@dnozay
Created February 28, 2014 02:05
nginx + php-fpm + x-accel-redirect + ldap
install the packages:

# yum install php-fpm php-ldap

then make sure php-fpm can create sessions, and change the pool's user and group
from apache to nginx (see /etc/php-fpm.d/www.conf for more details):

# sed -i -e 's/apache/nginx/g' /etc/php-fpm.d/www.conf
# sed -i -e 's/;catch_workers_output = yes/catch_workers_output = yes/' /etc/php-fpm.d/www.conf
# mkdir -p /var/lib/php/session
# chown -R nginx: /var/lib/php/session
<?php
// ldap-auth.php: nginx passes every /data/ request to this script. It asks the
// browser for HTTP Basic credentials, verifies them with an LDAP bind and, on
// success, hands the file back to nginx through X-Accel-Redirect.

function auth_user() {
    // username from the Basic Authorization header, or '' when none was sent
    return isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
}

function forbidden() {
    error_log("forbidden: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . auth_user());
    // slow down brute force attacks
    sleep(rand(0, 3));
    // drop the session so the login form is shown again on the next request
    session_destroy();
    // don't give too much info (e.g. user does not exist / password is wrong)
    header("HTTP/1.0 403 Forbidden");
    die('Unauthorized.');
}

function authenticate() {
    error_log("authreq: " . $_SERVER['REMOTE_ADDR']);
    // mark that we saw the login box.
    $_SESSION['AUTH'] = 1;
    // browser shows login box (the realm must be quoted because it contains a space)
    header('WWW-Authenticate: Basic realm="LDAP credentials"');
    header("HTTP/1.0 401 Unauthorized");
    die('Unauthorized.');
}

function ldap_auth() {
    $ldap_server   = 'ldap://ldap.example.com/';
    $ldap_domain   = 'dc=example,dc=com';
    $ldap_userbase = 'ou=Users,' . $ldap_domain;
    // escape the username so it cannot change the structure of the DN
    // (ldap_escape() needs PHP >= 5.6)
    $ldap_user = 'uid=' . ldap_escape(auth_user(), '', LDAP_ESCAPE_DN) . ',' . $ldap_userbase;
    $ldap_pass = $_SERVER['PHP_AUTH_PW'];
    // an empty password turns ldap_bind() into an anonymous/unauthenticated bind,
    // which many directories accept; it must never count as a login
    if ($ldap_pass === '') {
        forbidden();
    }
    // connect to ldap server
    $ldapconn = ldap_connect($ldap_server)
        or die("Could not connect to LDAP server.");
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // try to bind/authenticate against ldap; forbidden() never returns
    if (!@ldap_bind($ldapconn, $ldap_user, $ldap_pass)) {
        ldap_close($ldapconn);
        forbidden();
    }
    error_log("success: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . auth_user());
    ldap_close($ldapconn);
}

// no cache
session_cache_limiter('nocache');
session_start();
header('Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0');
header('Pragma: no-cache');
header("Expires: 0");

// first visit: show the login box and remember that we did
if (!isset($_SESSION['AUTH']) || $_SESSION['AUTH'] != 1) {
    authenticate();
}
// login box was already shown, but the browser sent no credentials
if (auth_user() === '' || !isset($_SERVER['PHP_AUTH_PW'])) {
    authenticate();
}
// check credentials
ldap_auth();

// Get requested file name
$path = $_SERVER["REQUEST_URI"];
error_log("serving: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . auth_user() . ', path: ' . $path);
// send an empty Content-Type so nginx picks the type in its /protected location
header("Content-Type: ", true);
header("X-Accel-Redirect: /protected" . $path);
?>
server {
    listen 80;
    server_name _;

    # all requests to /data will be intercepted by the PHP script,
    # which may then decide to use X-Accel-Redirect to serve
    # /protected$request_uri, which is handled by the /protected/data location
    location /data/ {
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME /path/to/scripts/ldap-auth.php;
        # php-fpm also decodes the Authorization header into PHP_AUTH_USER/PHP_AUTH_PW
        # on its own; note that $http_authorization is the raw "Basic <base64>" header
        # value, not the decoded password
        fastcgi_param PHP_AUTH_USER $remote_user;
        fastcgi_param PHP_AUTH_PW $http_authorization;
        include fastcgi_params;
    }

    # only reachable through X-Accel-Redirect, never directly from a client
    location /protected/data/ {
        types { }
        default_type text/plain;
        internal;
        autoindex on;
        alias /path/to/protected/data/;
    }
}
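The request flow the script and config above implement, as an added example that is not part of the gist: a Python model of the decisions made for one request (401 to prompt the browser, 403 after a failed bind, 200 with X-Accel-Redirect on success), with a constructed in-memory directory in place of ldap_bind(). The names parse_basic_auth, basic_header, escape_dn_value, FakeDirectory, handle and the sample user are this example's own. The directory stand-in deliberately accepts an empty password, as a real server may for an unauthenticated bind, so that the empty-password check in handle() is visibly what stops that from counting as a login.

```python
"""Model of the nginx + php-fpm + LDAP gate in ldap-auth.php (added example,
not code from the gist). A constructed FakeDirectory replaces the LDAP server."""
import base64

# Characters that must be backslash-escaped inside an RFC 4514 DN attribute
# value, so a username such as 'a,ou=Admins' cannot alter the DN that is bound to.
_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (same idea as PHP's ldap_escape with LDAP_ESCAPE_DN)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends after the 401."""
    return 'Basic ' + base64.b64encode(f'{user}:{password}'.encode()).decode()


def parse_basic_auth(header):
    """Return (user, password) from a 'Basic <base64>' header, or None if absent or malformed."""
    if not header or not header.startswith('Basic '):
        return None
    try:
        raw = base64.b64decode(header[len('Basic '):], validate=True).decode('utf-8')
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if ':' not in raw:
        return None
    user, _, password = raw.partition(':')
    return user, password


class FakeDirectory:
    """Stand-in for ldap_bind(): maps DN -> password. Constructed test data only."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        # An empty password is an unauthenticated bind (RFC 4513 section 5.1.2),
        # which some directory servers accept regardless of the DN. Modelled here
        # so the caller's empty-password check is what prevents the bypass.
        if password == '':
            return True
        return self.entries.get(dn) == password


def handle(request_uri, authorization, session, directory,
           userbase='ou=Users,dc=example,dc=com'):
    """Return (status, headers) for one request, mirroring ldap-auth.php's control flow."""
    prompt = {'WWW-Authenticate': 'Basic realm="LDAP credentials"'}
    creds = parse_basic_auth(authorization)
    if session.get('AUTH') != 1 or creds is None:
        # first visit, or no usable credentials: mark the session and ask the browser to prompt
        session['AUTH'] = 1
        return 401, prompt
    user, password = creds
    if user == '' or password == '':
        # never pass an empty password to the bind (see FakeDirectory.bind)
        return 401, prompt
    dn = 'uid=' + escape_dn_value(user) + ',' + userbase
    if not directory.bind(dn, password):
        session.clear()  # forbidden(): drop the session so the login box reappears next time
        return 403, {}
    # success: hand the file back to nginx's internal /protected location
    return 200, {'X-Accel-Redirect': '/protected' + request_uri}


if __name__ == '__main__':
    # constructed directory with one user
    ldap = FakeDirectory({'uid=alice,ou=Users,dc=example,dc=com': 'secret'})
    session = {}
    print(handle('/data/report.txt', None, session, ldap))                              # 401
    print(handle('/data/report.txt', basic_header('alice', 'secret'), session, ldap))   # 200 + X-Accel-Redirect
    print(handle('/data/report.txt', basic_header('alice', 'wrong'), {'AUTH': 1}, ldap))  # 403
    print(handle('/data/report.txt', basic_header('alice', ''), {'AUTH': 1}, ldap))      # 401, not 200
```

Running it walks through the same three outcomes a browser would see from the gist: the first request is answered with the login prompt, the second (with credentials) is served through the internal location, a wrong password gets 403, and an empty password is sent back to the prompt rather than reaching the bind.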

phulei commented Jul 11, 2014

Hello ,

Could you please let me know where to put the ldap-auth.php?


dnozay commented Oct 25, 2014

put it where you want then adjust SCRIPT_FILENAME in nginx.conf.


F0RMaTC commented May 26, 2015

Hi, what about form-based auth instead of a popup dialog box? After successful login I want to be redirected to a different server instead of /


apis17 commented Feb 13, 2019

thanks. this helps me to use ldap with php-fpm
