auth_ldap

The auth_ldap directive enables LDAP-based authentication against specified LDAP servers.

Syntax: auth_ldap "realm_name";
Default: none
Context: http, server, location, limit_except
Arguments: 1

Description

The auth_ldap directive is part of the LDAP Authentication module for NGINX, which lets administrators authenticate users against entries on an LDAP server. The module uses the parameters defined for each LDAP server, such as url, binddn, and binddn_passwd, to authenticate users against the LDAP directory. The directive can be placed in the http, server, location, and limit_except contexts, so the scope of authentication follows from where the directive appears in the configuration.

Config Example

http {
    ldap_server my_ldap {
        # URL layout: scheme://host:port/base_dn?login_attribute?scope?filter
        url ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid?sub?(objectClass=person);
        binddn "cn=admin,dc=example,dc=com";
        binddn_passwd "password";
        group_attribute memberOf;
        group_attribute_is_dn on;
        require valid_user;
    }

    server {
        listen 80;
        server_name example.com;

        auth_ldap "Restricted Area";
        auth_ldap_servers my_ldap;

        location / {
            proxy_pass http://backend;
        }
    }
}

Specify the LDAP server URL with the appropriate scheme: ldap:// for plain LDAP or ldaps:// for LDAP over TLS.

The bind DN and password must be set correctly to allow binding to the LDAP server.

Misconfigured group attributes can cause authentication failures; make sure group_attribute is set correctly and that the attribute it names exists in LDAP.
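The three checks above can be run against an ldap_server block before NGINX is reloaded. The following Python sketch is an added example, not code from the module or from the original page; it lints one block, and the `require group` form it looks for is assumed from the module's documentation rather than shown on this page.

```python
import re

# Constructed sample: the ldap_server block from the config example on this page.
SAMPLE = """
ldap_server my_ldap {
    url ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid?sub?(objectClass=person);
    binddn "cn=admin,dc=example,dc=com";
    binddn_passwd "password";
    group_attribute memberOf;
    group_attribute_is_dn on;
    require valid_user;
}
"""

def parse_block(block):
    """Collect the 'name value;' lines of one ldap_server block as {name: [values]}."""
    params = {}
    for name, value in re.findall(r"^[ \t]*(\w+)[ \t]+(.+?);[ \t]*$", block, re.M):
        params.setdefault(name, []).append(value.strip('"'))
    return params

def split_url(url):
    """Split scheme://host[:port]/base_dn?attribute?scope?filter into its parts."""
    m = re.match(r"(\w+)://([^/:?]+)(?::(\d+))?/([^?]*)(?:\?(.*))?$", url)
    if not m:
        raise ValueError("unparseable LDAP URL: " + url)
    scheme, host, port, base, rest = m.groups()
    attribute, scope, flt = ((rest or "").split("?", 2) + ["", "", ""])[:3]
    return {"scheme": scheme.lower(), "host": host, "port": port, "base": base,
            "attribute": attribute, "scope": scope, "filter": flt}

def lint(block):
    """Return findings for one ldap_server block; an empty list means no finding."""
    p = parse_block(block)
    if "url" not in p:
        return ["url is not set"]
    u, findings = split_url(p["url"][0]), []
    if u["scheme"] not in ("ldap", "ldaps"):
        findings.append("url scheme must be ldap:// or ldaps://")
    elif u["scheme"] == "ldap":
        findings.append("ldap:// is the plaintext scheme; prefer ldaps://")
    if not u["attribute"]:
        findings.append("url names no login attribute")
    findings += [k + " is not set" for k in ("binddn", "binddn_passwd")
                 if not "".join(p.get(k, []))]
    if any(r.startswith("group") for r in p.get("require", [])) and "group_attribute" not in p:
        findings.append("require group is used but group_attribute is not set")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("finding:", finding)
```

Run on the sample, it reports only the plaintext scheme; the bind credentials and login attribute are present, and no group requirement is in use.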
