Changes

1,254 bytes added, 19:06, 22 January 2016
Line 105: Line 105:  
Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required.  More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/
 
Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required.  More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/
   −
    Example configurations to come after implementing nginx authentication.
+
This is not a good idea, since nginx-auth-ldap does not support STARTTLS encryption, only ldaps on port 636.  A better option for those requiring nginx might be auth_pam, and pam/sssd configured to authenticate via AD.  Do not use this configuration in production, or on off-site services.  Only for use in development environments, authenticating with bob from the local PS1 network.
    
Building nginx 1.8.0 from source with LDAP support on Debian Jessie
 
Building nginx 1.8.0 from source with LDAP support on Debian Jessie
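Review bot: the new paragraph warns that nginx-auth-ldap has no STARTTLS support and only speaks ldaps on port 636, but it never tells the reader to use ldaps, and the example configuration this same edit adds further down binds with a cleartext `ldap://bob.ad.pumpingstationone.org:389/...` URL. Either change that URL to the `ldaps://` scheme on port 636 (which this paragraph itself says the module supports) or state here that the example deliberately uses unencrypted LDAP, so the "development only, local PS1 network only" restriction reads as a consequence of that choice rather than an unexplained rule. Minor: the unchanged sentence above has "it's default modules" where "its" is meant.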
Line 137: Line 137:     
If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit.
 
If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit.
 +
 +
Configuring nginx:
 +
* /etc/nginx/nginx.conf (add to http{} block)
 +
 +
        ##
 +
        #LDAP authentication Settings
 +
        ##
 +
 +
        auth_ldap_cache_enabled on;
 +
        auth_ldap_cache_expiration_time 10000;
 +
        auth_ldap_cache_size 1000;
 +
        ldap_server BOB {
 +
            url "ldap://bob.ad.pumpingstationone.org:389/cn=users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)";
 +
            binddn "PS1\SERVICE-ACCOUNT";
 +
            binddn_passwd "SERVICE-ACCOUNT-PASSWORD";
 +
            connect_timeout 5s;
 +
            bind_timeout 5s;
 +
            request_timeout 5s;
 +
            satisfy any;
 +
            group_attribute member;
 +
            group_attribute_is_dn on;
 +
            require group "cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org";
 +
        }
 +
 +
* /etc/nginx/sites-available/site.conf (add to your vhost's server{} block)
 +
 +
        auth_ldap "AD authentication";
 +
        auth_ldap_servers BOB;
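Review bot: `binddn_passwd "SERVICE-ACCOUNT-PASSWORD";` puts a domain service-account password straight into /etc/nginx/nginx.conf, and the `ldap://bob.ad.pumpingstationone.org:389/...` URL then sends that password, plus every user password relayed from the HTTP Basic prompt, over the network unencrypted; the hunk should use `ldaps://bob.ad.pumpingstationone.org:636/...` and move the `ldap_server BOB { ... }` block into a separate file included from the http{} block with permissions restricted to root and the nginx worker user, with a sentence saying the service account needs only read access to the directory. Two further points: `require group "cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org";` means the only people who can pass this prompt are domain administrators, who will be typing Domain Admin credentials into a Basic-auth dialog on a development box, so gating on a dedicated web-access group is the safer example; and `binddn "PS1\SERVICE-ACCOUNT";` depends on nginx preserving the backslash inside a double-quoted string, which it does for this name but not for an account name starting with n, r or t (nginx turns \n, \r and \t into control characters in quoted strings), so the UPN form service-account@ad.pumpingstationone.org is the more robust spelling to show.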
Domain Admins (136 edits)