kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

Require a combination of groups #240

Open bleenders opened 4 years ago

bleenders commented 4 years ago

Hey there,

I was wondering if it is possible to authorize based on a combination of 2 groups. Right now it seems to be satisfied when the user is part of one of the groups; I only want to grant them access when they are part of both.

ldap_server test {
    satisfy all;
    url ldap://127.0.0.1:389/OU=accounts,OU=customers,DC=domain,DC=test?cn?sub?(objectClass=inetOrgPerson);
    binddn "cn=admin,dc=domain,dc=test";
    binddn_passwd superSecret;
    group_attribute uniqueMember;
    group_attribute_is_dn on;
    require valid_user;
    require group 'cn=group1,ou=groups,ou=customers,dc=domain,dc=test';
    require group 'cn=group2,ou=groups,ou=customers,dc=domain,dc=test';
}

Is something like that possible out of the box?

zzzzl13 commented 3 years ago

Maybe you can try to add another ldap_server "test1", and add "auth_ldap_servers test1" to load this server.
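
Another way to express "member of both groups", added here as an example and not taken from the thread or from the project: put the AND into the LDAP search filter in the `url`, so that only users holding both memberships can be found at all. This assumes the directory populates a `memberOf` attribute on user entries (for example via the OpenLDAP memberof overlay, or natively in Active Directory); the DNs and credentials are the ones from the question.

```nginx
# Added example, not the project's own configuration.
# Assumption: user entries carry memberOf values for the groups they belong to.
ldap_server test {
    # The filter is part of the user search. An entry is returned only when
    # it is an inetOrgPerson AND lists both group DNs in memberOf, so a user
    # who is in just one of the groups is never located and cannot log in.
    url "ldap://127.0.0.1:389/OU=accounts,OU=customers,DC=domain,DC=test?cn?sub?(&(objectClass=inetOrgPerson)(memberOf=cn=group1,ou=groups,ou=customers,dc=domain,dc=test)(memberOf=cn=group2,ou=groups,ou=customers,dc=domain,dc=test))";

    binddn "cn=admin,dc=domain,dc=test";
    binddn_passwd superSecret;

    # Group membership is already enforced by the filter above, so no
    # "require group" lines are needed; any user the search finds and
    # who binds successfully is accepted.
    require valid_user;
}
```

Running the same filter with a directory search tool as the bind user, once for a user in both groups and once for a user in only one, confirms that `memberOf` is populated before relying on this.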