LDAP authentication against Active Directory


Wilfried Anuzet

Aug 23, 2017, 9:25:29 AM
to NetBox
Hi,

I just set up a netbox server at work and everything went fine until I tried to activate the LDAP login against our AD.
Basically the python ldap module seems to find my user in the AD but decides that this user doesn't belong to the required group.

Here's the output I have when I tried to log in with my user:

Time     Channel     Message     Location
DEBUG     12:56:35 08/23/2017     django_auth_ldap     search_s('ou=it,ou=_users,dc=domain,dc=com', 2, '(sAMAccountName=%(user)s)') returned 1 objects: cn=usertest,ou=it,ou=_users,dc=domain,dc=com     /usr/lib/python3.4/site-packages/django_auth_ldap/config.py:252
DEBUG     12:56:35 08/23/2017     django_auth_ldap     cn=usertest,ou=it,ou=_users,dc=domain,dc=com is not a member of ou=it,ou=_users,dc=domain,dc=com     /usr/lib/python3.4/site-packages/django_auth_ldap/backend.py:938
DEBUG     12:56:35 08/23/2017     django_auth_ldap     Authentication failed for usertest: user does not satisfy AUTH_LDAP_REQUIRE_GROUP     /usr/lib/python3.4/site-packages/django_auth_ldap/backend.py:351



Here's my ldap_config.py file:

import ldap

# Server URI
AUTH_LDAP_SERVER_URI = "ldap://dc02.domain.com"

# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0
}

# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=UserReader,OU=Technics,OU=_USERS,DC=domain,DC=com"
AUTH_LDAP_BIND_PASSWORD = "Password"

# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True

from django_auth_ldap.config import LDAPSearch

# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory).
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=it,ou=_users,dc=domain,dc=com",
                                    ldap.SCOPE_SUBTREE,
                                    "(sAMAccountName=%(user)s)")

# If a user's DN is producible from their username, we don't need to search.
AUTH_LDAP_USER_DN_TEMPLATE = None


# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}

from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, NestedGroupOfNamesType

# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# hierarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=domain,dc=com", ldap.SCOPE_SUBTREE,
                                    "(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
#AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()

# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "ou=it,ou=_users,dc=domain,dc=com"

# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "ou=it,ou=_users,dc=domain,dc=com",
    "is_staff": "ou=it,ou=_users,dc=domain,dc=com",
    "is_superuser": "ou=it,ou=_users,dc=domain,dc=com"
}

# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True

# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600



Am I missing something? I can't figure out why the ldap module finds my user in the expected group and somehow decides that the user is not part of this group...
Does someone have any clue about that behavior?

Thanks for reading :)

Dave Noonan

Aug 23, 2017, 10:42:24 AM
to Wilfried Anuzet, NetBox
I wonder if your AUTH_LDAP_USER_SEARCH is too specific.  Mine is "CN=Users,DC=domain,DC=com" and my AUTH_LDAP_GROUP_SEARCH is the same.


What ended up helping me was connecting on port 389 and using Wireshark on the server to look at the traffic. I couldn't find useful logs from either NetBox or Windows. I'm sure they exist but for me Wireshark was easier.





Wilfried Anuzet

Aug 24, 2017, 8:07:24 AM
to Dave Noonan, NetBox
I just tried and it seems that it hasn't had any effect.
I also tried to use the nested group search and I can now see that there seems to be no group object returned by the ldap query:

08/24/2017 django_auth_ldap search_s('ou=it,ou=_users,dc=domain,dc=com', 2, '(sAMAccountName=%(user)s)') returned 1 objects: cn=usertest,ou=it,ou=_users,dc=domain,dc=com
08/24/2017 django_auth_ldap search_s('ou=it,ou=_users,dc=domain,dc=com', 2, '(&(objectClass=group)(|(member=cn=usertest,ou=it,ou=_users,dc=domain,dc=com)))') returned 0 objects:
08/24/2017 django_auth_ldap cn=usertest,ou=it,ou=_users,dc=domain,dc=com is not a member of ou=it,ou=_users,dc=domain,dc=com /usr/lib/python3.4/site-packages/django_auth_ldap/backend.py:938
08/24/2017 django_auth_ldap Authentication failed for usertest: user does not satisfy AUTH_LDAP_REQUIRE_GROUP /usr/lib/python3.4/site-packages/django_auth_ldap/backend.py:351

So basically, as I understand it, the ldap query finds my user but can't find which group he's a member of...
That explains why it fails at login...
Any clue how to resolve that query?





Wilfried Anuzet

Aug 24, 2017, 8:34:46 AM
to Dave Noonan, NetBox
-_-'

I just asked the AD team and it seems that I wasn't searching in the groups OU...
My bad, I just changed my config to:


# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# hierarchy. The base is now the OU that holds the group objects, not the OU that holds the user accounts.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=_groups,dc=domain,dc=com", ldap.SCOPE_SUBTREE,
                                    "(objectClass=group)")

AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()

# Define a group required to login. This must be the DN of a group object (cn=...), not of an OU.
AUTH_LDAP_REQUIRE_GROUP = "cn=it,ou=_groups,dc=domain,dc=com"


# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=it,ou=_groups,dc=domain,dc=com",
    "is_staff": "cn=it,ou=_groups,dc=domain,dc=com",
    "is_superuser": "cn=it,ou=_groups,dc=domain,dc=com"
}

And it now works.
The issue was just my lack of knowledge of the structure of the AD and the concept behind OUs and groups -_-'

Thanks for reading
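The failure in the first config and the fix in the last one both come down to how django-auth-ldap resolves AUTH_LDAP_REQUIRE_GROUP: it searches the group base for group objects whose member attribute holds the user's DN and then checks whether the required DN is among those group DNs, so an OU DN can never match. The following added example (not code from the thread or from django-auth-ldap) models that check offline over a small constructed directory that reuses the thread's DNs, and also shows the nested expansion that NestedGroupOfNamesType adds.

```python
# Constructed sample directory modelled on the DNs in the thread.
# The user lives under ou=it,ou=_users, but that OU is only a container;
# membership is recorded in the 'member' attribute of group objects.
DIRECTORY = {
    "cn=usertest,ou=it,ou=_users,dc=domain,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["usertest"]},
    "ou=it,ou=_users,dc=domain,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=it,ou=_groups,dc=domain,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=usertest,ou=it,ou=_users,dc=domain,dc=com"]},
    # a parent group that contains cn=it, to illustrate nested membership
    "cn=admins,ou=_groups,dc=domain,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=it,ou=_groups,dc=domain,dc=com"]},
}

def in_subtree(dn, base):
    """True if dn is base itself or lies below it (ldap.SCOPE_SUBTREE)."""
    return dn == base or dn.endswith("," + base)

def groups_with_member(base, member_dn):
    """Offline equivalent of the search the log shows:
    search_s(base, SUBTREE, '(&(objectClass=group)(|(member=<dn>)))')."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base)
            and "group" in attrs["objectClass"]
            and member_dn in attrs.get("member", [])]

def satisfies_require_group(user_dn, group_base, require_group, nested=False):
    """Mirror of the AUTH_LDAP_REQUIRE_GROUP check: collect the DNs of the
    groups the user belongs to (expanded through parent groups when
    nested=True, as NestedGroupOfNamesType does) and test whether the
    required DN is one of them. DNs are compared case-insensitively."""
    found, todo = set(), [user_dn]
    while todo:
        dn = todo.pop()
        for group_dn in groups_with_member(group_base, dn):
            if group_dn not in found:
                found.add(group_dn)
                if nested:
                    todo.append(group_dn)
    return require_group.lower() in {g.lower() for g in found}

if __name__ == "__main__":
    user = "cn=usertest,ou=it,ou=_users,dc=domain,dc=com"
    # original config: require group is an OU, so it is never returned
    print(satisfies_require_group(user, "dc=domain,dc=com", "ou=it,ou=_users,dc=domain,dc=com"))
    # fixed config: group base is ou=_groups and the required DN names a group
    print(satisfies_require_group(user, "ou=_groups,dc=domain,dc=com", "cn=it,ou=_groups,dc=domain,dc=com"))
```

The second search in the Aug 24 log (base ou=it,ou=_users, 0 objects) corresponds to calling groups_with_member with the users OU as base: no group objects live there, so nothing can match.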
