difference between auth_basic and auth_ldap

Maxim Dounin mdounin at mdounin.ru
Sun Jan 3 22:17:01 UTC 2021 

Hello!

On Fri, Jan 01, 2021 at 08:39:01PM +0100, A. Schulze wrote:

> Hello & happy new year!
> 
> my goal is to configure nginx to deny access from most client-ip but allow access from special ip's
> for authenticated users. This work for basic_authentication as expect but behave different with auth_ldap
> I use https://github.com/kvspb/nginx-auth-ldap.
> 
> simplified configuration with no allowed IPs at all:
> 
> 	server {
> 	  listen *:80;
> 	  deny all;
> 	  location /auth_basic {
> 	    auth_basic "auth_basic";
> 	    auth_basic_user_file /path/to/auth_basic_user_file;
> 	  }
> 	}
> 
> $ curl -v               http://nginx/auth_basic
> $ curl -v -u user:pass  http://nginx/auth_basic
> $ curl -v -u user:wrong http://nginx/auth_basic
> 
> all three calls return "403 Forbidden", which is ok and acceptable to me.
> 
> switching to auth_ldap the results are different:
> 
> 	ldap_server ldap-server {
> 	  url ldap://ldap-server/dc=example?cn?sub?(objectclass=top);
> 	  require valid_user;
> 	}
> 	server {
> 	  listen *:80;
> 	  deny all;
> 	  location /auth_ldap {
> 	    auth_ldap "auth_ldap";
> 	    auth_ldap_servers "ldap-server";
> 	  }
> 	}
> 
> $ curl -v               http://nginx/auth_ldap
> $ curl -v -u user:wrong http://nginx/auth_ldap
> 	return "401 Unauthorized"	expected: "403 Forbidden"
> 
> $ curl -v -u user:pass  http://nginx/auth_ldap
> 	return "403 Forbidden"
> 
> Is there anything wrong with my configuration or is the unexpected request for authentication
> a result of how https://github.com/kvspb/nginx-auth-ldap is written?

This is a result of how nginx-auth-ldap is written.  Or, more 
strictly, how it adds itself into nginx request processing 
pipeline - it simply adds itself as an HTTP module, and ends up 
called before the access module.

It is relatively easily to fix assuming dynamic module linking 
(that is, if you are using the "load_module" directive to load the 
module), just using

    ngx_module_order="ngx_http_auth_ldap_module ngx_http_access_module"

should do the trick.  For static linking it wouldn't be that easy 
though, as static linking does not support module order selection 
via ngx_module_order, and appropriate configure variables with 
lists of modules needs to be adjusted directly instead.

Quick-and-dirty workaround would be to use auth_request as a 
"proxy" for auth_ldap.

-- 
Maxim Dounin
http://mdounin.ru/

More information about the nginx mailing list