kvspb/nginx-auth-ldap

'Require user' works incorrectly.

Frikitrok opened this issue · 12 comments

I'm trying to make auth work for only one user out of all of LDAP. And it works, but with one bug. The user should enter the correct password, but he can enter anything (not an empty string) in the name input field and he is still good. So the name variable is kind of ignored. Is it possible to fix? My configs:

ldap_server ldap1 {
url ldap://ldap_host:389/dc=example,dc=com?uid?sub?(&(objectClass=posixAccount));
binddn "cn=admin,dc=example,dc=com";
binddn_passwd "password";
group_attribute uid;
group_attribute_is_dn on;
#require valid_user;
#group_attribute uniquemember;
require valid_user "uid=usename,ou=People,dc=example,dc=com";
satisfy all;
}

Also, when I replace valid_user with the user variable I can't log in, and the error log is empty -_-

require valid_user "uid=usename,ou=People,dc=example,dc=com";

Not sure if this is correct; see https://github.com/kvspb/nginx-auth-ldap#require

Search the issues for examples. There are many out there.

Here I don't see any description of user and valid_user. I can't understand the difference. So is it possible to make auth for only one user, which I will configure in the nginx conf? But this user should still write his creds in the name/password fields.

Already documented how to write the line correctly:

require user "CN=Batman,OU=Users,OU=New York Office,OU=Offices,DC=company,DC=com";

Not sure if you can "lock" access to one specific user.
Maybe on your url.

Also, when I replace valid_user with the user variable I can't log in, and the error log is empty -_-

Just noticed this line in your comment.

Does valid_user work? Instead of 1 user, all users?

Try narrowing your url; I tried on my test box and it worked:

    ldap_server ldap_local {
        url "ldap://localhost/ou=people,dc=datacom,dc=net?uid?sub?(uid=user)";
        ...
        ...
        require valid_user;
    }
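To see why narrowing the url filter restricts logins to one account, here is an added simulation (not code from the issue thread or from nginx-auth-ldap) of the two-step flow the module is assumed to follow: AND the url's filter with `(<attr>=<typed name>)`, require exactly one matching entry under the base DN, then bind as that entry with the typed password. The directory, the DIRECTORY/BROAD/NARROW names and the password check are constructed for this example; the real module performs an LDAP bind rather than comparing a stored value.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample directory; attribute names are lowercased because the matcher lowercases them.
DIRECTORY = {
    "uid=user,ou=people,dc=example,dc=com":
        {"objectclass": ["posixAccount"], "uid": ["user"], "userpassword": ["s3cret"]},
    "uid=alice,ou=people,dc=example,dc=com":
        {"objectclass": ["posixAccount"], "uid": ["alice"], "userpassword": ["hunter2"]},
}
BROAD = "ldap://ldap_host:389/dc=example,dc=com?uid?sub?(&(objectClass=posixAccount))"
NARROW = "ldap://ldap_host:389/dc=example,dc=com?uid?sub?(uid=user)"

def parse_ldap_url(url):
    """Split an RFC 2255 LDAP URL (the `url` directive) into base DN, attribute, scope, filter."""
    parts = urlsplit(url)
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    return (unquote(parts.path.lstrip("/")), fields[0] or "uid",
            fields[1] or "base", unquote(fields[2]) or "(objectClass=*)")

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed username cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def user_search_filter(url_filter, attr, username):
    """Assumed module behaviour: AND the URL filter with (<attr>=<username>)."""
    return f"(&{url_filter}({attr}={escape_filter_value(username)}))"

def _parse(s, i=0):
    """Parser for the filter subset used here: (&...) and (attr=value)."""
    if s[i + 1] == "&":
        subs, i = [], i + 2
        while s[i] != ")":
            node, i = _parse(s, i)
            subs.append(node)
        return ("and", subs), i + 1
    j = s.index(")", i)
    attr, _, val = s[i + 1:j].partition("=")
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return ("eq", attr.lower(), val), j + 1

def _matches(node, entry):
    if node[0] == "and":
        return all(_matches(n, entry) for n in node[1])
    _, attr, val = node
    return attr in entry if val == "*" else val in entry.get(attr, [])

def simulate_login(url, directory, username, password):
    """Search for exactly one entry under the base, then 'bind' as it (scope is ignored here)."""
    base, attr, _scope, url_filter = parse_ldap_url(url)
    node, _ = _parse(user_search_filter(url_filter, attr, username))
    hits = [dn for dn, e in directory.items()
            if dn.lower().endswith(base.lower()) and _matches(node, e)]
    if len(hits) != 1:  # nothing matched or ambiguous: reject
        return False
    return password in directory[hits[0]].get("userpassword", [])  # simulated bind
```

With BROAD any account in the directory can log in; with NARROW the composed filter `(&(uid=user)(uid=alice))` can never match, so only `user` gets through.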

When I write it this way, I can't log in at all, and my error log is still empty. It's like the ldap plugin can find the user but for some reason doesn't let him in, and for some reason doesn't write logs.

valid_user works, but with one issue: the user should enter only a valid password, but in the name field he can write something like 'asdasdakjsdgjhas' or 'asd' and he is good.

When I write it this way, I can't log in at all, and my error log is still empty. It's like the ldap plugin can find the user but for some reason doesn't let him in, and for some reason doesn't write logs.

Can you do a successful ldap bind based off of your url using the user/user credentials?
Something like:

ldapsearch -xLLL -h ldap_host -p 389 -b dc=example,dc=com "(objectClass=posixAccount)" -D uid=user,bla,bla -w 'userpass'

Then try your asdfasdfas test:

ldapsearch -xLLL -h ldap_host -p 389 -b dc=example,dc=com "(objectClass=posixAccount)" -D uid=asdasdf,bla,bla -w 'asdfsda'

Also, not sure if you need the group* settings if you only auth one user.

btw this one works well for me:
ldap_server ldap_local {
url "ldap://localhost/ou=people,dc=datacom,dc=net?uid?sub?(uid=user)";
...
...
require valid_user;
}
Thank you.

Glad it works.
Close issue.

Yes, add this one template to your wiki as an example for other users:

ldap_server ldap1 {
url ldap://ldap_hostname:389/dc=example,dc=com?uid,mail,cn?sub?(uid=user_name);
binddn "cn=admin,dc=example,dc=com";
binddn_passwd "pass";
require valid_user;
}