diff --git a/README.md b/README.md index 06bd0f2..5125aa3 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ -# LDAP Authentication module for nginx -LDAP module for nginx which supports authentication against multiple LDAP servers. +# LDAP Authentication module for Nginx +LDAP module for Nginx which supports authentication against multiple LDAP servers. # How to install @@ -18,13 +18,39 @@ Check HTTP_AUTH_LDAP options ## Linux -```bash -cd ~ && git clone https://github.com/kvspb/nginx-auth-ldap.git +Clone this repo or download the ZIP archive. + +Install `libssl` and `libldap2` headers (on Debian/Ubuntu: `apt install libssl-dev libldap2-dev`). + +You can build this module as an SO, statically compile it into the main `nginx` binary or, if using Debian/Ubuntu, build +and install the deb package. + +### Build as an SO + +- Obtain the Nginx source (on Debian/Ubuntu this can be done with `apt-get source nginx`) +- cd /path/to/nginx/source +```sh +./configure `nginx -V` --with-compat --add-dynamic-module=/path/to/nginx-auth-ldap/source +cp objs/ngx_http_auth_ldap_module.so /usr/share/nginx/modules/ngx_http_auth_ldap_module.so +``` +- Add the below config to Nginx so that it loads the module: +```nginx +load_module modules/ngx_http_auth_ldap_module.so; ``` -in nginx source folder +### Build & install the deb package -```bash +```sh +sudo apt install build-essential dpkg-dev libssl-dev libldap2-dev +cd /path/to/nginx-auth-ldap/source +dpkg-buildpackage -b -uc +sudo dpkg -i ../libnginx-mod-http-auth-ldap_1.0.0-1_amd64.deb +``` + +### Statically link into Nginx + +```sh +cd /path/to/nginx/source ./configure --add-module=path_to_http_auth_ldap_module make install ``` @@ -32,7 +58,7 @@ make install # Example configuration Define list of your LDAP servers with required user/group requirements: -```bash +```nginx http { ldap_server test1 { url ldap://192.168.0.1:3268/DC=test,DC=local?sAMAccountName?sub?(objectClass=person); 
@@ -55,7 +81,7 @@ Define list of your LDAP servers with required user/group requirements: ``` And add required servers in correct order into your location/server directive: -```bash +```nginx server { listen 8000; server_name localhost; @@ -140,6 +166,6 @@ you'll basically need to run OpenSSL's c_rehash command in this directory. expected value: on, off LDAP library default is on. This option disables usage of referral messages from -LDAP server. Usefull for authenticating against read only AD server without access +LDAP server. Useful for authenticating against read only AD server without access to read write. diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..a7fda74 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,6 @@ +libnginx-mod-http-auth-ldap (1.0.0-1) experimental; urgency=medium + + * First deb release + * Fix issue with Nginx >= 1.23 + + -- jesse Tue, 03 Oct 2023 11:55:53 +0100 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..63a605a --- /dev/null +++ b/debian/control @@ -0,0 +1,22 @@ +Source: libnginx-mod-http-auth-ldap +Section: httpd +Priority: optional +Maintainer: Jesse Portnoy +Build-Depends: debhelper-compat (= 13), + dh-sequence-nginx, + libldap2-dev, + libssl-dev, +Standards-Version: 4.6.2 +Homepage: https://github.com/jessp01/nginx-auth-ldap +Vcs-Git: https://github.com/jessp01/nginx-auth-ldap +Vcs-Browser: https://github.com/jessp01/nginx-auth-ldap +Rules-Requires-Root: no + +Package: libnginx-mod-http-auth-ldap +Architecture: any +Multi-Arch: foreign +Depends: ${misc:Depends}, + ${shlibs:Depends}, +Recommends: nginx, +Description: LDAP authentication module for Nginx + The nginx_http_auth_ldap module enables authentication via LDAP. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..21c1523 --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,26 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: ngx_http_auth_pam_module +Upstream-Contact: Sergio Talens Oliag +Source: https://github.com/jessp01/nginx-auth-ldap + +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. diff --git a/debian/debhelper-build-stamp b/debian/debhelper-build-stamp new file mode 100644 index 0000000..95511cd --- /dev/null +++ b/debian/debhelper-build-stamp @@ -0,0 +1 @@ +libnginx-mod-http-auth-ldap diff --git a/debian/files b/debian/files new file mode 100644 index 0000000..83f7df9 --- /dev/null +++ b/debian/files 
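Review bot: `Upstream-Name: ngx_http_auth_pam_module` and `Upstream-Contact: Sergio Talens Oliag` in the header stanza describe a different module (the PAM one) and do not match the `Source:` URL two lines below, so the stanza looks copied from another package; it should read `Upstream-Name: nginx-auth-ldap` with this module's contact. The file also has no `Files: *` paragraph with a `Copyright:` line, which the copyright-format 1.0 it declares requires (lintian flags its absence), so neither the module's nor the packaging's copyright holders are recorded; add `Files: *` / `Copyright: <copyright holder(s) from the upstream LICENSE - placeholder>` / `License: BSD-2-clause` above the License paragraph. I cannot confirm from this diff that BSD-2-clause is in fact the module's license; check it against the upstream LICENSE file before shipping.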
@@ -0,0 +1,3 @@ +libnginx-mod-http-auth-ldap-dbgsym_1.0.0-1_amd64.deb debug optional automatic=yes +libnginx-mod-http-auth-ldap_1.0.0-1_amd64.buildinfo httpd optional +libnginx-mod-http-auth-ldap_1.0.0-1_amd64.deb httpd optional diff --git a/debian/libnginx-mod-http-auth-ldap.postinst.debhelper b/debian/libnginx-mod-http-auth-ldap.postinst.debhelper new file mode 100644 index 0000000..0ad39dd --- /dev/null +++ b/debian/libnginx-mod-http-auth-ldap.postinst.debhelper @@ -0,0 +1,28 @@ +# Automatically added by dh_nginx/UNDECLARED +for confpair in mod-http-auth-ldap.conf:50-mod-http-auth-ldap.conf ; do + from=$(echo $confpair | cut -d: -f1) + to=$(echo $confpair | cut -d: -f2) + + if [ -L /etc/nginx/modules-enabled/$to.removed ]; then + rm /etc/nginx/modules-enabled/$to.removed + removed_link=true + else + removed_link=false + fi + + # Symlink on + # 1) Fresh installations + # 2) Reinstalls after automatic removes (preserve admin actions) + if [ -z "$2" -o "$removed_link" = "true" ]; then + ln -sf /usr/share/nginx/modules-available/$from \ + /etc/nginx/modules-enabled/$to + fi +done + +if [ "$1" = "configure" ] ; then + if which dpkg-trigger >/dev/null 2>&1 ; then + dpkg-trigger --no-await nginx-reload + fi + +fi +# End automatically added section diff --git a/debian/libnginx-mod-http-auth-ldap.postrm.debhelper b/debian/libnginx-mod-http-auth-ldap.postrm.debhelper new file mode 100644 index 0000000..7f03b6a --- /dev/null +++ b/debian/libnginx-mod-http-auth-ldap.postrm.debhelper 
@@ -0,0 +1,30 @@ +# Automatically added by dh_nginx/UNDECLARED +if [ "$1" = "purge" ] ; then + for confpair in mod-http-auth-ldap.conf:50-mod-http-auth-ldap.conf ; do + from=$(echo $confpair | cut -d: -f1) + to=$(echo $confpair | cut -d: -f2) + + if [ -L /etc/nginx/modules-enabled/$to ]; then + rm /etc/nginx/modules-enabled/$to + fi + if [ -L /etc/nginx/modules-enabled/$to.removed ]; then + rm /etc/nginx/modules-enabled/$to.removed + fi + done +fi + +if [ "$1" = "remove" ] ; then + for confpair in mod-http-auth-ldap.conf:50-mod-http-auth-ldap.conf ; do + from=$(echo $confpair | cut -d: -f1) + to=$(echo $confpair | cut -d: -f2) + + if [ -L /etc/nginx/modules-enabled/$to ]; then + mv /etc/nginx/modules-enabled/$to /etc/nginx/modules-enabled/$to.removed + fi + done + + if which dpkg-trigger >/dev/null 2>&1 ; then + dpkg-trigger --no-await nginx-reload + fi +fi +# End automatically added section diff --git a/debian/libnginx-mod-http-auth-ldap.prerm.debhelper b/debian/libnginx-mod-http-auth-ldap.prerm.debhelper new file mode 100644 index 0000000..7bcf4bf --- /dev/null +++ b/debian/libnginx-mod-http-auth-ldap.prerm.debhelper @@ -0,0 +1,12 @@ +# Automatically added by dh_nginx/UNDECLARED +if [ "$1" = "remove" ] || [ "$1" = "deconfigure" ] ; then + for confpair in mod-http-auth-ldap.conf:50-mod-http-auth-ldap.conf ; do + from=$(echo $confpair | cut -d: -f1) + to=$(echo $confpair | cut -d: -f2) + + if [ -L /etc/nginx/modules-enabled/$to ]; then + mv /etc/nginx/modules-enabled/$to /etc/nginx/modules-enabled/$to.removed + fi + done +fi +# End automatically added section diff --git a/debian/libnginx-mod-http-auth-ldap.substvars b/debian/libnginx-mod-http-auth-ldap.substvars new file mode 100644 index 0000000..37a3f50 --- /dev/null +++ b/debian/libnginx-mod-http-auth-ldap.substvars @@ -0,0 +1,3 @@ +misc:Depends=nginx-abi-1.24.0-1 +shlibs:Depends=libc6 (>= 2.14), libldap-2.5-0 (>= 2.5.4) +misc:Pre-Depends= 
diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..d8309f6 --- /dev/null +++ b/debian/rules @@ -0,0 +1,6 @@ +#!/usr/bin/make -f + +export DEB_BUILD_MAINT_OPTIONS = hardening=+all + +%: + dh $@ diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..ca20b9f --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,6 @@ +Tests: generic +Restrictions: allow-stderr isolation-container needs-root +Depends: curl, + nginx, + nginx-core, + @, diff --git a/debian/tests/generic b/debian/tests/generic new file mode 100644 index 0000000..a14fc80 --- /dev/null +++ b/debian/tests/generic 
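Review bot: The catch-all `%:` / `dh $@` rule in debian/rules is fine on its own, but this commit also checks in `debian/debhelper-build-stamp`, `debian/files`, `debian/libnginx-mod-http-auth-ldap.substvars` and the three `debian/*.debhelper` snippets, all of which dh generates during a build and removes on `dh clean`. dpkg-buildpackage's pre-clean step normally deletes them first, but if I read dh's stamp handling correctly, any invocation that skips cleaning (`-nc`, or running `debian/rules build` directly) sees the stale stamp and treats the build as already done, and the committed substvars pin `nginx-abi-1.24.0-1` and `libldap-2.5-0` from the author's machine until dh_gencontrol regenerates them. These files belong in the repository's ignore list, not in git; every build will otherwise dirty the tree. `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` is the right default for a module that handles credentials, so keep that.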
@@ -0,0 +1,73 @@ +#!/bin/sh +# version 20221215 + +# generic test that only verifies that nginx is running with the given +# libnginx-... module +# - after installation +# - after nginx reload +# - after nginx restart + +EX=0 +CURL_CMD="curl --max-time 60 --silent --fail -o /dev/null" + +#change directory to $AUTOPKGTEST_TMP +cd "${AUTOPKGTEST_TMP}" + +echo -n "curl after installation: http status=" +if $CURL_CMD -w "response_code: %{http_code}, ... " http://127.0.0.1/; then + echo "OK" +else + EX=1 + echo "FAILED" +fi + +echo -n "nginx reload ... " +if invoke-rc.d nginx reload; then + echo "OK" +else + EX=1 + echo "FAILED" +fi +sleep 5 + + +echo -n "curl after reload: http status=" +if $CURL_CMD -w "response_code: %{http_code}, ... " http://127.0.0.1/; then + echo "OK" +else + EX=1 + echo "FAILED" +fi + +echo -n "nginx restart ... " +if invoke-rc.d nginx restart; then + echo "OK" +else + EX=1 + echo "FAILED" +fi +sleep 5 + +echo -n "curl after restart: http status=" +if $CURL_CMD -w "response_code: %{http_code}, ... " http://127.0.0.1/; then + echo "OK" +else + EX=1 + echo "FAILED" +fi + +if [ ${EX} -ne 0 ]; then + echo "=== journalctl ===" + journalctl -n all -xu nginx.service || : + + echo "=== error.log ===" + if [ `wc -l /var/log/nginx/error.log | cut -d ' ' -f1` -gt 100 ]; then + head -n 50 /var/log/nginx/error.log + echo '...' + tail -n 50 /var/log/nginx/error.log + else + cat /var/log/nginx/error.log + fi +fi + +exit ${EX} diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..3c040ec --- /dev/null +++ b/debian/watch @@ -0,0 +1,6 @@ +version=4 + +opts="\ +filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/@PACKAGE@-$1\.tar\.gz/,\ +uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/,\ +" https://github.com/jessp01/nginx-auth-ldap/tags .*/v?(\d\S+)\.tar\.gz diff --git a/ngx_http_auth_ldap_module.c b/ngx_http_auth_ldap_module.c index 2f4e592..e1dbd9b 100644 --- a/ngx_http_auth_ldap_module.c +++ b/ngx_http_auth_ldap_module.c 
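Review bot: `cd "${AUTOPKGTEST_TMP}"` on the first executable line is unchecked, so if the variable is unset outside the autopkgtest harness the script keeps going in whatever directory it was started from; `cd "${AUTOPKGTEST_TMP}" || exit 1` makes the precondition explicit. More importantly, the three curl checks only assert that `http://127.0.0.1/` answers, which any nginx does, so nothing verifies that this package's module was actually loaded and a build where dh_nginx's modules-enabled symlink is missing still passes. Since the postinst enables `50-mod-http-auth-ldap.conf`, a check such as `nginx -T 2>/dev/null | grep -q ngx_http_auth_ldap_module || { EX=1; echo "module not loaded"; }` after the restart would cover that (presumably the enabled conf carries the load_module line). The `# version 20221215` header suggests this is the Debian nginx team's generic test copied verbatim, in which case the module check may be better kept in a package-specific test next to it rather than edited into this copy.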
@@ -1779,6 +1779,9 @@ ngx_http_auth_ldap_set_realm(ngx_http_request_t *r, ngx_str_t *realm) } r->headers_out.www_authenticate->hash = 1; +#if (nginx_version >= 1023000) + r->headers_out.www_authenticate->next = NULL; +#endif r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1; r->headers_out.www_authenticate->key.data = (u_char *) "WWW-Authenticate"; r->headers_out.www_authenticate->value = *realm;
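Review bot: The new `#if (nginx_version >= 1023000)` block sets `www_authenticate->next = NULL` without saying why, and the neighbouring `hash`/`key`/`value` assignments give no hint, so the next reader will not know it cannot be dropped; add a comment such as `/* nginx >= 1.23 chains same-name headers through ->next; the freshly pushed element is not zeroed, so terminate the chain explicitly */`. The version guard itself is the right way to stay source-compatible with older nginx. `ngx_http_auth_ldap_set_realm` starts before the hunk and the rest of its body is outside it, so I cannot see here how the `www_authenticate` element is allocated; if it comes from ngx_list_push, that is why the field is uninitialized and the comment should say so.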