AD/LDAP Authentication on Nginx

If you are like me, then one of your biggest pet peeves with Nginx is its lack of authentication methods like those so easily accessible in Apache. Beyond that, if you would like to add an authentication method to Nginx, it will typically require a recompile. If you are running Debian or Ubuntu, then I would like to introduce you to nginx-extras. The package nginx-extras is compiled with all the standard modules as well as some very useful extras, which are listed here. Debian's package version does not support LDAP authentication; however, DotDeb packages do include the LDAP module. Note that you will need to install the DotDeb package as described in Nginx Latest on Debian Wheezy. So, without further ado, first we have to ensure that we have the required package, which is nginx-extras.

apt-get install nginx-extras

Once the required packages are installed, we can start configuring our virtual host. Configuring Nginx to authenticate using LDAP or AD is fairly straightforward: add your AD or LDAP server connection to the /etc/nginx/nginx.conf file as seen below.

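ldap_server [DC03] {
	# ldap:// on port 389 is unencrypted: the bind password and each user's password cross the network in cleartext.
	url ldap://192.168.1.250:389/DC=[your-domain],DC=[local]?sAMAccountName?sub?(objectClass=person);
	# Account the module binds as to search the directory; read access is all it needs.
	binddn "[DOMAIN]\\[admin-user]";
	# Stored in plain text, so keep this file readable only by root.
	binddn_passwd [password];
	group_attribute uniquemember;
	group_attribute_is_dn on;
	# Any user who can bind successfully is allowed in.
	require valid_user;
}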

Note that everything in brackets needs to be replaced with your specific configuration (remove the brackets as well). Once that is complete, simply add the following two statements to your Nginx virtual host configuration.

auth_ldap "[Postfix Manager]";
auth_ldap_servers [DC03];

That is it. Lastly you will want to restart Nginx and then navigate to your website and you will now be prompted to enter a username and password.
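A pre-flight check for the steps above, as an added example that is not part of the original article: it confirms that the installed build carries an LDAP auth module before you rely on the `ldap_server` block, then lints the file for a cleartext `ldap://` URL, unreplaced placeholders, and a world-readable bind password. The function names and the `auth-ldap` path pattern are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example; sample inputs below are constructed, not taken from a live host.

# Succeeds if the `nginx -V` text in $1 names an LDAP auth module.
# Assumption: the module's build path contains "auth-ldap" or "auth_ldap".
has_ldap_module() {
    printf '%s\n' "$1" | grep -Eiq -- '--add(-dynamic)?-module=[^ ]*auth[-_]ldap'
}

# Prints one finding per line for the nginx config file in $1.
lint_ldap_conf() {
    conf=$1
    # ldap:// sends the bind password and every user's password unencrypted.
    if grep -Eq '^[[:space:]]*url[[:space:]]+"?ldap://' "$conf"; then
        echo "cleartext: ldap:// URL, credentials cross the network unencrypted"
    fi
    # Bracketed placeholders that were never replaced.
    if grep -Eq '^[[:space:]]*(url|binddn|binddn_passwd)[[:space:]].*\[[^]]*\]' "$conf"; then
        echo "placeholder: bracketed value left in an ldap_server directive"
    fi
    # The file stores binddn_passwd, so other local users should not read it.
    if grep -Eq '^[[:space:]]*binddn_passwd[[:space:]]' "$conf" &&
       [ -n "$(find "$conf" -perm -004)" ]; then
        echo "permissions: $conf is world-readable and contains binddn_passwd"
    fi
}

# Constructed demo: a build that ships http-auth-pam but no LDAP module.
sample='configure arguments: --add-dynamic-module=/build/modules/http-auth-pam'
has_ldap_module "$sample" || echo "no LDAP module in this build; the ldap_server block will not parse"
# On a real host: has_ldap_module "$(nginx -V 2>&1)" && lint_ldap_conf /etc/nginx/nginx.conf
```

`nginx -V` writes to stderr, hence the `2>&1` in the real-host invocation.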

If you are looking for other authentication methods using nginx, please see our companion articles Certificate Authentication on Nginx and MySQL Authentication on Nginx.


3 thoughts on “AD/LDAP Authentication on Nginx”

  1. Followed the instructions but at the end got this error when testing the configuration with nginx -t

    nginx: [emerg] unknown directive “url” in /etc/nginx/nginx.conf:34
    nginx: configuration file /etc/nginx/nginx.conf test failed

      1. I followed the instructions provided in this article https://oitibs.com/nginx-latest-on-debian-wheezy/

        Installed nginx-extras

        Please find below nginx -V result

        nginx -V
        nginx version: nginx/1.14.0 (Ubuntu)
        built with OpenSSL 1.1.1 11 Sep 2018
        TLS SNI support enabled
        configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-GkiujU/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-headers-more-filter --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-cache-purge --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-ndk --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-echo --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-fancyindex --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/nchan --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-lua --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/rtmp --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-uploadprogress --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-GkiujU/nginx-1.14.0/debian/modules/http-subs-filter
