Hello,
as a new user to this list, I just want to contribute my little auth_ldap
module. I hope you enjoy it. Here is an example conf file:
http {
    # LDAP URI
    auth_ldap_uri "ldap://127.0.0.1";

    server {
        listen 80;
        server_name localhost;

        location / {
            # Realm
            auth_ldap "LDAP Request";
            # Search Base
            auth_ldap_dn "ou=People,dc=chaos,dc=jmt";
            # The attribute to search for. Normally this is uid or cn
            auth_ldap_attribute "uid";
            # Activate the authentication
            # require off; will disable the module.
            require ldap-user;

            root html;
            index index.html index.htm;
        }
        ...
Also I have some questions during this coding. First of all, is there a
place for third party modules?
And much more important for me: how does the async calling mechanism in
nginx work? I've played around with NGX_AGAIN, but I didn't get the
expected result. So all the LDAP code is sync now. Would be nice to
change this.
Best Regards,
Markus Teichmann
on 19.08.2008 00:36
on 19.08.2008 00:55
I am very interested in seeing this mature. Well, only if it can work with Active Directory on a WinXP/Win2003 network. I would like to be able to use http auth on our intranet using LDAP (more specifically it would be best if I could use Windows Integrated Authentication) - I'd be willing to pay some cash if you want to tackle that!
on 19.08.2008 01:29
On Mon, Aug 18, 2008 at 3:50 PM, mike <mike503@gmail.com> wrote:
> I am very interested in seeing this mature.
>
> Well, only if it can work with Active Directory on a WinXP/Win2003
> network. I would like to be able to use http auth on our
> intranet using LDAP (more specifically it would be best if I could use
> Windows Integrated Authentication) - I'd be willing to pay some cash
> if you want to tackle that!

There are some quirks in AD implementation support between 2k, 2k3 and
2k8. I have learned this the hard way with Apache!

Cheers
Kon
on 19.08.2008 01:36
That's hopefully what someone would be working out if I paid :) I want to get nginx adopted everywhere including internally on our intranet. But we have WIA/NTLM/whatever the integrated authentication in IE6, IE7 and our Active Directory domain accounts. It's in IE6/IE7 and called WIA I believe (Windows Integrated Authentication) that uses NTLM/LDAP/whatever to transparently identify you based on your domain account is what I need. I tried to get this support in Lighttpd, but I no longer use or care about Lighty. I am all about nginx now.
on 19.08.2008 01:54
On Mon, Aug 18, 2008 at 4:30 PM, mike <mike503@gmail.com> wrote:
> all about nginx now.
Well there's not much to work out besides the implementation. :)
I am using Apache and ldap auth against 2k3 and 2k8 for SSO support in
our organization (for the few apps that require it i.e. subversion
users, etc.). The trick with 2k3 and 2k8 is that you need an
authorized user in the OU or group that has rights to query the
directory -- it cannot be done anonymously anymore as was the case
with 2k (IIRC).
2k8 royally broke everything for me as well, in that you can't query
across domains that are in the same forest, whereas with 2k3 you
could. But that is more of an Apache bug than anything else. The
downside with this annoyance is that if domain1 is being accessed with
ldap auth for a user in domain2, the dummy query account can't find
out about domain2's users. So you have to duplicate users on domain1
from domain2, and you're left with what can best be described as a CSO
clusterf*ck of a solution.
Markus if you're listening that may be something to note (there is an
outstanding authnz_ldap bug related to this).
Sigh.
Cheers
Kon
on 19.08.2008 02:15
I'm fine with however it has to work. We're still using XP and probably will for some time. I suppose as software moves on some of those kinks that can be fixed will be worked out. But that first step of getting the existing way implemented is key right now.
on 19.08.2008 09:05
Hello!

On Tue, Aug 19, 2008 at 12:23:02AM +0200, Markus Teichmann wrote:

> root html;
> index index.html index.htm;
> }
> ...
>
> Also I have some questions during this coding. First of all, is there a
> place for third party modules?

http://wiki.codemongers.com/NginxModules

> And much more important for me: how does the async calling mechanism in
> nginx work? I've played around with NGX_AGAIN, but I didn't get the
> expected result. So all the LDAP code is sync now. Would be nice to
> change this.

You should be able to return NGX_AGAIN from your handler and then post
write event on request socket to continue work (or even call
r->write_event_handler(r) or ngx_http_core_run_phases(r) directly, not
sure which method is preferred). See ngx_http_core_module.c for details
of how phases are handled.

Some minor notes about code:

1. You shouldn't use ngx_log_error_core() directly, use ngx_log_error()
instead. With ngx_log_error_core() it's impossible to control log level
from config.

2. This:

    ...
    /* compose filter */
    ngx_memzero(buf, NGX_HTTP_AUTH_BUF_SIZE);
    ngx_snprintf(buf, NGX_HTTP_AUTH_BUF_SIZE, "(%V=%V)",
                 &(conf->attribute), &(r->headers_in.user) );
    ...

is ugly and unsafe since result is used in libldap where null terminated
string expected. The ngx_snprintf does not terminate strings with '\0'
and doesn't preserve last character in buffer for it. Use something like

    p = ngx_snprintf(buf, NGX_HTTP_AUTH_BUF_SIZE - 1, ...);
    *p = '\0';

instead. It's also a good idea to check somewhere if result actually fits
into buffer - since truncated filter will probably make ldap unhappy.
Alternatively you may consider just allocating needed space from request
pool - nginx pool allocator works really fast and you don't need to free
memory (it's automatically freed upon request completion).

3. It doesn't compile here under FreeBSD 7.0 (gcc 4.2.1) with OpenLDAP
2.4.11 (current stable version, just installed). Warnings are treated as
errors under nginx build, and your module has many. Here is relevant
part:

[cut here]
gcc -c -O -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Wno-unused-function -Wunused-variable -Wunused-value -Werror -g -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/include -I objs -I src/http -I src/http/modules -I src/mail -o objs/addon/ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.o ../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c
cc1: warnings being treated as errors
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c: In function 'ngx_http_auth_ldap_handler':
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:140: warning: 'main' is usually a function
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:171: warning: pointer targets in passing argument 2 of 'ldap_initialize' differ in signedness
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:193: warning: pointer targets in passing argument 2 of 'ldap_search_ext_s' differ in signedness
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:193: warning: pointer targets in passing argument 4 of 'ldap_search_ext_s' differ in signedness
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:207: warning: implicit declaration of function 'ldap_simple_bind_s'
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:222: warning: implicit declaration of function 'ldap_unbind'
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:142: warning: unused variable 'p'
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c: In function 'ngx_http_auth_ldap_merge_loc_conf':
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:281: warning: unused variable 'result'
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c: In function 'ngx_http_auth_ldap_uri':
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:344: warning: pointer targets in passing argument 1 of 'ldap_is_ldap_url' differ in signedness
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c: In function 'ngx_http_auth_ldap_init_module':
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:355: warning: 'main' is usually a function
../ngx_http_auth_ldap_module-0.1/ngx_http_auth_ldap_module.c:361: warning: pointer targets in passing argument 2 of 'ldap_initialize' differ in signedness
*** Error code 1
[cut here]

Maxim Dounin
on 19.08.2008 13:54
On Tue, Aug 19, 2008 at 10:55:24AM +0400, Maxim Dounin wrote:

> > listen 80;
> > # require off; will disable the module.
> http://wiki.codemongers.com/NginxModules
> for details of how phases are handled.

Just warning: it should work, but I have no module to prove this
functionality.

> ngx_memzero(buf, NGX_HTTP_AUTH_BUF_SIZE);
> *p = '\0';

ngx_snprintf has "%Z" for zero: "(%V=%V)%Z"
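The buffer-termination point from Maxim's note 2 and the "%Z" follow-up, as an added example that is not part of this thread or of the auth_ldap module's code. To run without nginx headers it models ngx_snprintf's contract (writes at most max bytes, appends no '\0', returns a pointer one past the last byte written) in a stand-alone function; the buffer size, the user names, and the names model_snprintf_filter, compose_filter_unsafe and compose_filter_safe are all constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Model of nginx's counted string (ngx_str_t): a length and a pointer, no NUL. */
typedef struct { size_t len; const unsigned char *data; } str_t;

/* Constructed buffer size; the module's real NGX_HTTP_AUTH_BUF_SIZE is not on the page. */
#define AUTH_BUF_SIZE 32

/* Model of ngx_snprintf for "(%V=%V)" (zterm == 0) and "(%V=%V)%Z" (zterm == 1):
 * writes at most max bytes, stops silently when the buffer is full, and returns
 * a pointer one past the last byte written.  The %Z zero is just another output
 * byte, so on truncation it is dropped like any other. */
static unsigned char *model_snprintf_filter(unsigned char *buf, size_t max,
                                            const str_t *attr, const str_t *user,
                                            int zterm)
{
    unsigned char *p = buf, *last = buf + max;
    size_t i;

    if (p < last) *p++ = '(';
    for (i = 0; i < attr->len && p < last; i++) *p++ = attr->data[i];
    if (p < last) *p++ = '=';
    for (i = 0; i < user->len && p < last; i++) *p++ = user->data[i];
    if (p < last) *p++ = ')';
    if (zterm && p < last) *p++ = '\0';
    return p;
}

/* The pattern reviewed in the thread: zero the buffer, then let the formatter use
 * all of it.  A long user name overwrites every zero from ngx_memzero and nothing
 * terminates the string before libldap reads it.  Returns 1 if no '\0' is left. */
static int compose_filter_unsafe(unsigned char *buf, size_t size,
                                 const str_t *attr, const str_t *user, int zterm)
{
    memset(buf, 0, size);
    (void) model_snprintf_filter(buf, size, attr, user, zterm);
    return memchr(buf, '\0', size) == NULL;
}

/* The fix from the review: reserve the last byte, write the NUL explicitly, and
 * reject a truncated filter instead of sending it to the directory.
 * Returns 0 on success, -1 when the filter did not fit. */
static int compose_filter_safe(unsigned char *buf, size_t size,
                               const str_t *attr, const str_t *user)
{
    size_t need = 1 + attr->len + 1 + user->len + 1;  /* "(" attr "=" user ")" */
    unsigned char *p;

    if (size == 0) return -1;
    p = model_snprintf_filter(buf, size - 1, attr, user, 0);
    *p = '\0';                    /* the reserved byte is always written */
    if (need > size - 1) {
        buf[0] = '\0';            /* truncated: never hand this to ldap_search_ext_s() */
        return -1;
    }
    return 0;
}

/* Constructed inputs for the scenarios below. */
static const str_t attr_uid = { 3, (const unsigned char *) "uid" };
static const unsigned char long_name[] =
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa";   /* 40 bytes */
static const str_t user_long = { sizeof long_name - 1, long_name };
static const str_t user_short = { 5, (const unsigned char *) "alice" };

/* 1: plain "(%V=%V)" with a 40-byte name leaves the 32-byte buffer unterminated. */
static int unsafe_long_user_unterminated(void)
{
    unsigned char buf[AUTH_BUF_SIZE];
    return compose_filter_unsafe(buf, sizeof buf, &attr_uid, &user_long, 0);
}

/* 1: "%Z" does not rescue the overflowing case, the zero byte is cut off too. */
static int zterm_long_user_unterminated(void)
{
    unsigned char buf[AUTH_BUF_SIZE];
    return compose_filter_unsafe(buf, sizeof buf, &attr_uid, &user_long, 1);
}

/* 0: "%Z" is fine when the filter fits. */
static int zterm_short_user_unterminated(void)
{
    unsigned char buf[AUTH_BUF_SIZE];
    return compose_filter_unsafe(buf, sizeof buf, &attr_uid, &user_short, 1);
}

/* -1: the hardened version refuses the truncated filter. */
static int safe_long_user_rc(void)
{
    unsigned char buf[AUTH_BUF_SIZE];
    return compose_filter_safe(buf, sizeof buf, &attr_uid, &user_long);
}

/* 1: the hardened version yields exactly "(uid=alice)" for the short name. */
static int safe_short_user_ok(void)
{
    unsigned char buf[AUTH_BUF_SIZE];
    if (compose_filter_safe(buf, sizeof buf, &attr_uid, &user_short) != 0) return 0;
    return strcmp((const char *) buf, "(uid=alice)") == 0;
}

int main(void)
{
    printf("plain, long user, unterminated: %d\n", unsafe_long_user_unterminated());
    printf("%%Z, long user, unterminated:    %d\n", zterm_long_user_unterminated());
    printf("%%Z, short user, unterminated:   %d\n", zterm_short_user_unterminated());
    printf("safe, long user, rc:            %d\n", safe_long_user_rc());
    printf("safe, short user, ok:           %d\n", safe_short_user_ok());
    return 0;
}
```

The "%Z" case is modelled on the assumption that nginx's formatter emits the zero byte only while room is left in the buffer, so an overflowing filter still comes back unterminated; the fit check in compose_filter_safe is what actually closes that gap, and with the pool-allocation alternative Maxim mentions the fixed-size buffer disappears altogether.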
on 19.08.2008 14:20
On Tue, Aug 19, 2008 at 12:23:02AM +0200, Markus Teichmann wrote:

> > > change this.

Yes, it should be changed to async way, otherwise whole nginx worker
will be blocked during LDAP authentication. Also, nginx has no "require"
concept as in Apache. Instead it is better to use "auth_ldap off".