{"id":138,"date":"2014-09-02T13:37:17","date_gmt":"2014-09-02T03:37:17","guid":{"rendered":"https:\/\/icicimov.com\/blog\/?p=138"},"modified":"2017-01-02T15:40:31","modified_gmt":"2017-01-02T04:40:31","slug":"nginx-ldap-module-on-debianubuntu","status":"publish","type":"post","link":"https:\/\/icicimov.com\/blog\/?p=138","title":{"rendered":"Nginx LDAP module on Debian\/Ubuntu"},"content":{"rendered":"<p><a href=\"http:\/\/www.nginx.com\">Nginx<\/a> by default contains only the core modules needed, which makes it a light and lean web server. Any additional functionality has to be compiled in and added as a module, since Nginx doesn&#8217;t have a dynamic (pluggable) module infrastructure like Apache, for example.<\/p>\n<h2>Installation<\/h2>\n<p>First we need the OpenLDAP development headers so the module can build properly. On Ubuntu 12.04 (Precise) we run:<\/p>\n<pre><code>root@server:~# aptitude install libldap2-dev<\/code><\/pre>\n<p>Then we switch to the Nginx source directory we created in the article Centralized logs collection with Logstash, and clone the Nginx LDAP module from its project site on GitHub into the modules directory:<\/p>\n<pre><code>root@server:~# aptitude install apache2-utils liblua5.1-dev daemon dbconfig-common\nroot@server:~# add-apt-repository ppa:nginx\/stable\nroot@server:~# aptitude update\nroot@server:~# aptitude build-dep nginx-naxsi\nroot@server:~# cd \/tmp\/nginx-1.6.0\nroot@server:\/tmp\/nginx-1.6.0# cd debian\/modules\nroot@server:\/tmp\/nginx-1.6.0\/debian\/modules# git clone https:\/\/github.com\/kvspb\/nginx-auth-ldap.git\nCloning into 'nginx-auth-ldap'...\nremote: Counting objects: 196, done.\nremote: Total 196 (delta 0), reused 0 (delta 0)\nReceiving objects: 100% (196\/196), 77.58 KiB | 102.00 KiB\/s, done.\nResolving deltas: 100% (101\/101), done.\nChecking connectivity... 
done.<\/code><\/pre>\n<p>Then we edit the rules file and add the new module to the build command:<\/p>\n<pre><code>root@server:\/tmp\/nginx-1.6.0\/debian\/modules# cd ..\/..\/\nroot@server:\/tmp\/nginx-1.6.0# vi debian\/rules\n...\nnaxsi_configure_flags := \\\n$(common_configure_flags) \\\n--without-mail_pop3_module \\\n--without-mail_smtp_module \\\n--without-mail_imap_module \\\n--without-http_uwsgi_module \\\n--without-http_scgi_module \\\n--add-module=$(MODULESDIR)\/naxsi\/naxsi_src \\\n--add-module=$(MODULESDIR)\/nginx-cache-purge \\\n--add-module=$(MODULESDIR)\/nginx-upstream-fair \\\n--add-module=$(MODULESDIR)\/nginx-auth-ldap<\/code><\/pre>\n<p>Next we change the Nginx version in the changelog file:<\/p>\n<pre><code>root@server:\/tmp\/nginx-1.6.0# vi debian\/changelog<\/code><\/pre>\n<p>change the first line:<\/p>\n<pre><code>nginx (1.6.0-1+precise0) precise; urgency=medium<\/code><\/pre>\n<p>to:<\/p>\n<pre><code>nginx (1.6.0-1+precise0-ldap) precise; urgency=medium<\/code><\/pre>\n<p>and start the building process:<\/p>\n<pre><code>root@server:\/tmp\/nginx-1.6.0# dpkg-buildpackage -uc -b<\/code><\/pre>\n<p>When finished we will see all the deb packages created in the directory one level above:<\/p>\n<pre><code>root@server:~# ls -l \/tmp\/*.deb\n-rw-r--r-- 1 root root 19818 Aug 27 19:14 \/tmp\/nginx_1.6.0-1+precise0-ldap_all.deb\n-rw-r--r-- 1 root root 34086 Aug 27 19:14 \/tmp\/nginx-common_1.6.0-1+precise0-ldap_all.deb\n-rw-r--r-- 1 root root 31756 Aug 27 19:14 \/tmp\/nginx-doc_1.6.0-1+precise0-ldap_all.deb\n-rw-r--r-- 1 root root 643520 Aug 27 19:14 \/tmp\/nginx-extras_1.6.0-1+precise0-ldap_amd64.deb\n-rw-r--r-- 1 root root 4839300 Aug 27 19:14 \/tmp\/nginx-extras-dbg_1.6.0-1+precise0-ldap_amd64.deb\n-rw-r--r-- 1 root root 447082 Aug 27 19:14 \/tmp\/nginx-full_1.6.0-1+precise0-ldap_amd64.deb\n-rw-r--r-- 1 root root 3152882 Aug 27 19:14 \/tmp\/nginx-full-dbg_1.6.0-1+precise0-ldap_amd64.deb\n-rw-r--r-- 1 root root 363708 Aug 27 19:14 
\/tmp\/nginx-light_1.6.0-1+precise0-ldap_amd64.deb\n-rw-r--r-- 1 root root 2455638 Aug 27 19:14 \/tmp\/nginx-light-dbg_1.6.0-1+precise0-ldap_amd64.deb\n-rw-r--r-- 1 root root 418852 Aug 27 19:14 \/tmp\/nginx-naxsi_1.6.0-1+precise0-ldap_amd64.deb\n-rw-r--r-- 1 root root 2652770 Aug 27 19:14 \/tmp\/nginx-naxsi-dbg_1.6.0-1+precise0-ldap_amd64.deb\n-rw-r--r-- 1 root root 308594 Aug 27 19:14 \/tmp\/nginx-naxsi-ui_1.6.0-1+precise0-ldap_all.deb<\/code><\/pre>\n<p>I install only the nginx-naxsi packages, since that&#8217;s the Nginx version I&#8217;m running:<\/p>\n<pre><code>root@server:\/tmp\/nginx-1.6.0# dpkg -i nginx-common_1.6.0-1+precise0-ldap_all.deb nginx-naxsi_1.6.0-1+precise0-ldap_amd64.deb nginx-naxsi-dbg_1.6.0-1+precise0-ldap_amd64.deb