Auth_ldap

Hello,

here is another version. It supports a user for searching the required
DN. The config statements are auth_ldap_bind_dn and
auth_ldap_bind_passwd.
E.g.:

http {
    auth_ldap_uri "ldap://127.0.0.1";
    # service account used only to search for the user's DN
    auth_ldap_bind_dn "cn=Manager,dc=chaos,dc=jmt";
    auth_ldap_bind_passwd "xxxxxxx";

    server {
        listen       80;
        server_name  localhost;
        location / {
            auth_ldap "LDAP Request";
            #auth_ldap_uri "ldap://127.0.0.1";
            # search base and the attribute matched against the supplied username
            auth_ldap_dn "ou=People,dc=chaos,dc=jmt";
            auth_ldap_attribute "uid";
            require ldap-user;

            root   html;
            index  index.html index.htm;
        }
    }
}

One comment on the require statement: I implemented it this way
because I'd like to add a "require ldap-group" feature later. But the next
step is async and bugfixes.

best regards,

Markus Teichmann

On Tue, Aug 19, 2008 at 06:39:54PM -0400, Michael wrote:

Wouldn’t it be better to do the bind as the user authenticating? There’s no
need to do the extra step of performing an administrator bind, then look up the
user in an additional operation.

The lookup is needed if the user does not authenticate with its DN.
Sometimes the uid is used for authenticating. Therefore the lookup is
needed.
The additional bind should solve some Active Directory issues. At least
that's how I understand Kon's mail…

Best regards,

Markus Teichmann

On Tue, Aug 19, 2008 at 23:52:13, Markus Teichmann said…

here is another version. It supports a user for searching the required DN.
The config statements are auth_ldap_bind_dn and auth_ldap_bind_passwd.
E.g.:

http {
auth_ldap_uri "ldap://127.0.0.1";
auth_ldap_bind_dn "cn=Manager,dc=chaos,dc=jmt";
auth_ldap_bind_passwd "xxxxxxx";

Wouldn't it be better to do the bind as the user authenticating? There's no
need to do the extra step of performing an administrator bind, then look up the
user in an additional operation.

On Wed, Aug 20, 2008 at 09:47:12AM -0400, Michael wrote:

Ah yes, that’s a good point, I tend to use unix usernames as the dn myself.
I’m doing this (on apache) this way now.

You should also consider adding a filter, like Apache does, e.g.:

Require ldap-filter |(employeeType=Staff)(employeeType=Freelance)

I do not know LDAP syntax, but in nginx style it’s better to use
variables:

auth_ldap_query
"ou=People,dc=chaos,dc=jmt,uid=$remote_user,…|(employeeType=Staff)…";

On Wed, Aug 20, 2008 at 17:57:45, Igor S. said…

You should also consider adding a filter, like Apache does, e.g.:

Require ldap-filter |(employeeType=Staff)(employeeType=Freelance)

I do not know LDAP syntax, but in nginx style it’s better to use variables:

auth_ldap_query
"ou=People,dc=chaos,dc=jmt,uid=$remote_user,…|(employeeType=Staff)…";

Oh certainly, I was just pasting in what Apache uses, since it already does
this. I agree, doing the query like you used would be better.

On Wed, Aug 20, 2008 at 14:49:41, Markus Teichmann said…

Wouldn’t it be better to do the bind as the user authenticating? There’s no
need to do the extra step of performing an administrator bind, then look up
the user in an additional operation.

The lookup is needed if the user does not authenticate with its DN.
Sometimes the uid is used for authenticating. Therefore the lookup is
needed.

Ah yes, that's a good point, I tend to use unix usernames as the dn myself.
I'm doing this (on apache) this way now.

You should also consider adding a filter, like Apache does, e.g.:

Require ldap-filter |(employeeType=Staff)(employeeType=Freelance)

The additional bind should solve some Active Directory issues. At least
that's how I understand Kon's mail…

Sure, if it solves problems like that, I'm all for it. I was just thinking in
terms of efficiency, and from a unix/OpenLDAP perspective. I've no AD
experience.
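Two things in this thread deserve a worked example: the search-then-bind flow Markus describes (bind as auth_ldap_bind_dn, look up the DN whose auth_ldap_attribute matches the username, then bind as that DN with the user's password), and the filter Igor and Michael want to attach to the query, where $remote_user is interpolated into an LDAP filter and so must be escaped per RFC 4515 or a username like `*)(uid=*` rewrites the filter. The script below is an added example written for this page; it is not code from the auth_ldap module or from anyone in the thread. It replaces the LDAP server with a constructed in-memory directory and a simulated bind (SAMPLE_DIRECTORY, simulated_bind, BIND_PASSWORD, STAFF_FILTER and the entries are all assumed), but the filter it builds is exactly what the search step would send to a real server.

```python
# Added example: search-then-bind authentication with RFC 4515 filter escaping.
# Not code from the auth_ldap module or the thread's authors. The directory and
# the bind simulation below are constructed stand-ins for an LDAP server.
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Characters that must be hex-escaped inside a filter value (RFC 4515 3).
# Without this a username such as "*)(uid=*" changes the filter's meaning.
_FILTER_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPE.get(ch, ch) for ch in value)

def build_user_filter(attribute: str, username: str, extra_filter: Optional[str] = None) -> str:
    """(attr=<escaped username>), AND-ed with an admin filter given in Apache's
    style without outer parentheses, e.g. |(employeeType=Staff)(employeeType=Freelance)."""
    user_term = f"({attribute}={escape_filter_value(username)})"
    if not extra_filter:
        return user_term
    extra = extra_filter if extra_filter.startswith("(") else f"({extra_filter})"
    return f"(&{user_term}{extra})"

def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def _parse_filter(text: str, pos: int = 0):
    """Tiny filter parser for (&...), (|...), (attr=value) and (attr=*); substring
    wildcards are not supported. Returns (node, offset after the node)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] != ")":
            child, pos = _parse_filter(text, pos)
            children.append(child)
        return (op, children), pos + 1
    end = text.index(")", pos)  # safe: a ')' inside a value arrives escaped as \29
    attr, _, raw = text[pos:end].partition("=")
    value = None if raw == "*" else _unescape(raw)  # None marks a presence test
    return ("=", attr, value), end + 1

def _matches(node, attrs: Dict[str, str]) -> bool:
    if node[0] == "&":
        return all(_matches(c, attrs) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, attrs) for c in node[1])
    _, attr, value = node
    return attr in attrs if value is None else attrs.get(attr) == value

# Constructed sample directory: DN -> (attributes, bind password).
Entry = Tuple[Dict[str, str], str]
SAMPLE_DIRECTORY: Dict[str, Entry] = {
    "cn=Manager,dc=chaos,dc=jmt": ({"cn": "Manager"}, "manager-secret"),
    "uid=alice,ou=People,dc=chaos,dc=jmt": ({"uid": "alice", "employeeType": "Staff"}, "alice-secret"),
    "uid=bob,ou=People,dc=chaos,dc=jmt": ({"uid": "bob", "employeeType": "Contractor"}, "bob-secret"),
}
BASE_DN = "ou=People,dc=chaos,dc=jmt"     # auth_ldap_dn
BIND_DN = "cn=Manager,dc=chaos,dc=jmt"    # auth_ldap_bind_dn
BIND_PASSWORD = "manager-secret"          # auth_ldap_bind_passwd (assumed value)
STAFF_FILTER = "|(employeeType=Staff)(employeeType=Freelance)"

def simulated_bind(directory: Dict[str, Entry], dn: str, password: str) -> bool:
    """Stands in for an LDAP simple bind. An empty password is refused here because
    a real server would accept it as an unauthenticated bind (RFC 4513 5.1.2)."""
    if not password or dn not in directory:
        return False
    return hmac.compare_digest(directory[dn][1].encode(), password.encode())

def search(directory: Dict[str, Entry], base_dn: str, filter_text: str) -> List[str]:
    node, _ = _parse_filter(filter_text)
    return [dn for dn, (attrs, _pw) in directory.items()
            if dn.endswith("," + base_dn) and _matches(node, attrs)]

def authenticate(directory: Dict[str, Entry], username: str, password: str,
                 attribute: str = "uid", extra_filter: Optional[str] = STAFF_FILTER) -> Optional[str]:
    """The thread's two-step flow: bind as the service account, search for the
    user's DN by attribute, then bind as that DN with the user's own password.
    Returns the user's DN on success and None on any failure."""
    if not simulated_bind(directory, BIND_DN, BIND_PASSWORD):
        return None  # service account cannot bind
    matches = search(directory, BASE_DN, build_user_filter(attribute, username, extra_filter))
    if len(matches) != 1:
        return None  # no match, or an ambiguous one: refuse rather than guess
    return matches[0] if simulated_bind(directory, matches[0], password) else None
```

Running `authenticate(SAMPLE_DIRECTORY, "alice", "alice-secret")` returns alice's DN, while `bob` is refused by the employeeType filter and the username `*)(uid=*` is refused because the escaped filter no longer matches anything. Two practical points follow from the flow: the user's password is only ever checked by binding as the found DN, never by reading a password attribute with the service account, so the bind DN needs search rights only and nothing more; and since auth_ldap_bind_passwd sits in nginx.conf in clear text, that file needs restrictive permissions.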