public_git
/
nginx-ldap-auth
mirror of https://github.com/nginxinc/nginx-ldap-auth.git
1
0
Fork 1
Code Issues Releases Wiki Activity

Add STARTTLS support

This commit is contained in:
Matthieu Cerda 2017-10-26 10:39:47 +02:00 committed by Matthieu Cerda
parent ea2ebf210e
commit c228f39fa6
3 changed files with 34 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@ -78,7 +78,10 @@ For detailed instructions, see [Configuring the Reference Implementation](https:
proxy_cache_valid 200 <strong>10m</strong>; proxy_cache_valid 200 <strong>10m</strong>;
# URL and port for connecting to the LDAP server # URL and port for connecting to the LDAP server
proxy_set_header X-Ldap-URL "<strong>ldaps</strong>://<strong>example.com</strong>:<strong>636</strong>"; proxy_set_header X-Ldap-URL "<strong>ldap</strong>://<strong>example.com</strong>";
# Negotiate a TLS-enabled (STARTTLS) connection before sending credentials
proxy_set_header X-Ldap-Starttls "true";
# Base DN # Base DN
proxy_set_header X-Ldap-BaseDN "<strong>cn=Users,dc=test,dc=local</strong>"; proxy_set_header X-Ldap-BaseDN "<strong>cn=Users,dc=test,dc=local</strong>";

19
nginx-ldap-auth-daemon.py
View File

@ -147,6 +147,7 @@ class LDAPAuthHandler(AuthHandler):
# parameter header default # parameter header default
'realm': ('X-Ldap-Realm', 'Restricted'), 'realm': ('X-Ldap-Realm', 'Restricted'),
'url': ('X-Ldap-URL', None), 'url': ('X-Ldap-URL', None),
'starttls': ('X-Ldap-Starttls', 'false'),
'basedn': ('X-Ldap-BaseDN', None), 'basedn': ('X-Ldap-BaseDN', None),
'template': ('X-Ldap-Template', '(cn=%(username)s)'), 'template': ('X-Ldap-Template', '(cn=%(username)s)'),
'binddn': ('X-Ldap-BindDN', ''), 'binddn': ('X-Ldap-BindDN', ''),
@ -192,6 +193,20 @@ class LDAPAuthHandler(AuthHandler):
ctx['action'] = 'initializing LDAP connection' ctx['action'] = 'initializing LDAP connection'
ldap_obj = ldap.initialize(ctx['url']); ldap_obj = ldap.initialize(ctx['url']);
# Python-ldap module documentation advises to always
# explicitely set the LDAP version to use after running
# initialize() and recommends using LDAPv3. (LDAPv2 is
# deprecated since 2003 as per RFC3494)
#
# Also, the STARTTLS extension requires the
# use of LDAPv3 (RFC2830).
ldap_obj.protocol_version=ldap.VERSION3
# Establish a STARTTLS connection if required by the
# headers.
if ctx['starttls'] == 'true':
ldap_obj.start_tls_s()
# See http://www.python-ldap.org/faq.shtml # See http://www.python-ldap.org/faq.shtml
# uncomment, if required # uncomment, if required
# ldap_obj.set_option(ldap.OPT_REFERRALS, 0) # ldap_obj.set_option(ldap.OPT_REFERRALS, 0)
@ -255,6 +270,9 @@ if __name__ == '__main__':
group.add_argument('-u', '--url', metavar="URL", group.add_argument('-u', '--url', metavar="URL",
default="ldap://localhost:389", default="ldap://localhost:389",
help=("LDAP URI to query (Default: ldap://localhost:389)")) help=("LDAP URI to query (Default: ldap://localhost:389)"))
group.add_argument('-s', '--starttls', metavar="starttls",
default="false",
help=("Establish a STARTTLS protected session (Default: false)"))
group.add_argument('-b', metavar="baseDn", dest="basedn", default='', group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
help="LDAP base dn (Default: unset)") help="LDAP base dn (Default: unset)")
group.add_argument('-D', metavar="bindDn", dest="binddn", default='', group.add_argument('-D', metavar="bindDn", dest="binddn", default='',
@ -277,6 +295,7 @@ if __name__ == '__main__':
auth_params = { auth_params = {
'realm': ('X-Ldap-Realm', args.realm), 'realm': ('X-Ldap-Realm', args.realm),
'url': ('X-Ldap-URL', args.url), 'url': ('X-Ldap-URL', args.url),
'starttls': ('X-Ldap-Starttls', args.starttls),
'basedn': ('X-Ldap-BaseDN', args.basedn), 'basedn': ('X-Ldap-BaseDN', args.basedn),
'template': ('X-Ldap-Template', args.filter), 'template': ('X-Ldap-Template', args.filter),
'binddn': ('X-Ldap-BindDN', args.binddn), 'binddn': ('X-Ldap-BindDN', args.binddn),

14
nginx-ldap-auth.conf
View File

@ -61,17 +61,25 @@ http {
# #
# Parameter Proxy header # Parameter Proxy header
# ----------- ---------------- # ----------- ----------------
# url X-Ldap-URL
# starttls X-Ldap-Starttls
# basedn X-Ldap-BaseDN # basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN # binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass # bindpasswd X-Ldap-BindPass
# cookiename X-CookieName # cookiename X-CookieName
# realm X-Ldap-Realm # realm X-Ldap-Realm
# template X-Ldap-Template # template X-Ldap-Template
# url X-Ldap-URL
# (Required) Set the URL and port for connecting to the LDAP server, # (Required) Set the URL and port for connecting to the LDAP server,
# by replacing 'example.com' and '636'. # by replacing 'example.com'.
proxy_set_header X-Ldap-URL "ldaps://example.com:636"; # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
proxy_set_header X-Ldap-URL "ldap://example.com";
# (Optional) Establish a TLS-enabled LDAP session after binding to the
# LDAP server.
# This is the 'proper' way to establish encrypted TLS connections, see
# http://www.openldap.org/faq/data/cache/185.html
#proxy_set_header X-Ldap-Starttls "true";
# (Required) Set the Base DN, by replacing the value enclosed in # (Required) Set the Base DN, by replacing the value enclosed in
# double quotes. # double quotes.