Update README for LDAP fallback

This commit is contained in:
Quantum 2020-02-19 23:55:19 -08:00
parent e6b5b137e2
commit 18f5e3873e
2 changed files with 14 additions and 7 deletions


@ -67,15 +67,22 @@ The group is specified through the WSGI environment variable
The following environment variables are used to configure `nginx_krbauth`'s The following environment variables are used to configure `nginx_krbauth`'s
LDAP support: LDAP support:
* `KRBAUTH_LDAP_SERVER` (required): The LDAP URI used to connect to the LDAP * `KRBAUTH_LDAP_SERVER`: The LDAP URI used to connect to the LDAP server.
server. * `KRBAUTH_LDAP_SEARCH_BASE`: The root of the subtree to search for LDAP
* `KRBAUTH_LDAP_SEARCH_BASE` (required): The root of the subtree to search for entities for `krbPrincipalName` and group membership.
LDAP entities for `krbPrincipalName` and group membership.
* `KRBAUTH_LDAP_BIND_DN`: The DN used to bind to the LDAP server. Leave blank * `KRBAUTH_LDAP_BIND_DN`: The DN used to bind to the LDAP server. Leave blank
for anonymous bind. for anonymous bind.
* `KRBAUTH_LDAP_BIND_AUTHTOK`: The password used to bind to the LDAP server. * `KRBAUTH_LDAP_BIND_AUTHTOK`: The password used to bind to the LDAP server.
Leave blank for anonymous bind. Leave blank for anonymous bind.
LDAP binding can also be used as a fallback authentication mechanism through
HTTP Basic authentication. This is useful when SPNEGO is not supported, or when
the client does not support Kerberos. To use this, configure:
* `LDAP_USER_DN`: A string template to convert usernames into LDAP DNs. There
should be one `%s` symbol in this string, which will be replaced by the
username.
## Example `nginx.conf` ## Example `nginx.conf`
```nginx ```nginx


@ -25,10 +25,10 @@ digest_size = hmac_digest().digest_size
HMAC_KEY = os.environ['KRBAUTH_HMAC_KEY'].encode('utf-8') HMAC_KEY = os.environ['KRBAUTH_HMAC_KEY'].encode('utf-8')
DURATION = int(os.environ.get('KRBAUTH_KEY_DURATION', 3600)) DURATION = int(os.environ.get('KRBAUTH_KEY_DURATION', 3600))
RANDOM_SIZE = int(os.environ.get('KRBAUTH_RANDOM_SIZE', 32)) RANDOM_SIZE = int(os.environ.get('KRBAUTH_RANDOM_SIZE', 32))
LDAP_SERVER = os.environ['KRBAUTH_LDAP_SERVER'] LDAP_SERVER = os.environ.get('KRBAUTH_LDAP_SERVER')
LDAP_BIND_DN = os.environ.get('KRBAUTH_LDAP_BIND_DN') LDAP_BIND_DN = os.environ.get('KRBAUTH_LDAP_BIND_DN')
LDAP_BIND_AUTHTOK = os.environ.get('KRBAUTH_LDAP_BIND_AUTHTOK') LDAP_BIND_AUTHTOK = os.environ.get('KRBAUTH_LDAP_BIND_AUTHTOK')
LDAP_SEARCH_BASE = os.environ['KRBAUTH_LDAP_SEARCH_BASE'] LDAP_SEARCH_BASE = os.environ.get('KRBAUTH_LDAP_SEARCH_BASE')
LDAP_USER_DN = os.environ.get('KRBAUTH_LDAP_USER_DN') LDAP_USER_DN = os.environ.get('KRBAUTH_LDAP_USER_DN')
assert not LDAP_USER_DN or LDAP_USER_DN.count('%s') == 1 assert not LDAP_USER_DN or LDAP_USER_DN.count('%s') == 1
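Review bot: Making `KRBAUTH_LDAP_SERVER` and `KRBAUTH_LDAP_SEARCH_BASE` optional via `os.environ.get` (the `LDAP_SERVER`/`LDAP_SEARCH_BASE` lines) turns a misconfiguration into a silent authorization bypass: the group check in `auth_spnego` is now guarded by `if LDAP_SERVER and LDAP_SEARCH_BASE and context.ldap_group:`, so a deployment that sets `ldap_group` but forgets either variable skips the membership lookup entirely, and unless the code below the hunk handles that case the request appears to proceed as authenticated. I would fail closed instead: validate at import time with `if bool(LDAP_SERVER) != bool(LDAP_SEARCH_BASE): raise RuntimeError('KRBAUTH_LDAP_SERVER and KRBAUTH_LDAP_SEARCH_BASE must be set together')`, and in `auth_spnego` reject with a 401/403 when `context.ldap_group` is set but LDAP is unconfigured rather than falling through. The neighbouring `assert` on `LDAP_USER_DN` is configuration validation that disappears under `python -O`; `if LDAP_USER_DN and LDAP_USER_DN.count('%s') != 1: raise ValueError('KRBAUTH_LDAP_USER_DN must contain exactly one %s')` keeps the check in production. Also, the README text added in this commit documents the fallback variable as `LDAP_USER_DN`, while the code reads `KRBAUTH_LDAP_USER_DN`. `auth_spnego` continues past the end of the second hunk.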
@ -124,7 +124,7 @@ def auth_spnego(context, next_url):
except (GSSError, GeneralError) as e: except (GSSError, GeneralError) as e:
return make_401(str(e), context) return make_401(str(e), context)
if LDAP_SERVER and context.ldap_group: if LDAP_SERVER and LDAP_SEARCH_BASE and context.ldap_group:
ldap_ctx = ldap.initialize(LDAP_SERVER) ldap_ctx = ldap.initialize(LDAP_SERVER)
if LDAP_BIND_DN and LDAP_BIND_AUTHTOK: if LDAP_BIND_DN and LDAP_BIND_AUTHTOK:
ldap_ctx.bind_s(LDAP_BIND_DN, LDAP_BIND_AUTHTOK, ldap.AUTH_SIMPLE) ldap_ctx.bind_s(LDAP_BIND_DN, LDAP_BIND_AUTHTOK, ldap.AUTH_SIMPLE)