Re: difference between auth_basic and auth_ldap

Maxim Dounin
January 03, 2021 05:18PM
Hello!

On Fri, Jan 01, 2021 at 08:39:01PM +0100, A. Schulze wrote:

> Hello & happy new year!
>
> my goal is to configure nginx to deny access from most client IPs but allow access from special IPs
> for authenticated users. This works for basic_authentication as expected but behaves differently with auth_ldap.
> I use https://github.com/kvspb/nginx-auth-ldap.
>
> simplified configuration with no allowed IPs at all:
>
> server {
>     listen *:80;
>     deny all;
>     location /auth_basic {
>         auth_basic "auth_basic";
>         auth_basic_user_file /path/to/auth_basic_user_file;
>     }
> }
>
> $ curl -v http://nginx/auth_basic
> $ curl -v -u user:pass http://nginx/auth_basic
> $ curl -v -u user:wrong http://nginx/auth_basic
>
> all three calls return "403 Forbidden", which is ok and acceptable to me.
>
> switching to auth_ldap the results are different:
>
> ldap_server ldap-server {
>     url ldap://ldap-server/dc=example?cn?sub?(objectclass=top);
>     require valid_user;
> }
> server {
>     listen *:80;
>     deny all;
>     location /auth_ldap {
>         auth_ldap "auth_ldap";
>         auth_ldap_servers "ldap-server";
>     }
> }
>
> $ curl -v http://nginx/auth_ldap
> $ curl -v -u user:wrong http://nginx/auth_ldap
> return "401 Unauthorized" expected: "403 Forbidden"
>
> $ curl -v -u user:pass http://nginx/auth_ldap
> return "403 Forbidden"
>
> Is there anything wrong with my configuration or is the unexpected request for authentication
> a result of how https://github.com/kvspb/nginx-auth-ldap is written?

This is a result of how nginx-auth-ldap is written. Or, more
strictly, how it adds itself into nginx request processing
pipeline - it simply adds itself as an HTTP module, and ends up
called before the access module.

It is relatively easy to fix assuming dynamic module linking
(that is, if you are using the "load_module" directive to load the
module), just using

ngx_module_order="ngx_http_auth_ldap_module ngx_http_access_module"

should do the trick. For static linking it wouldn't be that easy
though, as static linking does not support module order selection
via ngx_module_order, and appropriate configure variables with
lists of modules need to be adjusted directly instead.

A quick-and-dirty workaround would be to use auth_request as a
"proxy" for auth_ldap.

--
Maxim Dounin
http://mdounin.ru/
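
The ordering effect described in the reply, as an added example that is not part of the original thread and is not code from nginx or nginx-auth-ldap: a simplified Python model of the access phase under the default "satisfy all", where the first handler that rejects decides the response. The handler functions, credential store and addresses are constructed for illustration, and the allowed-address case goes beyond the simplified configuration in the question; with the authentication handler first, a client on a denied address gets 401 or 403 depending on whether the password was right.

```python
# Simplified model of nginx's access phase under the default "satisfy all":
# handlers run in order and the first one that rejects ends the request.
# Handler names, CREDS and all addresses are constructed for this example.
import ipaddress

CREDS = {"user": "pass"}                           # constructed credential store
ALLOWED = [ipaddress.ip_network("192.0.2.0/24")]   # constructed "special" IPs

def access(req):
    """Models 'allow <ALLOWED>; deny all;' -> 403 for any other address."""
    ip = ipaddress.ip_address(req["ip"])
    return None if any(ip in net for net in ALLOWED) else 403

def auth(req):
    """Stand-in for auth_basic / auth_ldap: 401 unless credentials verify."""
    cred = req.get("cred")
    return None if cred and CREDS.get(cred[0]) == cred[1] else 401

def run_phase(handlers, req):
    """Return the first rejection status, or 200 if every handler passes."""
    for handler in handlers:
        status = handler(req)
        if status is not None:
            return status
    return 200

def statuses(handlers, ip):
    """Statuses for: no credentials, wrong password, right password."""
    creds = [None, ("user", "wrong"), ("user", "pass")]
    return [run_phase(handlers, {"ip": ip, "cred": c}) for c in creds]

def leaks_password_validity(handlers, denied_ip):
    """True if a client on a denied address can tell right from wrong passwords."""
    _, wrong, right = statuses(handlers, denied_ip)
    return wrong != right

ACCESS_FIRST = [access, auth]   # auth_basic case, or auth_ldap after reordering
AUTH_FIRST = [auth, access]     # nginx-auth-ldap ordering described in the reply

if __name__ == "__main__":
    for name, order in (("access first", ACCESS_FIRST), ("auth first", AUTH_FIRST)):
        print(name,
              "| denied IP:", statuses(order, "203.0.113.9"),
              "| allowed IP:", statuses(order, "192.0.2.10"),
              "| leak:", leaks_password_validity(order, "203.0.113.9"))
```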