2014/1/21 Suraj Kumar <[email protected]>

> Hi,
>
> We use nginx as a load balancing proxy in front of couchdb and let our
> clients directly talk REST with couchdb. We have a company standard "LDAP"
> server to auth against. I've tried (and given up) setting up the ldap auth
> plugin for couchdb. Here is our alternate strategy to get things going:
>
> 1. Clients will attempt auth on a specific route (ex: /auth). This is
> routed by nginx to a middleware which, after auth against LDAP, may insert
> / update the couchdb _users DB with similar user account.
> 2. The middleware also returns a "session" cookie that is nothing but
> crypt("username:password", "myserversecret").
> 3. On nginx side, we write a 'lua' module that decrypts the session cookie
> using the same shared "myserversecret" password. This module will fill in
> the http basic Authorization header. Since nginx is routing to couchDB too,
> I expect auth against couch to work transparently.
>
> What do you think about this approach?

Hi,
from my understanding (played around with it, but not in production yet) you don't need to create the users in the DB. You could just use "Proxy Authentication"*

http://docs.couchdb.org/en/latest/api/server/authn.html#proxy-authentication

So your nginx proxy just has to set some extra headers and couchdb will trust it completely without further validation. If your middleware is able to provide all needed information about the users (i.e. roles), proxy authentication might be an option.

regards,
Stefan

* beware, there was/is a typo in the documentation, the "proxy_authentication_handler" is actually called "proxy_authenti*fi*cation_handler". Not sure if it is fixed yet, so if it doesn't work try both spellings.
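
The header handling that the proxy-authentication setup suggested above needs on the nginx/middleware side, as an added Python example (not code from this thread or from CouchDB). It assumes CouchDB's documented `X-Auth-CouchDB-UserName`, `X-Auth-CouchDB-Roles` and `X-Auth-CouchDB-Token` headers with `proxy_use_secret` enabled and an HMAC-SHA1 token; the function names, secret and sample request are constructed.

```python
import hashlib
import hmac

PREFIX = "x-auth-couchdb-"  # header namespace the proxy handler trusts


def proxy_token(secret: bytes, username: str) -> str:
    """Hex HMAC-SHA1 of the username, keyed with the shared secret."""
    return hmac.new(secret, username.encode("utf-8"), hashlib.sha1).hexdigest()


def upstream_headers(client_headers: dict, username: str, roles: list, secret: bytes) -> dict:
    """Build the headers forwarded to CouchDB for a user the middleware authenticated."""
    for value in [username, *roles]:
        # Conservative check: no empty values, no header or list separators.
        if not value or any(c in value for c in "\r\n,"):
            raise ValueError(f"unsafe user or role value: {value!r}")
    # Drop every client-supplied X-Auth-CouchDB-* header (any case) so that
    # only the proxy can assert an identity to CouchDB.
    out = {k: v for k, v in client_headers.items() if not k.lower().startswith(PREFIX)}
    out["X-Auth-CouchDB-UserName"] = username
    out["X-Auth-CouchDB-Roles"] = ",".join(roles)
    out["X-Auth-CouchDB-Token"] = proxy_token(secret, username)
    return out


def token_is_valid(secret: bytes, username: str, token: str) -> bool:
    """Recompute the token and compare in constant time, as the receiver must."""
    expected = proxy_token(secret, username).encode("ascii")
    return hmac.compare_digest(expected, token.lower().encode("utf-8"))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # placeholder, not a real secret
    # Constructed request: the client tries to supply its own roles header.
    incoming = {"Accept": "application/json", "x-auth-couchdb-roles": "_admin"}
    for name, value in upstream_headers(incoming, "suraj", ["reader"], secret).items():
        print(f"{name}: {value}")
```

Because CouchDB trusts these headers without further validation, its port should accept connections from the proxy alone, and the shared secret should exist only on the proxy and in CouchDB's configuration.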
