sepich
User and Group access enforcement not working
Hi!
I've implemented your nginx-ldap-auth module and it authenticates pretty well, nice job!
The only issue is, when I'm trying to set up authorization (user and group access enforcement), it's not working and users who are not members of specified groups and not listed in respective allowed list, are still able to log in and access the website.
My config snippet for it is as follows:
` root /usr/share/nginx/html;
set $user '';
set $group '';
location = /auth-proxy {
internal;
proxy_pass http://127.0.0.1:8888;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Ldap-Realm "NGINX Plus Live Dashboard";
proxy_set_header X-Ldap-Allowed-Usr $user;
proxy_set_header X-Ldap-Allowed-Grp $group;
proxy_cache auth_cache;
proxy_cache_valid 200 15m;
proxy_cache_key "$http_authorization$user$group";
}
location = /status.html {
set $user "user1";
set $group "Admins";
auth_request /auth-proxy;
}
location = / {
set $user "user1";
set $group "Admins";
auth_request /auth-proxy;
return 301 /status.html;
}
location /status {
set $user "user1";
set $group "Admins";
auth_request /auth-proxy;
status;
status_format json;
}`
Can you advice if anything is wrong in the config or maybe which debugs I can attach to assit you in the troubleshooting?
i'm seeing enforcement not working, albeit slightly diff than the above report. It is the case where a valid user with an empty password results in a 200 -instead of checking the None.
Simple patch might look something like this -
try:
if not passwd:
raise ldap.INVALID_CREDENTIALS
ldap_connection.simple_bind_s(data['distinguishedName'][0], passwd)
except ldap.INVALID_CREDENTIALS:
See also: https://github.com/python-ldap/python-ldap/issues/174
