LDAP: No re-authentication with auth_ldap_cache_enabled off #223

Open
mithun0119 opened this issue Aug 2, 2019 · 6 comments
Comments

@mithun0119

mithun0119 commented Aug 2, 2019

I am running a web application behind nginx, using it as a reverse proxy to authenticate with AD and for SSL termination. Now my issue is: if I log in with credentials in a particular browser (Chrome, for example), the session doesn't terminate. Even if I leave any of my Chrome tabs (with anything open) for days together, it never asks for credentials again when I refresh or open the URL in a new tab, unless I close all the instances of Chrome or clear the cache/cookies.

My config:

### Using nested groups, hence no group directive used ###
ldap_server adauth {
    url "ldap://xxxx?sAMAccountName?sub?";
    url "ldap://xxxx?sAMAccountName?sub?(&(memberOf:1.2.840.113556.1.4.1941:=CN=,OU=xx,DC=xx,DC=,DC=xx0(objectClass=person))";
    binddn "@";
    binddn_passwd "*****";
    UAT,OU=xx,DC=xx,DC=xx,DC=xx";
    require valid_user;
    max_down_retries 10;
    connections 50;
}
## Authentication with Active Directory ##
auth_ldap_cache_enabled off;

proxy_cache_path /opt/nginx/cache levels=1:2 keys_zone=mycache:20m max_size=1G;
proxy_temp_path /opt/nginx/tmp_cache/;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_bypass $cookie_nocache;
proxy_no_cache $cookie_nocache;

server {
    listen 443 ssl;
    server_name testserver.com;
    auth_ldap "Enter your AD username/password";
    auth_ldap_servers adauth;
    ssl on;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 1m;
    ssl_protocols SSLv2 SSLv3 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    ssl_certificate /xxx.cer;
    ssl_certificate_key /xxx.key;
    access_log /var/log/nginx/test.log;
    error_log /var/log/nginx/test-error.log error;
    location / {
        add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
        expires off;
        keepalive_timeout 5s;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:3838;
        proxy_read_timeout 90;
        proxy_buffering off;
        proxy_redirect / $scheme://$host/;
    }
}

I am using nginx 1.13.1 configured with the options below:

nginx version: nginx/1.13.1 (Ubuntu)
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=www-data --group=www-data --build=Ubuntu --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-openssl=../openssl-1.1.0f --with-openssl-opt=enable-ec_nistp_64_gcc_128 --with-openssl-opt=no-nextprotoneg --with-openssl-opt=no-weak-ssl-ciphers --with-openssl-opt=no-ssl3 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_slice_module --with-http_ssl_module --with-http_sub_module --with-http_stub_status_module --with-http_v2_module --with-http_secure_link_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-debug --add-module=../nginx-auth-ldap --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
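Added example, not code from the issue or from nginx-auth-ldap. The module challenges with HTTP Basic authentication, so once the browser has accepted a username and password it re-sends the `Authorization` header on every request and forgets it only when the browser is closed or the server answers 401 again; `auth_ldap_cache_enabled` controls only the module's server-side cache of successful binds, not the browser. The sketch below shows the server-side mechanism that forces a fresh prompt: remember when a client's credentials were first accepted and answer 401 once a maximum session age or an idle timeout passes. `ReauthPolicy`, `BasicAuthGate`, the `verify` callback and the sample client address are all hypothetical stand-ins (a real deployment would verify against LDAP).

```python
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

Headers = Dict[str, str]


@dataclass
class ReauthPolicy:
    """Hypothetical policy: how long a browser may keep re-using the same Basic
    credentials before the server challenges again (both values in seconds)."""
    max_session_age: float   # since the credentials were first accepted
    idle_timeout: float      # since the last request of this session
    realm: str = "Enter your AD username/password"


@dataclass
class SessionState:
    first_seen: float
    last_seen: float


@dataclass
class BasicAuthGate:
    """Gate for one protected location. `verify(user, password)` stands in for
    the LDAP bind; sessions are keyed by (client address, user)."""
    policy: ReauthPolicy
    verify: Callable[[str, str], bool]
    sessions: Dict[Tuple[str, str], SessionState] = field(default_factory=dict)

    def challenge(self) -> Tuple[int, Headers]:
        # A 401 with the same realm makes the browser drop its cached credentials
        # and prompt the user again.
        return 401, {"WWW-Authenticate": f'Basic realm="{self.policy.realm}"'}

    def handle(self, client: str, authorization: Optional[str], now: float) -> Tuple[int, Headers]:
        if not authorization or not authorization.startswith("Basic "):
            return self.challenge()
        try:
            raw = base64.b64decode(authorization[len("Basic "):], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return self.challenge()          # malformed header: treat as unauthenticated
        user, _, password = raw.partition(":")
        if not user or not self.verify(user, password):
            return self.challenge()

        key = (client, user)
        state = self.sessions.get(key)
        if state is not None:
            too_old = now - state.first_seen > self.policy.max_session_age
            idle = now - state.last_seen > self.policy.idle_timeout
            if too_old or idle:
                # Credentials are still valid, but the session has outlived the
                # policy: forget it and force the browser to prompt again.
                del self.sessions[key]
                return self.challenge()
            state.last_seen = now
        else:
            self.sessions[key] = SessionState(first_seen=now, last_seen=now)
        # no-store keeps intermediaries and the browser from replaying the response.
        return 200, {"Cache-Control": "no-store"}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Constructed credential store; a real gate would bind to the directory instead.
    gate = BasicAuthGate(ReauthPolicy(max_session_age=3600, idle_timeout=600),
                         verify=lambda u, p: (u, p) == ("alice", "s3cret"))
    hdr = basic_header("alice", "s3cret")
    for t in (0, 100, 800):
        status, _ = gate.handle("10.0.0.5", hdr, now=t)
        print(f"t={t:>4}s -> {status}")
```

Note that the gate never has to store the password: it only records when a (client, user) pair was last accepted, and the re-prompt is driven entirely by the 401 response.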

@mithun0119
Author

@kvspb Can you please help me out here.

@rmendal

rmendal commented Aug 15, 2019

This is likely handled in the cookie you're getting when you auth. They tend to have an expiration time in the cookie which will determine when you'll have to re-auth. Pretty sure this isn't a module issue but one tied to your browser or LDAP server.

@Harrtron

Hi @mithun0119 - did you manage to achieve this? Thanks!

@mithun0119
Author

> Hi @mithun0119 - did you manage to achieve this? Thanks!

No Harrtron, I never managed to find a fix. Please do let me know if you find any.

@amruthapbhat

Hi @mithun0119
I am also facing the same issue. Any luck in finding any fix for the above-mentioned issue?

@mithun0119
Author

Hi Amrutha, no luck. I just left it there. So if the browsers are all closed and reopened, then the cookie is gone and it prompts for credentials; otherwise it just takes me in.

4 participants