add Group check support on LDAP Auth.

README.md

@@ -110,7 +110,7 @@ The **nginx-ldap-auth.conf** file enables caching of both data and credentials.
 
 <pre>http {
   ...
-  <strong>#</strong>proxy_cache_path cache/ keys_zone=auth_cache:10m;
+  <strong>#</strong>proxy_cache_path cache/ levels=1:2 keys_zone=auth_cache:10m;
   ...
   server {
     ...
@@ -128,11 +128,20 @@ The **nginx-ldap-auth.conf** file enables caching of both data and credentials.
 If you want to change the value for the `template` parameter that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value:
 
 <pre>proxy_set_header X-Ldap-Template "<strong>(cn=%(username)s)</strong>";</pre>
+OR
+<pre>proxy_set_header X-Ldap-Template "<strong>(&(objectClass=posixAccount)(uid=%(username)s))</strong>";</pre>
 
 If you want to change the realm name from the default value (**Restricted**), uncomment and change the following directive:
 
 <pre>proxy_set_header X-Ldap-Realm "<strong>Restricted</strong>";</pre>
 
+If you want to auth user and group - use these `binddn` and `grptemplate` parameters that the ldap-auth daemon passes to the OpenLDAP server by default, uncomment the following directive as shown, and change the value:
+
+<pre>
+proxy_set_header X-Ldap-GroupDN "<strong>cn=mygroupname,ou=group,dc=test,dc=com</strong>";
+proxy_set_header X-Ldap-GrpTemplate "<strong>(memberUid=%(username)s)</strong>";</pre>
+
+
 ### Authentication Server
 
 To modify the ldap-auth daemon to communicate with a different (non-LDAP) type of authentication server, write a new authentication-handler class to replace `LDAPAuthHandler` in the **ngx-ldap-auth-daemon.py** script.

nginx-ldap-auth-daemon.py

@@ -3,6 +3,7 @@
 ''''which python  >/dev/null && exec python  "$0" "$@" # '''
 
 # Copyright (C) 2014-2015 Nginx, Inc.
+# Add LDAP Group check support by Evgeny Kulev evgeny@kulev.ru 2016.
 
 import sys, os, signal, base64, ldap, Cookie
 from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
@@ -142,7 +143,9 @@ class LDAPAuthHandler(AuthHandler):
              # parameter      header         default
              'realm': ('X-Ldap-Realm', 'Restricted'),
              'url': ('X-Ldap-URL', None),
+             'groupdn': ('X-Ldap-GroupDN', None),
              'basedn': ('X-Ldap-BaseDN', None),
+             'grptemplate': ('X-Ldap-GrpTemplate', '(memberUid=%(username)s)'),
              'template': ('X-Ldap-Template', '(cn=%(username)s)'),
              'binddn': ('X-Ldap-BindDN', ''),
              'bindpasswd': ('X-Ldap-BindPass', ''),
@@ -178,6 +181,25 @@ class LDAPAuthHandler(AuthHandler):
             ctx['action'] = 'binding as search user'
             ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
 
+            if ctx['groupdn']:
+                ctx['action'] = 'preparing group search filter'
+                grpsearchfilter = ctx['grptemplate'] % { 'username': ctx['user'] }
+
+                self.log_message(('searching on server "%s" with group dn ' + \
+                              '"%s" with filter "%s"') %
+                              (ctx['url'], ctx['groupdn'], grpsearchfilter))
+
+                ctx['action'] = 'running group search query'
+                grpresults = ldap_obj.search_s(ctx['groupdn'], ldap.SCOPE_SUBTREE,
+                                          grpsearchfilter, ['objectclass'], 1)
+
+                ctx['action'] = 'verifying search query grpresults'
+                if len(grpresults) < 1:
+                    self.auth_failed(ctx, 'no permission to user found in group')
+                    return
+                else:
+                    self.log_message('Group OK for user "%s"' % (ctx['user']))
+
             ctx['action'] = 'preparing search filter'
             searchfilter = ctx['template'] % { 'username': ctx['user'] }