nginxinc / nginx-ldap-auth

Example of LDAP authentication using ngx_http_auth_request_module
BSD 2-Clause "Simplified" License
681 stars 202 forks

setting certificates in Debian #43

Closed d-malko closed 5 years ago

d-malko commented 6 years ago

Please advise! I'm new to LDAP authorization (AD). I've already spent a lot of time, but I can't figure it out. How can I install certificates on my Debian system for a connection using ldaps?

/etc/nginx/conf.d/ldap.conf

```nginx
error_log logs/error.log debug;

proxy_cache_path cache/  keys_zone=auth_cache:10m;

# The back-end daemon listens on port 9000 as implemented
# in backend-sample-app.py.
# Change the IP address if the daemon is not running on the
# same host as NGINX/NGINX Plus.
upstream backend {
    server 127.0.0.1:5601;
}

# NGINX/NGINX Plus listen on port 8081 for requests that require
# authentication. Change the port number as appropriate.
server {
    listen 80;

    # Protected application
    location / {
        auth_request /auth-proxy;

        #proxy_pass http://backend/;
        #proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_cache_bypass $http_upgrade;

    }

    location = /auth-proxy {
        internal;

        # The ldap-auth daemon listens on port 8888, as set
        # in nginx-ldap-auth-daemon.py.
        # Change the IP address if the daemon is not running on
        # the same host as NGINX/NGINX Plus.
        proxy_pass http://127.0.0.1:8888;

        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_cache auth_cache;
        proxy_cache_valid 200 10m;

        # The following directive adds the cookie to the cache key
        #proxy_cache_key "$http_authorization$cookie_nginxauth";
        proxy_set_header X-Ldap-URL      "ldaps://balanced_ldap.co.company.com:636";
        proxy_set_header X-Ldap-BaseDN   "OU=company,DC=central,DC=co,DC=company,DC=com";
        proxy_set_header X-Ldap-BindDN   "CN=NGINX LDAP,OU=Technical Users,OU=Cv,OU=Branches,OU=company,DC=central,DC=co,DC=company,DC=com";
        proxy_set_header X-Ldap-BindPass "pass";
        proxy_set_header X-Ldap-Template "(userPrincipalName=%(username)s)";

        #proxy_set_header X-Ldap-Starttls "true";

        # (Required) The following directives set the cookie name and pass
        # it, respectively. They are required for cookie-based
        # authentication. Comment them out if using HTTP basic
        # authentication.
        proxy_set_header X-CookieName "nginxauth";
        proxy_set_header Cookie nginxauth=$cookie_nginxauth;

    }
}
```

stdout of nginx-ldap-auth:

```
localhost - denys.malko@company.com [04/May/2018 16:20:19] Error while binding as search user: {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"}, server="ldaps://balanced_ldap.co.company.com:636", login="denys.malko@company.com"
```

vl-homutov commented 5 years ago

The error indicates clearly that there is a problem in your configuration - the LDAP server is not accessible. For Debian questions, please consult the corresponding Debian support channel.
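A diagnostic for the "Can't contact LDAP server" error in the report above, added here as example code that is not part of nginx-ldap-auth. It assumes only the URL form of X-Ldap-URL and Python 3.7+, and separates a server that is unreachable over TCP from one that is reachable but presents a certificate the CA store does not trust, which the daemon reports with the same message.

```python
# Added diagnostic (not part of nginx-ldap-auth): probes the LDAP URL that nginx
# hands the daemon in X-Ldap-URL and tells apart the failures that python-ldap
# reports as the single message "Can't contact LDAP server": host:port not
# reachable versus a TLS handshake that fails because the server certificate
# does not verify against the CA store.
import socket
import ssl
from urllib.parse import urlsplit


def parse_ldap_url(url):
    """Return (scheme, host, port) for an ldap:// or ldaps:// URL.

    Port defaults to 389 for ldap and 636 for ldaps, as libldap does.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme in %r" % url)
    if not parts.hostname:
        raise ValueError("missing host in %r" % url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname, port


def probe(url, cafile=None, timeout=5.0):
    """Connect to the URL and return (status, detail).

    status: "tcp" (host:port unreachable), "tls-trust" (reachable, but the
    chain does not verify against cafile or, with cafile=None, the system
    store, /etc/ssl/certs on Debian), "tls" (other handshake error, e.g.
    plain LDAP answering on the ldaps port) or "ok".
    """
    scheme, host, port = parse_ldap_url(url)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)
    if scheme != "ldaps":
        sock.close()
        return "ok", "plain ldap://; trust only matters with X-Ldap-Starttls"
    # Default context = verify chain and match the name to the URL host,
    # the same policy libldap applies with TLS_REQCERT demand.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        return "tls-trust", str(exc)
    except (ssl.SSLError, OSError) as exc:
        return "tls", str(exc)


if __name__ == "__main__":
    # URL taken from the config in this issue; substitute your own server.
    print(probe("ldaps://balanced_ldap.co.company.com:636"))
```

The daemon itself binds through python-ldap, so libldap rather than Python's ssl module performs its certificate verification; on Debian libldap reads TLS_CACERT from /etc/ldap/ldap.conf, so a CA file that makes this probe pass must also be the one named there, otherwise the probe succeeds while the daemon still fails.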