## Version 2020/06/02 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ldap.conf
## this conf is meant to be used in conjunction with our ldap-auth image: https://github.com/linuxserver/docker-ldap-auth
## see the heimdall example in the default site config for info on enabling ldap auth
## for further instructions on this conf, see https://github.com/nginxinc/nginx-ldap-auth

    location /ldaplogin {
        resolver 127.0.0.11 valid=30s;
        set $upstream_auth_app ldap-auth;
        set $upstream_auth_port 9000;
        set $upstream_auth_proto http;
        proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
        proxy_set_header X-Target $request_uri;
    }

    location = /auth {
        resolver 127.0.0.11 valid=30s;
        set $upstream_auth_app ldap-auth;
        set $upstream_auth_port 8888;
        set $upstream_auth_proto http;
        proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;

        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        #Before enabling the below caching options, make sure you have the line "proxy_cache_path cache/ keys_zone=auth_cache:10m;" at the bottom your default site config
        #proxy_cache auth_cache;
        #proxy_cache_valid 200 10m;
        #proxy_cache_key "$http_authorization$cookie_nginxauth";

        # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
        # communicates with a LDAP server, passing in the following
        # parameters to specify which user account to authenticate. To
        # eliminate the need to modify the Python code, this file contains
        # 'proxy_set_header' directives that set the values of the
        # parameters. Set or change them as instructed in the comments.
        #
        #    Parameter      Proxy header
        #    -----------    ----------------
        #    url            X-Ldap-URL
        #    starttls       X-Ldap-Starttls
        #    basedn         X-Ldap-BaseDN
        #    binddn         X-Ldap-BindDN
        #    bindpasswd     X-Ldap-BindPass
        #    cookiename     X-CookieName
        #    realm          X-Ldap-Realm
        #    template       X-Ldap-Template

        # (Required) Set the URL and port for connecting to the LDAP server,
        # by replacing 'example.com'.
        # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
        proxy_set_header X-Ldap-URL      "ldap://example.com";

        # (Optional) Establish a TLS-enabled LDAP session after binding to the
        # LDAP server.
        # This is the 'proper' way to establish encrypted TLS connections, see
        # http://www.openldap.org/faq/data/cache/185.html
        #proxy_set_header X-Ldap-Starttls "true";

        # (Required) Set the Base DN, by replacing the value enclosed in
        # double quotes.
        proxy_set_header X-Ldap-BaseDN   "cn=Users,dc=test,dc=local";

        # (Required) Set the Bind DN, by replacing the value enclosed in
        # double quotes.
        # If AD, use "root@test.local"
        proxy_set_header X-Ldap-BindDN   "cn=root,dc=test,dc=local";

        # (Required) Set the Bind password, by replacing 'secret'.
        proxy_set_header X-Ldap-BindPass "secret";

        # (Required) The following directives set the cookie name and pass
        # it, respectively. They are required for cookie-based
        # authentication. Comment them out if using HTTP basic
        # authentication.
        proxy_set_header X-CookieName "nginxauth";
        proxy_set_header Cookie nginxauth=$cookie_nginxauth;

        # (Required if using Microsoft Active Directory as the LDAP server)
        # Set the LDAP template by uncommenting the following directive.
        #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";

        # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
        # template by uncommenting the following directive and replacing
        # '(cn=%(username)s)' which is the default set in
        # nginx-ldap-auth-daemon.py.
        #proxy_set_header X-Ldap-Template "(cn=%(username)s)";

        # (Optional) Set the realm name, by uncommenting the following
        # directive and replacing 'Restricted' which is the default set
        # in nginx-ldap-auth-daemon.py.
        #proxy_set_header X-Ldap-Realm    "Restricted";
    }