Compiling the nginx-auth-ldap module requires the ldap.h header file, so install the LDAP development library first.

yum -y install openldap-devel

1. Download the module source
git clone https://github.com/kvspb/nginx-auth-ldap.git
2. Compile the module into nginx when building and installing nginx.
./configure --add-module=path_to_http_auth_ldap_module
make install

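If the build fails because the OpenSSL version is too old, upgrade OpenSSL.
If the build reports that the pragma GCC diagnostic option is unknown:

gcc 4.4 cannot interpret '#pragma GCC diagnostic warning "-Wcpp"'

The fix is as follows.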

// make sure manual warnings don't get escalated to errors
#ifdef __clang__
#pragma clang diagnostic warning "-W#warnings"
#else
#ifdef __GNUC__
// only emit the pragma for GCC major versions newer than 4
#if __GNUC__ > 4
#pragma GCC diagnostic warning "-Wcpp"
#endif
#endif
#endif
// TODO: do the same stuff for MSVC and/or other compiler
Adding that one #if check is enough.

3. Configure LDAP authentication

http {
    ldap_server openldap {
        url ldap://192.168.192.20:389/dc=example,dc=com?uid?sub?(&(objectClass=account));
        binddn "cn=Manager,dc=example,dc=com";
        binddn_passwd "secret";
        group_attribute memberuid;
        group_attribute_is_dn on;
        require valid_user;
    }
}

In conf.d, set up the server block:

server {
    location /status {
        stub_status on;
        access_log off;
        auth_ldap "Restricted Space";
        auth_ldap_servers openldap;
    }
}

Add the following to the http block of the main nginx configuration file.
group_attribute People: this is which group is consulted during authentication.
http {
    ldap_server test2 {
        url ldap://172.16.6.13:389/DC=ptmind,DC=com?cn?sub?(objectClass=person);
        binddn "cn=ldap,dc=ptmind,dc=com";
        binddn_passwd 'xxxxxxxxx';
        group_attribute People;
        group_attribute_is_dn on;
        require valid_user;
    }
}
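
Both ldap_server blocks on this page use ldap:// URLs and keep binddn_passwd in the nginx configuration, so the bind password and user passwords cross the network unencrypted and the bind password is readable by anyone who can read the file. The script below is an added example, not part of the original post or of nginx-auth-ldap: audit_ldap_conf is a hypothetical helper that flags those settings, and the "secure" block with its host name and CA path is a constructed sample using the module's ssl_check_cert and ssl_ca_file directives. Treating an absent ssl_check_cert as off is an assumption.

```shell
#!/bin/sh
# Added example; audit_ldap_conf is a hypothetical helper, not part of nginx-auth-ldap.
audit_ldap_conf() {   # $1 = nginx config file; prints one finding per line
    awk '
        # Start of an ldap_server block: remember its name, reset state.
        $1 == "ldap_server" { name = $2; in_blk = 1; scheme = ""; check = "off"; next }
        # url ldap://... or ldaps://... : keep only the scheme.
        in_blk && $1 == "url" { scheme = $2; sub(/:.*/, "", scheme) }
        # ssl_check_cert on|chain|off; assumed off when the directive is absent.
        in_blk && $1 == "ssl_check_cert" { check = $2; sub(/;.*/, "", check) }
        # End of block: report the transport weakness, if any.
        in_blk && $1 == "}" {
            if (scheme == "ldap")
                print name ": cleartext ldap:// URL"
            else if (scheme == "ldaps" && check == "off")
                print name ": ldaps:// without certificate verification"
            in_blk = 0
        }
    ' "$1"
    # The bind password sits in the config in plain text; flag world-readable files.
    if grep -q "binddn_passwd" "$1" && [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo "$1: binddn_passwd in a world-readable file"
    fi
}

# Constructed sample: "openldap" mirrors the config above, "secure" is a
# hypothetical ldaps variant (host name and CA path are placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
http {
    ldap_server openldap {
        url ldap://192.168.192.20:389/dc=example,dc=com?uid?sub?(&(objectClass=account));
        binddn "cn=Manager,dc=example,dc=com";
        binddn_passwd "secret";
        require valid_user;
    }
    ldap_server secure {
        url ldaps://ldap.example.com:636/dc=example,dc=com?uid?sub?(objectClass=account);
        ssl_check_cert on;
        ssl_ca_file /etc/pki/tls/certs/ca-bundle.crt;
        binddn "cn=Manager,dc=example,dc=com";
        binddn_passwd "secret";
        require valid_user;
    }
}
EOF
audit_ldap_conf "$sample"
rm -f "$sample"
```

Run it against the real nginx.conf and any included file that holds an ldap_server block; a clean result prints nothing.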