我正在尝试在另一个 ldap_server 中使用 `require group`,以便在 Nginx 与 LDAP 组的层面上实现某些 ACL。
在以下配置下,我使用一个有效的 LDAP 用户登录;该用户并不属于 mygroup,但仍然能看到内容。
# nginx.conf
# LDAP server used by "location /": any user whose bind succeeds is allowed in.
ldap_server myserver {
# RFC 4516 URL: search base ou=people, login attribute uid, subtree scope,
# filter (objectClass=person).
# NOTE(review): 686 is not the usual LDAPS port (636) - confirm it is intentional.
url "ldaps://ip:686/ou=people,dc=company,dc=com?uid?sub?(objectClass=person)";
# Service account the module binds as when it runs the user/group searches.
binddn "uid=binduser,ou=internal,dc=company,dc=com";
binddn_passwd "...";
# Group membership is read from the group entry's "member" attribute; with
# group_attribute_is_dn on the value compared is (per the module docs) the
# user's full DN rather than the bare uid.
group_attribute "member";
group_attribute_is_dn on;
# The only requirement in this block: the user can bind with the given password.
require valid_user;
# Every "require" line must hold; only one is present here.
satisfy all;
}
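# LDAP server used by "location /restricted_view": access is meant to be limited
# to members of mygroup1 / mygroup2, on top of a successful bind.
ldap_server myserver-restricted {
# NOTE(review): port 868 differs from the 686 used by "myserver" above. If both
# blocks are meant to reach the same directory, one of the two is a typo;
# the standard LDAPS port is 636.
url "ldaps://ip:868/ou=people,dc=company,dc=com?uid?sub?(objectClass=person)";
# Same service account as "myserver"; it needs read access to the group entries
# under ou=intgrp,ou=groups for the membership search to return anything.
binddn "uid=binduser,ou=internal,dc=company,dc=com";
binddn_passwd "...";
# Membership is read from the group entry's "member" attribute and matched
# against the user's full DN (group_attribute_is_dn on).
group_attribute "member";
group_attribute_is_dn on;
# Added for consistency with "myserver": the user must bind successfully AND
# (satisfy all) pass the group requirements below. The original block had no
# "require valid_user", so only the group lines were in effect here.
require valid_user;
satisfy all;
# Author's note: intentionally wrong / non-existing groups were tried too, with
# no effect - access was still granted.
# NOTE(review): with "satisfy all", read literally, every require line must
# hold, i.e. membership in BOTH groups; if "either group" is intended, that is
# "satisfy any" territory - confirm against the module docs. Either way, a
# non-existing group granting access means the group search result is not
# being applied; run nginx with a debug-level error_log for this vhost to see
# the group searches the module issues and the outcome it records.
require group 'cn=mygroup1,ou=intgrp,ou=groups,dc=company,dc=com';
require group 'cn=mygroup2,ou=intgrp,ou=groups,dc=company,dc=com';
}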
# location_context.conf
# Tried defining these at the top level and overriding auth_ldap_servers per location - didn't work. Moved them into each location - still doesn't work.
# auth_ldap "Forbidden";
# auth_ldap_servers myserver;
# Public static content: protected only by a valid LDAP bind (server "myserver").
location / {
# Realm string shown in the browser's basic-auth prompt.
auth_ldap "Forbidden";
# Which ldap_server block(s) to authenticate against for this location.
auth_ldap_servers myserver;
root /usr/share/nginx/html;
index index.html index.htm;
}
# Proxied backend view: meant to be reachable only by members of the groups
# listed in "myserver-restricted". The LDAP check runs in nginx's access phase,
# i.e. before the request is forwarded upstream.
location /restricted_view {
# Same realm string as "/"; the browser will reuse the cached credentials.
auth_ldap "Forbidden";
auth_ldap_servers myserver-restricted;
proxy_pass http://backend:8080;
# Pass the backend's Location/Refresh headers through unchanged.
proxy_redirect off;
# Preserve the client-facing Host header for the upstream.
proxy_set_header Host $host;
}
有什么问题?