You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@couchdb.apache.org by Suraj Kumar <su...@inmobi.com> on 2014/01/21 12:12:56 UTC

LDAP Auth strategy using nginx

Hi,

We use nginx as a load balancing proxy in front of couchdb and let our
clients directly talk REST with couchdb. We have a company standard "LDAP"
server to auth against. I've tried (and given up) setting up the ldap auth
plugin for couchdb. Here is our alternate strategy to get things going:

1. Clients will attempt auth on a specific route (ex: /auth). This is
routed by nginx to a middleware which, after auth against LDAP, may insert
/ update the couchdb _users DB with similar user account.
2. The middle ware also returns a "session" cookie that is nothing but
crypt("username:password", "myserversecret").
3. On nginx side, we write a 'lua' module that decrypts the session cookie
using the same shared  "myserversecret" password. This module will fill in
the http basic Authorization header. Since nginx is routing to couchDB too,
I expect auth against couch to work transparently.

What do you think about this approach?

Regards,

  -Suraj


-- 
An Onion is the Onion skin and the Onion under the skin until the Onion
Skin without any Onion underneath.

-- 
_____________________________________________________________
The information contained in this communication is intended solely for the 
use of the individual or entity to whom it is addressed and others 
authorized to receive it. It may contain confidential or legally privileged 
information. If you are not the intended recipient you are hereby notified 
that any disclosure, copying, distribution or taking any action in reliance 
on the contents of this information is strictly prohibited and may be 
unlawful. If you have received this communication in error, please notify 
us immediately by responding to this email and then delete it from your 
system. The firm is neither liable for the proper and complete transmission 
of the information contained in this communication nor for any delay in its 
receipt.

Re: LDAP Auth strategy using nginx

Posted by Suraj Kumar <su...@inmobi.com>.

On further reading of the CouchDB documentation, I figured the /_session
API is the nearest to what we want. So, we're going to completely NOT write
the middle ware and just use the /_session API.


On Tue, Jan 21, 2014 at 5:12 PM, Stefan Klein <st...@gmail.com> wrote:

> 2014/1/21 Suraj Kumar <su...@inmobi.com>
>
> > Hi,
> >
> > We use nginx as a load balancing proxy in front of couchdb and let our
> > clients directly talk REST with couchdb. We have a company standard
> "LDAP"
> > server to auth against. I've tried (and given up) setting up the ldap
> auth
> > plugin for couchdb. Here is our alternate strategy to get things going:
> >
> > 1. Clients will attempt auth on a specific route (ex: /auth). This is
> > routed by nginx to a middleware which, after auth against LDAP, may
> insert
> > / update the couchdb _users DB with similar user account.
> > 2. The middle ware also returns a "session" cookie that is nothing but
> > crypt("username:password", "myserversecret").
> > 3. On nginx side, we write a 'lua' module that decrypts the session
> cookie
> > using the same shared  "myserversecret" password. This module will fill
> in
> > the http basic Authorization header. Since nginx is routing to couchDB
> too,
> > I expect auth against couch to work transparently.
> >
> > What do you think about this approach?
> >
> >
> Hi,
>
> from my understanding (played around with it, but not in production yet)
> you don't need to create the users in the DB.
> You could just use "Proxy Authentication"*
>
> http://docs.couchdb.org/en/latest/api/server/authn.html#proxy-authentication
> So your nginx proxy just has to set some extra headers and couchdb will
> trust it completely without further validation.
> If your middle ware i able to provide all needed information about the
> users (i.e. roles) proxy authentication might be an option.
>
> regards,
> Stefan
>
> * beware, there was/is a typo in the documentation, the
> "proxy_authentication_handler" is actualy called
> "proxy_authenti*fi*cation_handler"
> not sure if it is fixed yet, so if it doesn't work try both spellings.
>



-- 
An Onion is the Onion skin and the Onion under the skin until the Onion
Skin without any Onion underneath.

-- 
_____________________________________________________________
The information contained in this communication is intended solely for the 
use of the individual or entity to whom it is addressed and others 
authorized to receive it. It may contain confidential or legally privileged 
information. If you are not the intended recipient you are hereby notified 
that any disclosure, copying, distribution or taking any action in reliance 
on the contents of this information is strictly prohibited and may be 
unlawful. If you have received this communication in error, please notify 
us immediately by responding to this email and then delete it from your 
system. The firm is neither liable for the proper and complete transmission 
of the information contained in this communication nor for any delay in its 
receipt.

Re: LDAP Auth strategy using nginx

Posted by Stefan Klein <st...@gmail.com>.

2014/1/21 Suraj Kumar <su...@inmobi.com>

> Hi,
>
> We use nginx as a load balancing proxy in front of couchdb and let our
> clients directly talk REST with couchdb. We have a company standard "LDAP"
> server to auth against. I've tried (and given up) setting up the ldap auth
> plugin for couchdb. Here is our alternate strategy to get things going:
>
> 1. Clients will attempt auth on a specific route (ex: /auth). This is
> routed by nginx to a middleware which, after auth against LDAP, may insert
> / update the couchdb _users DB with similar user account.
> 2. The middle ware also returns a "session" cookie that is nothing but
> crypt("username:password", "myserversecret").
> 3. On nginx side, we write a 'lua' module that decrypts the session cookie
> using the same shared  "myserversecret" password. This module will fill in
> the http basic Authorization header. Since nginx is routing to couchDB too,
> I expect auth against couch to work transparently.
>
> What do you think about this approach?
>
>
Hi,

from my understanding (played around with it, but not in production yet)
you don't need to create the users in the DB.
You could just use "Proxy Authentication"*
http://docs.couchdb.org/en/latest/api/server/authn.html#proxy-authentication
So your nginx proxy just has to set some extra headers and couchdb will
trust it completely without further validation.
If your middle ware i able to provide all needed information about the
users (i.e. roles) proxy authentication might be an option.

regards,
Stefan

* beware, there was/is a typo in the documentation, the
"proxy_authentication_handler" is actualy called
"proxy_authenti*fi*cation_handler"
not sure if it is fixed yet, so if it doesn't work try both spellings.