Configuring LDAP Authentication for NGINX HTTP Reverse Proxy

You can configure the device's HTTP Reverse Proxy to authenticate HTTP requests with an LDAP server. This is done using the device's integrated NGINX add-on module "nginx-auth-ldap-module".

To configure LDAP authentication for HTTP Reverse Proxy:
1. Configure one or more LDAP servers in an HTTP Directive Set. The declaration may include the optional "require group", "require valid_user", or "require user" clauses.
ldap_server ad_1 {
# User search base (RFC 4516 URL: scheme://host:port/BASE?ATTRIBUTE?SCOPE?FILTER)
url "ldap://<YOUR LDAP SERVER>:3268/DC=company,DC=com?sAMAccountName?sub?(objectClass=person)";
# bind as
binddn "CN=Operator,OU=Service Accounts,DC=company,DC=com";
# bind pw
binddn_passwd <PUT Operator's PASSWORD HERE>;
# group attribute name which contains member object
group_attribute member;
# search for full DN in member object
group_attribute_is_dn on;
# matching algorithm (any / all): how the require lines below are combined
satisfy any;
# optional list of allowed groups
require group "CN=Admins,OU=My Security Groups,DC=company,DC=com";
require group "CN=New York Users,OU=My Security Groups,DC=company,DC=com";

# optional list of allowed users
# require 'valid_user' cannot be used together with 'user' as valid user is a superset
# note: with 'satisfy any', 'require valid_user' admits every user who can bind,
# so the group lines above no longer restrict access
require valid_user;
# require user "<YOUR LDAP QUERY>";
}
2. Customize the url, bind DN and password, and any other attributes of the query as needed. Details of the syntax supported for the LDAP server declarations can be found in the nginx-auth-ldap module documentation. Two points to check before saving the set: prefer an ldaps:// URL (port 3269 for the Global Catalog, 636 for a single domain controller) so that neither the service account's password nor the users' passwords cross the network in cleartext, and use a dedicated read-only service account for binddn, because its password is stored in the directive set as plain text. Also decide whether you want "require valid_user" at all: combined with "satisfy any" it allows every account that can bind, regardless of the groups listed, so remove it if access is meant to be limited to those groups.
3. Reference this new declaration in the “HTTP Context Directives”. For example, if in the previous step, you named the HTTP Directive Set "My LDAP Server", then add the following line to the “HTTP Context Directives”:
<@Include My LDAP Server@>;
4. Activate LDAP authentication on the HTTP Servers and/or Locations:
a. Add the following lines to an HTTP Directive Set. The string given to auth_ldap is the realm returned in the HTTP Basic authentication challenge; because the module uses HTTP Basic authentication, the client sends its password with every request, so only enable this on servers and locations served over HTTPS:
auth_ldap "Forbidden";
auth_ldap_servers ad_1;
# additional ldap servers as required…
# auth_ldap_servers ad_2;
b. Set this HTTP Directive Set as the Additional Directive set for any HTTP servers or HTTP Locations for which you wish to authenticate using LDAP.
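To see what the ad_1 declaration actually decides for a given request, the following is an added example, not code from this page or from the nginx-auth-ldap module: it parses the RFC 4516 URL from the url directive, walks the same sequence the directives describe (service bind, user search, user bind, then the require rules combined by satisfy), and renders the ldapsearch command you can run by hand to confirm the bind DN and filter before committing them. The directory entries, the host dc1.company.com, the account names and the passwords are constructed test data; the evaluation is a model of the documented semantics, not the module's own code.

```python
"""Offline model of how an nginx-auth-ldap ldap_server block is evaluated."""
from urllib.parse import urlsplit, unquote

# Constructed stand-in for the directory tree; passwords are fake test values.
DIRECTORY = {
    "CN=Operator,OU=Service Accounts,DC=company,DC=com": {
        "objectClass": ["person"], "sAMAccountName": "svc-nginx",
        "userPassword": "op-secret"},
    "CN=Jane Doe,OU=Users,DC=company,DC=com": {
        "objectClass": ["person"], "sAMAccountName": "jdoe",
        "userPassword": "jane-pw"},
    "CN=Bob Roe,OU=Users,DC=company,DC=com": {
        "objectClass": ["person"], "sAMAccountName": "broe",
        "userPassword": "bob-pw"},
    "CN=Admins,OU=My Security Groups,DC=company,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Jane Doe,OU=Users,DC=company,DC=com"]},
    "CN=New York Users,OU=My Security Groups,DC=company,DC=com": {
        "objectClass": ["group"], "member": []},
}

# The ad_1 block from the page, as a dict (host name is an assumption).
AD_1 = {
    "url": "ldap://dc1.company.com:3268/DC=company,DC=com"
           "?sAMAccountName?sub?(objectClass=person)",
    "binddn": "CN=Operator,OU=Service Accounts,DC=company,DC=com",
    "binddn_passwd": "op-secret",
    "group_attribute": "member",
    "group_attribute_is_dn": True,
    "satisfy": "any",
    "require": [
        ("group", "CN=Admins,OU=My Security Groups,DC=company,DC=com"),
        ("group", "CN=New York Users,OU=My Security Groups,DC=company,DC=com"),
        ("valid_user", None),
    ],
}


def parse_ldap_url(url):
    """Split an RFC 4516 URL (scheme://host:port/BASE?ATTR?SCOPE?FILTER)."""
    p = urlsplit(url)
    attr, scope, filt = (p.query.split("?") + ["", "", ""])[:3]
    return {"tls": p.scheme == "ldaps", "host": p.hostname, "port": p.port or 389,
            "base": unquote(p.path.lstrip("/")), "attr": attr or "uid",
            "scope": scope or "base", "filter": unquote(filt) or "(objectClass=*)"}


def matches(entry, filt):
    """Minimal filter evaluator for the shapes used here: (attr=value) and (&...)."""
    if filt.startswith("(&"):
        subs, depth, cur = [], 0, ""
        for ch in filt[2:-1]:
            cur, depth = cur + ch, depth + (ch == "(") - (ch == ")")
            if depth == 0:
                subs.append(cur)
                cur = ""
        return all(matches(entry, s) for s in subs)
    attr, _, val = filt[1:-1].partition("=")
    have = entry.get(attr, [])
    have = have if isinstance(have, list) else [have]
    return (val == "*" and bool(have)) or val in have


def authenticate(cfg, username, password):
    """Return (allowed, reason): service bind, user search, user bind, require rules."""
    u = parse_ldap_url(cfg["url"])
    if DIRECTORY.get(cfg["binddn"], {}).get("userPassword") != cfg["binddn_passwd"]:
        return False, "service bind failed"
    # The module ANDs the URL filter with attr=<login name> to find the user.
    filt = "(&%s(%s=%s))" % (u["filter"], u["attr"], username)
    hits = [dn for dn, e in DIRECTORY.items()
            if dn.endswith(u["base"]) and matches(e, filt)]  # scope sub
    if len(hits) != 1:
        return False, "user not found"
    user_dn = hits[0]
    if DIRECTORY[user_dn]["userPassword"] != password:
        return False, "user bind failed"
    results = []
    for kind, value in cfg["require"]:
        if kind == "valid_user":
            results.append(True)            # any user who could bind passes
        elif kind == "user":
            results.append(value == user_dn)
        elif kind == "group":
            members = DIRECTORY.get(value, {}).get(cfg["group_attribute"], [])
            needle = user_dn if cfg["group_attribute_is_dn"] else username
            results.append(needle in members)
    combine = any if cfg["satisfy"] == "any" else all
    return combine(results), "require rules combined with satisfy %s" % cfg["satisfy"]


def ldapsearch_command(cfg, username):
    """Equivalent ldapsearch invocation for checking the URL and bind DN by hand."""
    u = parse_ldap_url(cfg["url"])
    return ('ldapsearch -H %s://%s:%d -D "%s" -W -b "%s" -s %s "(&%s(%s=%s))" dn memberOf'
            % ("ldaps" if u["tls"] else "ldap", u["host"], u["port"], cfg["binddn"],
               u["base"], u["scope"], u["filter"], u["attr"], username))


if __name__ == "__main__":
    print(ldapsearch_command(AD_1, "jdoe"))
    for user, pw in (("jdoe", "jane-pw"), ("broe", "bob-pw"), ("jdoe", "wrong")):
        print(user, authenticate(AD_1, user, pw))
    strict = dict(AD_1, require=AD_1["require"][:2])   # valid_user removed
    print("broe with groups only:", authenticate(strict, "broe", "bob-pw"))
```

Running it shows the point made in step 2: with the block as written, broe is admitted although he is in neither group, because "require valid_user" under "satisfy any" is satisfied by any successful bind; with that line removed, only the Admins member jdoe gets through.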