Welcome! Log In Create A New Profile

Advanced

allow/deny users to Webmail from Internet with nginx-auth-ldap

Posted by indunil75 
allow/deny users to Webmail from Internet with nginx-auth-ldap
January 20, 2014 11:25PM
I am using Nginx for reverse proxy for my zimbra backend server. My goal is to allow webmails to some users. Not to all users.

So I use nginx-auth-ldap on Freebsd 8.4 (64 bit) to get the authentication from Windows 2008 R2 Active Directory.


This is the configration I use in /usr/local/etc/nginx/nginx.conf file


auth_ldap_url "ldap://192.168.1.200/dc=example,dc=com?samaccountname?sub?(objectClass=user)";

auth_ldap_binddn "admin@example.com";

#auth_ldap_binddn cn=admin,ou=allowedgrp,dc=example,dc=com;

auth_ldap_binddn_passwd "mypassword";



auth_ldap_group_attribute uniquemember; # default 'member'

auth_ldap_group_attribute_is_dn on; # default on


location / {


## LDAP MODULE

auth_ldap "Restricted allowedgrp";

#auth_ldap_require valid_user;

#auth_ldap_satisfy any;

auth_ldap_require user 'CN=admin,OU=allowedgrp,DC=example,DC=com';

auth_ldap_satisfy any;

proxy_pass http://backend;




This works with auth_ldap_require user (i.e - auth_ldap_require user 'CN=admin,OU=allowedgrp,DC=example,DC=com'; )

Since all the ALLOWED webmail users are under OU=allowedgrp, I want a rule with auth_ldap_require group ( i.e - auth_ldap_require group 'OU=allowedgrp,DC=example,DC=com'; )

I added it , But user admin who is UNDER OU=allowedgrp,DC=example,DC=com could NOT log in? But user admin can log in with CN=admin,OU=allowedgrp,DC=example,DC=com

Where have I gone wrong? I am sure this can be done. There are documnets in the internet.

These are a few.

https://github.com/kvspb/nginx-auth-ldap/blob/master/example.conf

http://www.allgoodbits.org/articles/view/21


Why Can't I achieve it?



Edited 1 time(s). Last edit at 01/20/2014 11:28PM by indunil75.
Re: allow/deny users to Webmail from Internet with nginx-auth-ldap
February 03, 2014 06:29AM
This reminds me of a situation I had with a non-NginX set-up. Issues with OpenLDAP accessing nested groups on Active Directory.

Under Apache, you need to add a specific "AuthLDAPSubGroupDepth 1" to browse through nested groups.

I never used nginx-auth-ldap, but I guess you should have a similar option.

Jef
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 323
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready