From 18f5e3873ef1e0ba4ca805144f0437c952036756 Mon Sep 17 00:00:00 2001
From: Quantum
Date: Wed, 19 Feb 2020 23:55:19 -0800
Subject: [PATCH] Update README for LDAP fallback
---
 README.md | 15 +++++++++++----
 nginx_krbauth.py | 6 +++---
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 98f54c2..aaacc54 100644
--- a/README.md
+++ b/README.md
@@ -67,15 +67,22 @@ The group is specified through the WSGI environment variable The following environment variables are used to configure `nginx_krbauth`'s LDAP support: -* `KRBAUTH_LDAP_SERVER` (required): The LDAP URI used to connect to the LDAP - server. -* `KRBAUTH_LDAP_SEARCH_BASE` (required): The root of the subtree to search for - LDAP entities for `krbPrincipalName` and group membership. +* `KRBAUTH_LDAP_SERVER`: The LDAP URI used to connect to the LDAP server. +* `KRBAUTH_LDAP_SEARCH_BASE`: The root of the subtree to search for LDAP + entities for `krbPrincipalName` and group membership. * `KRBAUTH_LDAP_BIND_DN`: The DN used to bind to the LDAP server. Leave blank for anonymous bind. * `KRBAUTH_LDAP_BIND_AUTHTOK`: The password used to bind to the LDAP server. Leave blank for anonymous bind. +LDAP binding can also be used as a fallback authentication mechanism through +HTTP Basic authentication. This is useful when SPNEGO is not supported, or when +the client does not support Kerberos. To use this, configure: + +* `LDAP_USER_DN`: A string template to convert usernames into LDAP DNs. There + should be one `%s` symbol in this string, which will be replaced by the + username. + ## Example `nginx.conf` ```nginx
diff --git a/nginx_krbauth.py b/nginx_krbauth.py
index 521e80f..eefaa83 100644
--- a/nginx_krbauth.py
+++ b/nginx_krbauth.py
@@ -25,10 +25,10 @@ digest_size = hmac_digest().digest_size
 HMAC_KEY = os.environ['KRBAUTH_HMAC_KEY'].encode('utf-8')
 DURATION = int(os.environ.get('KRBAUTH_KEY_DURATION', 3600))
 RANDOM_SIZE = int(os.environ.get('KRBAUTH_RANDOM_SIZE', 32))
-LDAP_SERVER = os.environ['KRBAUTH_LDAP_SERVER']
+LDAP_SERVER = os.environ.get('KRBAUTH_LDAP_SERVER')
 LDAP_BIND_DN = os.environ.get('KRBAUTH_LDAP_BIND_DN')
 LDAP_BIND_AUTHTOK = os.environ.get('KRBAUTH_LDAP_BIND_AUTHTOK')
-LDAP_SEARCH_BASE = os.environ['KRBAUTH_LDAP_SEARCH_BASE']
+LDAP_SEARCH_BASE = os.environ.get('KRBAUTH_LDAP_SEARCH_BASE')
 LDAP_USER_DN = os.environ.get('KRBAUTH_LDAP_USER_DN')
 
 assert not LDAP_USER_DN or LDAP_USER_DN.count('%s') == 1
@@ -124,7 +124,7 @@ def auth_spnego(context, next_url):
     except (GSSError, GeneralError) as e:
         return make_401(str(e), context)
 
-    if LDAP_SERVER and context.ldap_group:
+    if LDAP_SERVER and LDAP_SEARCH_BASE and context.ldap_group:
         ldap_ctx = ldap.initialize(LDAP_SERVER)
         if LDAP_BIND_DN and LDAP_BIND_AUTHTOK:
             ldap_ctx.bind_s(LDAP_BIND_DN, LDAP_BIND_AUTHTOK, ldap.AUTH_SIMPLE)
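Review bot: Switching `KRBAUTH_LDAP_SERVER` and `KRBAUTH_LDAP_SEARCH_BASE` to `os.environ.get` leaves no startup check that the settings depending on them are consistent: `LDAP_USER_DN` (the Basic-auth fallback) can now be set while `LDAP_SERVER` is `None`, which presumably only surfaces at request time in the fallback handler, outside this diff. Next to the existing assert, fail at import instead: `if LDAP_USER_DN and not LDAP_SERVER: raise RuntimeError('KRBAUTH_LDAP_USER_DN requires KRBAUTH_LDAP_SERVER')`. A `raise` is also preferable to the surrounding `assert`, which `python -O` strips, so the `%s` template would then go unvalidated. Separately, the README hunk in this commit documents the fallback variable as `LDAP_USER_DN`, whereas this hunk reads `KRBAUTH_LDAP_USER_DN`; one of the two should be corrected.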
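Review bot: Adding `LDAP_SEARCH_BASE` to the condition means a location that sets `ldap_group` silently skips the group-membership lookup when `KRBAUTH_LDAP_SEARCH_BASE` is unset; unless the code after this block (auth_spnego continues outside the hunk) denies when a group is required but no check ran, a missing setting turns an authorization requirement into a no-op. Safer to treat that as a configuration error and refuse the request, e.g. before this `if`: `if context.ldap_group and not (LDAP_SERVER and LDAP_SEARCH_BASE): return make_401('LDAP group check not configured', context)`. The same fail-closed treatment is worth applying wherever the Basic-auth fallback path, not shown here, guards on `LDAP_SERVER` alone.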