On Mon, Feb 20, 2012 at 06:33:32PM +0100, Cyril Lavier wrote:
> In case we need another base for another vhost, does something like
> this work?
>
> #
> # /etc/nginx/sites-available/vhost1.example.org
> #
> location / {
> auth_pam "vhost1.example.org";
> auth_pam_service_name nginx_vhost1;
> }
>
> #
> # /etc/pam.d/nginx_vhost1 - LDAP authentication for nginx webserver
> #
> auth required pam_ldap.so config=/etc/nginx/pam_ldap_vhost1.conf
> account required pam_ldap.so config=/etc/nginx/pam_ldap_vhost1.conf
>
> #
> # /etc/nginx/pam_ldap_vhost1.conf
> #
>
> base ou=othervhost,dc=example,dc=org
> uri ldapi:///
> ldap_version 3
> binddn cn=httpd,dc=example,dc=org
> bindpw *********************
> scope sub
> pam_password md5
>
>
> In the case it's working, this would be more efficient and flexible.
Yes, the above should work.
Take a look at the pam_listfile example in the documentation of
nginx_auth_pam, too, it shows how to restrict the allowed users to a
subset of the users in LDAP/other database.
Note that my pam_ldap config contains “pam_password md5”, which is
misleading, and bad advice. The value of pam_password is only relevant
to *changing* a password in LDAP, which does not apply to nginx_auth_pam.
It should be possible to exclude the irrelevant “pam_password” directive.
Further, new LDAP users should be encouraged to use a salted password
hash such as {SSHA} instead of the less secure {MD5}.
Peter
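As an added example (not taken from either message above), here is the per-vhost stack Peter points to: the PAM service for vhost1 gets a pam_listfile allow-list ahead of pam_ldap, and the irrelevant pam_password line is dropped. The allow-list file name and the placeholder bind password are assumptions; the other paths follow the thread.

```text
# /etc/nginx/sites-available/vhost1.example.org
location / {
    auth_pam              "vhost1.example.org";
    auth_pam_service_name nginx_vhost1;
}

# /etc/pam.d/nginx_vhost1
# 1) Allow-list first: only users named in the file may continue.
#    onerr=fail makes a missing or unreadable list deny rather than allow.
#    pam_listfile refuses a list that is not root-owned or is group/world
#    writable, so keep it root:root 0644 (or stricter).
auth    required pam_listfile.so onerr=fail item=user sense=allow file=/etc/nginx/vhost1.allowed
# 2) Then the LDAP bind check against the per-vhost search base.
auth    required pam_ldap.so config=/etc/nginx/pam_ldap_vhost1.conf
account required pam_ldap.so config=/etc/nginx/pam_ldap_vhost1.conf

# /etc/nginx/vhost1.allowed   (assumed name; one username per line)
alice
bob

# /etc/nginx/pam_ldap_vhost1.conf
# No pam_password line: it only governs password *changes*, which nginx
# never performs. This file holds bindpw, so make it mode 0600 and owned
# by the user the nginx workers run as.
base         ou=othervhost,dc=example,dc=org
uri          ldapi:///
ldap_version 3
binddn       cn=httpd,dc=example,dc=org
bindpw       <placeholder-bind-password>
scope        sub
```

A user who passes the LDAP bind but is absent from vhost1.allowed is still refused, which is the subset restriction Peter describes.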