difference between auth_basic and auth_ldap
Maxim Dounin
mdounin at mdounin.ru
Sun Jan 3 22:17:01 UTC 2021
Hello!
On Fri, Jan 01, 2021 at 08:39:01PM +0100, A. Schulze wrote:
> Hello & happy new year!
>
> my goal is to configure nginx to deny access from most client IPs but allow access from special IPs
> for authenticated users. This works for basic_authentication as expected but behaves differently with auth_ldap.
> I use https://github.com/kvspb/nginx-auth-ldap.
>
> simplified configuration with no allowed IPs at all:
>
> server {
>     listen *:80;
>     deny all;
>     location /auth_basic {
>         auth_basic "auth_basic";
>         auth_basic_user_file /path/to/auth_basic_user_file;
>     }
> }
>
> $ curl -v http://nginx/auth_basic
> $ curl -v -u user:pass http://nginx/auth_basic
> $ curl -v -u user:wrong http://nginx/auth_basic
>
> all three calls return "403 Forbidden", which is ok and acceptable to me.
>
> switching to auth_ldap the results are different:
>
> ldap_server ldap-server {
>     url ldap://ldap-server/dc=example?cn?sub?(objectclass=top);
>     require valid_user;
> }
> server {
>     listen *:80;
>     deny all;
>     location /auth_ldap {
>         auth_ldap "auth_ldap";
>         auth_ldap_servers "ldap-server";
>     }
> }
>
> $ curl -v http://nginx/auth_ldap
> $ curl -v -u user:wrong http://nginx/auth_ldap
> return "401 Unauthorized"; expected: "403 Forbidden"
>
> $ curl -v -u user:pass http://nginx/auth_ldap
> returns "403 Forbidden"
>
> Is there anything wrong with my configuration or is the unexpected request for authentication
> a result of how https://github.com/kvspb/nginx-auth-ldap is written?
This is a result of how nginx-auth-ldap is written. Or, more
strictly, how it adds itself into the nginx request processing
pipeline - it simply adds itself as an HTTP module, and ends up
called before the access module.

It is relatively easy to fix assuming dynamic module linking
(that is, if you are using the "load_module" directive to load the
module); just using

ngx_module_order="ngx_http_auth_ldap_module ngx_http_access_module"

should do the trick. For static linking it wouldn't be that easy
though, as static linking does not support module order selection
via ngx_module_order, and the appropriate configure variables with
lists of modules need to be adjusted directly instead.

A quick-and-dirty workaround would be to use auth_request as a
"proxy" for auth_ldap.
--
Maxim Dounin
http://mdounin.ru/
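The auth_request workaround mentioned in the reply, written out as an added example that is not part of the original thread. It assumes nginx-auth-ldap is loaded and keeps the ldap_server block from the question; the 192.0.2.0/24 range stands in for the "special IPs" and is a constructed placeholder.

```nginx
# Added example, not from the original posts. The auth_request module
# registers as a standard access-phase handler and runs after
# ngx_http_access_module, so allow/deny is evaluated before any LDAP
# round trip and before the client is ever challenged for credentials.
ldap_server ldap-server {
    url ldap://ldap-server/dc=example?cn?sub?(objectclass=top);
    require valid_user;
}

server {
    listen *:80;

    # Access rules are checked in order, first match wins:
    # allow the trusted range (placeholder), deny everyone else.
    allow 192.0.2.0/24;
    deny  all;

    location /auth_ldap {
        # With the default "satisfy all", a request must pass both the
        # access check above and this subrequest. Denied IPs get 403
        # here and never reach the LDAP check; allowed IPs that fail
        # LDAP get the 401 (and WWW-Authenticate header) the subrequest
        # produced, passed through by auth_request.
        auth_request /_ldap_check;
    }

    location = /_ldap_check {
        internal;                 # not reachable directly from clients
        auth_ldap "auth_ldap";
        auth_ldap_servers "ldap-server";

        # Do not use "return 204" here: "return" runs in the rewrite
        # phase, before the access phase where auth_ldap executes, and
        # would let the subrequest succeed without authenticating.
        # empty_gif is a content-phase handler, so auth_ldap runs first
        # and its 200 response satisfies auth_request.
        empty_gif;
    }
}
```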