nginx + php-fpm + x-accel-redirect + ldap
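# Install the packages (run as root; the original listing showed a "# " root
# prompt in front of each command, which would comment them out if pasted).
yum install php-fpm php-ldap

# Make sure php-fpm runs as the nginx user/group so it can create sessions;
# see /etc/php-fpm.d/www.conf for the meaning of each setting.
# The global substitution also touches commented-out lines, which is harmless.
sed -i -e 's/apache/nginx/g' /etc/php-fpm.d/www.conf

# Forward worker stdout/stderr into the php-fpm log, presumably so the
# error_log() lines written by the auth script (failed/successful logins)
# are recorded instead of being discarded.
sed -i -e 's/;catch_workers_output = yes/catch_workers_output = yes/' /etc/php-fpm.d/www.conf

# Session files carry the AUTH flag used by the script, so keep the directory
# owned by the service user and check afterwards that it is not world-readable.
mkdir -p /var/lib/php/session
chown -R nginx: /var/lib/php/session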
<?php | |
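/**
 * Reject the request after a failed credential check.
 *
 * Logs the attempt, adds a small delay, drops the session so the next
 * request gets the login box again, and answers 403 without saying why.
 * Never returns.
 */
function forbidden() {
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    // The username is client-controlled; strip control characters so a
    // crafted value cannot forge extra lines in the error log.
    $user = preg_replace('/[\x00-\x1f\x7f]/', '?', $user);
    error_log("forbidden: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . $user);
    // Slow down password guessing. This holds a php-fpm worker for up to 3 s,
    // so pair it with request rate limiting in nginx rather than relying on it
    // alone. The jitter value is not secret, so rand() is adequate here.
    sleep(rand(0, 3));
    // session_destroy() warns when no session is active; guard it.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
    // Don't reveal whether the user is unknown or the password is wrong.
    header("HTTP/1.0 403 Forbidden");
    die('Unauthorized.');
}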
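/**
 * Ask the browser for HTTP Basic credentials and stop.
 *
 * Sets the session AUTH marker so the main script knows the login box has
 * been shown, then answers 401 with a WWW-Authenticate challenge. Never
 * returns.
 */
function authenticate() {
    error_log("authreq: " . $_SERVER['REMOTE_ADDR']);
    // Mark that we showed the login box; credentials are only checked after this.
    $_SESSION['AUTH'] = 1;
    // The realm must be a quoted-string (RFC 7235); the unquoted value with a
    // space that was sent before is not parsed consistently by clients.
    // Basic credentials are only base64-encoded, so this endpoint has to be
    // served over TLS.
    header('WWW-Authenticate: Basic realm="LDAP credentials"');
    header("HTTP/1.0 401 Unauthorized");
    die('Unauthorized.');
}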
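/**
 * Check the Basic-auth credentials by binding to LDAP as that user.
 *
 * Returns normally on success; every failure ends the request through
 * forbidden(). A connection failure dies with a plain message, as before.
 */
function ldap_auth() {
    $ldap_server   = 'ldap://ldap.example.com/';
    $ldap_domain   = 'dc=example,dc=com';
    $ldap_userbase = 'ou=Users,' . $ldap_domain;

    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
    // An empty password must never reach ldap_bind(): many directories treat
    // a bind with a DN and no password as an anonymous/unauthenticated bind
    // and report success, which would admit anyone who knows a valid uid.
    if ($user === '' || $pass === '') {
        forbidden();
    }
    // The uid is client-controlled; escape it (PHP >= 5.6) so characters
    // such as ',' or '=' cannot rewrite the DN we bind with.
    $ldap_user = 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',' . $ldap_userbase;
    $log_user  = preg_replace('/[\x00-\x1f\x7f]/', '?', $user);

    // ldap_connect() only validates the URI; the network connection is made at bind.
    $ldapconn = ldap_connect($ldap_server)
        or die("Could not connect to LDAP server.");
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // NOTE: a plain ldap:// URI sends the password to the directory in clear
    // text; use ldaps:// or ldap_start_tls() outside a lab setup.

    // Bind failures are reported to the client as a generic 403; the reason
    // goes to the server log only.
    $ldapbind = @ldap_bind($ldapconn, $ldap_user, $pass);
    if ($ldapbind === false) {
        error_log("bindfail: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . $log_user
            . ', ldap: ' . ldap_error($ldapconn));
        ldap_close($ldapconn);
        forbidden();
    }
    error_log("success: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . $log_user);
    ldap_close($ldapconn);
}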
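// Main flow: the response depends on the session and on credentials, so it
// must never be cached anywhere.
session_cache_limiter('nocache');
session_start();
header('Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0');
header('Pragma: no-cache');
header("Expires: 0");

// First request of a session: show the login box (sets AUTH = 1) and stop.
if (!isset($_SESSION['AUTH']) || $_SESSION['AUTH'] !== 1) {
    authenticate();
}
// Both halves of the credentials are required before anything is checked.
// Tested with === '' rather than empty() so a password of "0" is accepted.
if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER'] === ''
    || !isset($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW'] === '') {
    authenticate();
}

// Check credentials; ldap_auth() only returns when the bind succeeded.
ldap_auth();

// Requested file name. REQUEST_URI is the raw request target and is echoed
// into a response header below, so validate it first: it must be an absolute
// path without control bytes and without a ".." segment once percent-encoding
// is undone. nginx refuses unsafe X-Accel-Redirect targets too, but the script
// should not depend on that.
$path = isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : '';
$query_pos = strpos($path, '?');
$path_only = ($query_pos === false) ? $path : substr($path, 0, $query_pos);
if ($path_only === '' || $path_only[0] !== '/'
    || preg_match('/[\x00-\x1f\x7f]/', $path)
    || preg_match('#(^|/)\.\.(/|$)#', rawurldecode($path_only))) {
    forbidden();
}

$log_user = preg_replace('/[\x00-\x1f\x7f]/', '?', $_SERVER['PHP_AUTH_USER']);
error_log("serving: " . $_SERVER['REMOTE_ADDR'] . ', user: ' . $log_user . ', path: ' . $path);
// An empty Content-Type is sent on purpose: presumably so that nginx's own
// types/default_type in the internal location decide the type instead of
// PHP's default text/html — confirm against the nginx version in use.
header("Content-Type: ", true);
// Hand the file back to nginx; /protected/... is an internal-only location.
header("X-Accel-Redirect: /protected" . $path);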
server {
    # NOTE(review): Basic credentials are only base64-encoded on the wire;
    # anything beyond a lab setup should listen with TLS instead of plain 80.
    listen 80;
    server_name _;
    # all requests to /data will be intercepted by PHP script
    # which may then decide to use X-Accel to serve
    # /protected$request_uri, which is handled by /protected/data location
    location /data/ {
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        # every request under /data/ runs the same script, whatever the URI
        fastcgi_param SCRIPT_FILENAME /path/to/scripts/ldap-auth.php;
        # $remote_user is the username nginx parsed from the Basic header
        fastcgi_param PHP_AUTH_USER $remote_user;
        # NOTE(review): $http_authorization is the whole "Basic <base64>"
        # header value, not the decoded password. php-fpm normally derives
        # PHP_AUTH_USER/PHP_AUTH_PW itself from the forwarded Authorization
        # header, so confirm which value the script actually sees before
        # relying on this line.
        fastcgi_param PHP_AUTH_PW $http_authorization;
        include fastcgi_params;
    }
    #
    location /protected/data/ {
        # ignore file extensions: everything is served as text/plain
        types { }
        default_type text/plain;
        # reachable only through X-Accel-Redirect, never by a direct request
        internal;
        # NOTE(review): directory listings of the protected tree are shown to
        # any authenticated user; drop this if that is not intended.
        autoindex on;
        alias /path/to/protected/data/;
    }
}
Put it where you want, then adjust SCRIPT_FILENAME in nginx.conf.
Hi, what about form-based auth instead of the popup dialog box? After a successful login I want to be redirected to a different server instead of /
Thanks, this helped me use LDAP with php-fpm.
Hello,
Could you please let me know where to put ldap-auth.php?