How to rebuild nginx with LDAP support on CentOS


Wait? I can't just tick a box, like on FreeBSD?

January 2019.

Introduction


We want LDAP in our nginx. We need to rebuild nginx with the LDAP module. Let's rebuild the official RPM to ensure we have a proper piece of software that will run correctly on our system.

The server used here is pretty much normal:

# uname -a
Linux jambon 3.10.0-229.20.1.el7.x86_64 #1 SMP Tue Nov 3 19:10:07 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/centos-release
CentOS Linux release 7.2.1511 (Core)

Prepare the build


Download the RPM build tools:

# yum install yum-utils rpmdevtools

Create the base environment to build packages:

# rpmdev-setuptree
# ll ~/rpmbuild/
total 0
drwxr-xr-x. 2 root root 6 Jul 17 2017 BUILD
drwxr-xr-x. 2 root root 6 Jul 17 2017 BUILDROOT
drwxr-xr-x. 2 root root 6 Jul 17 2017 RPMS
drwxr-xr-x. 2 root root 6 Jul 17 2017 SOURCES
drwxr-xr-x. 2 root root 6 Jul 17 2017 SPECS
drwxr-xr-x. 2 root root 6 Jul 17 2017 SRPMS

Download the source RPM:

# cd ~/rpmbuild/SRPMS/
# yumdownloader --source nginx
# ls
nginx-1.12.2-2.el7.src.rpm

If yumdownloader does not find it, use a search engine and find it yourself.

Ensure we have all the build dependencies installed:

# yum-builddep nginx-1.12.2-2.el7.src.rpm

Expand the SRPM into the build tree:

# rpm -ivh nginx-1.12.2-2.el7.src.rpm
# ls ../SPECS/nginx.spec
../SPECS/nginx.spec

Patch and build


Get the LDAP module from git:

# git clone https://github.com/kvspb/nginx-auth-ldap.git ~/nginx-auth-ldap

Patch the spec file to include the module in nginx's configure call:

# cd ~/rpmbuild/SPECS
# patch -p1 <<EOF
--- SPECS/nginx.spec.orig 2019-01-27 10:53:58.485211445 +0100
+++ SPECS/nginx.spec 2019-01-27 10:58:24.913630713 +0100
@@ -204,6 +204,7 @@
--lock-path=/run/lock/subsys/nginx \\
--user=%{nginx_user} \\
--group=%{nginx_user} \\
+ --add-module=/root/nginx-auth-ldap \\
%if 0%{?with_aio}
--with-file-aio \\
%endif
EOF
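
Review bot: The added `--add-module=/root/nginx-auth-ldap` line hard-codes a path under root's home directory, so the spec only builds as root on a machine where the module was cloned to exactly that location, and the code compiled in is whatever that checkout held at build time rather than a source the package tracks. Consider checking out a specific reviewed commit of the module and referencing it from the spec through a SourceN entry or a macro, so the build can run as an unprivileged user and the RPM can be reproduced from the SRPM.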

Execute the build and check that the RPMs have been generated:

# cd ~/rpmbuild
# rpmbuild -ba SPECS/nginx.spec
# ls RPMS/x86_64/
nginx-1.12.2-2.el7.centos.x86_64.rpm nginx-mod-http-image-filter-1.12.2-2.el7.centos.x86_64.rpm nginx-mod-mail-1.12.2-2.el7.centos.x86_64.rpm
nginx-debuginfo-1.12.2-2.el7.centos.x86_64.rpm nginx-mod-http-perl-1.12.2-2.el7.centos.x86_64.rpm nginx-mod-stream-1.12.2-2.el7.centos.x86_64.rpm
nginx-mod-http-geoip-1.12.2-2.el7.centos.x86_64.rpm nginx-mod-http-xslt-filter-1.12.2-2.el7.centos.x86_64.rpm

Install and configure


Install the resulting RPMs:

# rpm -i 'RPMS/noarch/*.rpm' 'RPMS/x86_64/*.rpm'

Check that the current binary has LDAP support:

# nginx -V 2>&1 | grep -o nginx-auth-ldap
nginx-auth-ldap

Add LDAP to a server as usual:

http {

    ldap_server infra {
        url ldap://192.168.200.13/ou=Users,dc=example,dc=com?uid?sub?(objectClass=person);
        binddn "cn=git,ou=dsa,dc=example,dc=com";
        binddn_passwd correcthorsebatterystaple;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
    }

    server {

        auth_ldap "Restricted access";
        auth_ldap_servers infra;
        [...]
    }

}
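
The ldap_server block above binds over ldap:// (no TLS) and keeps binddn_passwd inline, so the bind password and users' credentials cross the network unencrypted, and anyone who can read the config file can read the bind password. The shell function below is an added example, not part of the original page, that flags both conditions in a config file; the finding labels and the sample file are this example's own constructions.

```shell
#!/bin/sh
# Added example: audit an nginx config that uses nginx-auth-ldap.
# Prints one finding per line and returns 1, or returns 0 when clean.
audit_ldap_conf() {
    conf=$1
    # Pass 1: inside each ldap_server block, flag cleartext ldap:// URLs
    # and note where a bind password is stored inline.
    report=$(awk '
        $1 == "ldap_server"     { name = $2; next }
        name != "" && $1 == "}" { name = ""; next }
        name == ""              { next }
        $1 == "url" && tolower($2) ~ /^"?ldap:\/\// {
            printf "CLEARTEXT %s:%d server=%s\n", FILENAME, NR, name }
        $1 == "binddn_passwd" {
            printf "SECRET %s:%d server=%s\n", FILENAME, NR, name }
    ' "$conf")
    # Pass 2: an inline bind password is a finding when any local user
    # can read the file that holds it.
    if printf '%s\n' "$report" | grep -q '^SECRET' &&
       [ -n "$(find "$conf" -perm -004)" ]; then
        report="$report
WORLD_READABLE $conf"
    fi
    findings=$(printf '%s\n' "$report" |
               grep -E '^(CLEARTEXT|WORLD_READABLE)' || true)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Demo on a constructed sample that mirrors the ldap_server block above.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
http {
    ldap_server infra {
        url ldap://192.168.200.13/ou=Users,dc=example,dc=com?uid?sub?(objectClass=person);
        binddn_passwd correcthorsebatterystaple;
    }
}
EOF
    chmod 644 "$sample"
    audit_ldap_conf "$sample"; rc=$?
    rm -f "$sample"
    return $rc
}

if [ $# -gt 0 ]; then audit_ldap_conf "$1"; else demo || true; fi
```

Run it as `sh audit.sh /etc/nginx/nginx.conf` (the script name is arbitrary); a clean result needs an ldaps:// URL and a config file that is not world-readable.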

Profit!