nginx-ldap-auth icon indicating copy to clipboard operation
nginx-ldap-auth copied to clipboard
verified publisher icon nginxinc

unable to authenticate against AD using nginx-ldap-auth as a container

Open Bodzz96 opened this issue 8 months ago • 0 comments

Hello All,

I hope you are doing well, I'm unable to authenticate against AD using nginx-ldap-auth as a container,

in the access.log i see, GET / HTTP/1.1" 401 574 and the login form just appears again,

I have the nginx default configuration nginx.conf along with some other apps in the /conf.d/http

in the /etc/nginx/conf.d/http/nginx-ldap-auth.conf i filled the configuration as follows: #error_log logs/error.log debug;

#events { }

#http { #proxy_cache_path cache/ keys_zone=auth_cache:10m;

# The back-end daemon listens on port 9000 as implemented
# in backend-sample-app.py.
# Change the IP address if the daemon is not running on the
# same host as NGINX/NGINX Plus.
upstream backend {
    server proctected-app.com;
}

# NGINX/NGINX Plus listen on port 8081 for requests that require
# authentication. Change the port number as appropriate.
server {
    listen 443;
    server_name url-configured.com;

    # Protected application
    location / {
        auth_request /auth-proxy;

        # redirect 401 to login form
        # Comment them out if using HTTP basic authentication.
        # or authentication popup won't show
        error_page 401 = /login;

        proxy_pass https://backendapp;
    }

    location /ldaplogin {
        proxy_pass http://url-to-ldap-auth-container:9000;
        # Login service returns a redirect to the original URI
        # and sets the cookie for the ldap-auth daemon
    }

    location = /auth-proxy {
        internal;

        # The ldap-auth daemon listens on port 8888, as set
        # in nginx-ldap-auth-daemon.py.
        # Change the IP address if the daemon is not running on
        # the same host as NGINX/NGINX Plus.
        proxy_pass http://url-to-ldap-auth-container:8888;

        proxy_pass_request_body off;
        proxy_pass_request_headers off;
        proxy_set_header Content-Length "";
        proxy_set_header        X-Original-URI $request_uri;
        #proxy_cache auth_cache;
        #proxy_cache_valid 200 10m;

        # The following directive adds the cookie to the cache key
        #proxy_cache_key "$http_authorization$cookie_nginxauth";

        # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
        # communicates with a LDAP server, passing in the following
        # parameters to specify which user account to authenticate. To
        # eliminate the need to modify the Python code, this file contains
        # 'proxy_set_header' directives that set the values of the
        # parameters. Set or change them as instructed in the comments.
        #
        #    Parameter      Proxy header
        #    -----------    ----------------
        #    url            X-Ldap-URL
        #    starttls       X-Ldap-Starttls
        #    basedn         X-Ldap-BaseDN
        #    binddn         X-Ldap-BindDN
        #    bindpasswd     X-Ldap-BindPass
        #    cookiename     X-CookieName
        #    realm          X-Ldap-Realm
        #    template       X-Ldap-Template

        # (Required) Set the URL and port for connecting to the LDAP server,
        # by replacing 'example.com'.
        # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
        proxy_set_header X-Ldap-URL      "ldaps://AD.com:363";

        # (Optional) Establish a TLS-enabled LDAP session after binding to the
        # LDAP server.
        # This is the 'proper' way to establish encrypted TLS connections, see
        # http://www.openldap.org/faq/data/cache/185.html
        #proxy_set_header X-Ldap-Starttls "true";

        # (Required) Set the Base DN, by replacing the value enclosed in
        # double quotes.
        proxy_set_header X-Ldap-BaseDN   "OU=IT,DC=AD,DC=com";

        # (Required) Set the Bind DN, by replacing the value enclosed in
        # double quotes.
        proxy_set_header X-Ldap-BindDN   "CN=root,DC=ad,DC=com";

        # (Required) Set the Bind password, by replacing 'secret'.
        proxy_set_header X-Ldap-BindPass "passwd";

        # (Required) The following directives set the cookie name and pass
        # it, respectively. They are required for cookie-based
        # authentication. Comment them out if using HTTP basic
        # authentication.
        proxy_set_header X-CookieName "nginxauth";
        proxy_set_header Cookie nginxauth=$cookie_nginxauth;

        # (Optional) Uncomment if using HTTP basic authentication
        #proxy_set_header Authorization $http_authorization;

        # (Required if using Microsoft Active Directory as the LDAP server)
        # Set the LDAP template by uncommenting the following directive.
        proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)(&(cn=%(username)s)(memberOf=OU=IT,DC=AD,DC=com))";

        # (May be required if using Microsoft Active Directory and
        # getting "In order to perform this operation a successful bind
        # must be completed on the connection." errror)
        #proxy_set_header X-Ldap-DisableReferrals "true";

        # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
        # template by uncommenting the following directive and replacing
        # '(cn=%(username)s)' which is the default set in
        # nginx-ldap-auth-daemon.py.
        #proxy_set_header X-Ldap-Template "(cn=%(username)s)";

        # (Optional) Set the realm name, by uncommenting the following
        # directive and replacing 'Restricted' which is the default set
        # in nginx-ldap-auth-daemon.py.
        #proxy_set_header X-Ldap-Realm    "Restricted";
    }
}

#}

Bodzz96 avatar Mar 25 '25 13:03 Bodzz96