kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

'Require user' works incorrectly. #209

Closed Frikitrok closed 6 years ago

Frikitrok commented 6 years ago

I'm trying to make auth work for only one user out of the whole LDAP. It works, but with one bug: the user must enter the correct password, but he can enter anything (other than an empty string) in the name field and he still gets in. So the name variable seems to be ignored. Is it possible to fix this? My configs:

    ldap_server ldap1 {
        url ldap://ldap_host:389/dc=example,dc=com?uid?sub?(&(objectClass=posixAccount));
        binddn "cn=admin,dc=example,dc=com";
        binddn_passwd "password";
        group_attribute uid;
        group_attribute_is_dn on;

        require valid_user;

        #group_attribute uniquemember;
        require valid_user "uid=usename,ou=People,dc=example,dc=com";
        satisfy all;
    }

Also, when I replace valid_user with the user variable I can't log in, and the error log is empty.

davama commented 6 years ago

> require valid_user "uid=usename,ou=People,dc=example,dc=com";

Not sure if this is correct; see https://github.com/kvspb/nginx-auth-ldap#require

Search the issues for examples. There are many out there.

Frikitrok commented 6 years ago

Here I don't see any description of user and valid_user. I can't understand the difference. So is it possible to make auth for only one user, which I will configure in the nginx conf? But this user should still enter his creds in the name/password fields.

davama commented 6 years ago

Already documented how to write the line correctly: https://github.com/kvspb/nginx-auth-ldap/blob/42d195d7a7575ebab1c369ad3fc5d78dc2c2669c/example.conf#L34

Not sure if you can "lock" access to one specific user. Maybe via your url.

davama commented 6 years ago

> Also, when I replace valid_user with the user variable I can't log in, and the error log is empty.

I just noticed this line in your comment.

Does valid_user work? Instead of 1 user, all users?

davama commented 6 years ago

Try narrowing your url. I tried on my test box and it worked:

    ldap_server ldap_local {
        url "ldap://localhost/ou=people,dc=datacom,dc=net?uid?sub?(uid=user)";
...
...
    require valid_user;
    }

Frikitrok commented 6 years ago

When I write it this way, I can't log in at all, and my error log is still empty. It seems the LDAP plugin can find the user but for some reason doesn't let him in, and for some reason doesn't write logs.

Frikitrok commented 6 years ago

valid_user works, but with one issue: the user must enter a valid password, but in the name field he can write something like 'asdasdakjsdgjhas' or 'asd' and he still gets in.

davama commented 6 years ago

> When I write it this way, I can't log in at all, and my error log is still empty. It seems the LDAP plugin can find the user but for some reason doesn't let him in, and for some reason doesn't write logs.

Can you do a successful LDAP bind based off your url using the user/user credentials? Something like:

    ldapsearch -xLLL -h ldap_host -p 389 -b dc=example,dc=com "(objectClass=posixAccount)" -D uid=user,bla,bla -w 'userpass'

Then try your asdfasdfas test:

    ldapsearch -xLLL -h ldap_host -p 389 -b dc=example,dc=com "(objectClass=posixAccount)" -D uid=asdasdf,bla,bla -w 'asdfsda'

Also, not sure if you need the group* settings if you're only authenticating one user.

Frikitrok commented 6 years ago

By the way, this one works well for me:

    ldap_server ldap_local {
        url "ldap://localhost/ou=people,dc=datacom,dc=net?uid?sub?(uid=user)";
    ...
    ...
        require valid_user;
    }

Thank you.

davama commented 6 years ago

Glad it works; closing the issue.

Frikitrok commented 6 years ago

Yes, add this template to your wiki as an example for other users.

Frikitrok commented 6 years ago

    ldap_server ldap1 {
        url ldap://ldap_hostname:389/dc=example,dc=com?uid,mail,cn?sub?(uid=user_name);
        binddn "cn=admin,dc=example,dc=com";
        binddn_passwd "pass";
        require valid_user;
    }
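The two configs in this thread differ only in the LDAP URL filter. As an added example (not code from nginx-auth-ldap or from anyone in this issue), the Python below parses such a URL, builds the per-login search filter on the assumption that the module ANDs its URL filter with `(<attr>=<entered username>)` (check that against your module version's source), and evaluates it over a constructed in-memory directory. It shows that the narrowed filter `(uid=user_name)` cannot match any other entered name, while the broad `(objectClass=posixAccount)` filter admits every account whose uid matches. The RFC 4515 escaping of the entered username is this example's own hardening, not something the thread attributes to the module; whether your version escapes is worth verifying.

```python
"""Added example, not code from nginx-auth-ldap or the issue participants.

Assumptions, labelled here and in the comments:
  * the module ANDs the URL's filter with (<attr>=<username>) before searching;
  * DIRECTORY below is constructed sample data, not a real server.
"""
import re
from urllib.parse import unquote, urlsplit


def parse_ldap_url(url):
    """Split ldap://host[:port]/base?attrs?scope?filter (RFC 4516 layout)."""
    parts = urlsplit(url)
    fields = parts.query.split("?") + ["", "", ""]
    attrs = [a for a in unquote(fields[0]).split(",") if a]
    if not attrs:
        raise ValueError("URL must name the user attribute, e.g. ?uid?")
    return {
        "host": parts.netloc,
        "base": unquote(parts.path.lstrip("/")),
        "attrs": attrs,
        "scope": fields[1] or "base",
        "filter": unquote(fields[2]) or "(objectClass=*)",
    }


def escape_filter_value(value):
    """RFC 4515 escaping so the entered username cannot alter filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def effective_filter(url, username, escape=True):
    """Filter sent for one login attempt (assumed form: URL filter AND attr=user)."""
    u = parse_ldap_url(url)
    value = escape_filter_value(username) if escape else username
    return "(&%s(%s=%s))" % (u["filter"], u["attrs"][0], value)


def _parse(f, i=0):
    """Tiny recursive-descent parser for &, |, ! and equality/presence items."""
    i += 1  # skip '('
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    if f[i] == "!":
        node, i = _parse(f, i + 1)
        return ("!", [node]), i + 1
    j = f.index(")", i)
    attr, _, val = f[i:j].partition("=")
    return ("=", attr.strip().lower(), val), j + 1


def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _match(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_match(k, entry) for k in node[1])
    if kind == "|":
        return any(_match(k, entry) for k in node[1])
    if kind == "!":
        return not _match(node[1][0], entry)
    _, attr, val = node
    values = [v.lower() for v in entry.get(attr, [])]
    if val == "*":  # presence filter; only reachable when the name is unescaped
        return bool(values)
    return _unescape(val).lower() in values


def search(url, username, directory, escape=True):
    """DNs the module would consider binding as for this entered username."""
    node, _ = _parse(effective_filter(url, username, escape))
    return [e["dn"] for e in directory if _match(node, e)]


# Constructed sample directory (not a real LDAP server); attribute keys lowercase.
DIRECTORY = [
    {"dn": "uid=user_name,ou=People,dc=example,dc=com",
     "uid": ["user_name"], "objectclass": ["posixAccount"]},
    {"dn": "uid=alice,ou=People,dc=example,dc=com",
     "uid": ["alice"], "objectclass": ["posixAccount"]},
    {"dn": "cn=admin,dc=example,dc=com",
     "cn": ["admin"], "objectclass": ["organizationalRole"]},
]

# The broad filter from the opening post and the narrowed one from the final comment.
BROAD_URL = "ldap://ldap_host:389/dc=example,dc=com?uid?sub?(&(objectClass=posixAccount))"
NARROW_URL = "ldap://ldap_hostname:389/dc=example,dc=com?uid,mail,cn?sub?(uid=user_name)"

if __name__ == "__main__":
    for url in (BROAD_URL, NARROW_URL):
        for name in ("user_name", "alice", "*"):
            print(effective_filter(url, name), "->", search(url, name, DIRECTORY))
    # An unescaped '*' becomes a presence test and matches every posixAccount.
    print(search(BROAD_URL, "*", DIRECTORY, escape=False))
```

With the broad URL, any account whose uid matches the entered name is a bind candidate; with the narrowed URL only `user_name` is, and the password is still checked by the bind, which is the behaviour the thread settled on.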