
LDAP: No re-authentication with auth_ldap_cache_enabled off

Open mithun0119 opened this issue 5 years ago • 6 comments

I am running a web application behind nginx, using it as a reverse proxy to authenticate with AD and for SSL termination. Now my issue is, if I log in with credentials in a particular browser (Chrome, for example), the session doesn't terminate: even if I leave any of my Chrome tabs (with anything open) for days together, it never asks for credentials again when I refresh or open the URL in a new tab, unless I close all the instances of Chrome or clear the cache/cookies.

My config:

### Using nested groups, hence no group directive used ##
ldap_server adauth {
    url "ldap://xxxx?sAMAccountName?sub?";
    url "ldap://xxxx?sAMAccountName?sub?(&(memberOf:1.2.840.113556.1.4.1941:=CN=,OU=xx,DC=xx,DC=,DC=xx0(objectClass=person))";
    binddn "@";
    binddn_passwd "*****";
    UAT,OU=xx,DC=xx,DC=xx,DC=xx";
    require valid_user;
    max_down_retries 10;
    connections 50;
}

## Authentication with Active Directory ##
auth_ldap_cache_enabled off;

proxy_cache_path /opt/nginx/cache levels=1:2 keys_zone=mycache:20m max_size=1G;
proxy_temp_path /opt/nginx/tmp_cache/;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_bypass $cookie_nocache;
proxy_no_cache $cookie_nocache;

server {
    listen 443 ssl;
    server_name testserver.com;
    auth_ldap "Enter your AD username/password";
    auth_ldap_servers adauth;
    ssl on;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 1m;
    ssl_protocols SSLv2 SSLv3 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    ssl_certificate /xxx.cer;
    ssl_certificate_key /xxx.key;
    access_log /var/log/nginx/test.log;
    error_log /var/log/nginx/test-error.log error;

    location / {
        add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
        expires off;
        keepalive_timeout 5s;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:3838;
        proxy_read_timeout 90;
        proxy_buffering off;
        proxy_redirect / $scheme://$host/;
    }
}

I am using nginx 1.13.1 configured with the options below:

nginx version: nginx/1.13.1 (Ubuntu)
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=www-data --group=www-data --build=Ubuntu --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-openssl=../openssl-1.1.0f --with-openssl-opt=enable-ec_nistp_64_gcc_128 --with-openssl-opt=no-nextprotoneg --with-openssl-opt=no-weak-ssl-ciphers --with-openssl-opt=no-ssl3 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_slice_module --with-http_ssl_module --with-http_sub_module --with-http_stub_status_module --with-http_v2_module --with-http_secure_link_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-debug --add-module=../nginx-auth-ldap --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'

mithun0119 commented Aug 02 '19 09:08

@kvspb Can you please help me out here.

mithun0119 commented Aug 06 '19 07:08

This is likely handled in the cookie you're getting when you auth. They tend to have an expiration time in the cookie which will determine when you'll have to re-auth. Pretty sure this isn't a module issue but one tied to your browser or LDAP server.

rmendal commented Aug 15 '19 20:08
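rmendal's point, illustrated with an added Python model that is not part of this thread or of the module's code: auth_ldap_cache_enabled only controls whether nginx re-binds to LDAP for credentials it has already verified, while the browser keeps the Basic credentials for its whole session and resends them on every request, so the login dialog appears only once either way. DIRECTORY, AuthLdapLocation and Browser are constructed stand-ins, and the cache logic is a simplification rather than the module's implementation.

```python
# Added example, not nginx-auth-ldap code. It models the two caches involved:
# auth_ldap_cache_enabled controls only the server-side cache of verified
# credentials; the browser's own store of Basic credentials is untouched.
import base64

DIRECTORY = {"alice": "s3cret"}  # constructed stand-in for the AD bind


class AuthLdapLocation:
    """Stateless per-request check, as nginx makes it, plus the optional cache."""

    def __init__(self, cache_enabled, cache_expiration=10.0):
        self.cache_enabled, self.cache_expiration = cache_enabled, cache_expiration
        self.cache, self.binds = {}, 0  # binds counts LDAP round trips

    def handle(self, headers, now):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401  # no credentials on this request: challenge the client
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if self.cache_enabled and self.cache.get((user, pw), 0) > now:
            return 200  # cache hit: LDAP is not contacted
        self.binds += 1
        if DIRECTORY.get(user) != pw:
            return 401
        if self.cache_enabled:
            self.cache[(user, pw)] = now + self.cache_expiration
        return 200


class Browser:
    """Keeps Basic credentials for the whole browser session and resends them."""

    def __init__(self):
        self.creds, self.prompts = None, 0

    def get(self, loc, now):
        headers = {"Authorization": self.creds} if self.creds else {}
        if loc.handle(headers, now) == 401:
            self.prompts += 1  # user sees the login dialog, types alice/s3cret
            self.creds = "Basic " + base64.b64encode(b"alice:s3cret").decode()
            return loc.handle({"Authorization": self.creds}, now)
        return 200


def simulate(cache_enabled, requests=5, gap=86400.0):
    """Returns (login prompts seen, LDAP binds made) for requests gap seconds apart."""
    loc, browser = AuthLdapLocation(cache_enabled), Browser()
    for i in range(requests):
        browser.get(loc, now=i * gap)
    return browser.prompts, loc.binds
```

With the cache off every request costs an LDAP bind, with it on and requests inside the expiry window only the first does, but the prompt count is one in every case because only the browser ever drops the credentials.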

Hi @mithun0119 - did you manage to achieve this? Thanks!

Harrtron commented Nov 18 '19 17:11


No Harrtron, I never managed to find a fix. Please do let me know if you find any.

mithun0119 commented Nov 19 '19 00:11

Hi @mithun0119, I am also facing the same issue. Any luck in finding a fix for the above-mentioned issue?

amruthapbhat commented Mar 29 '20 10:03

Hi Amrutha, no luck. I just left it there. So if the browsers are all closed and reopened, then the cookie is gone and it prompts for credentials; otherwise it just takes me in.

mithun0119 commented Mar 31 '20 14:03