auth_request vs auth_pam_service_name

nginxuser100 nginx-forum at nginx.us
Mon Jan 12 21:56:01 UTC 2015


Hi, I am a newbie at nginx and looking at its authentication capabilities.
It appears that when using auth_request, every client request would still
require an invokation to the auth_request fastcgi or proxy_pass server.
Looking at auth_pam, I am not clear on how it works:

1. How does nginx pass the user credentials to the PAM module?

2. Would nginx remember that a user has been authenticated? Perhaps via a
cookie that'd be returned by PAM? I looked at the nginx pam source code and
didn't see it returning any cookie to nginx ... perhaps PAM does it by
storing it on some context that's returned to NGINX?

3. Is the auth_pam directive mandatory? When I used it with 
locate /
{
  auth_pam "Login Banner"; 
  auth_required_service_name "nginx"; 
} 
where the PAM nginx file had 'auth required pam_unix.so"
a user/password login page popped up. But even after I entered a valid
user/pwd and hit <cr>, the same login page would pop up again, prompting for
a user/pwd. I got the same behavior even after removing the
auth_required_service_name statement. 
Can someone explain the behavior I experienced?

4. Is there a way for us to provide our own Login html page to the user? If
yes, how do we do it and how would we pass the credentials to NGINX?

5. NGINX chooses the authentication method (local vs ldap vs rsa etc) based
on the server/uri. For example, /www.example.org users would be
authenticated via LDAP: location /example { auth_pam_service_name "authFile"
} and the authFile would contains "auth required ldap.so"

Is there a way to configure nginx to base the authentication method on some
user configuration outside of nginx?

Thank you for any clarifications!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256075,256075#msg-256075



More information about the nginx mailing list