Michael Ludvig 2017-10-25 09:18:08 +00:00 committed by GitHub
commit f3c35b5880
2 changed files with 13 additions and 0 deletions


@ -151,6 +151,7 @@ class LDAPAuthHandler(AuthHandler):
'template': ('X-Ldap-Template', '(cn=%(username)s)'), 'template': ('X-Ldap-Template', '(cn=%(username)s)'),
'binddn': ('X-Ldap-BindDN', ''), 'binddn': ('X-Ldap-BindDN', ''),
'bindpasswd': ('X-Ldap-BindPass', ''), 'bindpasswd': ('X-Ldap-BindPass', ''),
'cacertfile': ('X-Ldap-CACertFile', ''),
'cookiename': ('X-CookieName', '') 'cookiename': ('X-CookieName', '')
} }
@ -189,6 +190,10 @@ class LDAPAuthHandler(AuthHandler):
self.log_message('LDAP baseDN is not set!') self.log_message('LDAP baseDN is not set!')
return return
if ctx['cacertfile']:
self.log_message('Setting CA Certificate to: %s' % ctx['cacertfile'])
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ctx['cacertfile'])
ctx['action'] = 'initializing LDAP connection' ctx['action'] = 'initializing LDAP connection'
ldap_obj = ldap.initialize(ctx['url']); ldap_obj = ldap.initialize(ctx['url']);
@ -262,6 +267,8 @@ if __name__ == '__main__':
help="LDAP bind DN (Default: anonymous)") help="LDAP bind DN (Default: anonymous)")
group.add_argument('-w', metavar="passwd", dest="bindpw", default='', group.add_argument('-w', metavar="passwd", dest="bindpw", default='',
help="LDAP password for the bind DN (Default: unset)") help="LDAP password for the bind DN (Default: unset)")
group.add_argument('-C', metavar="file", dest="cacertfile", default='',
help="LDAPS CA Certificate File (Default: unset)")
group.add_argument('-f', '--filter', metavar='filter', group.add_argument('-f', '--filter', metavar='filter',
default='(cn=%(username)s)', default='(cn=%(username)s)',
help="LDAP filter (Default: cn=%%(username)s)") help="LDAP filter (Default: cn=%%(username)s)")
@ -282,6 +289,7 @@ if __name__ == '__main__':
'template': ('X-Ldap-Template', args.filter), 'template': ('X-Ldap-Template', args.filter),
'binddn': ('X-Ldap-BindDN', args.binddn), 'binddn': ('X-Ldap-BindDN', args.binddn),
'bindpasswd': ('X-Ldap-BindPass', args.bindpw), 'bindpasswd': ('X-Ldap-BindPass', args.bindpw),
'cacertfile': ('X-Ldap-CACertFile', args.cacertfile),
'cookiename': ('X-CookieName', args.cookie) 'cookiename': ('X-CookieName', args.cookie)
} }
LDAPAuthHandler.set_params(auth_params) LDAPAuthHandler.set_params(auth_params)
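Review bot: The CA path used at the `if ctx['cacertfile']:` block is read from the per-request parameter set (presumably the `X-Ldap-CACertFile` header mapped on the line added to the params table, with the `-C` flag only supplying its default) but is written to process-global python-ldap state via the module-level `ldap.set_option`, so it is attacker-influenced for any client that can reach the daemon without going through nginx, and it is sticky: a later request that omits the header keeps the previous request's CA file in effect. Consider honouring only the command-line value, or at least rejecting anything that is not an existing regular file before the call, e.g. `if not os.path.isfile(ctx['cacertfile']): self.log_message('LDAP CA certificate file not found: %s' % ctx['cacertfile']); return` (requires `os` in scope). Pointing the library at a CA file also does not by itself force peer verification unless the library or the system ldap.conf default already demands it; pairing it with `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` makes the intent explicit. The method containing these lines starts and ends outside the hunk.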


@ -64,6 +64,7 @@ http {
# basedn X-Ldap-BaseDN # basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN # binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass # bindpasswd X-Ldap-BindPass
# cacertfile X-Ldap-CACertFile
# cookiename X-CookieName # cookiename X-CookieName
# realm X-Ldap-Realm # realm X-Ldap-Realm
# template X-Ldap-Template # template X-Ldap-Template
@ -84,6 +85,10 @@ http {
# (Required) Set the Bind password, by replacing 'secret'. # (Required) Set the Bind password, by replacing 'secret'.
proxy_set_header X-Ldap-BindPass "secret"; proxy_set_header X-Ldap-BindPass "secret";
# (Optional) Path to a custom LDAPS CA certificate, only needed if
# the system ca bundle doesn't contain the custom CA Root certificate.
#proxy_set_header X-Ldap-CACertFile "/etc/pki/tls/certs/custom-ca-chain.pem";
# (Required) The following directives set the cookie name and pass # (Required) The following directives set the cookie name and pass
# it, respectively. They are required for cookie-based # it, respectively. They are required for cookie-based
# authentication. Comment them out if using HTTP basic # authentication. Comment them out if using HTTP basic