LDAPSearch Troubleshooting

144 views
Skip to first unread message

Ken Jenney

unread,
Oct 8, 2017, 10:34:31 PM10/8/17
to Django users
I've got LDAPSearch configured to work with my Synology Directory Server. Users can authenticate fine but when I try to map a user to a group I get INVALID_CREDENTIALS:

import ldap


# Server URI
AUTH_LDAP_SERVER_URI = "ldaps://synology.kensnet.priv"


# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=netbox,CN=users,DC=kensnet,DC=priv"
AUTH_LDAP_BIND_PASSWORD = bindpassword


LDAP_IGNORE_CERT_ERRORS = True


from django_auth_ldap.config import LDAPSearch, PosixGroupType, GroupOfNamesType


AUTH_LDAP_USER_SEARCH = LDAPSearch("cn=users,dc=kensnet,dc=priv",
                                    ldap.SCOPE_SUBTREE,
                                    "(sAMAccountName=%(user)s)")


# If a user's DN is producible from their username, we don't need to search.
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,cn=users,dc=kensnet,dc=priv"


### EVERYTHING WORKS UP UNTIL HERE


#### Groups


# # This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# # heirarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=kensnet,dc=priv", ldap.SCOPE_SUBTREE,
                                    "(objectClass=organizationalRole")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()


# # Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "cn=users,cn=groups,dc=kensnet,dc=priv"


# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_staff": "cn=staff,cn=groups,dc=kensnet,dc=priv",
    "is_superuser": "cn=administrators,cn=groups,dc=kensnet,dc=priv"
}


How can I troubleshoot the group search/mapping to figure out what the issue is? 

James Schneider

unread,
Oct 8, 2017, 11:06:20 PM10/8/17
to django...@googlegroups.com


On Oct 8, 2017 7:33 PM, "Ken Jenney" <kje...@gmail.com> wrote:
I've got LDAPSearch configured to work with my Synology Directory Server. Users can authenticate fine but when I try to map a user to a group I get INVALID_CREDENTIALS:

Are you binding to LDAP using the users' credentials, or do you have a service account? It appears you have a service account configured, but I can't tell whether or not it is in use based on the settings you provided.

Have you:

a) Verified the DN being used against the Synology NAS for the user and group authentication requests? This can be found in the Synology auth logs.
b) Verified that the account in use has permission to traverse that portion of the LDAP schema, including a user being able to query their own groups, or the service account being able to list other users' groups?
c) Increased the logging level for Django and specifically for the Django LDAP package you are using to examine what is happening?

This issue will likely be illuminated very easily by the detailed logs on each side of the connection.

-James

Ken Jenney

unread,
Oct 9, 2017, 12:44:37 AM10/9/17
to Django users
1) I'm using a service account. I verified the DN's by connecting using Apache Directory Studio. 
2) I just promoted the service account user but I'm still facing the same error.
3) Logging is not helping: it's only reiterating what the original error is telling me: Caught LDAPError while authenticating ken: INVALID_CREDENTIALS({'desc': 'Invalid credentials'},) I added logging by adding this to the config:

import logging


logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)

James Schneider

unread,
Oct 9, 2017, 3:57:33 AM10/9/17
to django...@googlegroups.com


On Oct 8, 2017 9:44 PM, "Ken Jenney" <kje...@gmail.com> wrote:
1) I'm using a service account. I verified the DN's by connecting using Apache Directory Studio. 

I'm assuming this means that you only verified that your intended DN strings are valid and that the passwords for both the service account and your user account are correct?

2) I just promoted the service account user but I'm still facing the same error.
3) Logging is not helping: it's only reiterating what the original error is telling me: Caught LDAPError while authenticating ken: INVALID_CREDENTIALS({'desc': 'Invalid credentials'},) I added logging by adding this to the config:

I'd be interested to see what the Synology says. You may need to increase the logging verbosity.




Couple other questions:

a) What do you have listed in AUTHENTICATION_BACKENDS? I'm assuming you have both the LDAP module and the built-in back-end listed in that order since you are requesting groups?

a.1) Is it possible that your initial authentication is failing against LDAP but succeeding against the local authentication back-end, potentially leading you to believe that LDAP is partially working when it isn't?

a.2) Do you see the service account successfully authenticating on the Synology upon login at least once?

b) Is this the correct DN for your service account?

AUTH_LDAP_BIND_DN = "CN=netbox,CN=users,DC=kensnet,DC=priv"

Shouldn't that be uid=netbox?

-James

Ken Jenney

unread,
Oct 10, 2017, 2:55:33 PM10/10/17
to Django users
I fixed the DN for the service account:

AUTH_LDAP_BIND_DN = "UID=netbox,CN=users,DC=kenset,DC=priv"

I've tried at least a 100 different things so far and nothing is getting me there.

from django_auth_ldap.config import LDAPSearch, PosixGroupType
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=kensnet,dc=priv", ldap.SCOPE_SUBTREE, (objectClass=posixGroup)")
AUTH_LDAP_GROUP_TYPE = PosixGroupType()

AUTH_LDAP_USER_ATTR_MAP = { 
   "first_name": "cn",
   "last_name":  "sn"
}

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
     "is_staff": f"cn={AUTH_LDAP_USER_STAFF},cn=groups,dc={dc1},dc={dc2}",
    "is_superuser": f"cn={AUTH_LDAP_USER_SUPERUSER},cn=groups,dc={dc1},dc={dc2}"
}

There must be a better way to troubleshoot this than shooting in the dark. posixGroup is set on each group but I'm not sure if that's the best way to search for the groups since it's still not working. I've opened up a ticket with Synology in the meantime.

James Schneider

unread,
Oct 10, 2017, 3:10:39 PM10/10/17
to django...@googlegroups.com


On Oct 10, 2017 11:55 AM, "Ken Jenney" <kje...@gmail.com> wrote:
I fixed the DN for the service account:

AUTH_LDAP_BIND_DN = "UID=netbox,CN=users,DC=kenset,DC=priv"

I've tried at least a 100 different things so far and nothing is getting me there.

from django_auth_ldap.config import LDAPSearch, PosixGroupType
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=kensnet,dc=priv", ldap.SCOPE_SUBTREE, (objectClass=posixGroup)")


I also just noticed that the dc= values are different between your BIND_DN and GROUP_SEARCH as well. 

kensnet vs. kesnet

-James

Ken Jenney

unread,
Oct 10, 2017, 3:38:37 PM10/10/17
to Django users
Good catch! I just fixed it and re-tried and it works now. I had to get past the group search but ultimately my mispellings caught me up. Thanks for all the help James!

James Schneider

unread,
Oct 10, 2017, 11:51:00 PM10/10/17
to django...@googlegroups.com


On Oct 10, 2017 12:38 PM, "Ken Jenney" <kje...@gmail.com> wrote:
Good catch! I just fixed it and re-tried and it works now. I had to get past the group search but ultimately my mispellings caught me up. Thanks for all the help James!

Nice. Glad to have helped.

Interestingly enough, your original post has the correct dc= value (I'm assuming), so it must have been accidentally modified amidst the troubleshooting you were doing.

-James
Reply all
Reply to author
Forward
0 new messages