kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License
732 stars, 253 forks

"satisfy any;" does not work with "allow/deny" and "auth_ldap" #7

Status: Closed (jasonwbarnett closed this issue 11 years ago)

jasonwbarnett commented 11 years ago

I've attempted to document the problem as best I can and I've provided debugging logs for ALL scenarios. I would try to fix this myself, although I don't know C. I spent several hours looking through the code and found myself lost...

I ran through the following scenarios to help you track down the issue.

  1. JUST Basic Auth (WORKS)
  2. JUST LDAP Auth (WORKS)
  3. Basic Auth, Access (IP Auth) (Client IP does NOT match), and satisfy any (WORKS)
  4. LDAP Auth, Access (IP Auth) (Client IP does NOT match), and satisfy any (does NOT work)

All four scenarios work, except 4. In scenario 4 with a client whose IP does not match, the browser does not even prompt the end user for a username and password like it does in scenario 3.

Nginx Config for scenario 4: https://gist.github.com/jasonwbarnett/4727443

  1. Debug Log: https://gist.github.com/jasonwbarnett/4727534
  2. Debug Log: https://gist.github.com/jasonwbarnett/4727452
  3. Debug Log: https://gist.github.com/jasonwbarnett/4727480
  4. Debug Log: https://gist.github.com/jasonwbarnett/4727481

jasonwbarnett commented 11 years ago

I was able to resolve this issue with what I consider a "hack"

If you need to use 4. above, then you simply need to also include Auth Basic with an empty password file AND the "auth_basic" and "auth_ldap" directives MUST be equal to one another.

Example config:

    ## CORE:
    satisfy any;

    ## LDAP MODULE
    auth_ldap "MUST BE EQUAL";
    auth_ldap_require valid_user;
    auth_ldap_satisfy any;

    ## AUTH BASIC MODULE
    auth_basic "MUST BE EQUAL";
    auth_basic_user_file /etc/nginx/emptyFile;

    ## IP MODULE
    allow 8.8.8.8/32;
    allow 10.10.10.10/32;
    allow 10.10.20.42/32;
    deny all;

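The workaround above, placed into a complete `http` block so the pieces can be seen together. This is an added illustration, not configuration from the issue author or the module's own documentation; the `ldap_server` block follows the layout the module README uses, and the server name, LDAP URL, bind DN, network ranges and the empty-file path are assumptions.

```nginx
# Added example: the "equal realm" workaround from the issue, in context.
# Names, addresses and paths below are placeholders, not values from the issue.
http {
    ldap_server corp_ldap {
        url ldap://ldap.example.internal:389/dc=example,dc=internal?uid?sub?(objectClass=person);
        binddn "cn=nginx-bind,dc=example,dc=internal";
        binddn_passwd "REPLACE_WITH_BIND_PASSWORD";
        require valid_user;
    }

    server {
        listen 80;
        server_name app.example.internal;

        location / {
            # Any one of the access checks below is enough to let a request through.
            satisfy any;

            ## IP MODULE: these networks are admitted with no credentials at all,
            ## so keep the list as short as possible.
            allow 10.10.20.0/24;
            deny  all;

            ## LDAP MODULE
            auth_ldap "Restricted";
            auth_ldap_servers corp_ldap;

            ## AUTH BASIC MODULE: the realm string MUST match auth_ldap exactly.
            ## The user file is intentionally empty, so basic auth by itself can
            ## never succeed; per the issue it is only there so the browser gets
            ## the 401 challenge when the client IP is not in the allow list.
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/empty.htpasswd;
        }
    }
}
```

Two things worth checking when deploying this: the empty file must exist and be readable by the nginx worker but writable only by root (anyone who can append a line to it has a working password for the location), and the `allow` ranges deserve the same scrutiny as credentials, since under `satisfy any` each of them is an unauthenticated path in.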
tdm4 commented 10 years ago

This works for me, however I get numerous errors in nginx:

2014/03/03 16:45:52 [error] 17168#0: *67 http_auth_ldap: Authentication timed out, client: 10.xxx.xxx.xxx, server: example.com, request: "GET /tracks/getdata HTTP/1.1", host: "example.com", referrer: "https://example.com.com/"

There has to be a cleaner way to do this.

jasonwbarnett commented 10 years ago

I attempted to deep dive into the code and it looks like this is the only way to do it... It's probably possible, but you would most likely need to patch the core NGINX code which doesn't sound like a good idea. I wish there was a simpler way, but I really don't think there is.

landryb commented 10 years ago

I would add to this that it also fails for me in case the client IP matches the allow block.

i.e.:

    satisfy any;
    auth_ldap_servers myserv;
    allow 10.0.0.0/24;
    deny all;

If I come from an IP in the allow block, I get the 401 prompt, while I shouldn't since satisfy any is in use. This is a huge blocker for me to use auth-ldap, since I can "easily" do the same thing with lighttpd and apache2... Adding to this that one can't seem to use allow in a potential referer check if block...