auth_ldap_servers

The `auth_ldap_servers` directive defines LDAP servers that NGINX can use for user authentication.

Syntax:    auth_ldap_servers server_name;
Default:   none
Context:   http, server, location, limit_except
Arguments: any

Description

The auth_ldap_servers directive is part of the LDAP Authentication module for NGINX, which allows the web server to authenticate users against one or more LDAP servers. By placing this directive in the http, server, or location context (or in limit_except), an administrator points NGINX at external LDAP servers and uses them to verify user credentials. Each referenced server is defined separately with its own connection parameters, such as URL, bind DN, and other authentication criteria.

Multiple LDAP servers can be defined, but each must first be declared with an ldap_server block, which specifies the connection details and the requirements for authenticating users. The auth_ldap directive must then be set to enable authentication and to specify the realm message shown to users. The ldap_server block supports various settings, including whether to require a valid user, which group attribute to use, and how connection retries are handled, among others.

An important consideration when using auth_ldap_servers is to ensure that every referenced server is reachable and configured in accordance with your network and security policies. This may include managing SSL/TLS certificate verification for secure connections to the LDAP servers.

Config Example

http {
    # Connection details for one LDAP server, referenced by name below.
    ldap_server test1 {
        url ldap://192.168.0.1:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);
        binddn "TEST\\LDAPUSER";
        binddn_passwd LDAPPASSWORD;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
    }

    server {
        listen 8000;
        server_name localhost;

        # Enable LDAP authentication with the realm shown to users,
        # then name the server(s) to authenticate against.
        auth_ldap "Forbidden";
        auth_ldap_servers test1;

        location / {
            root html;
            index index.html index.htm;
        }
    }
}

Ensure that the server addresses are reachable from the NGINX host.

Incorrect LDAP URLs will lead to connection issues; validate them before use.

Misconfigured binddn or binddn_passwd can prevent authentication from succeeding.
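One way to validate the url value of an ldap_server block before deploying it, as an added example that is not code from this page or from the nginx-auth-ldap module; the parsing follows the scheme://host:port/base_dn?attributes?scope?filter layout shown in the example above, and the error and warning messages are this example's own:

```python
# Added example, not code from the page or the nginx-auth-ldap project: it
# parses the RFC 4516 style URL given to the module's `url` directive
# (scheme://host:port/base_dn?attributes?scope?filter) and reports hard
# errors and weak settings before the configuration is deployed.
from urllib.parse import unquote, urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
SCOPES = {"base", "one", "sub"}


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL into its parts; raise ValueError on a hard error."""
    p = urlsplit(url.strip())
    if p.scheme not in DEFAULT_PORT:
        raise ValueError(f"scheme must be ldap or ldaps, got {p.scheme!r}")
    if not p.hostname:
        raise ValueError("missing LDAP host")
    # Everything after the first '?' is attributes?scope?filter; each field is
    # optional and the RFC 4516 default applies when it is absent.
    fields = p.query.split("?", 2) + ["", "", ""]
    attrs = [a for a in unquote(fields[0]).split(",") if a]
    scope = unquote(fields[1]) or "base"
    flt = unquote(fields[2]) or "(objectClass=*)"
    if scope not in SCOPES:
        raise ValueError(f"scope must be base, one or sub, got {scope!r}")
    if not (flt.startswith("(") and flt.endswith(")")) or flt.count("(") != flt.count(")"):
        raise ValueError(f"malformed search filter {flt!r}")
    return {"scheme": p.scheme, "host": p.hostname,
            "port": p.port or DEFAULT_PORT[p.scheme],
            "base_dn": unquote(p.path.lstrip("/")),
            "attributes": attrs, "scope": scope, "filter": flt}


def url_problems(url: str) -> list:
    """Return error and warning strings for a URL; [] means it looks clean."""
    try:
        u = parse_ldap_url(url)
    except ValueError as e:
        return [f"error: {e}"]
    # Soft findings: the URL is usable, but a reviewer would want to know.
    warnings = []
    if u["scheme"] == "ldap":
        warnings.append("plain ldap://: the bind password and user credentials cross the network unencrypted")
    if not u["attributes"]:
        warnings.append("no login attribute given (the page's example uses sAMAccountName)")
    if not u["base_dn"]:
        warnings.append("empty base DN: the search starts at the directory root")
    return warnings
```

Run url_problems() over every url line in the configuration; an "error:" entry means the directive will not work as written, while the other entries are settings worth reviewing against your security policy.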
