kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

About nginx, ldap, AD and nested groups #84

Open skokhanovskiy opened 9 years ago

skokhanovskiy commented 9 years ago

For example, we have the following configuration file:

ldap_server test1 {
    url ldaps://LDAPSERVER:3269/DC=domain,DC=local?sAMAccountName?sub?(objectClass=person);

    binddn "DOMAIN\\user";
    binddn_passwd p@sSwOrd;

    group_attribute member;
    group_attribute_is_dn on;

    require group "CN=MyGroup,OU=Groups,OU=Global,DC=domain,DC=local";
}

Create a group MySubGroup, add the user DOMAIN\access.user to the group MySubGroup, and add MySubGroup to the group MyGroup. If we do not change this configuration file, the user DOMAIN\access.user will not be able to authenticate to the site.

To solve the problem in an Active Directory environment you need to use the LDAP_MATCHING_RULE_IN_CHAIN rule. Using it, you can enumerate all members of this group, including members of nested groups.

ldap_server test1 {
    url ldaps://LDAPSERVER:3269/DC=domain,DC=local?sAMAccountName?sub?(&(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=Groups,OU=Global,DC=domain,DC=local)(objectClass=person));

    binddn "DOMAIN\\user";
    binddn_passwd p@sSwOrd;

    require valid_user;
}

The filter specified in the URL query will return only users that are directly or indirectly members of MyGroup. So the verification directive require group is no longer needed; replace it with require valid_user.

If the group name contains spaces, replace all spaces with the %20 code:

url ldaps://LDAPSERVER:3269/DC=domain,DC=local?sAMAccountName?sub?(&(memberOf:1.2.840.113556.1.4.1941:=CN=My%20Group%20With%20Spaces,OU=Groups,OU=Global,DC=domain,DC=local)(objectClass=person));

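
As an added example (not code from this issue or from nginx-auth-ldap), the following Python builds the nested-group filter used in the second configuration, %20-encoding spaces in the group DN, and simulates the transitive lookup that LDAP_MATCHING_RULE_IN_CHAIN performs over a small constructed directory, so the difference between the flat require group check and the chain filter can be seen without a domain controller. The directory entries and the user DN are constructed for the example.

```python
from urllib.parse import quote

# Active Directory OID for the transitive (in-chain) matching rule, as used in the issue.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

def nested_group_filter(group_dn: str) -> str:
    """Build the nginx-auth-ldap ?filter part that matches persons nested anywhere under group_dn.
    Spaces (and other URL-unsafe characters) are %-encoded; '=' and ',' stay literal."""
    encoded_dn = quote(group_dn, safe="=,")
    return f"(&(memberOf:{MATCHING_RULE_IN_CHAIN}:={encoded_dn})(objectClass=person))"

def ldap_url(base_dn: str, group_dn: str, host: str = "LDAPSERVER:3269") -> str:
    """Assemble the full url directive value in the issue's layout."""
    return f"ldaps://{host}/{base_dn}?sAMAccountName?sub?{nested_group_filter(group_dn)}"

# Constructed directory: object DN -> set of group DNs it is *directly* a member of (memberOf).
GROUPS_BASE = "OU=Groups,OU=Global,DC=domain,DC=local"
MYGROUP_DN = f"CN=MyGroup,{GROUPS_BASE}"
MYSUBGROUP_DN = f"CN=MySubGroup,{GROUPS_BASE}"
USER_DN = "CN=access.user,OU=Users,DC=domain,DC=local"  # constructed user entry
DIRECTORY = {
    USER_DN: {MYSUBGROUP_DN},        # access.user is only in MySubGroup
    MYSUBGROUP_DN: {MYGROUP_DN},     # MySubGroup is nested in MyGroup
    MYGROUP_DN: set(),
}

def direct_member_of(user_dn: str, group_dn: str) -> bool:
    """One-level check, equivalent to what `require group` with group_attribute member does."""
    return group_dn in DIRECTORY.get(user_dn, set())

def member_of_in_chain(user_dn: str, group_dn: str) -> bool:
    """Transitive check: walk memberOf links until group_dn is found (cycle-safe)."""
    seen, stack = set(), [user_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        parents = DIRECTORY.get(dn, set())
        if group_dn in parents:
            return True
        stack.extend(parents)
    return False

if __name__ == "__main__":
    print(ldap_url("DC=domain,DC=local", MYGROUP_DN))
    print("direct:", direct_member_of(USER_DN, MYGROUP_DN), "in chain:", member_of_in_chain(USER_DN, MYGROUP_DN))
```

The filter produced for a group name with spaces matches the %20-encoded form shown above, and the same user that fails the direct check passes the in-chain check.
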
ojongerius commented 7 years ago

Thanks for saving me from having to brush up on my C 👍