kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License
738 stars 253 forks

ldap connection problem behind a firewall #51

Open uweng opened 10 years ago

uweng commented 10 years ago

I've got the following problem connecting to an LDAP server behind a firewall.

After the first start everything works fine. After a while the authentication doesn't work anymore.

Between the server and the LDAP server there is a firewall closing the LDAP connection after a period of no data transfer.

In the error.log file I see these messages:

2014/07/28 09:02:10 [info] 14109#0: http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server)

and some time before:

2014/07/28 09:00:31 [info] 8020#0: http_auth_ldap: Request timed out (state=1) (110: Connection timed out)

NGINX Version:

nginx -V
nginx version: nginx/1.6.0
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx-1.6.0 
            --with-http_ssl_module 
            --with-http_gzip_static_module
            --with-http_stub_status_module 
            --with-cc-opt=-Wno-error 
            --add-module=/tmp/nginx/nginx-auth-ldap-master/

NGINX-Config:

http {
    ldap_server ldap1 {
        # the url must be one token: a line break inside it would split it into two arguments
        url ldaps://ldapserver.domain.com/DC=domain,DC=com?sAMAccountName?sub?(objectClass=person);
        binddn "CN=ldap-user,OU=Users,DC=domain,DC=com";
        group_attribute uniquemember;
        group_attribute_is_dn on;
        binddn_passwd password;
        require valid_user;
    }
    auth_ldap_cache_enabled on;
    auth_ldap_cache_expiration_time 10000;
    auth_ldap_cache_size 1000;

    server {
        listen       192.168.1.2:80;
        server_name  nginx.domain.com;
        rewrite ^ https://nginx.domain.com/ permanent;
    }

    server {
        listen       192.168.1.2:443;
        server_name  nginx.domain.com;
        root         /www/nginx;

        # satisfy any: clients from the allowed networks bypass LDAP authentication entirely
        satisfy any;

        allow 192.168.0.0/16;
        allow 127.0.0.1;

        # LDAP authentication
        auth_ldap "LDAP-Auth";
        auth_ldap_servers ldap1;

        # SSL (SSLv3 is obsolete and should not be enabled on current deployments)
        ssl on;
        ssl_protocols        SSLv3 TLSv1;
        ssl_ciphers          HIGH:!ADH:!MD5;

        ssl_certificate       /certs/nginx.domain.com.crt;
        ssl_certificate_key   /certs/nginx.domain.com.key;

        error_page 404 /404.html;
        access_log  /logs/nginx/access.log main;
        error_log   /logs/nginx/error.log;
        rewrite_log on;
    }
}

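The failure reported above is the classic stateful-firewall pattern: the module keeps a bound LDAP connection open, the firewall expires its state entry for the idle TCP flow, and the next search on that connection is silently dropped, so the request times out (110) and ldap_result() then reports "Can't contact LDAP server". The general countermeasure is TCP keepalive with a probe interval shorter than the firewall's idle timeout, so the flow stays fresh and a dead peer is detected by the kernel (and can be reconnected) instead of stalling a user's login. The following is an added example and not nginx-auth-ldap code: it shows the socket options involved in Python, sizes them against an assumed firewall idle timeout (FIREWALL_IDLE_TIMEOUT is a constructed value), and reads them back. Whether the module itself sets SO_KEEPALIVE is not stated on this page; inside nginx the option would have to be set by the module on its upstream socket, because the kernel's net.ipv4.tcp_keepalive_* defaults only apply to sockets that have keepalive enabled.

```python
"""TCP keepalive as a countermeasure for firewalls that drop idle LDAP connections.

Hypothetical, self-contained example; not code from nginx-auth-ldap.
"""
import socket

# Assumed idle timeout of the firewall between nginx and the LDAP server (constructed value).
FIREWALL_IDLE_TIMEOUT = 300  # seconds


def plan_keepalive(firewall_idle_timeout, safety_factor=0.5):
    """Choose (idle, interval, count) so the first probe goes out well inside the
    firewall's idle window and a dead peer is declared before the window expires."""
    idle = max(1, int(firewall_idle_timeout * safety_factor))  # seconds before first probe
    interval = max(1, idle // 6)                                # seconds between probes
    count = 3                                                   # unanswered probes before ETIMEDOUT
    return idle, interval, count


def detection_deadline(idle, interval, count):
    """Worst-case seconds until the kernel reports a silently dropped peer."""
    return idle + interval * count


def keeps_flow_alive(idle, firewall_idle_timeout):
    """True if probes start before the firewall would expire the idle flow."""
    return idle < firewall_idle_timeout


def _idle_option():
    # Linux names the idle-time option TCP_KEEPIDLE; macOS exposes it as TCP_KEEPALIVE.
    return getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)


def enable_tcp_keepalive(sock, idle, interval, count):
    """Turn on keepalive so the kernel probes an otherwise idle connection.
    Each option is applied only where the platform exposes it."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = _idle_option()
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return sock


def keepalive_settings(sock):
    """Read back what the kernel holds on the socket; None where the platform lacks the option."""
    idle_opt = _idle_option()
    return {
        "keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE),
        "idle": sock.getsockopt(socket.IPPROTO_TCP, idle_opt) if idle_opt is not None else None,
        "interval": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
        if hasattr(socket, "TCP_KEEPINTVL") else None,
        "count": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
        if hasattr(socket, "TCP_KEEPCNT") else None,
    }


def configure_ldap_socket(sock, firewall_idle_timeout=FIREWALL_IDLE_TIMEOUT):
    """Apply a keepalive plan sized for the firewall in the path and return the readback."""
    idle, interval, count = plan_keepalive(firewall_idle_timeout)
    enable_tcp_keepalive(sock, idle, interval, count)
    return keepalive_settings(sock)


if __name__ == "__main__":
    # Demonstration on an unconnected TCP socket; the options would be set the same way
    # on the socket that actually connects to ldaps://ldapserver.domain.com.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print(configure_ldap_socket(s))
        idle, interval, count = plan_keepalive(FIREWALL_IDLE_TIMEOUT)
        print("dead peer detected within", detection_deadline(idle, interval, count), "s")
    finally:
        s.close()
```

With the assumed 300 s firewall timeout the plan is idle 150 s, interval 25 s, three probes, so a dropped flow is reported within 225 s, before the firewall would have expired the state entry; tune the timeout to the real firewall's idle setting. On Linux, `ss -tno` shows the keepalive timer on established sockets, which is a quick way to confirm whether the LDAP connection held by an nginx worker actually has keepalive enabled.
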
henhof commented 10 years ago

Hi,

I get the same error.

This is my error.log:

2014/09/01 10:41:34 [error] 2523#0: *4 http_auth_ldap: Authentication timed out, client: 172.16.1.200, server: redmine-dev.member.domain.de, request: "GET / HTTP/1.1", host: "redmine-dev.member.domain.de"
uweng commented 10 years ago

Hi,

I changed to this module (ngx_http_auth_pam_module):

http://web.iti.upv.es/~sto/nginx/

Here is the howto:

http://web.iti.upv.es/~sto/nginx/ngx_http_auth_pam_module-1.2/README.html

This solution works perfectly, including when using redundant LDAP servers.

jbq commented 9 years ago

I submitted a patch for issue #80 so you can have proper error messages in the logs and diagnose the issue yourself.