Connecting Nginx to LDAP/Kerberos

A. Schulze sca at andreasschulze.de
Mon Sep 12 19:22:03 UTC 2016



On 12.09.2016 at 21:04, Joshua Schaeffer wrote:
> - https://github.com/kvspb/nginx-auth-ldap

I'm using that one to authenticate my users.

auth_ldap_cache_enabled         on;
ldap_server my_ldap_server {
     url                         ldaps://ldap.example.org/dc=users,dc=mybase?uid?sub;
     binddn                      cn=nginx,dc=mybase;
     binddn_passwd               ...;
     require                     valid_user;
}

server {
   ...
   location / {
     auth_ldap                   "foobar";
     auth_ldap_servers           "my_ldap_server";

     root                        /srv/www/...;
   }
}

This is as documented at https://github.com/kvspb/nginx-auth-ldap, except my auth_ldap statements are inside the location,
while the docs suggest them outside.
Q: Does that matter?

I found it useful to explicitly set "auth_ldap_cache_enabled on" but cannot remember the detailed reasons.
Finally: it's working as expected for me (basic auth, no Kerberos).

BUT: I fail to compile this module with openssl-1.1.0.
I sent a message to https://github.com/kvspb some days ago but have got no response till now.

The problem (nginx-1.11.3 + openssl-1.1.0 + nginx-auth-ldap):

cc -c -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall   -I src/core -I src/event -I src/event/modules -I src/os/unix -I /opt/local/include -I objs -I src/http -I src/http/modules -I src/http/v2 \
         -o objs/addon/nginx-auth-ldap-20160428/ngx_http_auth_ldap_module.o \
         ./nginx-auth-ldap-20160428//ngx_http_auth_ldap_module.c
./nginx-auth-ldap-20160428//ngx_http_auth_ldap_module.c: In function 'ngx_http_auth_ldap_ssl_handshake':
./nginx-auth-ldap-20160428//ngx_http_auth_ldap_module.c:1325:79: error: dereferencing pointer to incomplete type
          int setcode = SSL_CTX_load_verify_locations(transport->ssl->connection->ctx,
                                                                                ^
./nginx-auth-ldap-20160428//ngx_http_auth_ldap_module.c:1335:80: error: dereferencing pointer to incomplete type
        int setcode = SSL_CTX_set_default_verify_paths(transport->ssl->connection->ctx);
                                                                                 ^
make[2]: *** [objs/addon/nginx-auth-ldap-20160428/ngx_http_auth_ldap_module.o] Error 1
objs/Makefile:1343: recipe for target 'objs/addon/nginx-auth-ldap-20160428/ngx_http_auth_ldap_module.o' failed

Maybe the list has a suggestion...


