Add ldap authentication to nginx on RHEL 7

I installed nginx 1.10.2 to my RHEL 7 server using yum from epel repo:

$ sudo yum install epel-release
$ sudo yum install nginx httpd-tools

Now I want to add ldap authentication. I found this from a github search: https://github.com/kvspb/nginx-auth-ldap

However, according to the instructions, the module must be added via the configure and make commands on the nginx sources, which I believe I don't have access to.

Does this mean I need to re-install nginx from source? Is there any other way?


Until release 1.9.11 all nginx modules, including third-party modules, had to be compiled statically into nginx. Unlike Apache, nginx had no support for dynamically loading modules, so every time you wanted to add a new module you had to recompile nginx.

nginx 1.9.11 introduced the load_module directive, but not all modules have been (or even can be) converted to dynamic modules yet, and a lot of existing documentation still reflects that.

The nginx-auth-ldap config looks to have the right syntax to work as a dynamic module. It is then more a question of whether or not the nginx package maintainers for EPEL provide a ready-made RPM that offers nginx-auth-ldap; if they don't, you will need to compile the module yourself.

the nginx sources, which I believe I don't have access to.

BTW, you can install the SRC RPM package to get access to the sources and SPEC files used to make the binary nginx RPM.


I ended up re-installing NGINX from source and added the nginx-auth-ldap module at compile time. I found a very helpful how-to at http://www.ehowstuff.com/how-to-install-nginx-on-centos-7-rhel-7/ and simply added the nginx-auth-ldap module to the ./configure command; it was correctly added at compile time. I'm up and running now! :-)

A few lessons learned from the experience:

  • Download the module from https://github.com/kvspb/nginx-auth-ldap and read the readme and wiki before going any further
  • It may not seem obvious, but you need to create an AD user for the module to gain access to the AD. I created a user called "LDAPauth" with minimal rights, with the password set to never expire and not changeable by the user; this is the user account you will use in the binddn and binddn_passwd directives.
  • The binddn syntax that worked for me was "DOMAIN\LDAPAUTH" (note the double backslash and all caps) [edit: the comment editor removed the double backslash between DOMAIN and LDAPAUTH and replaced it with a single backslash for some reason]
  • I suggest that you create ldap_server sections in your server block for at least two domain controllers for redundancy. You then add one "auth_ldap_servers xxx;" directive for each DC in your location block.
  • Make sure you add the appropriate "group_attribute" directives with respect to your "require" directives (i.e. if you plan to authenticate users, add "group_attribute uniquemember"; to authenticate group members, add "group_attribute member")
  • If you're having issues with DN syntax, go to ADUC, open your AD user or group properties, and in the Attribute Editor tab, scroll down to distinguishedName. You can double-click and copy-paste the correct DN from here. CAUTION: Be careful you don't alter the value accidentally in this window...
  • I found that the statement I specified in the auth_ldap "Enter AD credentials" directive isn't always displayed as expected, depending on the browser used. In Firefox, I get "A username and password are being requested by mysite. The site says: 'Enter AD credentials'". In Chrome I get "mysite requires a username and password." In IE, I get "The server mysite is asking for your user name and password. The server reports that it is from Enter AD credentials."
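The lessons above, as an added configuration example (not taken from the answer or from the module's own documentation): two ldap_server blocks for redundant domain controllers, the binddn with its double backslash, group_attribute matched to a group require, and the auth_ldap_servers directives in the protected location. Hostnames, DNs, the group name and the password are placeholders, and ssl_check_cert is assumed to be available in the module version you build.

```nginx
# Only needed if the module was built with --add-dynamic-module; for the
# static build described in this answer the line must be omitted.
# load_module modules/ngx_http_auth_ldap_module.so;

http {
    # One ldap_server block per domain controller, so a DC outage does not
    # lock everyone out. Both are identical except for the host.
    ldap_server dc1 {
        # ldaps keeps the bind password and user credentials off the wire in clear text.
        url "ldaps://dc1.example.corp:636/DC=example,DC=corp?sAMAccountName?sub?(objectClass=person)";
        binddn "EXAMPLE\\LDAPAUTH";                 # low-privilege service account; double backslash in the file
        binddn_passwd "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD";  # keep nginx.conf readable by root only
        ssl_check_cert on;                          # verify the DC certificate (assumed directive)
        group_attribute member;                     # AD groups list their members in "member"
        group_attribute_is_dn on;                   # those members are full distinguished names
        require valid_user;
        require group "CN=web-admins,OU=Groups,DC=example,DC=corp";
        satisfy all;                                # must be a valid user AND in the group
    }
    ldap_server dc2 {
        url "ldaps://dc2.example.corp:636/DC=example,DC=corp?sAMAccountName?sub?(objectClass=person)";
        binddn "EXAMPLE\\LDAPAUTH";
        binddn_passwd "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD";
        ssl_check_cert on;
        group_attribute member;
        group_attribute_is_dn on;
        require valid_user;
        require group "CN=web-admins,OU=Groups,DC=example,DC=corp";
        satisfy all;
    }

    server {
        listen 443 ssl;
        server_name mysite.example.corp;
        # ssl_certificate / ssl_certificate_key omitted; basic auth over plain HTTP
        # would expose the AD password, so only serve this over TLS.

        location /admin/ {
            auth_ldap "Enter AD credentials";       # realm text; browsers render it differently
            auth_ldap_servers dc1;
            auth_ldap_servers dc2;                  # consulted when dc1 is unavailable
            root /var/www/admin;
        }
    }
}
```

Run `nginx -t` after editing; a typo in a DN or url shows up there as a config parse error rather than at the first login attempt.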