How to configure nginx with windows AD?

[tianjiaolaozu]

I have successfully added "nginx-auth-ldap" to nginx when do the configure with centos7(after have a lots of trouble with centos6, so I strongly recommend you to try centos7 ). However, I do not have much luck with company AD, my config in nginx.conf file is like below

    ldap_server openldap {

    url "ldap://<ADIP>:389/ou=Domain Users,dc=<companydomain>,dc=com?sAMAccountName?sub?(&(objectClass=*))";

    #binddn "cn=Manager,dc=companydomain,dc=com";
    #binddn_passwd "secret";
    group_attribute memberuid;
    group_attribute_is_dn on;
    require valid_user;
                         }

Anyone can suggest whether I should uncomment binddb and binddn_passwd or how need I to modify add config file? Instant response will be much appreciated.

Regards,

James Pei

[Vitiate]

url ldap://dc1.local:3268/DC=du,DC=local?sAMAccountName?sub?(objectClass=person); binddn "DULOCAL\username"; binddn_passwd "password"; group_attribute uniquemember; group_attribute_is_dn off; require valid_user; ssl_check_cert off;

The above is working config against AD

[jandrieu]

FWIW, I was not able to get LDAP to work with a bind dn of the form "CN=Name, OU=XXX, DC=YYY" When I changed to "DOMAIN\username" or "user@example.com", it would work.

[fvm2000]

I just finished getting nginx-auth-ldap up and running on RHEL7. Here are a couple of comments from the experience:

• It may not seem obvious, but you need to create an AD user for the module to gain access to the AD (I created a user called "LDAPauth" with minimal rights and set password to never expire and cannot be changed by user (this is the user account you will use in the binddn and binddn_passwd directives)
• The binddn syntax that worked for me was "DOMAIN\LDAPAUTH" (note the double backslash and all caps) [edit: the comment editor removed the double-backslash between DOMAIN and LDAPAUTH and replaced it with a single backslash for some reason]
• I suggest that you create ldap_server sections in your server block for at least two domain controllers for redundancy. You then add one "auth_ldap_servers xxx;" directive for each DC in your location block.
• Make sure you add the appropriate "group_attribute" directives with respect to your "require" directives (ie if you plan to authenticate users, add "group_attribute uniquemember". To authenticate group members, add "group_attribute member")
• If you're having issues with DN syntax, go to ADUC, open your AD user or group properties, and in the Attribute Editor tab, scroll down to distinguishedName. You can double-click and copy-paste the correct DN from here. CAUTION: Be careful you don't alter the value accidentally in this window...
• I found that the statement I specified in the auth_ldap "Enter AD credentials" directive aren't always displayed as expected, depending on the browser used. In Firefox, I get "A username and password are being requested by https://mysite. The site says: "Enter AD credentials"". In Chrome I get "https://mysite requires a username and password." In IE, I get The server mysite is asking for your user name and password. The server reports that it is from Enter AD credentials."

[tianjiaolaozu]

Hello @Vitiate I am quite experienced in AD and my domain name is htwon.com and if I run dsquery user, it will show: "CN=Administrator,CN=Users,DC=htwon,DC=com" Any advice for my below configuration? -----------------------------------------------------------------------------------------------------------------= url ldap://Domain IP:3268/DC=htwon,DC=com?sAMAccountName?sub?(objectClass=Users); binddn "administrator@htwon.com"; binddn_passwd password; group_attribute uniquemember; group_attribute_is_dn off; require valid_user; ssl_check_cert off; }

[hablutzel1]

For troubleshooting LDAP integration problems you could enable network inspection with a tool like Wireshark that understands LDAP and could show you some helpful data for as in the following example: