add Group check support on LDAP Auth.

2016-09-01 20:14:05 +03:00 · 2016-09-01 20:14:05 +03:00 · d2d4300d4f
parent 52d5cba3e9
commit d2d4300d4f
2 changed files with 32 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -110,7 +110,7 @@ The **nginx-ldap-auth.conf** file enables caching of both data and credentials.

 <pre>http {
  ...
-  <strong>#</strong>proxy_cache_path cache/ keys_zone=auth_cache:10m;
+  <strong>#</strong>proxy_cache_path cache/ levels=1:2 keys_zone=auth_cache:10m;
  ...
  server {
    ...
@ -128,11 +128,20 @@ The **nginx-ldap-auth.conf** file enables caching of both data and credentials.
 If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value:

 <pre>proxy_set_header X-Ldap-Template "<strong>(cn=%(username)s)</strong>";</pre>
+OR
+<pre>proxy_set_header X-Ldap-Template "<strong>(&(objectClass=posixAccount)(uid=%(username)s))</strong>";</pre>

 If you want to change the realm name from the default value (**Restricted**), uncomment and change the following directive:

 <pre>proxy_set_header X-Ldap-Realm "<strong>Restricted</strong>";</pre>

+If you want to auth user and group - use these `binddn` and `grptemplate` parameters that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value:
+
+<pre>
+proxy_set_header X-Ldap-GroupDN "<strong>cn=mygroupname,ou=group,dc=test,dc=com</strong>";
+proxy_set_header X-Ldap-GrpTemplate "<strong>(memberUid=%(username)s)</strong>";</pre>
+
+
 ### Authentication Server

 To modify the ldap-auth daemon to communicate with a different (non-LDAP) type of authentication server, write a new authentication-handler class to replace `LDAPAuthHandler` in the **ngx-ldap-auth-daemon.py** script.
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@ -3,6 +3,7 @@
 ''''which python  >/dev/null && exec python  "$0" "$@" # '''

 # Copyright (C) 2014-2015 Nginx, Inc.
+# Add LDAP Group check support by Evgeny Kulev evgeny@kulev.ru 2016.

 import sys, os, signal, base64, ldap, Cookie
 from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
@ -142,7 +143,9 @@ class LDAPAuthHandler(AuthHandler):
             # parameter      header         default
             'realm': ('X-Ldap-Realm', 'Restricted'),
             'url': ('X-Ldap-URL', None),
+             'groupdn': ('X-Ldap-GroupDN', None),
             'basedn': ('X-Ldap-BaseDN', None),
+             'grptemplate': ('X-Ldap-GrpTemplate', '(memberUid=%(username)s)'),
             'template': ('X-Ldap-Template', '(cn=%(username)s)'),
             'binddn': ('X-Ldap-BindDN', ''),
             'bindpasswd': ('X-Ldap-BindPass', ''),
@ -178,6 +181,25 @@ class LDAPAuthHandler(AuthHandler):
            ctx['action'] = 'binding as search user'
            ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)

+            if ctx['groupdn']:
+                ctx['action'] = 'preparing group search filter'
+                grpsearchfilter = ctx['grptemplate'] % { 'username': ctx['user'] }
+
+                self.log_message(('searching on server "%s" with group dn ' + \
+                              '"%s" with filter "%s"') %
+                              (ctx['url'], ctx['groupdn'], grpsearchfilter))
+
+                ctx['action'] = 'running group search query'
+                grpresults = ldap_obj.search_s(ctx['groupdn'], ldap.SCOPE_SUBTREE,
+                                          grpsearchfilter, ['objectclass'], 1)
+
+                ctx['action'] = 'verifying search query grpresults'
+                if len(grpresults) < 1:
+                    self.auth_failed(ctx, 'no permission to user found in group')
+                    return
+                else:
+                    self.log_message('Group OK for user "%s"' % (ctx['user']))
+
            ctx['action'] = 'preparing search filter'
            searchfilter = ctx['template'] % { 'username': ctx['user'] }