nginx-naxsi-ui_1.6.0-1+precise0-ldap_all.deb<\/code><\/pre>\n<p>and restart the Nginx process:<\/p>\n<pre><code>root@server:\/tmp\/nginx-1.6.0# service nginx restart<\/code><\/pre>\n<p>After that we can check the Nginx version information to confirm it was compiled with LDAP support (the <code>nginx-auth-ldap<\/code> module should appear among the <code>--add-module<\/code> arguments):<\/p>\n<pre><code>root@server:\/tmp\/nginx-1.6.0# nginx -V\nnginx version: nginx\/1.6.0\nTLS SNI support enabled\nconfigure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=\/usr\/share\/nginx --conf-path=\/etc\/nginx\/nginx.conf --http-log-path=\/var\/log\/nginx\/access.log --error-log-path=\/var\/log\/nginx\/error.log --lock-path=\/var\/lock\/nginx.lock --pid-path=\/run\/nginx.pid --http-client-body-temp-path=\/var\/lib\/nginx\/body --http-fastcgi-temp-path=\/var\/lib\/nginx\/fastcgi --http-proxy-temp-path=\/var\/lib\/nginx\/proxy --http-scgi-temp-path=\/var\/lib\/nginx\/scgi --http-uwsgi-temp-path=\/var\/lib\/nginx\/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module 
--without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --add-module=\/tmp\/nginx-1.6.0\/debian\/modules\/naxsi\/naxsi_src --add-module=\/tmp\/nginx-1.6.0\/debian\/modules\/nginx-cache-purge --add-module=\/tmp\/nginx-1.6.0\/debian\/modules\/nginx-upstream-fair --add-module=\/tmp\/nginx-1.6.0\/debian\/modules\/nginx-auth-ldap<\/code><\/pre>\n<h2>Configuration<\/h2>\n<p>We add the following to the Nginx config file <code>\/etc\/nginx\/nginx.conf<\/code>:<\/p>\n<pre><code>http {\n...\nauth_ldap_cache_enabled on;\nauth_ldap_cache_expiration_time 10000;\nauth_ldap_cache_size 1000;\n\nldap_server ldap1 {\nurl ldap:\/\/ldap1.mydomain.com:389\/ou=Users,dc=mydomain,dc=com?uid?sub;\nbinddn \"cn=binduser,ou=Users,dc=mydomain,dc=com\";\nbinddn_passwd bindpassword;\ngroup_attribute memberUid;\ngroup_attribute_is_dn on;\nrequire group \"cn=mygroup,ou=Groups,dc=mydomain,dc=com\";\nrequire valid_user;\n}\n\nldap_server ldap2 {\nurl ldap:\/\/ldap2.mydomain.com:389\/ou=Users,dc=mydomain,dc=com?uid?sub;\nbinddn \"cn=binduser,ou=Users,dc=mydomain,dc=com\";\nbinddn_passwd bindpassword;\ngroup_attribute memberUid;\ngroup_attribute_is_dn on;\nrequire group \"cn=mygroup,ou=Groups,dc=mydomain,dc=com\";\nrequire valid_user;\n}\n...\n}<\/code><\/pre>\n<p>Then we use this in the virtual hosts or locations we want to protect, for example our server virtual host. In this case I have the site <code>server<\/code> active, so I put the following in the <code>\/etc\/nginx\/sites-enabled\/server<\/code> file:<\/p>\n<pre><code>server {\nlisten 443 ssl;\nserver_name server.mydomain.com www.server.mydomain.com;\nroot \/opt\/server\/webapp\/content;\n...\nlocation \/ {\nproxy_pass_header Server;\nproxy_set_header Host $http_host;\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\nproxy_set_header X-Real-IP $remote_addr;\nproxy_set_header X-Scheme $scheme;\nproxy_redirect off;\nproxy_connect_timeout 10;\nproxy_read_timeout 10;\nproxy_pass 
http:\/\/127.0.0.1:8080;\nauth_ldap \"My server access\";\nauth_ldap_servers ldap1;\nauth_ldap_servers ldap2;\n}\n...\n}<\/code><\/pre>\n<p>The only drawback is that the module still doesn&#8217;t support STARTTLS, but it does support SSL, so if we really need encrypted traffic (outside an internal LAN, for example, where the user credentials and the bind password would otherwise travel in the clear over <code>ldap:\/\/<\/code>) we need to edit the config to use <code>ldaps<\/code> on port <code>636<\/code> (assuming our LDAP server has been configured with SSL support).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nginx by default contains only the core modules needed, which makes it a light and lean web server. Any additional functionality has to be compiled in and added as a module, since Nginx doesn&#8217;t have a dynamic (pluggable) module infrastructure like Apache, for&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-138","post","type-post","status-publish","format-standard","hentry","category-server"],"_links":{"self":[{"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=138"}],"version-history":[{"count":3,"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/138\/revisions"}],"predecessor-version":[{"id":158,"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/138\/revisions\/158"}],"wp:attachment":[{"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=138"}
],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icicimov.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}