Return-Path: X-Original-To: apmail-couchdb-user-archive@www.apache.org Delivered-To: apmail-couchdb-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id C9FB110CDE for ; Tue, 21 Jan 2014 11:43:17 +0000 (UTC) Received: (qmail 88751 invoked by uid 500); 21 Jan 2014 11:43:16 -0000 Delivered-To: apmail-couchdb-user-archive@couchdb.apache.org Received: (qmail 88339 invoked by uid 500); 21 Jan 2014 11:43:15 -0000 Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@couchdb.apache.org Delivered-To: mailing list user@couchdb.apache.org Received: (qmail 88329 invoked by uid 99); 21 Jan 2014 11:43:14 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 21 Jan 2014 11:43:14 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of st.fankl.in@gmail.com designates 209.85.214.52 as permitted sender) Received: from [209.85.214.52] (HELO mail-bk0-f52.google.com) (209.85.214.52) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 21 Jan 2014 11:43:10 +0000 Received: by mail-bk0-f52.google.com with SMTP id e11so1975839bkh.11 for ; Tue, 21 Jan 2014 03:42:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=Oy1i6kFsXTh5rKc6cTm3Dzj5oz2bB24Z5A4nl1YLWIw=; b=jXjpjx9lDbtFBa6bcP3p1Nx0jvB6wiIYA1oAMrQyoz3h7F0/fnhCxGpgda51MXm565 +QN79tyl1mSfIyg9Y4/V7akJFPp3f8D6kLkrCrYYicR9MAxJI9J3a4HaVhOZAj030Ph5 rTEF5x2vFh2P+zr8r42GnzjEU7GgAmGT9m0SsDn3ny48Vwd6hr+zqJ0VN4WqiWCUzvtt 0Lyn9wDejgCkdeC5gwLHodTpT5JjF2COh+GYzaUNgsr/kws7n3vGs0x+Lg/5HsEuTW5j f2stFhz8vEJ2u3Oukccvu572WLC24+t/zU/K/lTLC4EHaRcNWqsgQtUA6hmxPrwvkAl+ BFcg== MIME-Version: 1.0 X-Received: by 10.204.123.199 with SMTP id q7mr632564bkr.53.1390304569205; Tue, 21 Jan 2014 03:42:49 -0800 (PST) Received: by 10.204.55.72 with HTTP; Tue, 21 Jan 2014 03:42:49 -0800 (PST) In-Reply-To: References: Date: Tue, 21 Jan 2014 12:42:49 +0100 Message-ID: Subject: Re: LDAP Auth strategy using nginx From: Stefan Klein To: user@couchdb.apache.org Content-Type: multipart/alternative; boundary=001a11334a3cfa521704f07981fb X-Virus-Checked: Checked by ClamAV on apache.org --001a11334a3cfa521704f07981fb Content-Type: text/plain; charset=ISO-8859-1 2014/1/21 Suraj Kumar > Hi, > > We use nginx as a load balancing proxy in front of couchdb and let our > clients directly talk REST with couchdb. We have a company standard "LDAP" > server to auth against. I've tried (and given up) setting up the ldap auth > plugin for couchdb. Here is our alternate strategy to get things going: > > 1. Clients will attempt auth on a specific route (ex: /auth). This is > routed by nginx to a middleware which, after auth against LDAP, may insert > / update the couchdb _users DB with similar user account. > 2. The middle ware also returns a "session" cookie that is nothing but > crypt("username:password", "myserversecret"). > 3. On nginx side, we write a 'lua' module that decrypts the session cookie > using the same shared "myserversecret" password. This module will fill in > the http basic Authorization header. Since nginx is routing to couchDB too, > I expect auth against couch to work transparently. > > What do you think about this approach? > > Hi, from my understanding (played around with it, but not in production yet) you don't need to create the users in the DB. You could just use "Proxy Authentication"* http://docs.couchdb.org/en/latest/api/server/authn.html#proxy-authentication So your nginx proxy just has to set some extra headers and couchdb will trust it completely without further validation. If your middle ware i able to provide all needed information about the users (i.e. roles) proxy authentication might be an option. regards, Stefan * beware, there was/is a typo in the documentation, the "proxy_authentication_handler" is actualy called "proxy_authenti*fi*cation_handler" not sure if it is fixed yet, so if it doesn't work try both spellings. --001a11334a3cfa521704f07981fb--