I am using Nginx as a reverse proxy for my Zimbra backend server. My goal is to allow webmail to some users, not to all users.
So I use nginx-auth-ldap on FreeBSD 8.4 (64 bit) to get the authentication from a Windows 2008 R2 Active Directory.
This is the configuration I use in the /usr/local/etc/nginx/nginx.conf file:
auth_ldap_url "ldap://192.168.1.200/dc=example,dc=com?samaccountname?sub?(objectClass=user)";
auth_ldap_binddn "admin@example.com";
#auth_ldap_binddn cn=admin,ou=allowedgrp,dc=example,dc=com;
auth_ldap_binddn_passwd "mypassword";
auth_ldap_group_attribute uniquemember; # default 'member'
auth_ldap_group_attribute_is_dn on; # default on
location / {
    ## LDAP MODULE
    auth_ldap "Restricted allowedgrp";
    #auth_ldap_require valid_user;
    #auth_ldap_satisfy any;
    auth_ldap_require user 'CN=admin,OU=allowedgrp,DC=example,DC=com';
    auth_ldap_satisfy any;
    proxy_pass http://backend;
}
This works with auth_ldap_require user (i.e. auth_ldap_require user 'CN=admin,OU=allowedgrp,DC=example,DC=com';).
Since all the ALLOWED webmail users are under OU=allowedgrp, I want a rule with auth_ldap_require group (i.e. auth_ldap_require group 'OU=allowedgrp,DC=example,DC=com';).
I added it, but user admin, who is UNDER OU=allowedgrp,DC=example,DC=com, could NOT log in. But user admin can log in with CN=admin,OU=allowedgrp,DC=example,DC=com.
Where have I gone wrong? I am sure this can be done. There are documents on the internet.
These are a few:
https://github.com/kvspb/nginx-auth-ldap/blob/master/example.conf
http://www.allgoodbits.org/articles/view/21
Why can't I achieve it?
Edited 1 time(s). Last edit at 01/20/2014 11:28PM by indunil75.
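Two ways to get the "only users under OU=allowedgrp" effect with the directives the post already uses, as an added example that is not the poster's configuration: variant A narrows the LDAP search base to the OU, and variant B requires membership of a real AD security group (the group name CN=webmail-users and the backend upstream name are assumptions). The point is that an OU is a container, not a group object, so it carries no member attribute for `auth_ldap_require group` to match against.

```nginx
# Pick ONE variant; both in the same config would duplicate "location /".

# ---- Variant A: restrict the search base to the OU ---------------------
# A user outside OU=allowedgrp is never returned by the search, so no bind
# is attempted for them and the login is refused. No group object needed.
auth_ldap_url "ldap://192.168.1.200/OU=allowedgrp,DC=example,DC=com?samaccountname?sub?(objectClass=user)";
auth_ldap_binddn "admin@example.com";
auth_ldap_binddn_passwd "mypassword";

location / {
    auth_ldap "Restricted allowedgrp";
    auth_ldap_require valid_user;   # anyone found under the OU may log in
    proxy_pass http://backend;      # assumed upstream name
}

# ---- Variant B: domain-wide search, membership of a real AD group ------
# Assumes a security group CN=webmail-users created inside OU=allowedgrp
# whose "member" attribute lists the full DNs of the allowed users.
# 'OU=allowedgrp,...' can never satisfy "require group": an OU has no
# member/uniquemember attribute, which is why user admin was rejected.
auth_ldap_url "ldap://192.168.1.200/DC=example,DC=com?samaccountname?sub?(objectClass=user)";
auth_ldap_binddn "admin@example.com";
auth_ldap_binddn_passwd "mypassword";
auth_ldap_group_attribute member;     # AD groups use "member", not "uniquemember"
auth_ldap_group_attribute_is_dn on;   # AD stores full user DNs in "member"

location / {
    auth_ldap "Restricted allowedgrp";
    auth_ldap_require group 'CN=webmail-users,OU=allowedgrp,DC=example,DC=com';
    proxy_pass http://backend;        # assumed upstream name
}
```

Variant A is the simpler fit for "everyone under this OU"; variant B is the one to use when the allowed set should be managed as group membership rather than by where the account object lives.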