sepich / nginx-ldap

nginx LDAP auth with groups support

User and Group access enforcement not working #2

Open xomka686 opened 6 years ago

xomka686 commented 6 years ago

Hi!

I've implemented your nginx-ldap-auth module and it authenticates pretty well, nice job!

The only issue is, when I'm trying to set up authorization (user and group access enforcement), it's not working, and users who are not members of the specified groups and are not listed in the respective allowed list are still able to log in and access the website.

My config snippet for it is as follows:

```nginx
root /usr/share/nginx/html;

set $user '';
set $group '';

location = /auth-proxy {
    internal;
    proxy_pass http://127.0.0.1:8888;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Ldap-Realm "NGINX Plus Live Dashboard";
    proxy_set_header X-Ldap-Allowed-Usr $user;
    proxy_set_header X-Ldap-Allowed-Grp $group;
    proxy_cache auth_cache;
    proxy_cache_valid 200 15m;
    proxy_cache_key "$http_authorization$user$group";
}

location = /status.html {
    set $user "user1";
    set $group "Admins";
    auth_request /auth-proxy;
}

location = / {
    set $user "user1";
    set $group "Admins";
    auth_request /auth-proxy;
    return 301 /status.html;
}

location /status {
    set $user "user1";
    set $group "Admins";
    auth_request /auth-proxy;
    status;
    status_format json;
}
```

Can you advise if anything is wrong in the config, or maybe which debug output I can attach to assist you in the troubleshooting?

mrgleeco commented 5 years ago

I'm seeing enforcement not working, albeit slightly different from the above report. It is the case where a valid user with an empty password results in a 200, instead of checking the None.

A simple patch might look something like this:

```python
try:
    # Refuse to bind at all when no password was supplied; otherwise an
    # empty password becomes an unauthenticated (anonymous) simple bind
    # that the server accepts and python-ldap reports as success.
    if not passwd:
        raise ldap.INVALID_CREDENTIALS
    ldap_connection.simple_bind_s(data['distinguishedName'][0], passwd)
except ldap.INVALID_CREDENTIALS:
    # existing bad-credentials handling continues here unchanged
```

See also: https://github.com/python-ldap/python-ldap/issues/174
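The empty-password path described above, as an added example that is not code from the nginx-ldap-auth project or this thread: `FakeLdapConnection` is a constructed stand-in for a directory that honours RFC 4513 unauthenticated binds (a non-empty DN with an empty password succeeds as an anonymous session), `InvalidCredentials` stands in for `ldap.INVALID_CREDENTIALS`, and `hardened_check` is the posted patch expressed as a function so the two behaviours can be compared offline.

```python
"""Constructed model of why an empty password yields a 200 from the auth daemon."""


class InvalidCredentials(Exception):
    """Offline stand-in for ldap.INVALID_CREDENTIALS (assumption: same role)."""


class FakeLdapConnection:
    """Models a directory (e.g. AD defaults) that accepts unauthenticated binds."""

    def __init__(self, directory):
        self.directory = directory  # {dn: password}, constructed test data
        self.bound_as = None        # DN of the bound identity, "" = anonymous

    def simple_bind_s(self, who, cred):
        # RFC 4513 5.1.2: name present + empty password -> unauthenticated
        # bind. The server answers success, but the session is anonymous.
        if who and cred == "":
            self.bound_as = ""
            return
        if who in self.directory and self.directory[who] == cred:
            self.bound_as = who
            return
        raise InvalidCredentials()


def naive_check(conn, dn, passwd):
    """What the unpatched handler effectively does: trust the bind result."""
    try:
        conn.simple_bind_s(dn, passwd)
        return True
    except InvalidCredentials:
        return False


def hardened_check(conn, dn, passwd):
    """Reject None/empty passwords before binding, as in the posted patch."""
    if not passwd:
        return False
    return naive_check(conn, dn, passwd)


# Constructed sample directory with a single user.
DIRECTORY = {"cn=user1,dc=example,dc=com": "s3cret"}
USER_DN = "cn=user1,dc=example,dc=com"

if __name__ == "__main__":
    conn = FakeLdapConnection(DIRECTORY)
    print("naive, empty password   :", naive_check(conn, USER_DN, ""))
    print("hardened, empty password:", hardened_check(FakeLdapConnection(DIRECTORY), USER_DN, ""))
```

The naive path reports success for the empty password while `conn.bound_as` is the anonymous session, so any later group lookup runs against an identity the user never proved; the hardened path never reaches the bind.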

mrgleeco commented 5 years ago

To be clear, with such a patch, I do see proper group checking thereafter.