SoFunction
Updated on 2025-04-08

Example of using LDAP to implement Nginx user authentication

In operations work, user authentication is a common requirement. LDAP (Lightweight Directory Access Protocol) is a protocol for directories that centrally manage user information, while Nginx is a high-performance reverse proxy server. Combining the two makes LDAP-based user authentication straightforward.

Today we will look at how to use Nginx and LDAP to implement user authentication, working through an example step by step.

Why choose LDAP + Nginx?

  • Unified user management: LDAP centrally manages user information to avoid repeated maintenance of multiple systems.
  • Efficient and stable: Nginx has excellent performance and is suitable for high-concurrency scenarios.
  • Simple and easy to use: The authentication logic can be completed through simple configuration.

Implementation ideas

  • When a user accesses the system, Nginx asks for a username and password.
  • Nginx forwards the user-entered credentials to the LDAP server for verification.
  • After successful verification, the user can access the protected resource; if it fails, access is denied.

Tools used

In the implementation, we will use a third-party Nginx module: nginx-auth-ldap. This module sends user authentication requests to LDAP servers, which is exactly what we need.

Environment preparation

Environment information:

  • Operating system: Ubuntu 20.04
  • LDAP Server: OpenLDAP (IP: 192.168.1.100)
  • Nginx version: 1.20+ (must be compiled with the nginx-auth-ldap module)

Install Nginx and LDAP modules

1. Install the necessary components

sudo apt update
sudo apt install nginx libldap2-dev libpcre3-dev build-essential -y

2. Download and compile Nginx

Since the default Nginx package does not include the nginx-auth-ldap module, Nginx needs to be compiled manually.

wget /download/nginx-1.20.
tar -xzvf nginx-1.20.
cd nginx-1.20.2

# Download the nginx-auth-ldap module
git clone /kvspb/

# Configure and compile
./configure --add-module=./nginx-auth-ldap --prefix=/etc/nginx --with-http_ssl_module
make
sudo make install

Configure Nginx to implement LDAP authentication

Edit the Nginx configuration file, usually in /etc/nginx/. The following is a sample configuration:

http {
    # Define LDAP server
    ldap_server ldap_backend {
        url ldap://192.168.1.100:389/ou=users,dc=example,dc=com?uid?sub?(objectClass=posixAccount);
        binddn "cn=admin,dc=example,dc=com";
        binddn_passwd "admin_password";
        group_attribute memberUid;
        group_attribute_is_dn off;
        require valid_user;
    }

    server {
        listen 80;
        server_name ;

        # Enable LDAP authentication for protected resources
        location /protected {
            auth_ldap "Restricted Area";
            auth_ldap_servers ldap_backend;
            root /var/www/html;
            index ;
        }
    }
}
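The sample configuration uses ldap:// on port 389, binds as the administrator DN, and serves the login prompt on a plain listen 80, so credentials travel unencrypted on both connections. The audit script below is an added example, not part of the original article or the nginx-auth-ldap project; its function names and check ids are hypothetical, the checks are line-based and do not track which server block a listen belongs to, and ssl_check_cert is the module's certificate-verification directive.

```python
import re

# Constructed input: the directives from this page's configuration that the checks read.
PAGE_CONF = """
ldap_server ldap_backend {
    url ldap://192.168.1.100:389/ou=users,dc=example,dc=com?uid?sub?(objectClass=posixAccount);
    binddn "cn=admin,dc=example,dc=com";
    binddn_passwd "admin_password";
}
server {
    listen 80;
    location /protected {
        auth_ldap "Restricted Area";
        auth_ldap_servers ldap_backend;
    }
}
"""

def directives(conf, name):
    """Arguments of every `name <args>;` directive, surrounding quotes removed."""
    pattern = r"^\s*%s\s+([^;{]*);" % re.escape(name)
    return [arg.strip().strip('"') for arg in re.findall(pattern, conf, re.M)]

def audit(conf):
    """Return (check_id, detail) pairs for settings that expose credentials."""
    findings = []
    for url in directives(conf, "url"):
        if url.lower().startswith("ldap://"):
            findings.append(("ldap-cleartext",
                             "bind and user passwords cross the network unencrypted; "
                             "use ldaps:// and ssl_check_cert on"))
    for dn in directives(conf, "binddn"):
        if re.match(r"cn=(admin|manager|root)\b", dn, re.I):
            findings.append(("privileged-binddn",
                             "%s is an administrator DN; the search step only "
                             "needs a read-only service account" % dn))
    protected = [a for a in directives(conf, "auth_ldap") if a.lower() != "off"]
    plain = [l for l in directives(conf, "listen") if "ssl" not in l.split()]
    if protected and plain:
        findings.append(("basic-auth-over-http",
                         "listen %s has no TLS, so the Basic credentials the "
                         "browser sends are readable in transit" % plain[0]))
    return findings

if __name__ == "__main__":
    for check_id, detail in audit(PAGE_CONF):
        print("%-22s %s" % (check_id, detail))
```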

Configuration parsing

LDAP server configuration segment

  • url: Specify the LDAP server address and filtering rules.
    • ou=users: Restrict the search to the users organizational unit.
    • uid: Use the uid attribute as the username when the user logs in.
    • sub: Search child nodes recursively.
  • binddn: LDAP administrator account, used for search operations during verification.
  • binddn_passwd: Administrator account password.
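To make the url fields concrete, this added example (not from the original article or the module's source) splits the URL from the configuration into its parts and builds the per-login search filter with RFC 4515 escaping of the username. The function names are hypothetical, and combining the URL filter with attribute=username in an AND is the usual search-then-bind form, assumed here rather than taken from the module.

```python
from urllib.parse import unquote

# RFC 4515: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_ldap_url(url):
    """Split ldap[s]://host[:port]/base?attrs?scope?filter (RFC 4516 layout).
    IPv6 literals in brackets are not handled."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    base, attrs, scope, flt = [unquote(p) for p in (tail.split("?") + [""] * 3)[:4]]
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base_dn": base,
        "login_attr": attrs.split(",")[0],   # first attribute is the login name
        "scope": scope or "base",            # RFC 4516 default
        "filter": flt or "(objectClass=*)",  # RFC 4516 default
    }

def login_filter(cfg, username):
    """Assumed search-then-bind form: URL filter AND login_attr=username."""
    if not username or not cfg["login_attr"]:
        raise ValueError("username and login attribute are required")
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["login_attr"],
                             escape_filter_value(username))

# The url value from the configuration on this page.
PAGE_URL = ("ldap://192.168.1.100:389/ou=users,dc=example,dc=com"
            "?uid?sub?(objectClass=posixAccount)")
CFG = parse_ldap_url(PAGE_URL)

if __name__ == "__main__":
    print(CFG)
    print(login_filter(CFG, "testuser"))
    print(login_filter(CFG, "test*"))  # wildcard is escaped, not expanded
```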

Protected resource segment

  • auth_ldap: Enable LDAP authentication and set authentication prompt information.
  • auth_ldap_servers: Specify the associated LDAP server.

Start the service and test it

  • Restart Nginx: after saving the configuration, execute the following command to restart Nginx:

    sudo nginx -s reload
    
  • Access Test

    • Visit /protected in the browser.
    • A login box will pop up; enter the LDAP username and password to test it.
    • If authentication succeeds, the page content is displayed; otherwise, 401 Unauthorized is returned.

Test Example

Assume that the LDAP user information is as follows:

  • username: testuser
  • password: testpassword
  • Users are located at: ou=users,dc=example,dc=com

Test authentication process

  • Enter the username and password in the browser:

    • username: testuser
    • password: testpassword
  • If the verification is successful, the browser loads the page normally. If it fails, check the Nginx log.

Check log

Nginx's log files are usually located in /var/log/nginx/. View the LDAP authentication related information:

sudo tail -f /var/log/nginx/

Frequently Asked Questions

Issue 1: LDAP cannot connect

  • Check service status
    sudo systemctl status slapd
    
  • Test connection
    ldapsearch -x -H ldap://192.168.1.100 -b "dc=example,dc=com"
    

Issue 2: Authentication failed

  • Make sure binddn and binddn_passwd are correct.
  • Confirm that the uid attribute exists in the LDAP user entry.

Summary

Through the combination of Nginx and LDAP, centralized user authentication can be easily achieved. This solution is not only safe and efficient, but also reduces operation and maintenance management costs, which is very suitable for scenarios where unified user management is required.
