
Nginx with Python LDAP authentication for Kibana login authorization


### References and dependencies

https://github.com/nginxinc/nginx-ldap-auth
http://nginx.org/
nginx-1.14.2
http_auth_request_module
nginx-ldap-auth
python2.7
python-ldap

### LDAP support in Nginx

1. Deploy nginx. Note that the build must include http_auth_request_module:

```shell
wget http://nginx.org/download/nginx-1.14.2.tar.gz
tar zxvf nginx-1.14.2.tar.gz
cd nginx-1.14.2
./configure --with-http_auth_request_module
make
make install
/usr/local/nginx/sbin/nginx
```
2. Configure nginx. Pay attention to the LDAP settings. Contents of /usr/local/nginx/conf/nginx.conf:

```nginx
user                  nobody nobody;
worker_processes      auto;
#worker_cpu_affinity  auto;
worker_rlimit_nofile  65535;

error_log logs/error.log;
pid logs/nginx.pid;

events {
    use epoll;
    #reuse_port on; #used in tengine and linux kernel >= 3.9

    accept_mutex off; #used in nginx
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;

    log_format      main        '$remote_addr - $remote_user [$time_local] "$request" '
                                '$status $request_time $body_bytes_sent "$http_referer" '
                                '"$http_user_agent" "$http_x_forwarded_for"|body: $request_body';

    sendfile                    on;
    tcp_nopush                  on;
    tcp_nodelay                 on;
    keepalive_timeout           60;

    gzip                        on;
    gzip_vary                   on;
    gzip_comp_level             5;
    gzip_buffers                16 4k;
    gzip_min_length             1000;
    gzip_proxied                any;
    gzip_disable                "msie6";
    gzip_types                  text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/json;

    open_file_cache max=1000    inactive=20s;
    open_file_cache_valid       30s;
    open_file_cache_min_uses    2;
    open_file_cache_errors      on;

    client_max_body_size        50m;

    # The cache reduces how often LDAP is queried; without it every page load triggers an LDAP check.
    # If you do not care about that, running without the cache works fine as well.
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

    # kibana upstream
    upstream kibana_server {
        server 10.2.8.44:5601;
    }

    server {
        listen 5601;
        server_name localhost;
        access_log logs/kibanan_access.log main;
        error_log logs/kibanan_error.log debug;

        # the backend application (proxied to the Kibana upstream)
        location / {
            auth_request /auth-proxy;

            # nginx redirects to the login page on both 401 and 403 returned by nginx-ldap-auth-daemon.py
            error_page 401 403 =200 /login;

            proxy_pass http://kibana_server;
        }

        # login page, served by backend-sample-app.py running on the same host
        # (the author's note mentions port 8082, which is not the default; the proxy_pass below uses 9000)
        location /login {
            proxy_pass http://127.0.0.1:9000/login;
            proxy_set_header X-Target $request_uri;
        }

        location = /auth-proxy {
            internal;
            proxy_pass http://127.0.0.1:8888;     # port nginx-ldap-auth-daemon.py listens on
            # cache settings
            proxy_cache auth_cache;
            proxy_cache_key "$http_authorization$cookie_nginxauth";
            proxy_cache_valid 200 403 10m;

            proxy_pass_request_body off;
            proxy_set_header Content-Length "";

            # The most important part: the LDAP settings. Set the following four items to match your
            # company's LDAP. I was stuck at this step for a long time because my LDAP settings were wrong.
            # All of these values are passed to the nginx-ldap-auth-daemon.py script as HTTP headers.
            proxy_set_header X-Ldap-URL      "ldap://10.2.150.11:389";
            proxy_set_header X-Ldap-BaseDN   "ou=People,dc=yiche,dc=org";
            proxy_set_header X-Ldap-BindDN   "cn=OPITUser,ou=OuterUser,dc=che,dc=org";
            proxy_set_header X-Ldap-BindPass "opit@minminmsn";
            proxy_set_header X-Ldap-Template "(uid=%(username)s)";

            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;
        }

    }
}
```
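The subrequest contract behind the `/auth-proxy` location above, as an added example written for this page (it is not code from the nginx-ldap-auth project): a minimal Python 3 auth backend that reads the `X-Ldap-*` headers and the `nginxauth` cookie exactly as the config sends them, fills the `X-Ldap-Template` filter with an RFC 4515-escaped username so a login name cannot rewrite the search filter, and answers `auth_request` with 200, 401 or 403. The LDAP search-and-bind is a pluggable callable; `stub_bind` is a constructed stand-in that accepts one fixed user so the module runs offline, and the listening port 8888 follows the config.

```python
# Added example, not the nginx-ldap-auth daemon itself. Speaks the same
# header/cookie contract the nginx config uses; the LDAP bind is pluggable
# and `stub_bind` below is a constructed stand-in, not a real directory.
import base64
import binascii
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_credentials(authorization, cookie_header, cookie_name="nginxauth"):
    """Return (user, password) from a Basic Authorization header or from the
    base64 'user:password' cookie the login backend sets; None if absent/invalid."""
    token = None
    if authorization and authorization.lower().startswith("basic "):
        token = authorization[6:].strip()
    elif cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if cookie_name in jar:
            token = jar[cookie_name].value
    if not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    if not user or not password:
        return None
    return user, password


def escape_filter_value(value):
    """RFC 4515 escaping: the username is user input, so it must not be able
    to add or close filter components."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(template, username):
    """Fill the X-Ldap-Template (e.g. '(uid=%(username)s)') with the escaped name."""
    return template % {"username": escape_filter_value(username)}


def stub_bind(url, base_dn, search_filter, password):
    """Constructed stand-in for 'search user by filter, then bind as it'."""
    return search_filter == "(uid=alice)" and password == "s3cret"


class AuthHandler(BaseHTTPRequestHandler):
    bind = staticmethod(stub_bind)  # swap in a real LDAP search+bind here

    def do_GET(self):
        h = self.headers
        creds = parse_credentials(h.get("Authorization"), h.get("Cookie"),
                                  h.get("X-CookieName", "nginxauth"))
        if creds is None:
            # No credentials: 401, which the error_page directive turns into /login
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Restricted"')
            self.send_header("Cache-Control", "no-cache")
            self.end_headers()
            return
        user, password = creds
        flt = build_filter(h.get("X-Ldap-Template", "(cn=%(username)s)"), user)
        ok = self.bind(h.get("X-Ldap-URL"), h.get("X-Ldap-BaseDN"), flt, password)
        # 403 is also redirected to /login by nginx, and cached for 10m by the config
        self.send_response(200 if ok else 403)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep Authorization/cookie material out of the daemon's stdout


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8888), AuthHandler).serve_forever()
```

Because `proxy_cache_key` is built from the raw `Authorization` header and cookie, a cached 200 keeps granting access for up to the configured 10 minutes even after the password changes in LDAP; shorten `proxy_cache_valid` if that window matters.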


### Python LDAP authentication

```shell
wget https://github.com/nginxinc/nginx-ldap-auth/archive/0.0.4.tar.gz
tar zxvf 0.0.4.tar.gz
cd nginx-ldap-auth-0.0.4
python nginx-ldap-auth-daemon.py &
```


### Backend login redirect page

The default page is only suitable for testing; it needs a few changes before it can be used.

```shell
vim backend-sample-app.py
python backend-sample-app.py &
```

The `html=` string in backend-sample-app.py, after modification, looks like this:

```html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>login</title>
<style>
*{margin:0;padding:0;}
.login{
width:400px;
height:220px;
margin:0 auto;
position:absolute;
left:35%;
top:25%;
}
.login_title{
color: #000000;
font: bold 14px/37px Arial,Helvetica,sans-serif;
height: 37px;
padding-left: 35px;
text-align: left;
}

.login_cont {
background: none repeat scroll 0 0 #FFFFFF;
border: 1px solid #B8B7B7;
height: 152px;
padding-top: 30px;
}
.form_table {
float: left;
margin-top: 10px;
table-layout: fixed;
width: 100%;
}
.form_table th {
color: #333333;
font-weight: bold;
padding: 5px 8px 5px 0;
text-align: right;
white-space: nowrap;
}
.form_table td {
color: #717171;
line-height: 200%;
padding: 6px 0 5px 10px;
text-align: left;
}
.login_cont input.submit {
background-position: 0 -37px;
height: 29px;
margin: 10px 14px 0 0;
width: 38px;
}
</style>
</head>
<body>
<div class="login">
<div class="login_cont">
<p align="center">Welcome to the Kibana management platform</p>
<p align="center">Please log in with your email account and password</p>
<form action='/login' method='post'>
<table class="form_table">
<col width="60px" />
<col />
<tr>
<th>Username:</th><td><input class="normal" type="text" name="username" placeholder="Please enter your username" /> @zhidaoauto.com</td>
</tr>
<tr>
<th>Password:</th><td><input class="normal" type="password" name="password" placeholder="Please enter your password" /></td>
</tr>
<tr>
<th></th><td><input class="submit" type="submit" value="Login" /><input class="submit" type="reset" value="Cancel" /></td>
</tr>
</table>
<input type="hidden" name="target" value="TARGET">
</form>
</div>
</div>
</body>
</html>
```
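The server side of this form, as an added example for this page rather than the project's own backend-sample-app.py: a Python 3 login backend for the `/login` location that fills the `TARGET` placeholder from the `X-Target` header, and on POST sets the `nginxauth` cookie (base64 of `user:password`, which is what the auth daemon expects) and redirects the browser back to the page it originally asked for. `LOGIN_FORM` is a constructed cut-down stand-in for the full page above, and `safe_target` is an added check: the config sets `X-Target` from `$request_uri`, so a legitimate value is always a same-origin path, and any other value is refused rather than followed.

```python
# Added example, not the project's backend-sample-app.py. LOGIN_FORM is a
# constructed stand-in for the full page; the real one goes in its place.
import base64
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

LOGIN_FORM = """<form action='/login' method='post'>
<input name='username'/><input type='password' name='password'/>
<input type='hidden' name='target' value='TARGET'/>
<input type='submit' value='Login'/></form>"""


def render_form(page, target):
    """Fill the TARGET placeholder; HTML-escaping keeps X-Target out of the markup."""
    return page.replace("TARGET", escape(target, quote=True))


def safe_target(target, default="/"):
    """X-Target comes from nginx's $request_uri, so a valid value is a single
    leading-slash path. Scheme-relative ('//host') or absolute URLs fall back
    to the default instead of becoming an open redirect."""
    if not target or not target.startswith("/"):
        return default
    if target.startswith("//") or target.startswith("/\\"):
        return default
    return target


def make_cookie(username, password, name="nginxauth"):
    """The cookie carries the credentials base64-encoded, not encrypted, which is
    why the whole path (browser -> nginx -> daemon) should run over TLS."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"{name}={token}; HttpOnly; Path=/"


class LoginHandler(BaseHTTPRequestHandler):
    def _redirect(self, location, cookie=None):
        self.send_response(303)
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Location", location)
        self.end_headers()

    def do_GET(self):
        body = render_form(LOGIN_FORM, self.headers.get("X-Target", "/")).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode("utf-8"))
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if not user or not password:
            self._redirect("/login")  # incomplete form: show it again
            return
        target = safe_target(form.get("target", [""])[0])
        self._redirect(target, make_cookie(user, password))

    def log_message(self, *args):
        pass  # do not log form submissions


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), LoginHandler).serve_forever()
```

On the next request nginx forwards the cookie to `/auth-proxy`, the daemon validates it against LDAP, and the redirect to `target` lands on the Kibana page that triggered the login.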



### Login test

http://10.2.8.24:5601/

![](http://i2.51cto.com/images/blog/201812/24/2ec96017895b0be37676ff980fd50f5a.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
