument('-p', '--port', metavar="port", type=int,
|
group.add_argument('-p', '--port', metavar="port", type=int,
|
||||||
default=8888, help="port to bind (Default: 8888)")
|
default=8888, help="port to bind (Default: 8888)")
|
||||||
# ldap options:
|
# ldap options:
|
||||||
group = parser.add_argument_group(title="LDAP options")
|
group = parser.add_argument_group(title="LDAP options")
|
||||||
group.add_argument('-u', '--url', metavar="URL",
|
group.add_argument('-u', '--url', metavar="URL",
|
||||||
default="ldap://localhost:389",
|
default="ldap://localhost:389",
|
||||||
help=("LDAP URI to query (Default: ldap://localhost:389)"))
|
help=("LDAP URI to query (Default: ldap://localhost:389)"))
|
||||||
group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
|
group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
|
||||||
help="LDAP base dn (Default: unset)")
|
help="LDAP base dn (Default: unset)")
|
||||||
|
|
@ -262,18 +262,18 @@ if __name__ == '__main__':
|
||||||
help="LDAP bind DN (Default: anonymous)")
|
help="LDAP bind DN (Default: anonymous)")
|
||||||
group.add_argument('-w', metavar="passwd", dest="bindpw", default='',
|
group.add_argument('-w', metavar="passwd", dest="bindpw", default='',
|
||||||
help="LDAP password for the bind DN (Default: unset)")
|
help="LDAP password for the bind DN (Default: unset)")
|
||||||
group.add_argument('-f', '--filter', metavar='filter',
|
group.add_argument('-f', '--filter', metavar='filter',
|
||||||
default='(cn=%(username)s)',
|
default='(cn=%(username)s)',
|
||||||
help="LDAP filter (Default: cn=%%(username)s)")
|
help="LDAP filter (Default: cn=%%(username)s)")
|
||||||
# http options:
|
# http options:
|
||||||
group = parser.add_argument_group(title="HTTP options")
|
group = parser.add_argument_group(title="HTTP options")
|
||||||
group.add_argument('-R', '--realm', metavar='"Restricted Area"',
|
group.add_argument('-R', '--realm', metavar='"Restricted Area"',
|
||||||
default="Resticted", help='HTTP auth realm (Default: "Restricted")')
|
default="Resticted", help='HTTP auth realm (Default: "Restricted")')
|
||||||
group.add_argument('-c', '--cookie', metavar="cookiename",
|
group.add_argument('-c', '--cookie', metavar="cookiename",
|
||||||
default="", help="HTTP cookie name to set in (Default: unset)")
|
default="", help="HTTP cookie name to set in (Default: unset)")
|
||||||
|
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
global Listen
|
global Listen
|
||||||
Listen = (args.host, args.port)
|
Listen = (args.host, args.port)
|
||||||
auth_params = {
|
auth_params = {
|
||||||
'realm': ('X-Ldap-Realm', args.realm),
|
'realm': ('X-Ldap-Realm', args.realm),
|
||||||
|
|
|
||||||