292
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: + + Line 74:
Line 76: + + − + − + + + + Line 105:
Line 112: − Example configurations to come after implementing nginx authentication.+ Line 137:
Line 144: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
no edit summary
{{mbox |type=warning |text=This information is out of date. [[IT Infrastructure|Up-to-date IT information can be found here]] }}
External services that authenticate users often use Ldap for authentication.
External services that authenticate users often use Ldap for authentication.
ldapsearch is a handy tool that is part of open ldap. You can query some handy information out of our ldap servers as follows if you have an account to bind with:
ldapsearch is a handy tool that is part of open ldap. You can query some handy information out of our ldap servers as follows if you have an account to bind with:
You may need to set LDAPTLS_REQCERT=allow before those commands.
#list laser cutter certified:
#list laser cutter certified:
ldapsearch -ZZ -v -x -H ldap://bob.ad.pumpingstationone.org -b "DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Laser Engraver Certified"
ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Laser Engraver Certified"
#list domain Admins
#list domain Admins
ldapsearch -ZZ -v -x -H ldap://bob.ad.pumpingstationone.org -b "CN=Users,DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Domain Admins"
ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "CN=Users,DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Domain Admins"
Remember you can use space.pumpingstationone.org if it is outside PS1 network.
== Apache mod_authnz_ldap ==
== Apache mod_authnz_ldap ==
Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required. More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/
Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required. More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/
This is not a good idea, since nginx-auth-ldap does not support STARTTLS encryption, only ldaps on port 636. A better option for those requiring nginx might be auth_pam, and pam/sssd configured to authenticate via AD. Do not use this configuration in production, or on off-site services. Only for use in development environments, authenticating with bob from the local PS1 network.
Building nginx 1.8.0 from source with LDAP support on Debian Jessie
Building nginx 1.8.0 from source with LDAP support on Debian Jessie
If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit.
If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit.
Configuring nginx:
* /etc/nginx/nginx.conf (add to http{} block)
##
#LDAP authentication Settings
##
auth_ldap_cache_enabled on;
auth_ldap_cache_expiration_time 10000;
auth_ldap_cache_size 1000;
ldap_server BOB {
url "ldap://bob.ad.pumpingstationone.org:389/cn=users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)";
binddn "PS1\SERVICE-ACCOUNT";
binddn_passwd "SERVICE-ACCOUNT-PASSWORD";
connect_timeout 5s;
bind_timeout 5s;
request_timeout 5s;
satisfy any;
group_attribute member;
group_attribute_is_dn on;
require group "cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org";
}
* /etc/nginx/sites-available/site.conf (add to your vhost's server{} block)
auth_ldap "AD authentication";
auth_ldap_servers BOB;
[[Category: Systems Group]]