kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

How to make install LDAP Authentication module #207

Closed Howard-Chang closed 6 years ago

Howard-Chang commented 6 years ago

Hi, I follow these steps:

cd ~ && git clone https://github.com/kvspb/nginx-auth-ldap.git   
in nginx source folder
./configure --add-module=path_to_http_auth_ldap_module
make install
[root@localhost nginx-auth-ldap]# make install
make: *** No rule to make target `install'.  Stop.

I don't know how to compile the module :( There's no configure file in my nginx source folder:

conf.d          koi-utf  mime.types  nginx.conf   uwsgi_params
fastcgi_params  koi-win  modules     scgi_params  win-utf

Thank you in advance!

davama commented 6 years ago

Using CentOS Linux release 7.5.1804 (Core)

yum install openldap-devel openssl-devel pcre-devel yum-utils gcc
yumdownloader --source nginx
rpm2cpio nginx-#-#.rpm | cpio -idmv
tar xf nginx-#-#.tar.gz
cd nginx-#-#
./configure --user=nginx --group=nginx --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_gzip_static_module --with-http_stub_status_module --with-http_ssl_module --with-pcre --with-file-aio --with-http_realip_module --with-http_v2_module --add-module=/root/source-nginx/nginx-auth-ldap --with-debug
make install
useradd --shell /sbin/nologin -M -r nginx
cp ~/source-nginx/nginx.service /usr/lib/systemd/system/
cp ~/source-nginx/nginx-#-#/man/nginx.8 /usr/local/share/man/man8/

Hope it helps

Howard-Chang commented 6 years ago

Hi @davama, thanks for your reply. When I go to this step: rpm2cpio nginx-#-#.rpm | cpio –idmv there's an error: [image]

thank you in advance!

davama commented 6 years ago

Interesting... Not sure what could be the cause

I built a clean CentOS 7 VM, updated to the latest with yum update, then ran what I had sent previously:

[root@nginx-lab ~]# rpm2cpio nginx-1.12.2-2.el7.src.rpm | cpio -idvm
404.html
50x.html
README.dynamic
UPGRADE-NOTES-1.6-to-1.10
index.html
nginx-1.12.2.tar.gz
nginx-1.12.2.tar.gz.asc
nginx-auto-cc-gcc.patch
nginx-logo.png
nginx-upgrade
nginx-upgrade.8
nginx.conf
nginx.logrotate
nginx.service
nginx.spec
poweredby.png
2032 blocks

davama commented 6 years ago

Your - dash

fix your dash

Howard-Chang commented 6 years ago

Hi @davama, thank you so much! I have installed nginx-auth-ldap successfully, but I don't know how to manage it :( I am new to LDAP. I followed the README instructions and some errors occur. nginx.conf:

user  nginx;
worker_processes  4;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}

http {

    ldap_server test1 {
        url ldap://192.168.0.1:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);
        binddn "TEST\\LDAPUSER";
        binddn_passwd LDAPPASSWORD;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
    }
    ldap_server test2 {
        url ldap://192.168.0.2:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);
        binddn "TEST\\LDAPUSER";
        binddn_passwd LDAPPASSWORD;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
    }
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

conf.d/default.conf:

server {
    listen       8000;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;
    auth_ldap "Forbidden"
    auth_ldap_servers test1;
    auth_ldap_servers test2;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

2018/07/02 12:34:21 [notice] 29734#0: http_auth_ldap: parse_require in /etc/nginx/nginx.conf:22
2018/07/02 12:34:21 [notice] 29734#0: http_auth_ldap: parse_require in /etc/nginx/nginx.conf:30
2018/07/02 12:34:21 [emerg] 29734#0: invalid number of arguments in "auth_ldap" directive in /etc/nginx/conf.d/default.conf:8

thank you in advance!

davama commented 6 years ago

Not sure really, but here's a snippet of mine (I don't include the default).

http {
....
...
    ldap_server ldap_local {
        url "ldap://localhost/dc=datacom,dc=net?uid?sub?(objectClass=posixAccount)";
        binddn "cn=xxxxx,dc=datacom,dc=net";
        binddn_passwd "xxxxx";
        require group "cn=config,ou=Group,dc=datacom,dc=net";
        group_attribute "memberUid";
        group_attribute_is_dn off;
        require valid_user;
        satisfy all;
    }
    location /cgit/ {
        auth_ldap "WHQ LDAP Authentication";
        auth_ldap_servers ldap_local;
    ...

Howard-Chang commented 6 years ago

Hi @davama, thanks for your reply again! Now this is my new nginx.conf setting (I'm not sure it's correct, but nginx can run):

user  nginx;
worker_processes  4;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}

http {
    ldap_server ldap_local {
        url "ldap://localhost/cn=Manager,dc=xinhua?uid?sub?(objectClass=posixAccount)";
        binddn "cn=Manager,dc=xinhua,dc=org";
        binddn_passwd "xxxxxx";
        require group "cn=config,ou=People,dc=xinhua,dc=org";
        group_attribute "memberUid";
        group_attribute_is_dn off;
        require valid_user;
        satisfy all;
    }
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;
    include /etc/nginx/conf.d/*.conf;
}

conf.d/default.conf:

server {
    listen       8000;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;
    auth_ldap "Forbidden";
    auth_ldap_servers ldap_local;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

[screenshots of the LDAP tree]

Now I don't know what the username and password are. When I try the username and password in .htpasswd, it doesn't work.

thank you in advance!

davama commented 6 years ago

Glad it's working, but did you check the logs (nginx/LDAP)?

Now I don't know what the username and password are. When I try the username and password in .htpasswd, it doesn't work.

.htpasswd and LDAP are two different authentication methods. You are trying to use LDAP, not .htpasswd, so use credentials for a user in LDAP.

url "ldap://localhost/cn=Manager,dc=xinhua?uid?sub?(objectClass=posixAccount)";

Uh... that's wrong. That's not the organization DN that you show.

require group "cn=config,ou=People,dc=xinhua,dc=org"

I don't even see that you have a cn=config object...

I don't know what exactly you are looking for in terms of authentication/authorization, but according to your LDAP tree, and assuming you need someone to be part of cn=secretary:

url "ldap://localhost/dc=xinhua,dc=org?uid?sub?(objectClass=posixAccount)";

require group "cn=secretary,ou=group,dc=xinhua,dc=org";

Then log in as ada with their credentials (this is all assuming ada is part of cn=secretary and ada has the posixAccount objectClass).

I think what is more important is that you understand what each of those lines is doing: https://github.com/kvspb/nginx-auth-ldap#available-config-parameters

Hope it's helpful
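As an added example (not code from the nginx-auth-ldap project or from either poster), the Python below parses the module's `url` value (an RFC 4516 LDAP URL), flags the two mistakes discussed above (a search base that is a single entry such as cn=Manager,dc=xinhua, and a base outside the bind DN's naming context) and builds the ldapsearch command that reproduces the module's user lookup, so the URL, bind DN and filter can be verified before nginx is restarted. The DNs in the test are the ones from this thread; the checks are heuristics written here, not the module's own logic.

```python
from urllib.parse import urlsplit, unquote
import shlex

def parse_ldap_url(url):
    """Split ldap[s]://host[:port]/base?attr?scope?filter (RFC 4516) into parts."""
    u = urlsplit(url)  # only the first '?' separates the query; the rest stays in .query
    if u.scheme not in ("ldap", "ldaps") or not u.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    attr, scope, filt = (u.query.split("?") + ["", ""])[:3]
    if scope not in ("", "base", "one", "sub"):
        raise ValueError("bad scope %r" % scope)
    return {"scheme": u.scheme, "host": u.hostname,
            "port": u.port or (636 if u.scheme == "ldaps" else 389),
            "base": unquote(u.path.lstrip("/")), "attr": unquote(attr),
            "scope": scope or "base", "filter": unquote(filt) or "(objectClass=*)"}

def dn_parts(dn):
    return [rdn.strip().lower() for rdn in dn.split(",")]  # naive split, fine for these DNs

def naming_context(dn):
    """Trailing dc= components of a DN, e.g. ['dc=xinhua', 'dc=org']; [] if none."""
    parts = dn_parts(dn)
    while parts and not parts[0].startswith("dc="):
        parts.pop(0)
    return parts

def check_server(url, binddn):
    """Findings for one ldap_server block; an empty list means nothing suspicious."""
    p = parse_ldap_url(url)
    findings = []
    if not p["attr"]:
        findings.append("url names no login attribute (uid, sAMAccountName, ...)")
    base = dn_parts(p["base"])
    if base[0].split("=")[0] in ("cn", "uid"):
        findings.append("base DN %r is a single entry, not a container" % p["base"])
    ctx = naming_context(binddn)  # empty for a non-DN binddn such as DOMAIN\user
    if ctx and base[-len(ctx):] != ctx:
        findings.append("base DN %r is outside naming context %s" % (p["base"], ",".join(ctx)))
    return findings

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldapsearch_command(url, binddn, login):
    """ldapsearch invocation that reproduces the module's lookup of `login`."""
    p = parse_ldap_url(url)
    user_filter = "(&%s(%s=%s))" % (p["filter"], p["attr"], escape_filter_value(login))
    return shlex.join(["ldapsearch", "-x", "-H", "%s://%s:%d" % (p["scheme"], p["host"], p["port"]),
                       "-D", binddn, "-W", "-b", p["base"], "-s", p["scope"], user_filter, "dn"])
```

The `-W` flag makes ldapsearch prompt for the bind password, so the binddn_passwd value never lands in shell history; an empty result for a known login means the base DN, scope or filter is wrong, which is exactly what the error-free but non-working config above looked like.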

Howard-Chang commented 6 years ago

Hi @davama, thank you sooooo much :) It works now! I can log in with an account in LDAP. Now I want to integrate AD with LDAP. Is it possible? Besides, I want to let users auto-login with LDAP authentication. Could you give me some hints :)

thanks a lot.

davama commented 6 years ago

Now I want to integrate AD with LDAP. Is it possible?

Not really sure, but not a discussion for here. Ask Google.

auto login with ldap authenticate

I believe you are talking about SSO. That is a much more complicated system. This project is not for SSO. I've played with the authelia project, which was not easy to set up.

Howard-Chang commented 6 years ago

Hi @davama, sorry, could I ask you a question :) I want to get the username from the form and pass it through nginx. [image] How should I modify nginx.conf:

error_log logs/error.log debug;
events {
    worker_connections 10240;
}
http {
    proxy_cache_path cache/  keys_zone=auth_cache:10m;
    upstream backend {
        server 127.0.0.1:9000;
        #server 127.0.0.1:5601;
    }
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    server {
        listen 8081;
        location / {
            auth_request /auth-proxy;
            error_page 401 =200 /login;
            auth_request_set $user $upstream_http_x_user;  # I am not sure if this is correct, or how to modify it
            proxy_set_header X-PROXY-USER $user;
            #proxy_pass http://backend/;
            proxy_pass http://localhost:5601;
        }
        location /login {
            proxy_pass http://backend/login;
            proxy_set_header X-Target $request_uri;
        }
        location = /auth-proxy {
            internal;
            proxy_pass http://127.0.0.1:8888;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            proxy_cache auth_cache;
            proxy_cache_valid 200 10m;
            proxy_cache_key "$http_authorization$cookie_nginxauth";
            proxy_set_header X-Ldap-URL      "ldap://localhost:389";
            proxy_set_header X-Ldap-BaseDN   "dc=xinhua,dc=org";
            proxy_set_header X-Ldap-BindDN   "cn=Manager,dc=xinhua,dc=org";
            proxy_set_header X-Ldap-BindPass "XXXXX";
            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;
        }
    }
}

davama commented 6 years ago

Look for a module that does that

Howard-Chang commented 6 years ago

I solved the problem thx :)

mithun0119 commented 4 years ago

I solved the problem thx :)

Please advise what was done to fix?