LDAP + Kerberos authenticator for nginx's auth_request module.

Project description

nginx-krbauth

Installation

pip install nginx-krbauth

If, for some reason, you want to use the latest code from git:

pip install git+https://github.com/quantum5/nginx-krbauth.git

Usage

Load nginx_krbauth:app into any WSGI-compatible server. Configuration is done through environment variables.

Example:

[uwsgi]
protocol = uwsgi
socket = /tmp/krbauth.sock
module = nginx_krbauth:app
env = KRB5_KTNAME=FILE:/home/krbauth/.keytab
env = KRBAUTH_HMAC_KEY=hunter2
env = KRBAUTH_LDAP_SERVER=ldapi:///
env = KRBAUTH_LDAP_BIND_DN=cn=http,ou=Apps,dc=example,dc=com
env = KRBAUTH_LDAP_BIND_AUTHTOK=hunter2
env = KRBAUTH_LDAP_SEARCH_BASE=dc=example,dc=com

nginx_krbauth exports two HTTP endpoints:

  • /krbauth: This endpoint performs SPNEGO authentication. When done, it sets a session cookie and generates a 307 redirect to the URL in the next GET parameter.
  • /krbauth/check: The endpoint checks the validity of the session cookie. If valid, it returns 200. Otherwise, it returns 401.

The intention is to use /krbauth/check as auth_request in your nginx configuration. On 401, nginx should be configured to generate a redirect to /krbauth.

Configuration

  • KRB5_KTNAME: This is actually a Kerberos setting. It should point to a keytab file containing the Kerberos host principals, readable only by the user running nginx_krbauth.
  • KRBAUTH_HMAC_KEY (required): This is the HMAC key used to sign cookies. It should be a long random string. Keep it secret!
  • KRBAUTH_KEY_DURATION: The duration (in seconds) for which the session cookie is valid. Default: 1 hour.
  • KRBAUTH_RANDOM_SIZE: The length of the nonce in the session cookie in bytes. Default: 32.
  • KRBAUTH_GSSAPI_NAME: The GSSAPI name for the service. Leave blank if any name in the keytab is fine.
  • KRBAUTH_SECURE_COOKIE: This controls whether the session cookie is marked as HTTPS-only. Default: yes. Set to 0 or no to disable.
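The two endpoints above amount to a mint-then-verify session cookie keyed by KRBAUTH_HMAC_KEY, bounded by KRBAUTH_KEY_DURATION and salted with a KRBAUTH_RANDOM_SIZE nonce. The following is an added illustration of that flow, not nginx-krbauth's own code: the cookie layout (principal|expiry|nonce|hmac), the cookie name krbauth and the check_app stand-in for /krbauth/check are assumptions, and the key value is constructed.

```python
import hashlib
import hmac
import os
import time
from http.cookies import SimpleCookie

# Constructed values; in production KRBAUTH_HMAC_KEY must be long and random.
HMAC_KEY = b"hunter2"
KEY_DURATION = 3600   # KRBAUTH_KEY_DURATION default (1 hour)
RANDOM_SIZE = 32      # KRBAUTH_RANDOM_SIZE default (nonce length in bytes)


def mint_cookie(principal, now=None, key=HMAC_KEY):
    """Issue a session cookie after SPNEGO succeeded (hypothetical layout:
    principal|expiry|nonce|hmac-sha256). Kerberos principals never contain '|'."""
    now = int(time.time()) if now is None else now
    payload = "%s|%d|%s" % (principal, now + KEY_DURATION, os.urandom(RANDOM_SIZE).hex())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + sig


def check_cookie(value, now=None, key=HMAC_KEY):
    """Return the principal if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        principal, expiry, nonce, sig = value.split("|")
    except ValueError:
        return None
    payload = "%s|%s|%s" % (principal, expiry, nonce)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison first
        return None
    if not expiry.isdigit() or int(expiry) <= now:  # then the time bound
        return None
    return principal


def check_app(environ, start_response):
    """Stand-in for /krbauth/check: 200 if the cookie verifies, otherwise 401."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get("krbauth")                  # cookie name is an assumption
    principal = check_cookie(morsel.value) if morsel else None
    if principal is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"unauthorized"]
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-Krbauth-User", principal)])
    return [b"ok"]
```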

LDAP

nginx_krbauth can also optionally check LDAP group membership. It does so by looking up the groups of the LDAP entity whose krbPrincipalName attribute matches the name of the Kerberos principal used to authenticate.

The group is specified through the WSGI environment variable KRBAUTH_LDAP_GROUP. This could be set through uwsgi_param, for example.

The following environment variables are used to configure nginx_krbauth's LDAP support:

  • KRBAUTH_LDAP_SERVER: The LDAP URI used to connect to the LDAP server.
  • KRBAUTH_LDAP_SEARCH_BASE: The root of the subtree to search for LDAP entities for krbPrincipalName and group membership.
  • KRBAUTH_LDAP_BIND_DN: The DN used to bind to the LDAP server. Leave blank for anonymous bind.
  • KRBAUTH_LDAP_BIND_AUTHTOK: The password used to bind to the LDAP server. Leave blank for anonymous bind.

LDAP binding can also be used as a fallback authentication mechanism through HTTP Basic authentication. This is useful when SPNEGO is not supported, or when the client does not support Kerberos. To use this, configure:

  • KRBAUTH_LDAP_USER_DN: A string template to convert usernames into LDAP DNs. There should be one %s symbol in this string, which will be replaced by the username.
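The README does not describe how the package builds its LDAP queries. The following is an added example, not nginx-krbauth's code, of the two lookups this section implies: the krbPrincipalName search filter (RFC 4515 escaping) and the expansion of the KRBAUTH_LDAP_USER_DN template's %s (RFC 4514 escaping), which matters most for the Basic-auth fallback because that username arrives from the client. All function names are assumptions.

```python
def escape_filter(value):
    """RFC 4515: escape characters that would change an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def principal_filter(principal):
    """Filter that selects the entity whose krbPrincipalName matches."""
    return "(krbPrincipalName=%s)" % escape_filter(principal)


_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value):
    """RFC 4514: escape an attribute value before placing it in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_dn(template, username):
    """Expand KRBAUTH_LDAP_USER_DN's single %s with the escaped username."""
    if template.count("%s") != 1:
        raise ValueError("KRBAUTH_LDAP_USER_DN must contain exactly one %s")
    return template.replace("%s", escape_dn_value(username))
```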

TLS Client Certificate

On machines that have them, TLS client certificates can also be used for authentication instead of LDAP or Kerberos. To do this, set the environment variable KRBAUTH_TLS_CERT_AUTH to 1 or yes.

Then, pass the WSGI environment variable NGINX_SSL_CLIENT_VERIFY from nginx, setting it to the value of $ssl_client_verify, like this:

uwsgi_param NGINX_SSL_CLIENT_VERIFY "$ssl_client_verify";

You most likely want to make client certificate verification optional if you are using it with nginx-krbauth:

ssl_client_certificate /path/to/ca.crt;
ssl_verify_client optional;

Example nginx.conf

auth_request /krbauth/check;
error_page 401 = @krbauth;
location @krbauth {
    return 307 /krbauth?next=$request_uri;
}

location /krbauth {
    auth_request off;
    error_page 527 error.html; # To cancel out error_page 401 outside.
    uwsgi_pass unix:/tmp/krbauth.sock;
    uwsgi_pass_request_body off;
    uwsgi_param KRBAUTH_LDAP_GROUP "cn=group,dc=example,dc=com";
    include uwsgi_params;
}

Download files

Source Distribution: nginx_krbauth-0.0.4.tar.gz (6.4 kB)

Built Distribution: nginx_krbauth-0.0.4-py3-none-any.whl (6.6 kB)
