nginxinc / nginx-ldap-auth

Example of LDAP authentication using ngx_http_auth_request_module
BSD 2-Clause "Simplified" License

I extended the group management function; see #18

Closed wanggaolin closed 7 years ago

wanggaolin commented 7 years ago

vi nginx-ldap-auth-daemon.py

Delete this code:

        self.log_message('Auth OK for user "%s"' % (ctx['user']))

        # Successfully authenticated user
        self.send_response(200)
        self.end_headers()

Add this code:

        # Check each group named in the X-Ldap-Group header (';'-separated);
        # the user is accepted as soon as one group lists them as a uniqueMember.
        for group in ctx['group'].split(';'):
            GroupInfo = ldap_obj.search(ctx['basedn'], ldap.SCOPE_SUBTREE, 'cn=%s' % group.strip(), None)
            GroupMember = ldap_obj.result(GroupInfo, 0)
            try:
                # GroupMember is (result_type, [(dn, attrs), ...])
                print(ldap_dn.lower(), GroupMember[1][0][1]['uniqueMember'])
                if ldap_dn.lower() in GroupMember[1][0][1]['uniqueMember']:
                    self.send_response(200)
                    self.end_headers()
                    self.log_message('Auth OK for user "%s"' % (ctx['user']))
                    return
            except IndexError:
                # No group with that cn, or it has no uniqueMember attribute
                pass
        # Not a member of any of the requested groups: deny
        self.send_response(403)
        self.end_headers()
        return

To the right of `'cookiename': ('X-CookieName', args.cookie)` add this code:

,'group': ('X-Ldap-Group', args.cookie)

nginx config:

proxy_set_header X-Ldap-Group "group2;group2";
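The following is an added example, not code from this issue or from the nginx-ldap-auth repository. It shows the same group-membership check in a deny-by-default form that a daemon like this would want: the group name taken from the header is escaped before it is placed in the search filter (RFC 4515), member DNs are compared after normalisation instead of by raw lower-cased string equality, and membership of any listed group is the only way to get an allow. The `search_s` argument is assumed to be python-ldap's `search_s` on a bound connection; here a constructed in-memory directory stands in for it so the block runs offline, and `SCOPE_SUBTREE` is assumed to be python-ldap's value of 2.

```python
import re

# Assumed: python-ldap's ldap.SCOPE_SUBTREE, passed through to the search callable.
SCOPE_SUBTREE = 2


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515),
    so a header value such as 'admins)(cn=*' cannot rewrite the filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators so a server-
    returned member DN compares equal to the bound user DN. (A simplification of
    full DN matching, sufficient for the common 'uid=...,ou=...,dc=...' shape.)"""
    if isinstance(dn, bytes):
        dn = dn.decode("utf-8")
    return ",".join(part.strip() for part in dn.lower().split(","))


def user_in_any_group(search_s, basedn, user_dn, group_header):
    """Return True only if user_dn is a uniqueMember of at least one group named
    in the ';'-separated group_header (the X-Ldap-Group value); False otherwise."""
    wanted = normalize_dn(user_dn)
    for group in group_header.split(";"):
        group = group.strip()
        if not group:
            continue
        flt = "(cn=%s)" % escape_filter_value(group)
        for _dn, attrs in search_s(basedn, SCOPE_SUBTREE, flt, ["uniqueMember"]):
            for member in attrs.get("uniqueMember", []):
                if normalize_dn(member) == wanted:
                    return True
    return False


# --- Constructed stand-in for a directory, so the block runs offline ---------

FAKE_DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "uniqueMember": [b"uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=devs,ou=groups,dc=example,dc=com": {
        # Mixed case and a stray space, as a real server might return them.
        "uniqueMember": [b"uid=Bob, ou=people,dc=example,dc=com",
                         b"uid=alice,ou=people,dc=example,dc=com"],
    },
}


def _unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def fake_search_s(basedn, scope, filterstr, attrlist=None):
    """Minimal stand-in for ldap_obj.search_s: understands only '(cn=<value>)'
    filters and returns [(dn, attrs)] for matching entries under basedn."""
    if not (filterstr.startswith("(cn=") and filterstr.endswith(")")):
        return []
    cn = _unescape_filter_value(filterstr[4:-1]).lower()
    return [(dn, attrs) for dn, attrs in FAKE_DIRECTORY.items()
            if dn.startswith("cn=%s," % cn) and dn.endswith(basedn.lower())]


if __name__ == "__main__":
    base = "ou=groups,dc=example,dc=com"
    print(user_in_any_group(fake_search_s, base, "uid=alice,ou=people,dc=example,dc=com", "admins"))
    print(user_in_any_group(fake_search_s, base, "uid=bob,ou=people,dc=example,dc=com", "admins;devs"))
    print(user_in_any_group(fake_search_s, base, "uid=bob,ou=people,dc=example,dc=com", "admins"))
```

In the real daemon the call would be `user_in_any_group(ldap_obj.search_s, ctx['basedn'], ldap_dn, ctx['group'])`, followed by a 200 or 403 response on its result; note that it never writes member lists to stdout, unlike the `print` in the patch above, which would put every group's membership into the daemon's log.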

vl-homutov commented 7 years ago

Thank you for sharing an example of extending the authentication scheme. As I noted earlier, there may be thousands of organisation-specific rules which may need to be enforced: some want the user to be in particular groups, others have additional requirements for such groups, and so on. This repository shows a basic example, starting from which you may set up your own authentication logic. Attempting to add every possible scheme with configuration would lead to overcomplicated code and configuration that fails to serve the idea: a demonstration of the principles of external authentication with LDAP. Again, thank you for sharing your experience; other people may find it useful. Closing now.