@stefb69
Last active February 28, 2017 15:57
Simple and per location customizable LDAP Authentication for nginx, using embedded perl and ngx_http_auth_request_module
#!/usr/bin/perl
# LDAPAuth.pm: loaded by nginx through perl_require and run for the internal /_auth location
package LDAPAuth;
use strict;
use warnings;
use nginx;
use Authen::Simple::LDAP;
use MIME::Base64;

# Send a 401 challenge so the client (re)prompts for credentials.
# The response is fully sent here, so the caller returns OK afterwards;
# returning ERROR after send_http_header would abort the whole request.
sub unauthorized {
    my $r = shift;
    $r->header_out( "WWW-Authenticate", 'Basic realm="Secured Zone"' );
    $r->status(401);
    $r->send_http_header;
    return OK;
}

sub handler {
    my $r = shift;
    # Per-location parameters are passed in as nginx variables (see the config below)
    my $ldapfilter = $r->variable('ldapauth_filter');
    my $ldaphost   = $r->variable('ldapauth_server');
    my $ldapbase   = $r->variable('ldapauth_basedn');
    my $ldapauth   = Authen::Simple::LDAP->new(
        host   => $ldaphost,
        basedn => $ldapbase,
        filter => $ldapfilter
    );
    $r->discard_request_body;

    # Only "Authorization: Basic <base64>" is accepted; a missing or non-Basic
    # header gets a challenge instead of a Perl warning on an undefined value.
    my $auth = $r->header_in("Authorization");
    unless ( defined $auth && $auth =~ /^Basic\s+(\S+)\s*$/i ) {
        # print STDERR "Wrong Parameters\n";
        return unauthorized($r);
    }
    # Split on the first ':' only, so a password that itself contains ':' stays intact
    my ( $u, $p ) = split( ':', decode_base64($1), 2 );
    # print STDERR "u: $u - ldaphost: $ldaphost - ldapbase: $ldapbase - ldapfilter: $ldapfilter\n";

    if ( defined $u && defined $p && $ldapauth->authenticate( $u, $p ) ) {
        # successful authentication
        # print STDERR "Auth OK\n";
        $r->status(200);
        $r->send_http_header;
        return OK;
    }
    # print STDERR "Auth Failed\n";
    return unauthorized($r);
}
1;
# nginx configuration (http context); LDAPAuth.pm must be reachable via perl_modules
perl_require LDAPAuth.pm;

server {
    # "set" is only valid in server, location and if context, so the LDAP host
    # is defined here rather than at http level
    set $ldapauth_server "ldap.example.com";

    # Internal endpoint used by auth_request; not reachable directly by clients
    location /_auth {
        internal;
        perl LDAPAuth::handler;
    }

    location /protected {
        satisfy any;
        auth_basic "Protected by LDAP";
        auth_basic_user_file "htpasswd.dummy";
        # Per-location LDAP parameters, read by the handler through $r->variable
        set $ldapauth_basedn "dc=example,dc=com";
        set $ldapauth_filter "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%s))";
        auth_request /_auth;
    }
}
@yaniv4345

The directives:
$r->header_out( "WWW-Authenticate", 'Basic realm="Secured Zone"' );
$r->status(401);
$r->send_http_header;
don't work for me.
I want the server to request authentication again if the first time failed, how can it be done?

stefb69 commented Jan 20, 2017

Hasn't your browser kept credentials in the cache?
