一.添加nginx-auth-ldap nginx模块
编译nginx-auth-ldap模块需要ldap.h头文件,所以需要先安装ldap库
yum -y install openldap-devel
在编译nginx时,添加上模块编译参数,如
cd /usr/local/src
git clone https://github.com/kvspb/nginx-auth-ldap.git
编译时候加入 --add-module=/usr/local/src/nginx-auth-ldap
一、下载模块包
git clone https://github.com/kvspb/nginx-auth-ldap.git
二、nginx编译安装的时候,把模块编译进去。
./configure --add-module=path_to_http_auth_ldap_module make install
二.配置ldap认证
http {
ldap_server openldap {
url ldap://192.168.192.20:389/dc=example,dc=com?uid?sub?(&(objectClass=account));
binddn "cn=Manager,dc=example,dc=com";
binddn_passwd "secret";
group_attribute memberuid;
group_attribute_is_dn on;
require valid_user;
}
}
进入conf.d 设置:
server {
location /status {
stub_status on;
access_log off;
auth_ldap "Restricted Space";
auth_ldap_servers openldap;
}
}
在nginx主配置文件的http标签中添加如下代码
group_attribute People 这个是验证的时候,访问哪个组
http { ldap_server test2 { url ldap://172.16.6.13:389/DC=ptmind,DC=com?cn?sub?(objectClass=person); binddn "cn=ldap,dc=ptmind,dc=com"; binddn_passwd 'xxxxxxxxx'; group_attribute People; group_attribute_is_dn on; require valid_user; } }
然后再起一个可以访问的server进行验证
server { listen 80; server_name localhost; location / { root html; index index.html index.htm; auth_ldap "Forbidden"; auth_ldap_servers test2; } }