Skip to content

auth-ldap: LDAP Authentication module for NGINX

Debian/Ubuntu installation

These docs apply to the APT package nginx-module-auth-ldap provided by the GetPageSpeed Extras repository.

  1. Configure the APT repository as described in APT repository setup.
  2. Install the module:
sudo apt-get update
sudo apt-get install nginx-module-auth-ldap

Warning

This module is not yet published as nginx-module-auth-ldap in the APT repositories. Stay tuned, or email [email protected] to request it.

LDAP module for nginx which supports authentication against multiple LDAP servers.

Example configuration

Define list of your LDAP servers with required user/group requirements:

    http {
      ldap_server test1 {
        url ldap://192.168.0.1:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);
        binddn "TEST\\LDAPUSER";
        binddn_passwd LDAPPASSWORD;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
      }

      ldap_server test2 {
        url ldap://192.168.0.2:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);
        binddn "TEST\\LDAPUSER";
        binddn_passwd LDAPPASSWORD;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
      }
    }

And add required servers in correct order into your location/server directive: 

    server {
        listen       8000;
        server_name  localhost;

        auth_ldap "Forbidden";
        auth_ldap_servers test1;
        auth_ldap_servers test2;

        location / {
            root   html;
            index  index.html index.htm;
        }

    }

Available config parameters

url

expected value: string

Available URL schemes: ldap://, ldaps://

binddn

expected value: string

binddn_passwd

expected value: string

group_attribute

expected value: string

group_attribute_is_dn

expected value: on or off, default off

require

expected value: valid_user, user, group

satisfy

expected value: all, any

max_down_retries

expected value: a number, default 0

Retry count for attempting to reconnect to an LDAP server if it is considered "DOWN". This may happen if a KEEP-ALIVE connection to an LDAP server times out or is terminated by the server end after some amount of time.

This can usually help with the following error:

http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server)

connections

expected value: a number greater than 0

ssl_check_cert

expected value: on or off, default off

Verify the remote certificate for LDAPs connections. If disabled, any remote certificate will be accepted which exposes you to possible man-in-the-middle attacks. Note that the server's certificate will need to be signed by a proper CA trusted by your system if this is enabled. See below how to trust CAs without installing them system-wide.

This options needs OpenSSL >= 1.0.2; it is unavailable if compiled with older versions.

ssl_ca_file

expected value: file path

Trust the CA certificate in this file (see ssl_check_cert above).

ssl_ca_dir

expected value: directory path

Trust all CA certificates in this directory (see ssl_check_cert above).

Note that you need to provide hash-based symlinks in the directory for this to work; you'll basically need to run OpenSSL's c_rehash command in this directory.

referral

expected value: on, off

LDAP library default is on. This option disables usage of referral messages from LDAP server. Usefull for authenticating against read only AD server without access to read write.