kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

Group authentication fails #76

Closed alertedsnake closed 9 years ago

alertedsnake commented 9 years ago

Pretty standard config:

ldap_server ldaptest {
    url                     "ldap://ldap.example.com/dc=example,dc=com?uid?sub?(&(objectClass=inetOrgPerson)    (employeeType=active))"
    group_attribute_is_dn   on;
    group_attribute         member;
    satisfy                 all;
    require                 group "cn=test,ou=Groups,dc=example,dc=com";
    require                 valid_user;
}

I know the group membership stuff works, and that the user is in the group; I've tested it in various other places, including an Apache server.

I get the following error:

2015/03/12 14:01:44 [debug] 16876#0: *5 http_auth_ldap: Authentication loop (phase=1, iteration=1)
2015/03/12 14:01:44 [debug] 16876#0: *5 http_auth_ldap: Authentication loop (phase=2, iteration=1)
2015/03/12 14:01:44 [debug] 16876#0: *5 http_auth_ldap: User DN is "uid=michael,ou=People,dc=example,dc=com"
2015/03/12 14:01:44 [debug] 16876#0: *5 http_auth_ldap: Authentication loop (phase=3, iteration=0)
2015/03/12 14:01:44 [debug] 16876#0: *5 http_auth_ldap: Comparing user group with "cn=test,ou=Groups,dc=example,dc=com"
2015/03/12 14:01:44 [debug] 16876#0: *5 http_auth_ldap: ldap_compare_ext() -> msgid=3
2015/03/12 14:01:44 [debug] 16876#0: *5 http_auth_ldap: Waking authentication request "GET / HTTP/1.1"
2015/03/12 14:01:44 [debug] 16876#0: *5 access phase: 8
2015/03/12 14:01:44 [debug] 16876#0: *5 http_auth_ldap: Authentication loop (phase=3, iteration=1)
2015/03/12 14:09:43 [error] 17109#0: *5 http_auth_ldap: ldap_compare_ext() request failed (21:Invalid syntax), client: 64.132.216.196, server: testserver.example.com, request: "GET / HTTP/1.1", host: "testserver.example.com"

Any suggestions from here? I have tried without the valid_user; it still fails. If I comment out the group check, it's fine.

Group is a groupOfNames, with my user's dn in the member attribute.

alertedsnake commented 9 years ago

I found something... I added a debug line to check the value of 'group_attribute_is_dn' inside ngx_http_auth_ldap_check_group:

2015/03/12 20:37:03 [debug] 28972#0: *5 http_auth_ldap: group_attribute_is_dn: 0

That's not what my config file says!

But... if you look more closely.... you'll notice my URL line has no semicolon. Bleh.
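The failure mode alertedsnake found, as an added example that is not part of nginx-auth-ldap: nginx's config parser reads tokens up to the next `;`, so with the semicolon missing the `group_attribute_is_dn on` tokens become extra arguments of `url` and the option is never applied, with no parse error. The checker below tokenizes an `ldap_server` block the same way (quoted strings, `;`-terminated statements) and flags any statement whose arguments contain another directive name; the directive set is the one from the posted config plus `binddn`/`binddn_passwd`, and the sample config is constructed here.

```python
import re

# Directive names valid inside an ldap_server block: those from the posted
# config plus binddn/binddn_passwd (a subset of the module's directives).
LDAP_SERVER_DIRECTIVES = {"url", "binddn", "binddn_passwd", "group_attribute",
                          "group_attribute_is_dn", "satisfy", "require"}

# nginx tokenization: whitespace-separated words, "..."/'...' strings,
# '#' comments, and ';' '{' '}' as statement/block delimiters.
TOKEN_RE = re.compile(r'''
    \s+ | \#[^\n]*                         # whitespace and comments (dropped)
  | "(?:[^"\\]|\\.)*" | '(?:[^'\\]|\\.)*'  # quoted strings (quotes stripped)
  | [;{}] | [^\s;{}"']+                    # delimiters and bare words
''', re.VERBOSE)

def tokenize(text):
    toks = [m.group(0) for m in TOKEN_RE.finditer(text)]
    toks = [t for t in toks if not (t.isspace() or t.startswith("#"))]
    return [t[1:-1] if t[0] in ('"', "'") else t for t in toks]

def statements(tokens):
    """Group tokens into statements; each ends at ';', '{' or '}'."""
    stmts, cur = [], []
    for t in tokens:
        if t in (";", "{", "}"):
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(t)
    return stmts + ([cur] if cur else [])

def find_swallowed_directives(text, known=LDAP_SERVER_DIRECTIVES):
    """Return (directive, swallowed) pairs where a statement's arguments contain
    another directive name: the signature of a missing ';' on the line before."""
    return [(s[0], a) for s in statements(tokenize(text)) for a in s[1:] if a in known]

# Constructed sample: the posted config, with the ';' missing after the url.
BROKEN_CONFIG = r'''
ldap_server ldaptest {
    url                     "ldap://ldap.example.com/dc=example,dc=com?uid?sub?(&(objectClass=inetOrgPerson)(employeeType=active))"
    group_attribute_is_dn   on;
    group_attribute         member;
    satisfy                 all;
    require                 group "cn=test,ou=Groups,dc=example,dc=com";
    require                 valid_user;
}
'''
FIXED_CONFIG = BROKEN_CONFIG.replace('active))"\n', 'active))";\n')
```

Running `find_swallowed_directives` over a real `ldap_server` block before reloading nginx catches this class of typo that the module itself reports only as a confusing LDAP error at request time.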

bitfrickler commented 8 years ago

:+1: Same just happened to me. Wasted hours on this...