How do I use require_group (and where is the logging?)

[funkytaco]

How do I auth only users who are a "memberOf" CN=*ABY (ITS),OU=Groups,OU=Messaging,OU=North America,DC=example,DC=com

my URL: url "ldap://ldap.example.com/dc=example,dc=com?sAMAccountName?sub?(objectClass=person)"; my require group (doesnt work): require group "CN=*ABY (ITS),OU=Groups,OU=Messaging,OU=North America,DC=example,DC=com"

I've also tried: require group "CN=*ABY (ITS)"

Also, where are the logs? I don't see the ldap output anywhere

[fpeterschmitt]

Hi,

You may want to use the group_attribute member option. Is it an Active Directory?

Check the group_attribute_is_dn option too, it's off by default.

[fvm2000]

I just finished getting nginx-auth-ldap up and running on RHEL7. Here are a couple of comments from the experience:

• It may not seem obvious, but you need to create an AD user for the module to gain access to the AD (I created a user called "LDAPauth" with minimal rights and set password to never expire and cannot be changed by user (this is the user account you will use in the binddn and binddn_passwd directives)

• The binddn syntax that worked for me was "DOMAIN\LDAPAUTH" (note the double backslash and all caps) [edit: the comment editor removes the double-backslash between DOMAIN and LDAPAUTH and replaced it with a single backslash for some reason]

• I suggest that you create ldap_server sections in your server block for at least two domain controllers for redundancy. You then add one "auth_ldap_servers xxx;" directive for each DC in your location block.

• Make sure you add the appropriate "group_attribute" directives with respect to your "require" directives (ie if you plan to authenticate users, add "group_attribute uniquemember". To authenticate group members, add "group_attribute member")

• If you're having issues with DN syntax, go to ADUC, open your AD user or group properties, and in the Attribute Editor tab, scroll down to distinguishedName. You can double-click and copy-paste the correct DN from here. CAUTION: Be careful you don't alter the value accidentally in this window...

• I found that the statement I specified in the auth_ldap "Enter AD credentials" directive aren't always displayed as expected, depending on the browser used. In Firefox, I get "A username and password are being requested by https://mysite. The site says: "Enter AD credentials"". In Chrome I get "https://mysite requires a username and password." In IE, I get The server mysite is asking for your user name and password. The server reports that it is from Enter AD credentials."