kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

require group - doesn't restrict access, any valid user still can access location #194

Open svscorp opened 6 years ago

svscorp commented 6 years ago

I am trying to use "require group" in extra ldap_server in order to achieve some ACL on Nginx and LDAP group level.

Given the below configuration I am logging in with a valid LDAP user who doesn't belong to mygroup but still can see content.

# nginx.conf

ldap_server myserver {
  url "ldaps://ip:686/ou=people,dc=company,dc=com?uid?sub?(objectClass=person)";
  binddn "uid=binduser,ou=internal,dc=company,dc=com";
  binddn_passwd "...";
  group_attribute "member";
  group_attribute_is_dn on;
  require valid_user;
  satisfy all;
}

ldap_server myserver-restricted {
  url "ldaps://ip:868/ou=people,dc=company,dc=com?uid?sub?(objectClass=person)";
  binddn "uid=binduser,ou=internal,dc=company,dc=com";
  binddn_passwd "...";
  group_attribute "member";
  group_attribute_is_dn on;
  satisfy all;
  # I have tried to put intentionally wrong/non-existing groups - no effect. Still can access.
  require group 'cn=mygroup1,ou=intgrp,ou=groups,dc=company,dc=com';
  require group 'cn=mygroup2,ou=intgrp,ou=groups,dc=company,dc=com';
}

# location_context.conf

# Tried to define on top level, didn't work with override ldap_servers. Moved to each location - still doesn't work.
# auth_ldap "Forbidden";
# auth_ldap_servers myserver;

location / {
    auth_ldap "Forbidden";
    auth_ldap_servers myserver;

    root   /usr/share/nginx/html;
    index  index.html index.htm;
}

location /restricted_view {
    auth_ldap "Forbidden";
    auth_ldap_servers myserver-restricted;

    proxy_pass         http://backend:8080;
    proxy_redirect     off;
    proxy_set_header   Host $host;
}

What is wrong?

gouzhuang commented 6 years ago

I had the same issue and proposed a fix: pull request

svscorp commented 6 years ago

It doesn't work for me, @gouzhuang. I can access "/restricted_view" still.

gouzhuang commented 6 years ago

I'm using an OpenLDAP server; the search for a group returns success with 0 entries when there is no match, and in that case my fix works. What's your LDAP server?
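
The failure mode gouzhuang describes, modelled in Python against a constructed in-memory directory (an added illustration, not nginx-auth-ldap's code). The `ldap_search` stub, the `DIRECTORY` sample data and the reading of `satisfy all`/`satisfy any` are assumptions made for the example.

```python
# Added illustration, not nginx-auth-ldap's code. Models the "require group"
# check against a constructed in-memory directory to show why treating a
# successful search as a match lets every valid user through.
from typing import Callable, Dict, List, Tuple

# Constructed sample data: group DN -> attributes (mirrors the issue's groups).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=mygroup1,ou=intgrp,ou=groups,dc=company,dc=com": {
        "member": ["uid=alice,ou=people,dc=company,dc=com"]},
    "cn=mygroup2,ou=intgrp,ou=groups,dc=company,dc=com": {
        "member": ["uid=alice,ou=people,dc=company,dc=com",
                   "uid=carol,ou=people,dc=company,dc=com"]},
}
LDAP_SUCCESS, LDAP_NO_SUCH_OBJECT = 0, 32  # standard LDAP result codes


def ldap_search(base_dn: str, attr: str, value: str) -> Tuple[int, List[str]]:
    """Simulated base-scope search for '(attr=value)'. As gouzhuang notes for
    OpenLDAP, a search that matches nothing still returns success (rc 0) with
    an empty entry list; only a missing base DN is an error."""
    entry = DIRECTORY.get(base_dn)
    if entry is None:
        return LDAP_NO_SUCH_OBJECT, []
    return LDAP_SUCCESS, ([base_dn] if value in entry.get(attr, []) else [])


def in_group_buggy(user_dn: str, group_dn: str, attr: str = "member") -> bool:
    """Accepts whenever the search call succeeded: the behaviour reported here."""
    rc, _ = ldap_search(group_dn, attr, user_dn)
    return rc == LDAP_SUCCESS


def in_group_fixed(user_dn: str, group_dn: str, attr: str = "member") -> bool:
    """Accepts only when the search returned at least one matching entry."""
    rc, entries = ldap_search(group_dn, attr, user_dn)
    return rc == LDAP_SUCCESS and len(entries) > 0


def require_group(user_dn: str, groups: List[str], satisfy: str,
                  check: Callable[[str, str], bool]) -> bool:
    """Assumption: 'satisfy all' means every listed group must match,
    'satisfy any' means one match is enough (nginx's usual reading)."""
    results = [check(user_dn, g) for g in groups]
    return all(results) if satisfy == "all" else any(results)


GROUPS = list(DIRECTORY)  # the two 'require group' lines from the issue
```

This models only the zero-entries case gouzhuang describes; it does not explain why a non-existent group DN still granted access in the original report, which would surface here as an error code rather than an empty result.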

Richard-Payne commented 4 years ago

Is anything happening with this issue? We are encountering exactly the same thing. The require valid_user requirement is respected but require group is ignored.

Richard-Payne commented 4 years ago

Oh, and we're using Windows Server 2016

Swetad90 commented 4 years ago

Same here on Ubuntu 18.06. Any solution yet?