couchdb-user mailing list archives

From Stefan Klein <st.fankl...@gmail.com>
Subject Re: LDAP Auth strategy using nginx
Date Tue, 21 Jan 2014 11:42:49 GMT
2014/1/21 Suraj Kumar <suraj.kumar@inmobi.com>

> Hi,
>
> We use nginx as a load balancing proxy in front of couchdb and let our
> clients directly talk REST with couchdb. We have a company standard "LDAP"
> server to auth against. I've tried (and given up) setting up the ldap auth
> plugin for couchdb. Here is our alternate strategy to get things going:
>
> 1. Clients will attempt auth on a specific route (ex: /auth). This is
> routed by nginx to a middleware which, after auth against LDAP, may insert
> / update the couchdb _users DB with similar user account.
> 2. The middleware also returns a "session" cookie that is nothing but
> crypt("username:password", "myserversecret").
> 3. On nginx side, we write a 'lua' module that decrypts the session cookie
> using the same shared "myserversecret" password. This module will fill in
> the http basic Authorization header. Since nginx is routing to couchDB too,
> I expect auth against couch to work transparently.
>
> What do you think about this approach?
>
>
Hi,

From my understanding (played around with it, but not in production yet)
you don't need to create the users in the DB.
You could just use "Proxy Authentication"*
http://docs.couchdb.org/en/latest/api/server/authn.html#proxy-authentication
So your nginx proxy just has to set some extra headers and couchdb will
trust it completely without further validation.
If your middleware is able to provide all needed information about the
users (i.e. roles), proxy authentication might be an option.

regards,
Stefan

* beware, there was/is a typo in the documentation, the
"proxy_authentication_handler" is actually called
"proxy_authenti*fi*cation_handler"
not sure if it is fixed yet, so if it doesn't work try both spellings.
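An added illustration of the proxy-authentication flow Stefan points to, written for this archive page and not taken from the thread or from CouchDB's own code. It models both halves: what the nginx/lua layer sets after the middleware has checked a user against LDAP, and how CouchDB's proxy_authentication_handler treats those headers. The header names (X-Auth-CouchDB-UserName, X-Auth-CouchDB-Roles, X-Auth-CouchDB-Token), the comma-separated roles format and the token construction (hex HMAC-SHA1 of the user name keyed with the `[couch_httpd_auth] secret`, checked only when `proxy_use_secret = true`) come from the CouchDB documentation, not from this thread; the user names, roles and secret value are constructed sample data. The point it makes explicit is the one Stefan's "trust it completely" implies: the proxy must strip any X-Auth-CouchDB-* header a client sends, and the shared secret is what stops a client that can reach CouchDB (or a proxy that forgets to strip) from asserting an identity.

```python
import hashlib
import hmac
from typing import Optional

# Header names read by CouchDB's proxy_authentication_handler (from the CouchDB
# docs, not from this mailing-list thread).
USER_HEADER = "X-Auth-CouchDB-UserName"
ROLES_HEADER = "X-Auth-CouchDB-Roles"
TOKEN_HEADER = "X-Auth-CouchDB-Token"
HEADER_PREFIX = "x-auth-couchdb-"

# Constructed sample value; in CouchDB this is [couch_httpd_auth] secret.
SECRET = "myserversecret"


def make_proxy_token(secret: str, username: str) -> str:
    """Token CouchDB expects when [couch_httpd_auth] proxy_use_secret = true:
    hex-encoded HMAC-SHA1 of the user name, keyed with the configured secret."""
    return hmac.new(secret.encode("utf-8"), username.encode("utf-8"),
                    hashlib.sha1).hexdigest()


def strip_client_auth_headers(headers: dict) -> dict:
    """Drop every X-Auth-CouchDB-* header that arrived from the client.
    Without this step a client could assert any identity and role set itself."""
    return {k: v for k, v in headers.items()
            if not k.lower().startswith(HEADER_PREFIX)}


def proxy_forward(secret: str, client_headers: dict,
                  ldap_user: str, ldap_roles: list) -> dict:
    """What the nginx/lua layer does once the session cookie has been mapped to
    an LDAP-authenticated user: strip client-supplied identity headers, then
    assert the verified identity and roles for CouchDB."""
    out = strip_client_auth_headers(client_headers)
    out[USER_HEADER] = ldap_user
    out[ROLES_HEADER] = ",".join(ldap_roles)
    out[TOKEN_HEADER] = make_proxy_token(secret, ldap_user)
    return out


def couchdb_proxy_auth(secret: str, headers: dict,
                       proxy_use_secret: bool = True) -> Optional[tuple]:
    """Model of the CouchDB side. Returns (username, roles) when the request is
    accepted and None when it falls through to the other handlers (no user
    header, or a bad token). With proxy_use_secret = false the headers are
    trusted exactly as presented, which is why the proxy must be the only
    party able to reach CouchDB."""
    lower = {k.lower(): v for k, v in headers.items()}
    username = lower.get(USER_HEADER.lower())
    if username is None:
        return None
    roles = [r for r in lower.get(ROLES_HEADER.lower(), "").split(",") if r]
    if proxy_use_secret:
        expected = make_proxy_token(secret, username)
        presented = lower.get(TOKEN_HEADER.lower(), "")
        # Constant-time comparison, so token checking does not leak by timing.
        if not hmac.compare_digest(expected, presented):
            return None
    return username, roles


def demo() -> tuple:
    """Constructed request in which a client tries to smuggle its own identity
    headers through the proxy. Returns what CouchDB would decide in three
    cases: proper proxy forwarding, the raw forged request with the secret
    enabled, and the raw forged request with the secret disabled."""
    forged = {
        "Host": "couch.example.test",
        "X-Auth-CouchDB-UserName": "admin",
        "X-Auth-CouchDB-Roles": "_admin",
        "X-Auth-CouchDB-Token": "not-a-real-token",
    }
    # The middleware authenticated "alice" against LDAP with role "staff".
    forwarded = proxy_forward(SECRET, forged, "alice", ["staff"])
    return (
        couchdb_proxy_auth(SECRET, forwarded),                 # ("alice", ["staff"])
        couchdb_proxy_auth(SECRET, forged),                    # None: bad token
        couchdb_proxy_auth(SECRET, forged, proxy_use_secret=False),  # forged identity accepted
    )


if __name__ == "__main__":
    for label, result in zip(("proxied", "forged+secret", "forged,no secret"), demo()):
        print(f"{label}: {result}")
```

On the real deployment the same three pieces map to configuration: `proxy_use_secret = true` and `secret = ...` under `[couch_httpd_auth]`, the handler listed in `[httpd] authentication_handlers`, and in nginx `proxy_set_header` for the three X-Auth-CouchDB-* headers (setting a header to an empty value in `proxy_set_header` removes it, which is how the strip step is expressed there). CouchDB should then only be reachable from the proxy, since the third case in `demo()` shows what happens when a request with forged headers arrives with the secret check disabled.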
