ngx_ldap_path2ldap_auth is a module for is a module for nginx auth request module that authenticates using an LDAP bind operation, and authorizes by file path and LDAP information.
On error, the process terminates with an unsuccessful status.
Run it on the command line like this:
ngx_ldap_path2ldap_auth <config file>
Since it does not provide background execution functions such as daemonization, start it via a process management system such as systemd.
See the auth request module documentation for how to configure nginx.
The ngx_ldap_path2ldap_auth configuration file is in TOML format, and the following is a sample configuration file.
socket_type = "tcp"
socket_path = "127.0.0.1:9203"
#cache_seconds = 0
#use_etag = true
auth_realm = "TEST Authentication"
path_header = "X-Authz-Path"
[ldap]
host_url = "ldaps://ldap.example.com"
start_tls = 0
#skip_cert_verify = 0
root_ca_files = [
"/etc/ssl/certs/Local-CA-Chain.cer",
]
base_dn = "DC=group,DC=example,DC=com"
bind_dn = "CN=%s,OU=Users,DC=group,DC=example,DC=com"
uniq_filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=%[email protected]))"
timeout = 5000
[authz]
path_pattern = "^/([^/]+)/"
#ban_nomatch = false
nomatch_filter = "" # for root directory files
ban_default = true
#default_filter = ""
[authz.path_filter]
"test" = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Group1,DC=example,DC=com)(userPrincipalName=%[email protected]))"Each parameter of the configuration file is as follows.
| Parameter | Description |
|---|---|
| socket_type | Set this parameter to tcp(TCP socket) or unix(UNIX domain socket). |
| socket_path | Set the IP address and port number for tcp, and UNIX domain socket file path for unix. |
| cache_seconds | The cache duration in seconds to pass to nginx. However, if its value is 0, it will not use the cache. See Authentication Cache Control for details. |
| use_etag | Set to true to enable cache validation using ETag tags.See Authentication Cache Control for details. |
| auth_realm | HTTP realm string. |
| path_header | A HTTP header that sets the path used for authorization processing. The default value is X-Authz-Path. In the appropriate place of the nginx configuration file, use proxy_set_header directive to set the HTTP header. (Eg proxy_set_header X-Authz-Path $request_uri;) |
| Parameter | Description |
|---|---|
| host_url | The URL of the LDAP server connection address. The pass part is not used. |
| start_tls | Set to 1 when using TLS STARTTLS. |
| skip_cert_verify | Set to 1 to ignore the certificate check result. |
| root_ca_files | A list of PEM files for the CA certificate. Used when the LDAP server is using a certificate from a private CA. |
| base_dn | The base DN when connecting to the LDAP server. |
| bind_dn | This is the bind DN when performing LDAP bind processing. Rewrite %s as the remote user name and %% as %. |
| uniq_filter | Only if this value is set, search with this value filter. If the search result is one DN, the authentication will be successful. |
| timeout | Communication timeout(unit: ms) with the LDAP server. |
| Parameter | Description |
|---|---|
| path_pattern | A regular expression that extracts the authorization judgment string from the path of the header specified by path_header. The extracted string is used for the key in path_filter. Use the () subexpression regular expression only once to specify the extraction location. |
| ban_nomatch | If true, authorization will fail if the path_pattern regular expression does not match. (As a result, nomatch_filter is disabled.) |
| nomatch_filter | LDAP filter for authorization when the path_pattern regular expression is not matched. nomatch_filter results is processed in the same way as uniq_filter. |
| ban_default | If true, authorization will fail if the path_pattern regular expression does not match. (As a result, default_filter is disabled.) |
| default_filter | LDAP filter for authorization rights when it matches the path_pattern regular expression and is not specified in path_filter. default_filter results is processed in the same way as uniq_filter. |