@@ -281,6 +281,127 @@ The VM running Nginx (and ldap_authz_proxy) was joined to AD domain like this:
281281Script(s) for building Nginx Kerberos (SPNEGO) module for Debian:
282282https://github.com/elonen/debian-nginx-spnego
283283
284+ ## Config option details
285+
286+ Configuration options (generated by ` ldap_authz_proxy --help-config ` ):
287+
288+ ```
289+ http_path [default: '']
290+
291+ Regular expression to match the HTTP path against (e.g. '^/api/v1/.*').
292+ Never matched if empty. If you need to match all paths, use '^'.
293+ If multiple sections match, the first one is used.
294+
295+
296+ username_http_header [default: 'X-Ldap-Authz-Username']
297+
298+ HTTP header to use for the username
299+
300+
301+ ldap_server_url [REQUIRED]
302+
303+ URL of the LDAP server (e.g. 'ldaps://ldap.example.com:636')
304+
305+
306+ ldap_conn_timeout [default: '10.0']
307+
308+ LDAP connection timeout in seconds
309+
310+
311+ ldap_bind_dn [REQUIRED]
312+
313+ DN of the LDAP user to bind as (e.g. 'CN=proxyuser,OU=users,DC=example,DC=com')
314+
315+
316+ ldap_bind_password [REQUIRED]
317+
318+ Password of the LDAP user to bind as
319+
320+
321+ ldap_search_base [REQUIRED]
322+
323+ LDAP base DN to search in (e.g. 'OU=users,DC=example,DC=com')
324+
325+
326+ ldap_scope [default: 'subtree']
327+
328+ LDAP search scope. Must be 'subtree', 'onelevel' or 'base')
329+
330+
331+ ldap_query [REQUIRED]
332+
333+ LDAP query to use. May contain '%USERNAME%', which will be quoted and replaced.
334+ Example: '(&(objectClass=person)(sAMAccountName=%USERNAME%))
335+
336+
337+ ldap_attribs [default: 'CN']
338+
339+ LDAP attributes to return (e.g. 'displayName, givenName, sn, mail'). Must not be empty.
340+
341+
342+ query_vars [default: '']
343+
344+ Extra variables to use in the query, in addition to %USERNAME%.
345+ You can use these to avoid repeating long query strings in different sections.
346+
347+ Example: 'MY_GROUP_NAME=group1, MY_USER_ATTRIB=sAMAccountName'
348+ ...would turn '(&(objectClass=person)(%MY_USER_ATTRIB%=%USERNAME%)(memberOf=%MY_GROUP_NAME%))'
349+ into '(&(objectClass=person)(sAMAccountName=%USERNAME%)(memberOf=group1))'
350+
351+
352+ cache_size [default: '512']
353+
354+ Maximum number of entries to cache (per section)
355+
356+
357+ cache_time [default: '30.0']
358+
359+ Maximum age of entries in the cache (in seconds)
360+
361+
362+ attrib_delimiter [default: ';']
363+
364+ Delimiter to use when concatenating multiple values of an attribute
365+
366+
367+ deduplicate_attribs [default: 'true']
368+
369+ Whether to deduplicate attribute values.
370+ Example: 'someAttr=foo,bar,foo,foo' becomes 'someAttr=foo,bar')
371+
372+
373+ set_attribs_on_success [default: '']
374+
375+ Attributes to set manually if the main query succeeds.
376+ If empty, only the attributes returned by LDAP queries are set.
377+ Format: 'attribute=value1, attribute=value2, attribute2= ...'
378+
379+
380+ sub_queries [default: '']
381+
382+ Section names of optional sub-queries.'.
383+
384+ Sub-queries can check for additional conditions and/or set additional attributes.
385+ See also 'sub_query_join for details.
386+
387+ Recursions and duplicates are removed.
388+ Sub-queries are cached in the same way as the main query, and
389+ caching is hierarchical: if main query is cached, sub-queries are not executed.
390+
391+ Format: 'extra_section_1, extra_section_2'
392+
393+
394+ sub_query_join [default: 'Main']
395+
396+ How sub-queries affect authorization.
397+ Regardless of this, if any sub-query throws an LDAP error, the request is NOT authorized.
398+
399+ Possible values:
400+ - 'Any': If main query or any sub-queries returns non-empty, request is authorized.
401+ - 'All': All sub-queries must return non-empty, otherwise request is NOT authorized.
402+ - 'Main': If main query authorizes, use sub-requests to add attributes.
403+ ```
404+
284405## Development
285406
286407Probably the easiest way to develop this is to:
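Review bot: the generated help text in this hunk has unbalanced quotes and stray parentheses that will ship verbatim into `--help-config` output: `ldap_scope` ends with `'base')`, the `ldap_query` example `'(&(objectClass=person)(sAMAccountName=%USERNAME%))` has no closing quote, `deduplicate_attribs` has `'someAttr=foo,bar')`, `sub_queries` reads `sub-queries.'.`, and the cross-reference is written `'sub_query_join for details` with one quote. Since the block is generated, fix them in the help strings rather than by hand-editing the README. Two semantics points also deserve a sentence: `ldap_query` says `%USERNAME%` is quoted before substitution, but `query_vars` does not say whether its values get the same LDAP filter escaping (the example splices `memberOf=group1` in as-is), so an operator cannot tell whether a value containing filter metacharacters is treated as text or as filter syntax; and under `sub_query_join`, 'All' should state whether the main query must also return non-empty, and 'Any' whether the main query's attributes are still set when only a sub-query matches. Minor: the inline code span on the `Configuration options` line has padding spaces inside the backticks.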