http-auth-ldap #
LDAP module for Nginx which supports authentication against multiple LDAP servers.
Source: upstream source
Directives
auth_ldap #
syntax: auth_ldap 1 arg; · context: http, server, location, limit_except
Enables LDAP authentication for a location and sets the realm message shown to clients.
auth_ldap_cache_enabled #
syntax: auth_ldap_cache_enabled 1 arg (on/off flag); · context: http
Boolean directive — set to "on" or "off".
auth_ldap_cache_expiration_time #
syntax: auth_ldap_cache_expiration_time 1 arg (duration in ms); · context: http
Duration in milliseconds; accepts ms / s / m suffixes.
auth_ldap_cache_size #
syntax: auth_ldap_cache_size 1 arg (size (k/m/g)); · context: http
Size in bytes; accepts k / m / g suffixes.
auth_ldap_servers #
syntax: auth_ldap_servers any args; · context: http, server, location, limit_except
References named ldap_server blocks to authenticate against for the current location.
auth_ldap_servers_size #
syntax: auth_ldap_servers_size 1 arg (integer); · context: http
Integer value.
ldap_server #
syntax: ldap_server 1 arg; · context: http
Defines an LDAP server block along with required user or group membership constraints.
Example
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# define ldap server
ldap_server ad_1 {
# user search base.
url "ldap://<YOUR LDAP SERVER>:3268/OU=Offices,DC=company,DC=com?sAMAccountName?sub?(objectClass=person)";
# bind as
binddn "CN=Operator,OU=Service Accounts,DC=company,DC=com";
# bind pw
binddn_passwd <PUT Operator's PASSWORD HERE>;
# group attribute name which contains member object
group_attribute member;
# search for full DN in member object
group_attribute_is_dn on;
# matching algorithm (any / all)
satisfy any;
# list of allowed groups
require group "CN=Admins,OU=My Security Groups,DC=company,DC=com";
require group "CN=New York Users,OU=My Security Groups,DC=company,DC=com";
# list of allowed users
# require 'valid_user' cannot be used together with 'user' as valid user is a superset
# require valid_user;
require user "CN=Batman,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com";
require user "CN=Robocop,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com";
}
}
server {
listen 8081;
server_name localhost;
location / {
# adding ldap authentication
auth_ldap "Closed content";
auth_ldap_servers ad_1;
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}