difference between auth_basic and auth_ldap

A. Schulze sca at andreasschulze.de
Fri Jan 1 19:39:01 UTC 2021

Hello & happy new year!

My goal is to configure nginx to deny access from most client IPs but allow access from special IPs
for authenticated users. This works for basic_authentication as expected but behaves differently with auth_ldap.
I use https://github.com/kvspb/nginx-auth-ldap.

simplified configuration with no allowed IPs at all:

	server {
	  listen *:80;
	  deny all;
	  location /auth_basic {
	    auth_basic "auth_basic";
	    auth_basic_user_file /path/to/auth_basic_user_file;
	  }
	}

$ curl -v               http://nginx/auth_basic
$ curl -v -u user:pass  http://nginx/auth_basic
$ curl -v -u user:wrong http://nginx/auth_basic

all three calls return "403 Forbidden", which is ok and acceptable to me.

switching to auth_ldap the results are different:

	ldap_server ldap-server {
	  url ldap://ldap-server/dc=example?cn?sub?(objectclass=top);
	  require valid_user;
	}
	server {
	  listen *:80;
	  deny all;
	  location /auth_ldap {
	    auth_ldap "auth_ldap";
	    auth_ldap_servers "ldap-server";
	  }
	}

$ curl -v               http://nginx/auth_ldap
$ curl -v -u user:wrong http://nginx/auth_ldap
	return "401 Unauthorized"	expected: "403 Forbidden"

$ curl -v -u user:pass  http://nginx/auth_ldap
	return "403 Forbidden"

Is there anything wrong with my configuration or is the unexpected request for authentication
a result of how https://github.com/kvspb/nginx-auth-ldap is written?


	-> return "403 Forbidden"
