ldap_server

The 'ldap_server' directive configures a named LDAP server block that NGINX uses to authenticate HTTP users. It is provided by the third-party nginx-auth-ldap module (together with the auth_ldap and auth_ldap_servers directives), not by stock NGINX, so the module must be compiled in before the directive is recognized.

Syntax: ldap_server name { url url; binddn string; binddn_passwd string; group_attribute string; group_attribute_is_dn on | off; require valid_user | user | group; satisfy all | any; max_down_retries number; connections number; ssl_check_cert on | off; ssl_ca_file path; ... }
Default: none
Context: http
Arguments: block (1)

Description

The 'ldap_server' directive is used within the http context to define the parameters NGINX needs to talk to an LDAP server for user authentication. Each block is given a unique name and holds the server URL, the bind credentials (bind DN and password) used for the search bind, the group attribute settings, and the authorization requirements. A server block (or a location) then selects one or more of these blocks with auth_ldap_servers; NGINX prompts for HTTP Basic credentials, looks the user up in the directory, and binds as that user to verify the password.

The primary parameters within the ldap_server block are url, which gives the server address together with the search base, login attribute, scope and filter, and binddn and binddn_passwd, which are the credentials for the initial search bind. Because binddn_passwd is stored in clear text in nginx.conf, use a dedicated read-only service account and restrict the file's permissions. The group_attribute parameter names the attribute on a group object that lists its members, and group_attribute_is_dn states whether that attribute holds full distinguished names (as AD's member and OpenLDAP's uniqueMember do). The require parameter defines the authorization check: require valid_user accepts any account that can bind successfully, while require user and require group restrict access to named users or group members; with several require lines, satisfy all demands that every check pass and satisfy any accepts the first that does. ssl_check_cert and ssl_ca_file only matter for ldaps:// URLs; they make the module verify the directory server's certificate against the given CA, without which a TLS connection is encrypted but not authenticated. max_down_retries and connections bound reconnection attempts to a failed server and the size of the connection pool.

Config Example

http {
    # Two Active Directory Global Catalog servers on port 3268 over plain
    # LDAP (no TLS): credentials cross the network in clear text.
    ldap_server test1 {
        url ldap://192.168.0.1:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);
        # Service account for the search bind, in DOMAIN\user form
        # ("\\" is an nginx string escape for a single backslash).
        binddn "TEST\\LDAPUSER";
        binddn_passwd LDAPPASSWORD;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        # Any account that binds successfully is accepted.
        require valid_user;
    }

    ldap_server test2 {
        url ldap://192.168.0.2:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);
        binddn "TEST\\LDAPUSER";
        binddn_passwd LDAPPASSWORD;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
    }

    server {
        listen 8000;
        server_name localhost;

        # HTTP Basic authentication with this realm for the whole server,
        # checked against both LDAP server blocks.
        auth_ldap "Forbidden";
        auth_ldap_servers test1;
        auth_ldap_servers test2;

        location / {
            root html;
            index index.html index.htm;
        }
    }
}

Ensure the LDAP URL is correctly formatted: scheme://host:port/base?attribute?scope?filter, with the scheme being ldap:// or ldaps://. The attribute (sAMAccountName in the example) is the one the module matches against the supplied username, and the filter narrows the search; a malformed URL is rejected at startup, but a wrong base or filter simply makes every login fail.

The bind DN must be specified correctly to avoid authentication errors; a search bind that fails makes every user login fail as well. Prefer a full DN or, for Active Directory, the DOMAIN\user form shown above, and give that account read-only rights.

Prefer ldaps:// and turn ssl_check_cert on with ssl_ca_file pointing at the CA that issued the directory server's certificate. Without certificate checking an attacker on the network path can impersonate the directory and collect the bind password and every user's password.

If using group attributes, confirm that they exist in the LDAP schema and are properly populated, and that group_attribute_is_dn matches how members are stored: AD's member and OpenLDAP's uniqueMember hold DNs, whereas memberUid holds bare user names.
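As an added example (not from the page or the module's own README), the same setup hardened along the lines of the notes above: TLS to the directory with certificate verification, a dedicated service account, and group-based authorization instead of accepting every valid account. The host names, DNs, group name, certificate paths and the choice of AD's member attribute are assumptions to be replaced with your own.

```nginx
# Added example, not the module's README configuration.
# Host names, DNs, group names and paths are assumptions.
http {
    ldap_server corp_gc {
        # ldaps:// on 3269 (Global Catalog over TLS) instead of ldap:// on 3268,
        # so the bind password and user passwords are never sent in clear text.
        url ldaps://dc1.test.local:3269/DC=test,DC=local?sAMAccountName?sub?(objectClass=person);

        # Dedicated read-only service account for the search bind.
        # nginx.conf holds this password in clear text: keep it root:nginx 0640.
        binddn "CN=svc-nginx-ldap,OU=Service Accounts,DC=test,DC=local";
        binddn_passwd "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD";

        # Verify the directory server's certificate against the corporate CA;
        # without this, TLS only hides traffic from eavesdroppers and does
        # nothing against an impersonated directory.
        ssl_check_cert on;
        ssl_ca_file /etc/nginx/certs/corp-ca.pem;

        # AD group objects list their members as full DNs in 'member'.
        group_attribute member;
        group_attribute_is_dn on;

        # Authorize one group rather than every account that can bind;
        # 'satisfy all' makes both require lines mandatory.
        require group "CN=nginx-admins,OU=Groups,DC=test,DC=local";
        require valid_user;
        satisfy all;

        # Limit reconnect attempts to a failed server and bound the pool size.
        max_down_retries 3;
        connections 4;
    }

    server {
        # Basic authentication sends the user's password with every request,
        # so the front end must also be TLS.
        listen 443 ssl;
        server_name admin.test.local;
        ssl_certificate     /etc/nginx/certs/admin.crt;
        ssl_certificate_key /etc/nginx/certs/admin.key;

        auth_ldap "Admin area";
        auth_ldap_servers corp_gc;

        location / {
            root html;
            index index.html index.htm;
        }
    }
}
```

After installing the configuration, run nginx -t to catch a malformed URL or block before reloading, then log in with an account outside the group to confirm that the group check, not just the bind, is what grants access.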
