couchdb-user mailing list archives

From Stefan Klein <>
Subject Re: LDAP Auth strategy using nginx
Date Tue, 21 Jan 2014 11:42:49 GMT
2014/1/21 Suraj Kumar <>

> Hi,
> We use nginx as a load balancing proxy in front of couchdb and let our
> clients directly talk REST with couchdb. We have a company standard "LDAP"
> server to auth against. I've tried (and given up) setting up the ldap auth
> plugin for couchdb. Here is our alternate strategy to get things going:
> 1. Clients will attempt auth on a specific route (ex: /auth). This is
> routed by nginx to a middleware which, after auth against LDAP, may insert
> / update the couchdb _users DB with a similar user account.
> 2. The middleware also returns a "session" cookie that is nothing but
> crypt("username:password", "myserversecret").
> 3. On nginx side, we write a 'lua' module that decrypts the session cookie
> using the same shared "myserversecret" password. This module will fill in
> the http basic Authorization header. Since nginx is routing to couchDB too,
> I expect auth against couch to work transparently.
> What do you think about this approach?

From my understanding (played around with it, but not in production yet),
you don't need to create the users in the DB.
You could just use "Proxy Authentication"*
So your nginx proxy just has to set some extra headers and couchdb will
trust it completely without further validation.
If your middleware is able to provide all needed information about the
users (i.e. roles), proxy authentication might be an option.


* beware, there was/is a typo in the documentation, the
"proxy_authentication_handler" is actually called
not sure if it is fixed yet, so if it doesn't work try both spellings.
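
Added example, not part of the original message and not CouchDB's or the poster's code: what the proxy side has to do for Proxy Authentication to be safe when CouchDB trusts the forwarded headers. It assumes CouchDB's documented X-Auth-CouchDB-UserName / -Roles / -Token headers with proxy_use_secret enabled (token = hex HMAC-SHA1 of the username keyed with the couch_httpd_auth secret). The function names and sample values are hypothetical.

```python
import hashlib
import hmac

# Header names read by CouchDB's proxy authentication handler.
USER_H = "X-Auth-CouchDB-UserName"
ROLES_H = "X-Auth-CouchDB-Roles"
TOKEN_H = "X-Auth-CouchDB-Token"
PROXY_HEADERS = {h.lower() for h in (USER_H, ROLES_H, TOKEN_H)}


def couch_token(secret: bytes, username: str) -> str:
    """Hex HMAC-SHA1 of the username, keyed with the shared CouchDB secret."""
    return hmac.new(secret, username.encode("utf-8"), hashlib.sha1).hexdigest()


def build_upstream_headers(client_headers: dict, username: str,
                           roles: list, secret: bytes) -> dict:
    """Headers the proxy forwards to CouchDB after LDAP accepted the user.

    Any X-Auth-CouchDB-* header sent by the client is dropped first
    (case-insensitively), so a client cannot name its own user or roles.
    """
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in PROXY_HEADERS}
    out[USER_H] = username
    out[ROLES_H] = ",".join(roles)
    out[TOKEN_H] = couch_token(secret, username)
    return out


def couch_would_accept(headers: dict, secret: bytes) -> bool:
    """Model of the token check CouchDB applies when proxy_use_secret = true."""
    user = headers.get(USER_H)
    if not user:
        return False
    token = headers.get(TOKEN_H, "").encode("utf-8")
    expected = couch_token(secret, user).encode("utf-8")
    return hmac.compare_digest(token, expected)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, not a real secret
    # Constructed client request that tries to smuggle in its own identity.
    spoofed = {"Accept": "application/json",
               "x-auth-couchdb-username": "admin",
               "X-Auth-CouchDB-Roles": "_admin"}
    upstream = build_upstream_headers(spoofed, "suraj", ["readers"], secret)
    print(upstream)
    print(couch_would_accept(upstream, secret))
    print(couch_would_accept({USER_H: "admin", ROLES_H: "_admin"}, secret))
```

Without the token check, any request that reaches CouchDB without passing through the proxy can claim any user, so the CouchDB port should also be reachable only from nginx.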
