Nginx with LDAP-authentication
Monday, December 23. 2013
I've been a fan of Nginx for a couple of years. It performs so much better than the main competitor Apache HTTP Server. However, on the negative side is that Nginx does not have all the bells and whistles as the software which has existed since dawn of Internet.
So I have to do lot more myself to get the gain. I package my own Nginx RPM and have modified couple of the add-on modules. My fork of the Nginx LDAP authentication module can be found from https://github.com/HQJaTu/nginx-auth-ldap.
It adds following functionality to Valery's version:
- per location authentication requirements without defining the same server again for different authorization requirement
- His version handles different requirement by defining new servers.
- They are not actual new servers, the same server just is using different authorization requirement for a Nginx-location.
- case sensitive user accounts, just like all other web servers have
- One of the services in my Nginx is Trac. It works as any other *nix software. User accounts are case sensitive.
- However, in LDAP pretty much nothing is. The default schema defines most things as case insensitive.
- The difference must be compensated during authentication into Nginx. That's why I added the :caseExactMatch: into LDAP search filter.
- LDAP-users can be specified with UID or DN
- In Apache, a required user is typically specified as require user admin.
- Now in LDAP-oriented approach the module requires users to be specified as a DN (for the non-LDAP people a DN is an unique name for an entry in the LDAP).
- LDAP does have the UID (user identifier), so in my version it also is a valid requirement.
IMHO those changes make the authentication much, much more useful.
Thanks Valery for the original version!
(Page 1 of 1, totaling 1 entries)