auth_ldap

Igor Sysoev is at rambler-co.ru
Wed Aug 20 17:57:45 MSD 2008


On Wed, Aug 20, 2008 at 09:47:12AM -0400, Michael wrote:

> On Wed, Aug 20, 2008 at 14:49:41, Markus Teichmann said...
> 
> > > Wouldn't it be better to do the bind as the user authenticating?  There's no
> > > need to do the extra step of performing an administrator bind, then look up
> > > the user in an additional operation.
> > 
> > The look up is needed if the user authenticates not with its dn.
> > Sometimes the uid is used for authenticating. Therefore the lookup is
> > needed.
> 
> Ah yes, that's a good point, I tend to use unix usernames as the dn myself.
> I'm doing this (on apache) this way now.
> 
> You should also consider adding a filter, like apache does this, eg:
> 
> Require ldap-filter |(employeeType=Staff)(employeeType=Freelance)

I do not know LDAP syntax, but in nginx style it's better to use variables:

auth_ldap_query
   "ou=People,dc=chaos,dc=jmt,uid=$remote_user,...|(employeeType=Staff)...";


-- 
Igor Sysoev
http://sysoev.ru/en/
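
The search-then-bind lookup discussed in this thread substitutes the login name ($remote_user) into an LDAP search filter, so the value has to be escaped per RFC 4515 before substitution. The following is an added example, not code from nginx or from any auth_ldap module; the function names are hypothetical, and the uid and employeeType attributes are the ones quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 4515):
 * '*', '(', ')' and '\' become \2a, \28, \29 and \5c.
 * Returns 0 on success, -1 if the output buffer is too small. */
static int escape_filter_value(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');
        if (o + (special ? 3 : 1) + 1 > outsz)
            return -1;
        if (special) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Build the lookup filter: the escaped login name is matched against uid
 * and ANDed with the employeeType restriction. Returns 0 on success,
 * -1 for an empty name or when the result does not fit. */
int build_user_filter(const char *remote_user, char *out, size_t outsz)
{
    char esc[256];
    int n;
    if (remote_user == NULL || remote_user[0] == '\0')
        return -1;
    if (escape_filter_value(remote_user, esc, sizeof(esc)) < 0)
        return -1;
    n = snprintf(out, outsz,
                 "(&(uid=%s)(|(employeeType=Staff)(employeeType=Freelance)))", esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char f[512];
    if (build_user_filter("a*(b)\\", f, sizeof(f)) == 0)  /* constructed input */
        puts(f);
    return 0;
}
```

The DN returned by a search with this filter is then used for the bind as the authenticating user.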




