From c0760d8f3f8d0f0ec5d62648bc864eb2c4b21a86 Mon Sep 17 00:00:00 2001
From: Ewout Voogt
Date: Tue, 20 Sep 2016 09:01:17 +0200
Subject: [PATCH 1/4] Make bind address configurable and default to any
---
 nginx-ldap-auth-daemon.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py
index be288b3..815f366 100755
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@@ -7,7 +7,10 @@
 import sys, os, signal, base64, ldap, Cookie
 from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
-Listen = ('localhost', 8888)
+# Default binding is to '' (all interfaces). To specifically
+# bind to an interface (e.g. localhost), set the environment
+# variable BIND_ADDRESS.
+Listen = (os.getenv('BIND_ADDRESS', ''), 8888)
 #Listen = "/tmp/auth.sock" # Also uncomment lines in 'Requests are
 # processed with UNIX sockets' section below
From 9a7166c64e3523b7feef26955a22dd7ce4800231 Mon Sep 17 00:00:00 2001
From: Ewout Voogt
Date: Tue, 20 Sep 2016 09:02:32 +0200
Subject: [PATCH 2/4] Use a simple bind when no binddn (or an empty binddn) is provided
---
 nginx-ldap-auth-daemon.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py
index 815f366..75b68d5 100755
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@@ -179,7 +179,10 @@ def do_GET(self):
 # ldap_obj.set_option(ldap.OPT_REFERRALS, 0)
 ctx['action'] = 'binding as search user'
- ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
+ if ctx['binddn'] == '':
+ ldap_obj.simple_bind_s()
+ else:
+ ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
 ctx['action'] = 'preparing search filter'
 searchfilter = ctx['template'] % { 'username': ctx['user'] }
From d5c90126b797d24e8439deb051f8816e2e4095c4 Mon Sep 17 00:00:00 2001
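Review bot: Defaulting `Listen` to `''` makes the daemon bind every interface out of the box, so any host that can reach port 8888 can submit Authorization headers and have this process relay them to the directory; nothing in the hunk suggests the HTTP server authenticates its own clients, so reachability is presumably the only control. Keep the safe default and let the container opt in explicitly, e.g. `Listen = (os.getenv('BIND_ADDRESS', 'localhost'), int(os.getenv('BIND_PORT', '8888')))`, with the comment rewritten to say that `''` (or `0.0.0.0`) must be set deliberately for Docker and that the Unix-socket alternative below is unaffected. The port is still hard-coded while the address is not, which is inconsistent for a setting meant to be configured from the environment. This is a module-level assignment, not part of a function.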
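Review bot: The new branch only catches an exact empty-string DN, so a configured `binddn` with an empty `bindpasswd` still reaches `bind_s` and performs an RFC 4513 unauthenticated bind, which most directory servers silently downgrade to anonymous; the search then runs without the privileges the configuration implies and nobody is told. Suggest `if not ctx['binddn']:` for the anonymous case (this also covers a None value, if a missing header is stored that way — not visible here) and rejecting a DN without a password before binding, e.g. `elif not ctx['bindpasswd']: raise Exception('binddn given without bindpasswd')`, assuming the handler around this block converts exceptions into an auth failure as the `ctx['action']` bookkeeping suggests. The action label should also change to `ctx['action'] = 'binding anonymously'` on the new path so a failure log is accurate. `do_GET` starts and ends outside this hunk.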
From: Ewout Voogt
Date: Tue, 20 Sep 2016 09:03:33 +0200
Subject: [PATCH 3/4] Switch off SSL certificate verification
---
 nginx-ldap-auth-daemon.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py
index 75b68d5..aafd80c 100755
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@@ -170,6 +170,9 @@ def do_GET(self):
 self.auth_failed(ctx, 'attempt to use empty password')
 return
+ # Switch off SSL certificate verification
+ ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+
 try:
 ctx['action'] = 'initializing LDAP connection'
 ldap_obj = ldap.initialize(ctx['url']);
From ee37e7008bc87881de080ef742d48949df7a331e Mon Sep 17 00:00:00 2001
From: vwout
Date: Tue, 20 Sep 2016 10:32:10 +0200
Subject: [PATCH 4/4] Add Dockerfile for running nginx-ldap-auth-daemon.py as a service
---
 Dockerfile | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 Dockerfile
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d6763b2
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,19 @@
+FROM python:2.7
+
+# Add the python LDAP module
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ python-dev libldap2-dev libsasl2-dev libssl-dev \
+ curl
+
+RUN pip install python-ldap
+
+# Add the LDAP auth daemon from our fork of https://github.com/nginxinc/nginx-ldap-auth
+RUN curl -L https://raw.githubusercontent.com/Mapscape/nginx-ldap-auth/master/nginx-ldap-auth-daemon.py > /usr/local/bin/nginx-ldap-auth-daemon.py \
+ && chmod +x /usr/local/bin/nginx-ldap-auth-daemon.py
+
+EXPOSE 8888
+
+# Run the daemon application
+CMD ["python", "-u", "/usr/local/bin/nginx-ldap-auth-daemon.py"]
+
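Review bot: `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)` disables server-certificate verification unconditionally and for the whole process, so every ldaps:// or StartTLS connection will hand the search user's bind credentials and the end-user password this handler has just checked for emptiness to whoever answers at the LDAP URL, and a rogue directory can then return a successful "authentication". It is also a library-global option re-applied on every request, which is configuration, not request handling. Make verification the default and the bypass an explicit opt-in from the environment, with an optional CA bundle for private PKIs, as sketched below (it could equally live at module level next to `Listen`); `do_GET` starts and ends outside this hunk.
```python
        # … unchanged: empty-password check …
        # Verify the LDAP server certificate unless explicitly disabled;
        # LDAP_TLS_VERIFY=false is only appropriate for a lab server.
        if os.getenv('LDAP_TLS_VERIFY', 'true').lower() in ('0', 'false', 'no'):
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        else:
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
            cacertfile = os.getenv('LDAP_TLS_CACERTFILE')
            if cacertfile:
                ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)

        try:
```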
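Review bot: The `RUN curl -L https://raw.githubusercontent.com/.../master/nginx-ldap-auth-daemon.py` line pulls the daemon from a mutable branch at build time with no pin and no checksum, so the image is not reproducible and whoever can push to that branch, or sit on the download path, controls the code that later handles every user's credentials. This Dockerfile is added to the same repository that carries the script, so copy it from the build context instead: `COPY nginx-ldap-auth-daemon.py /usr/local/bin/nginx-ldap-auth-daemon.py` followed by `RUN chmod +x /usr/local/bin/nginx-ldap-auth-daemon.py`, which also removes the need to install curl. If a remote fetch is unavoidable, pin the URL to a commit SHA and verify it with `sha256sum -c` before making it executable. The daemon also runs as root with the apt lists left in the layer; a `USER` line and `rm -rf /var/lib/apt/lists/*` at the end of the install step would be worth adding.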