
require group - doesn't restrict access, any valid user still can access location #194

Open
svscorp opened this issue Dec 11, 2017 · 6 comments

Comments


svscorp commented Dec 11, 2017

I am trying to use "require group" in an extra ldap_server in order to achieve some ACL on the Nginx and LDAP group level.

Given the configuration below, I am logging in with a valid LDAP user who doesn't belong to mygroup but can still see the content.

```nginx
# nginx.conf

ldap_server myserver {
  url "ldaps://ip:686/ou=people,dc=company,dc=com?uid?sub?(objectClass=person)";
  binddn "uid=binduser,ou=internal,dc=company,dc=com";
  binddn_passwd "...";
  group_attribute "member";
  group_attribute_is_dn on;
  require valid_user;
  satisfy all;
}

ldap_server myserver-restricted {
  url "ldaps://ip:868/ou=people,dc=company,dc=com?uid?sub?(objectClass=person)";
  binddn "uid=binduser,ou=internal,dc=company,dc=com";
  binddn_passwd "...";
  group_attribute "member";
  group_attribute_is_dn on;
  satisfy all;
  # I have tried to put intentionally wrong/non-existing groups - no effect. Still can access.
  require group 'cn=mygroup1,ou=intgrp,ou=groups,dc=company,dc=com';
  require group 'cn=mygroup2,ou=intgrp,ou=groups,dc=company,dc=com';
}
```

```nginx
# location_context.conf

# Tried to define on top level, didn't work with override ldap_servers. Moved to each location - still doesn't work.
# auth_ldap "Forbidden";
# auth_ldap_servers myserver;

location / {
    auth_ldap "Forbidden";
    auth_ldap_servers myserver;

    root   /usr/share/nginx/html;
    index  index.html index.htm;
}

location  /restricted_view {
    auth_ldap "Forbidden";
    auth_ldap_servers myserver-restricted;

    proxy_pass         http://backend:8080;
    proxy_redirect     off;
    proxy_set_header   Host $host;
}
```

What is wrong?

@gouzhuang (Contributor)

I had the same issue and proposed a fix: pull request


svscorp commented Dec 19, 2017

It doesn't work for me, @gouzhuang. I can access "/restricted_view" still.

@gouzhuang (Contributor)

I'm using an OpenLDAP server; the search for the group returns success with 0 entries when there is no match, and in that case my fix works. What's your LDAP server?
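The failure mode described in the opening post and in the comment above (a group search that succeeds but returns zero entries being treated as membership, so every valid user passes `require group`) can be modelled without a live directory. The following is an added example written for this page, not code from nginx-auth-ldap or from any participant in the thread. It assumes, as a model, that the module looks up membership with an LDAP search of the form `(<group_attribute>=<user DN>)` against each required group DN, and that several `require group` directives combine under `satisfy any|all`; the in-memory directory, user DNs and group names are constructed sample data.

```python
"""Model of a 'require group' authorization check (added example, not the
module's code).  Shows why "search returned success" is not the same as
"search returned a matching entry", and how an authorizer should decide."""
from dataclasses import dataclass

# Constructed in-memory directory: group DN -> set of member DNs
# (the equivalent of group_attribute "member" with group_attribute_is_dn on).
DIRECTORY = {
    "cn=mygroup1,ou=intgrp,ou=groups,dc=company,dc=com": {
        "uid=alice,ou=people,dc=company,dc=com",
        "uid=bob,ou=people,dc=company,dc=com",
    },
    "cn=mygroup2,ou=intgrp,ou=groups,dc=company,dc=com": {
        "uid=alice,ou=people,dc=company,dc=com",
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter,
    so a user-controlled DN or uid cannot alter the filter structure."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class SearchResult:
    success: bool   # LDAP result code was success (0)
    entries: list   # matching entries; may be empty even when success is True


def group_search(group_dn: str, group_attribute: str, member_value: str) -> SearchResult:
    """Simulated search: base=group_dn, scope=base, filter=(attr=member_value).
    A missing group yields a failed search (noSuchObject); an existing group
    with no matching member yields success with zero entries."""
    members = DIRECTORY.get(group_dn)
    if members is None:
        return SearchResult(success=False, entries=[])
    filt = f"({group_attribute}={escape_filter_value(member_value)})"  # what would go on the wire
    if group_attribute == "member" and member_value in members:
        return SearchResult(success=True, entries=[group_dn])
    return SearchResult(success=True, entries=[])  # the case the comment above describes


def is_member_naive(result: SearchResult) -> bool:
    """Treats any successful search as membership: the reported behaviour."""
    return result.success


def is_member_checked(result: SearchResult) -> bool:
    """Requires at least one matching entry, not merely a successful search."""
    return result.success and len(result.entries) > 0


def authorize(user_dn: str, require_groups: list, satisfy: str = "all",
              member_test=is_member_checked, group_attribute: str = "member") -> bool:
    """Evaluate the configured 'require group' lines for an authenticated user.
    satisfy="all": user must be in every group; satisfy="any": in at least one.
    With no 'require group' lines the decision falls back to valid_user (allow)."""
    results = [member_test(group_search(g, group_attribute, user_dn)) for g in require_groups]
    if not results:
        return True
    return all(results) if satisfy == "all" else any(results)


if __name__ == "__main__":
    groups = list(DIRECTORY)
    carol = "uid=carol,ou=people,dc=company,dc=com"  # valid user, member of no group
    print("naive  :", authorize(carol, groups, member_test=is_member_naive))   # True (wrong)
    print("checked:", authorize(carol, groups))                               # False
```

Running the block prints the naive decision (the user with no group membership is allowed) next to the checked one (denied). The `authorize` function is also what a regression test for this issue would exercise: a user in no group, a user in one of two groups under `satisfy all` and `satisfy any`, and a `require group` pointing at a non-existent DN must all yield the documented outcome.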

@Richard-Payne

Is anything happening with this issue? We are encountering exactly the same thing. The require valid_user requirement is respected but require group is ignored.

@Richard-Payne

Oh, and we're using Windows Server 2016

@Swetad90

Same here on Ubuntu 18.06. Any solution yet?
