nginxinc/nginx-ldap-auth

Limit LDAP authentication to specific user or group

enidvrenozaj opened this issue · 4 comments

Hi,
Is there any possibility that we can limit the LDAP authentication to some specific group or user?
Is this even possible with the nginx-ldap-auth daemon?

Something similar to: X-Ldap-Allowed-Usr/X-Ldap-Allowed-Grp or any other configuration/headers

Thanks

oxpa commented

Enid,
You can hardcode part of a filter, or use an nginx configuration map block to restrict that.
So yes, you can limit auth to a group/user.

@oxpa
Thank you for your reply:
I see that we can use this header:
proxy_set_header X-Ldap-Template "(&(cn=%(username)s)(memberOf=cn=group1,cn=Users,dc=example,dc=com))";
which does what I need, but unfortunately it uses the memberOf attribute on the LDAP server, which in my case is not enabled/configured, and it is a bit difficult to do it now as I do not have all the freedom to do it on a live system.

The question is whether I can use any filter other than memberOf which can correlate a user to a group during authentication?

Thanks

oxpa commented

Enid,
You can change the filter to whatever you need. 'memberOf' is just an example.
Usually, what you want to do is build a filter using 'ldapsearch' or another program and then use the result as a template in nginx.

Hi,
In my case the issue was with the current LDAP server setup, where posixAccount/posixGroup is used instead of the organizationalPerson/groupOfNames method of user/group creation, where we can use the memberOf attribute of each user, thus making the filter an easy thing to use.
It is not possible for me to apply this change, so I was looking at an nginx config map block to see if it is possible to apply some limitation in this way. I want to use LDAP-authenticated users and not the auth_basic method with htpasswd.
Any help on how I can achieve this is appreciated.

Thank you
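
One way to apply the map-block restriction mentioned in the replies when memberOf is not available, as an added example that is not part of the thread or the project's own configuration. The user names, ports, LDAP URL, base DN and the `uid` filter are assumptions, and it presumes clients send HTTP Basic credentials:

```nginx
# Added example; all names, addresses and DNs are placeholders.
# The map goes in the http {} context.

# 1 = reject. An empty $remote_user (no Authorization header yet) is let
# through so the daemon can still answer 401 and trigger the Basic prompt.
map $remote_user $ldap_user_denied {
    default 1;
    ""      0;
    alice   0;   # constructed allowlist entries
    bob     0;
}

server {
    listen 8081;

    location / {
        # The rewrite phase runs before auth_request, so names outside
        # the allowlist get 403 without any LDAP lookup.
        if ($ldap_user_denied) {
            return 403;
        }
        # Allowlisted names must still pass the LDAP bind.
        auth_request /auth-proxy;
        proxy_pass http://127.0.0.1:9000/;   # placeholder backend
    }

    location = /auth-proxy {
        internal;
        proxy_pass http://127.0.0.1:8888;    # assumed daemon address
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Ldap-URL      "ldap://ldap.example.com";
        proxy_set_header X-Ldap-BaseDN   "ou=People,dc=example,dc=com";
        # posixAccount entries are matched on uid; no memberOf needed.
        # Add X-Ldap-BindDN / X-Ldap-BindPass if anonymous search is refused.
        proxy_set_header X-Ldap-Template "(uid=%(username)s)";
    }
}
```

`$remote_user` is only populated from an `Authorization: Basic` header, so this allowlist does not constrain logins that reach the daemon through its cookie-based login form. The list of permitted names also lives in the nginx configuration rather than in the directory, so it has to be kept in step with the posixGroup by hand.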