kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

NGINX: [emerg] https_auth_ldap: Invalid or missing scope string in /etc/nginx/nginx.conf:26 #184

Open manas86 opened 6 years ago

manas86 commented 6 years ago

I would appreciate any direction towards solving this and help reaching the goal on CentOS 7. I'm following and using https://github.com/kvspb/nginx-auth-ldap with Docker. My Dockerfile looks like this:

```dockerfile
RUN cd ~ && git clone https://github.com/kvspb/nginx-auth-ldap \
    && git clone https://github.com/nginx/nginx \
    && cd /root/nginx \
    && /root/nginx/auto/configure --add-module=/root/nginx-auth-ldap \
        --with-http_ssl_module --with-debug \
        --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/sbin/nginx \
        --pid-path=/var/log/nginx/nginx.pid --error-log-path=/var/log/nginx/error.log \
        --http-log-path=/var/log/nginx/access.log \
        --with-stream --with-stream_ssl_module --with-debug --with-file-aio --with-threads \
        --with-http_gunzip_module --with-http_gzip_static_module --with-http_v2_module \
        --with-http_auth_request_module \
    && make install \
    && cd .. && rm -rf nginx-auth-ldap && rm -rf nginx
```

Now I have difficulty with the nginx.conf setup. Basically, what I want to achieve is: as soon as the login window pops up, users give their own credentials (user name and password), which will eventually be validated against LDAP (CN=devops,OU=project,OU=services,OU=groups,o=orgname) or (CN=users,OU=project,OU=services,OU=groups,o=orgname). So that means I can't have the password stored in my config file. Can you help me build the setup for different filters?

At this moment, I have set up my config file like this for one filter, which gives me the error below:

```
NGINX: [emerg] https_auth_ldap: Invalid or missing scope string in /etc/nginx/nginx.conf:26
```

Under the http tag:

```nginx
ldap_server ldap {
    url "ldaps://XXX:636/CN=devops,OU=project,OU=services,OU=groups,o=orgname?uniqMember?sub?(objectclass=*)" require valid_user;"
}
```

and in the location tag:

```nginx
location / {
    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/pass/.htpasswd;
    auth_ldap "Closed content";
    auth_ldap_servers ldap;
    root html;
    index index.html index.htm;
}
```

And then how can I achieve 2 filters?

Maybe the attached LDAP image will help: https://user-images.githubusercontent.com/30902765/29176575-813b3592-7dec-11e7-9949-683f679e4c38.png

Regards, Manas

trueCii commented 6 years ago

This is the configuration that I have in my conf file:

```nginx
ldap_server server1 {
    url "ldap://<url>/DC=something,DC=company,DC=com?sAMAccountName?sub?(&(memberOf:1.2.***.******:=CN=devops,OU=servergroups,OU=mgmnt,DC=something,DC=company,DC=com)(objectClass=*))";
    binddn "cn=some-bind-user,ou=specialaccounts,ou=accounts,ou=mgmnt,dc=something,dc=company,dc=com";
    binddn_passwd "<password>";
    require valid_user;
}
```

For different LDAP groups:

```nginx
ldap_server ldap {
    # every directive inside the block ends with ";" (the stray quote after valid_user is gone)
    url "ldaps://XXX:636/CN=devops,OU=project,OU=services,OU=groups,o=orgname?uniqMember?sub?(objectclass=*)";
    require valid_user;
}

ldap_server ldap1 {
    url "ldaps://XXX:636/CN=new-devops,OU=project,OU=services,OU=groups,o=orgname?uniqMember?sub?(objectclass=*)";
    require valid_user;
}
```

and in the location tag:

```nginx
location / {
    #auth_basic "Restricted Content";
    #auth_basic_user_file /etc/nginx/pass/.htpasswd;
    auth_ldap "Closed content";
    auth_ldap_servers ldap;
    root html;
    index index.html index.htm;
}

location /test {
    #auth_basic "Restricted Content";
    #auth_basic_user_file /etc/nginx/pass/.htpasswd;
    auth_ldap "Closed content";
    auth_ldap_servers ldap1;
    root html;
    index index.html index.htm;
}
```

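Added example, not taken from this thread or from the module's own repository: one way to express the original question ("let anyone in CN=devops or CN=users in") with a single ldap_server block, using the module's `require group`, `satisfy`, `group_attribute` and `group_attribute_is_dn` directives as documented in its README, instead of one server block per group and per location. The users subtree `OU=people,o=orgname`, the `uid` attribute, the service-account DN `cn=nginx-search,OU=services,o=orgname`, the host `XXX` and the CA bundle path are assumptions standing in for the real directory. `binddn`/`binddn_passwd` are the read-only account the module searches with; the password the browser sends is only used for the second bind as the user that the search found, so it is never stored in nginx.conf.

```nginx
http {
    ldap_server org_ldap {
        # RFC 4516 URL: base DN ? attributes ? scope (base|one|sub) ? filter.
        # The base is the *users* subtree (assumed), so the DN the search returns
        # is the user's own entry, which the module then binds as with the
        # password supplied in the browser's login prompt.
        url "ldaps://XXX:636/OU=people,o=orgname?uid?sub?(objectClass=person)";

        # Read-only service account used only for the search (assumed DN).
        # This is the only secret in the file: keep nginx.conf root-owned and 0640.
        binddn "cn=nginx-search,OU=services,o=orgname";
        binddn_passwd "CHANGE_ME";

        # groupOfUniqueNames entries keep member DNs in uniqueMember.
        group_attribute uniqueMember;
        group_attribute_is_dn on;

        # Membership in either group is enough. Do not add "require valid_user"
        # next to "satisfy any": every successfully bound user would satisfy it.
        satisfy any;
        require group "CN=devops,OU=project,OU=services,OU=groups,o=orgname";
        require group "CN=users,OU=project,OU=services,OU=groups,o=orgname";

        # Verify the LDAPS server certificate (CentOS 7 system bundle, assumed path).
        ssl_check_cert on;
        ssl_ca_file /etc/pki/tls/certs/ca-bundle.crt;
    }

    server {
        # Basic auth sends the user's credentials with every request, so only
        # offer the prompt over TLS (certificate directives omitted here).
        listen 443 ssl;

        location / {
            auth_ldap "Closed content";
            auth_ldap_servers org_ldap;
            root html;
            index index.html index.htm;
        }
    }
}
```

Run `nginx -t` before reloading: the module hands the `url` value to the LDAP library's URL parser at configuration time, so a URL that does not follow the base?attributes?scope?filter layout, or a directive inside `ldap_server` that is not terminated by `;`, is rejected as an `[emerg]` the way the error in this issue was. `ssl_check_cert`/`ssl_ca_file` are documented in the module README; if an older build rejects them, drop those two lines rather than falling back to `ldap://`.
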
manas86 commented 6 years ago

Thanks, it's working fine now.

manas86 commented 5 years ago

@trueCii can I ask you a question?