http-auth-ldap #

LDAP module for Nginx which supports authentication against multiple LDAP servers.

Source: upstream source

Directives

auth_ldap #

syntax: auth_ldap 1 arg;  ·  context: http, server, location, limit_except

Enables LDAP authentication for a location and sets the realm message shown to clients.

auth_ldap_cache_enabled #

syntax: auth_ldap_cache_enabled 1 arg (on/off flag);  ·  context: http

Boolean directive — set to "on" or "off".

auth_ldap_cache_expiration_time #

syntax: auth_ldap_cache_expiration_time 1 arg (duration in ms);  ·  context: http

Duration in milliseconds; accepts ms / s / m suffixes.

auth_ldap_cache_size #

syntax: auth_ldap_cache_size 1 arg (size (k/m/g));  ·  context: http

Size in bytes; accepts k / m / g suffixes.

auth_ldap_servers #

syntax: auth_ldap_servers any args;  ·  context: http, server, location, limit_except

References named ldap_server blocks to authenticate against for the current location.

auth_ldap_servers_size #

syntax: auth_ldap_servers_size 1 arg (integer);  ·  context: http

Integer value.

ldap_server #

syntax: ldap_server 1 arg;  ·  context: http

Defines an LDAP server block along with required user or group membership constraints.

Example

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    # define ldap server
    ldap_server ad_1 {
      # user search base.
      url "ldap://<YOUR LDAP SERVER>:3268/OU=Offices,DC=company,DC=com?sAMAccountName?sub?(objectClass=person)";
      # bind as
      binddn "CN=Operator,OU=Service Accounts,DC=company,DC=com";
      # bind pw
      binddn_passwd <PUT Operator's PASSWORD HERE>;
      # group attribute name which contains member object
      group_attribute member;
      # search for full DN in member object
      group_attribute_is_dn on;
      # matching algorithm (any / all)
      satisfy any;
      # list of allowed groups
      require group "CN=Admins,OU=My Security Groups,DC=company,DC=com";
      require group "CN=New York Users,OU=My Security Groups,DC=company,DC=com";
      # list of allowed users
      # require 'valid_user' cannot be used together with 'user' as valid user is a superset
      # require valid_user;
      require user "CN=Batman,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com";
      require user "CN=Robocop,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com";
    }

}

server {
  listen       8081;
  server_name  localhost;

  location / {
    # adding ldap authentication
    auth_ldap "Closed content";
    auth_ldap_servers ad_1;

    root html;
    index index.html index.htm;
  }

  error_page   500 502 503 504  /50x.html;

  location = /50x.html {
    root html;
  }
}

↑ back to index