Changes

Jump to navigation Jump to search

Howto Ldap Auth (view source)

Revision as of 14:04, 1 November 2018

3,411 bytes added ,  14:04, 1 November 2018
no edit summary
Line 1: Line 1:  +
{{mbox |type=warning |text=This information is out of date. [[IT Infrastructure|Up-to-date IT information can be found here]] }}
 +
 
External services that authenticate users often use Ldap for authentication.
 
External services that authenticate users often use Ldap for authentication.
   Line 74: Line 76:     
ldapsearch is a handy tool that is part of open ldap. You can query some handy information out of our ldap servers as follows if you have an account to bind with:  
 
ldapsearch is a handy tool that is part of open ldap. You can query some handy information out of our ldap servers as follows if you have an account to bind with:  
 +
 +
You may need to set LDAPTLS_REQCERT=allow before those commands.
    
   #list laser cutter certified:
 
   #list laser cutter certified:
   ldapsearch -ZZ -v -x -H ldap://bob.ad.pumpingstationone.org -b "DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Laser Engraver Certified"
+
   ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Laser Engraver Certified"
 
   #list domain Admins
 
   #list domain Admins
   ldapsearch -ZZ -v -x -H ldap://bob.ad.pumpingstationone.org -b "CN=Users,DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Domain Admins"
+
   ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "CN=Users,DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Domain Admins"
 +
 
 +
 
 +
Remember you can use space.pumpingstationone.org if it is outside PS1 network.
    
== Apache mod_authnz_ldap ==
 
== Apache mod_authnz_ldap ==
Line 100: Line 107:  
         Require valid-user
 
         Require valid-user
 
     </Location>
 
     </Location>
 +
 +
== Nginx nginx-auth-ldap ==
 +
 +
Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required.  More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/
 +
 +
This is not a good idea, since nginx-auth-ldap does not support STARTTLS encryption, only ldaps on port 636.  A better option for those requiring nginx might be auth_pam, and pam/sssd configured to authenticate via AD.  Do not use this configuration in production, or on off-site services.  Only for use in development environments, authenticating with bob from the local PS1 network.
 +
 +
Building nginx 1.8.0 from source with LDAP support on Debian Jessie
 +
 +
    apt-get remove nginx
 +
    apt-get install libldap2-dev libpcre3-dev build-essential
 +
    wget http://nginx.org/download/nginx-1.8.0.tar.gz
 +
    git clone https://github.com/kvspb/nginx-auth-ldap.git
 +
    tar -zxvf nginx-1.8.0.tar.gz
 +
    cd nginx-1.8.0
 +
    ./configure --user=nginx                          \
 +
            --group=nginx                            \
 +
            --prefix=/etc/nginx                      \
 +
            --sbin-path=/usr/sbin/nginx              \
 +
            --conf-path=/etc/nginx/nginx.conf        \
 +
            --pid-path=/var/run/nginx.pid            \
 +
            --lock-path=/var/run/nginx.lock          \
 +
            --error-log-path=/var/log/nginx/error.log \
 +
            --http-log-path=/var/log/nginx/access.log \
 +
            --with-http_gzip_static_module            \
 +
            --with-http_stub_status_module            \
 +
            --with-http_ssl_module                    \
 +
            --with-pcre                              \
 +
            --with-file-aio                          \
 +
            --with-http_realip_module                \
 +
            --add-module=../nginx-auth-ldap          \
 +
            --with-ipv6                              \
 +
            --with-debug
 +
    make
 +
    make install
 +
 +
If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit.
 +
 +
Configuring nginx:
 +
* /etc/nginx/nginx.conf (add to http{} block)
 +
 +
        ##
 +
        #LDAP authentication Settings
 +
        ##
 +
 +
        auth_ldap_cache_enabled on;
 +
        auth_ldap_cache_expiration_time 10000;
 +
        auth_ldap_cache_size 1000;
 +
        ldap_server BOB {
 +
            url "ldap://bob.ad.pumpingstationone.org:389/cn=users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)";
 +
            binddn "PS1\SERVICE-ACCOUNT";
 +
            binddn_passwd "SERVICE-ACCOUNT-PASSWORD";
 +
            connect_timeout 5s;
 +
            bind_timeout 5s;
 +
            request_timeout 5s;
 +
            satisfy any;
 +
            group_attribute member;
 +
            group_attribute_is_dn on;
 +
            require group "cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org";
 +
        }
 +
 +
* /etc/nginx/sites-available/site.conf (add to your vhost's server{} block)
 +
 +
        auth_ldap "AD authentication";
 +
        auth_ldap_servers BOB;
 +
 +
[[Category: Systems Group]]
Retrieved from "https://ps1.mywikis.wiki/wiki/Special:MobileDiff/27508...38286"
Cookies help us deliver our services. By using our services, you agree to our use of cookies.
More information

Navigation menu