Nginx LDAP doesn't work in Jessie nginx-extras 1.10.1-1~dotdeb+8.2

[mig5]

Hi,

I upgraded to Nginx 1.10.1 on via an upgrade of a Wheezy machine to Jessie, but now it seems nginx-auth-ldap module doesn't work, even though it says it's included.

root@example:~# apt-cache policy nginx
nginx:
  Installed: 1.10.1-1~dotdeb+8.2

root@example:~# nginx -V
nginx version: nginx/1.10.1
built with OpenSSL 1.0.1k 8 Jan 2015 (running with OpenSSL 1.0.1t  3 May 2016)
TLS SNI support enabled
configure arguments: --add-module=/usr/src/builddir/debian/modules/naxsi/naxsi_src --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-file-aio --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --add-module=/usr/src/builddir/debian/modules/headers-more-nginx-module --add-dynamic-module=/usr/src/builddir/debian/modules/nginx-auth-pam --add-module=/usr/src/builddir/debian/modules/nginx-cache-purge --add-module=/usr/src/builddir/debian/modules/nginx-dav-ext-module --add-dynamic-module=/usr/src/builddir/debian/modules/nginx-development-kit --add-module=/usr/src/builddir/debian/modules/nginx-echo --add-module=/usr/src/builddir/debian/modules/ngx-fancyindex --add-module=/usr/src/builddir/debian/modules/nginx-push-stream-module --add-dynamic-module=/usr/src/builddir/debian/modules/nginx-lua --add-module=/usr/src/builddir/debian/modules/nginx-upload-progress --add-module=/usr/src/builddir/debian/modules/nginx-upstream-fair --add-module=/usr/src/builddir/debian/modules/ngx_http_substitutions_filter_module --add-module=/usr/src/builddir/debian/modules/nginx-auth-ldap --add-module=/usr/src/builddir/debian/modules/ngx_http_pinba_module --add-module=/usr/src/builddir/debian/modules/ngx_pagespeed --add-module=/usr/src/builddir/debian/modules/nginx-x-rid-header --add-module=/usr/src/builddir/debian/modules/nginx-rtmp-module --with-ld-opt=-lossp-uuid

Nginx won't start:

2016/06/08 04:46:03 [emerg] 15618#15618: unknown directive " auth_ldap_servers" in /etc/nginx/sites-enabled/example.com.conf:37

'strings /usr/sbin/nginx' shows the auth_ldap_servers stuff.

In my /etc/nginx/nginx.conf inside the http { } block I have:

    ldap_server ldap1 {
        url ldaps://ldap.example.com/dc=example,dc=com?uid?sub?(objectClass=person);
        group_attribute memberUid; # default 'member'
        group_attribute_is_dn off; # default on
        require valid_user;
                require group "cn=staff,ou=Groups,dc=example,dc=com";
                satisfy any;
    }
    ldap_server ldap2 {
        url ldaps://ldap2.example.com/dc=example,dc=com?uid?sub?(objectClass=person);
        group_attribute memberUid; # default 'member'
        group_attribute_is_dn off; # default on
        require valid_user;
                require group "cn=staff,ou=Groups,dc=example,dc=com";
                satisfy any;
    }
    ldap_server ldap3 {
        url ldaps://ldap3.example.com/dc=example,dc=com?uid?sub?(objectClass=person);
        group_attribute memberUid; # default 'member'
        group_attribute_is_dn off; # default on
        require valid_user;
                require group "cn=staff,ou=Groups,dc=example,dc=com";
                satisfy any;
    }

And in my vhost:

  auth_ldap "Closed content";
  auth_ldap_servers ldap1;
  auth_ldap_servers ldap2;
  auth_ldap_servers ldap3;

Any idea what could cause this?

[mig5]

I took out this line which you instructed to put at the top of /etc/nginx/nginx.conf:

include /etc/nginx/modules-enabled/*.conf;

And now nginx starts fine with those ldap settings.

This strikes me as a problem, since apparently we depend on this line being present now? Would my upgrade have failed if I didn't have the line in?

[mig5]

Also just realised that earlier today I have upgraded existing Jessie machines to Nginx 1.10 and accidentally forgot to include the 'include /etc/nginx/modules-enabled/*.conf;' line there. And so they are working fine (they use the ldap config too).

Seems to contradict the requirement that we must include the line? My upgrades were clean without it..

[mig5]

After rebooting, now I can't start nginx whether or not the 'include' line is there. The only way I can start it is if I comment out the 'auth_ldap_servers' from the vhost.

This is weird as it worked without an issue on just a point-release upgrade on 13 Jessie machines earlier today, which never had the 'include' line and still don't :(

[gplessis]

Just to clarify the situation :

• auth-ldap is only included in nginx-extras, not in other flavors
• it is built-in with nginx, not built as a separate dynamic module

As a consequence :

• include /etc/nginx/modules-enabled/*.conf; is not required for auth-ldap to work as soon as you have nginx-extrasinstalled on your machine
• this include is strictly required only if you use directives from the dynamically-loaded modules : http-auth-pam, http-geoip, http-image-filter, http-lua, http-ndk, http-perl, http-xslt-filter, stream and mail.

Given this, could you please double check your setup while I investigate on my side?

Thanks.

[mig5]

Yes, just clarifying that all these machines use nginx-extras (I only use your packages for Nginx because I depend on auth-ldap)

I don't use any of those other modules, perhaps this is why the absence of the 'include' works on my first 13 machines which were already using Jessie 1.8.1-1~dotdeb+8.1 (then upgraded to 1.10.1-1~dotdeb+8.2 without issue)

On this new machine, I went from Wheezy on an earlier Nginx version, but still using nginx-extras, to 1.10.1-1~dotdeb+8.2, and after reboot it would not start whether or not the 'include' line was there (as you said, it makes no difference).

I just downgraded it to 1.8.1-1~dotdeb+8.1, where auth_ldap config still in use exactly as above, and no 'include' line (no more /etc/nginx/modules-enabled/*.conf), and it is working fine there now.

Just remains a mystery for me why this machine was different - the only difference was jump from Wheezy to Jessie but the config is exactly the same otherwise.

[gplessis]

I just tested to install nginx-extras on a clean Jessie, with the following minimal configuration :

user www-data;
worker_processes auto;

pid /run/nginx.pid;

include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 12288;
}

http {
    add_header Ping pong;

    server {
        listen 80; 
        root /var/www/html;
    }   

    ldap_server ldap1 {
        url ldaps://ldap.example.com/dc=example,dc=com?uid?sub?(objectClass=person);
        group_attribute memberUid; # default 'member'
        group_attribute_is_dn off; # default on
        require valid_user;
        require group "cn=staff,ou=Groups,dc=example,dc=com";
        satisfy any;
    }   
}

No unknown directive error was thrown, just a timeout because ldap.example.com does not answer.

Could you please reproduce this case and confirm that the auth-ldapdirectives are available in such a simple setup?

[mig5]

I will do that, can you try putting 'auth_ldap_servers ldap1;' in your server { } block and restart nginx? That way it matches my config better (actually instantiating ldap auth on a vhost)

[mig5]

OK I apologise, this looks like a red herring. It relates to a bad Apt Pin on nginx during the wheezy->jessie upgrade, which resulted in Debian trying to install nginx-full somehow to resolve a dependency problem. Not exactly clear why the issue continued after I was sure nginx-extras was installed, but it is somehow related.

I just fixed the pin and did an apt-get dist-upgrade (remember I downgraded to 1.8) and it cleanly upgrade to 1.10.

Sorry for wasting your time, thanks for your tests.

[gplessis]

No problem. I'm glad to help.