Compiling the nginx-auth-ldap module requires the ldap.h header file, so the LDAP development library has to be installed first:

yum -y install openldap-devel

1. Download the module package

git clone https://github.com/kvspb/nginx-auth-ldap.git

2. Compile the module into nginx when building and installing nginx

./configure --add-module=path_to_http_auth_ldap_module
make install

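If the build fails because the OpenSSL version is too old, upgrade OpenSSL.

If the build reports an unknown option for pragma GCC diagnostic, the cause is that gcc 4.4 cannot interpret '#pragma GCC diagnostic warning "-Wcpp"'.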

The fix is as follows.

// make sure manual warnings don't get escalated to errors
#ifdef __clang__
#pragma clang diagnostic warning "-W#warnings"
#else
#ifdef __GNUC__
#if __GNUC__ > 4
#pragma GCC diagnostic warning "-Wcpp"
#endif
#endif
#endif
// TODO: do the same stuff for MSVC and/or other compiler

Adding the one #if check (on the GCC major version) is all that is needed.

II. Configure LDAP authentication

http {
    ldap_server openldap {
        url ldap://192.168.192.20:389/dc=example,dc=com?uid?sub?(&(objectClass=account));
        binddn "cn=Manager,dc=example,dc=com";
        binddn_passwd "secret";
        group_attribute memberuid;
        group_attribute_is_dn on;
        require valid_user;
    }
}

Then, in conf.d, configure the server:

server {
    location /status {
        stub_status on;
        access_log off;
        auth_ldap "Restricted Space";
        auth_ldap_servers openldap;
    }
}

Add the following to the http block of the main nginx configuration file. group_attribute People specifies which group is consulted during authentication.

http {
    ldap_server test2 {
        url ldap://172.16.6.13:389/DC=ptmind,DC=com?cn?sub?(objectClass=person);
        binddn "cn=ldap,dc=ptmind,dc=com";
        binddn_passwd 'xxxxxxxxx';
        group_attribute People;
        group_attribute_is_dn on;
        require valid_user;
    }
}
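The following is an added example, not code from the original post or from the nginx-auth-ldap project. It is a small Python check that reads ldap_server blocks like the ones above, splits the url directive into base DN, login attribute, scope and filter, and lists settings a reviewer should look at: an ldap:// rather than ldaps:// URL, and a bind password kept in the file. The function names and the embedded sample are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the first ldap_server block from this page.
SAMPLE = """
http {
    ldap_server openldap {
        url ldap://192.168.192.20:389/dc=example,dc=com?uid?sub?(&(objectClass=account));
        binddn "cn=Manager,dc=example,dc=com";
        binddn_passwd "secret";
        group_attribute memberuid;
        group_attribute_is_dn on;
        require valid_user;
    }
}
"""

BLOCK = re.compile(r"ldap_server\s+(\S+)\s*\{(.*?)\}", re.S)
DIRECTIVE = re.compile(r"^[ \t]*(\w+)[ \t]+(.*?);[ \t]*$", re.M)

def parse_ldap_servers(conf):
    """Map each ldap_server name to a dict of its directives (last value wins)."""
    return {name: {k: v.strip("\"'") for k, v in DIRECTIVE.findall(body)}
            for name, body in BLOCK.findall(conf)}

def split_url(url):
    """Split scheme://host:port/base_dn?attribute?scope?filter into its parts."""
    u = urlsplit(url)
    attr, scope, flt = (u.query.split("?", 2) + ["", "", ""])[:3]
    return {"scheme": u.scheme, "host": u.hostname, "port": u.port,
            "base_dn": u.path.lstrip("/"), "attribute": attr,
            "scope": scope, "filter": flt}

def audit(conf):
    """Return (server, finding) pairs for settings worth a reviewer's attention."""
    findings = []
    for name, d in parse_ldap_servers(conf).items():
        if split_url(d.get("url", ""))["scheme"] == "ldap":
            findings.append((name, "url scheme is ldap://, not ldaps://"))
        if "binddn_passwd" in d:
            findings.append((name, "bind password is stored in this file"))
    return findings

if __name__ == "__main__":
    for name, d in parse_ldap_servers(SAMPLE).items():
        print(name, split_url(d["url"]))
    for name, finding in audit(SAMPLE):
        print(f"[{name}] {finding}")
```

The second finding is a prompt to check who can read the nginx configuration files, since the bind DN's password sits in them as plain text.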