auth_ldap
Igor Sysoev
is at rambler-co.ru
Wed Aug 20 17:57:45 MSD 2008
On Wed, Aug 20, 2008 at 09:47:12AM -0400, Michael wrote:
> On Wed, Aug 20, 2008 at 14:49:41, Markus Teichmann said...
>
> > > Wouldn't it be better to do the bind as the user authenticating? There's no
> > > need to do the extra step of performing an administrator bind, then look up
> > > the user in an additional operation.
> >
> > The look up is needed if the user authenticates not with its dn.
> > Sometimes the uid is used for authenticating. Therefore the lookup is
> > needed.
>
> Ah yes, that's a good point, I tend to use unix usernames as the dn myself.
> I'm doing this (on apache) this way now.
>
> You should also consider adding a filter, like apache does this, eg:
>
> Require ldap-filter |(employeeType=Staff)(employeeType=Freelance)

I do not know LDAP syntax, but in nginx style it's better to use variables:

    auth_ldap_query
        "ou=People,dc=chaos,dc=jmt,uid=$remote_user,...|(employeeType=Staff)...";

--
Igor Sysoev
http://sysoev.ru/en/
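
Added example, not part of the original message and not nginx or Apache code: when a request variable such as $remote_user is substituted into an LDAP search filter for the lookup discussed above, its value has to be escaped per RFC 4515 so that it stays a literal. The function names are hypothetical; the uid and employeeType attributes come from the thread.

```python
from typing import Iterable

# RFC 4515 section 3: these characters must be written as a backslash
# followed by two hex digits when they appear inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as a literal inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(remote_user: str, employee_types: Iterable[str]) -> str:
    """Build the search filter for the lookup step of search-then-bind.

    Result shape: (&(uid=<user>)(|(employeeType=A)(employeeType=B)))
    Hypothetical helper; every interpolated value is escaped first.
    """
    if not remote_user:
        # Refuse to search for an empty username.
        raise ValueError("empty username")

    user_part = "(uid=%s)" % escape_filter_value(remote_user)
    type_parts = [
        "(employeeType=%s)" % escape_filter_value(t) for t in employee_types
    ]

    if not type_parts:
        return user_part
    if len(type_parts) == 1:
        return "(&%s%s)" % (user_part, type_parts[0])
    return "(&%s(|%s))" % (user_part, "".join(type_parts))


if __name__ == "__main__":
    # Constructed sample input.
    print(build_user_filter("jdoe", ["Staff", "Freelance"]))
```
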