Unable to get user's groups from LDAP user


Eyla

Nov 14, 2017, 1:48:46 PM11/14/17
to django-auth-ldap
My Django (Django 1.11) project is using django-auth-ldap 1.2 as its authentication backend.

I have no problem authenticating any user against the LDAP database using:

    @login_required(login_url='/accounts/login/')
and in this case, any user from any group can login to the site.

I want to allow only users from 'group1' to be able to access the website.
I used the code listed below:

    from django.shortcuts import render
    from django.template import loader
    from django.http import HttpResponse
    from django.contrib.auth.decorators import login_required, user_passes_test
    from django.contrib.auth import views as auth_views

    # Only LDAP-backed users whose group_names contains 'group1' may see the index.
    @user_passes_test(
        lambda u: hasattr(u, 'ldap_user') and 'group1' in u.ldap_user.group_names,
        login_url='/accounts/login/')
    def index(request):
        template = loader.get_template('main/index.html')
        return HttpResponse(template.render())

This code is not working and the user never passes the test.
According to the documentation I can use ldap_user.group_names to get the group names of a user.

Here are my LDAP settings from settings.py:


    import os
    import django

    AUTHENTICATION_BACKENDS = ('django_auth_ldap.backend.LDAPBackend',)

    import ldap
    from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

    # Server and the service account used for the initial bind
    AUTH_LDAP_SERVER_URI = "ldap://mydomain.com"
    AUTH_LDAP_BIND_DN = "cn=admin,dc=mydomain,dc=com"
    AUTH_LDAP_BIND_PASSWORD = "mypass"

    # Locate the user entry by uid
    AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=ou_org_unit,dc=mydomain,dc=com",
                                       ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

    # Base DN and filter for the group search
    AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=ou_org_unit,cn=group1,cn=group2,dc=mydomain,dc=com",
                                        ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
    AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()

    AUTH_LDAP_USER_ATTR_MAP = {
        "first_name": "givenName",
        "last_name": "sn",
        "email": "mail"
    }

    AUTH_LDAP_FIND_GROUP_PERMS = True
    AUTH_LDAP_CACHE_GROUPS = True
    AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600


My question is:
Why am I not able to authenticate any user with this code?


Peter Sagerson

Nov 14, 2017, 1:58:01 PM11/14/17
to django-a...@googlegroups.com
Have you looked at what u.ldap_user.group_names actually contains? Have you turned on debug logging[1] to see if the LDAP queries match your expectations?




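Turning on the library's debug log is the quickest way to see the base DN, scope and filter of every search django-auth-ldap issues. The snippet below is an added example following the logging setup the django-auth-ldap documentation describes (the library logs under the `django_auth_ldap` logger); it is not code from this thread. The record-collecting handler is a hypothetical helper of this example, convenient in a Django shell for looking at just the `search_s(...)` lines after an `authenticate()` call.

```python
import logging
from typing import List, Optional

LDAP_LOGGER_NAME = "django_auth_ldap"  # logger django-auth-ldap writes its search_s() lines to


class RecordCollector(logging.Handler):
    """Keeps formatted records in memory so they can be inspected after an
    authenticate() call (hypothetical helper for this example)."""

    def __init__(self) -> None:
        super().__init__(level=logging.DEBUG)
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))

    def searches(self) -> List[str]:
        """Only the lines describing an LDAP search, e.g. 'search_s(...) returned N objects'."""
        return [line for line in self.lines if "search_s(" in line]


def enable_ldap_debug_logging(collector: Optional[RecordCollector] = None) -> logging.Logger:
    """Lower the django_auth_ldap logger to DEBUG and attach a console handler
    (plus the optional collector). Safe to call repeatedly: handlers are not
    duplicated, so a Django shell session does not print every line twice."""
    logger = logging.getLogger(LDAP_LOGGER_NAME)
    logger.setLevel(logging.DEBUG)
    fmt = logging.Formatter("%(name)s %(levelname)s: %(message)s")
    if not any(type(h) is logging.StreamHandler for h in logger.handlers):
        console = logging.StreamHandler()
        console.setFormatter(fmt)
        logger.addHandler(console)
    if collector is not None and collector not in logger.handlers:
        collector.setFormatter(fmt)
        logger.addHandler(collector)
    return logger


if __name__ == "__main__":
    # Constructed demonstration: in a real project these records are emitted
    # by the library itself from inside authenticate() / populate_user().
    collector = RecordCollector()
    log = enable_ldap_debug_logging(collector)
    backend_log = log.getChild("backend")
    backend_log.debug("search_s('ou=ou_org_unit,dc=mydomain,dc=com', 2, '(uid=muser)') returned 1 objects")
    backend_log.debug("Populating Django user muser")
    print("\n".join(collector.searches()))
```

In a Django shell, call `enable_ldap_debug_logging()` once before `authenticate(...)`; the child loggers (`django_auth_ldap.backend`, `django_auth_ldap.config`) propagate to the parent, so one handler on `django_auth_ldap` sees everything.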

Eyla

Nov 15, 2017, 2:07:40 PM11/15/17
to django-auth-ldap
Thank you Peter,


When I test User.ldap_user.group_names, it returns nothing, and the debug logging shows the correct query:

search_s('ou=ou_org_unit,dc=mydomain,dc=com', 2, '(uid=%(user)s)') returned 1 objects: cn=my user,cn=Group1,ou=ou_org_unit,dc=mydomain,dc=com
Populating Django user muser
cn=my user,cn=Group1,ou=ou_org_unit,dc=dydomain,dc=com does not have a value for the attribute mail


I also modified settings.py.
This code:

    AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=ou_org_unit,cn=group1,cn=group2,dc=mydomain,dc=com",
        ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)"
    )

    AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()

To this code:

    AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=ou_org_unit,dc=mydomain,dc=com",
        ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)"
    )
    AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")

and I am getting the same result.

Peter Sagerson

Nov 15, 2017, 2:35:47 PM11/15/17
to django-a...@googlegroups.com
I would expect to see another debug log with search_s results for the group membership. I would suggest opening a Django shell, manually authenticating[1], and inspecting the user from there. Don't be afraid to set a breakpoint in django_auth_ldap.config.LDAPSearch.execute if necessary.

Side note: defining ACLs directly in terms of groups is generally considered bad form. Ultimately, you may want to consider using permissions.

Peter




Eyla

Nov 15, 2017, 5:13:27 PM11/15/17
to django-auth-ldap
Here is some of the result from the Django shell:

>>> user = authenticate(username='muser', password='mypassword')
Populating Django user muser
search_s('cn=my user,cn=Group1,ou=ou_org_unit,dc=dydomain,dc=com', 0, '(objectClass=*)') returned 1 objects: cn=my user,cn=Group1,ou=ou_org_unit,dc=dydomain,dc=com

cn=my user,cn=Group1,ou=ou_org_unit,dc=dydomain,dc=com does not have a value for the attribute mail
>>>
>>>
>>> user.groups.filter(name='Group1').exists()
False
>>>
>>> from django_auth_ldap.backend import LDAPBackend
>>> from django_auth_ldap.backend import populate_user
>>> user = LDAPBackend().populate_user('muser')
search_s('cn=my user,cn=Group1,ou=ou_org_unit,dc=dydomain,dc=com', 0, '(objectClass=*)') returned 1 objects: cn=my user,cn=Group1,ou=ou_org_unit,dc=dydomain,dc=com

Populating Django user muser
cn=my user,cn=Group1,ou=ou_org_unit,dc=dydomain,dc=com does not have a value for the attribute mail
>>>
>>> user.ldap_user.group_dns
search_s('cn=my user,cn=Group1,ou=ou_org_unit,dc=dydomain,dc=com', 2, '(&(objectClass=groupOfNames)(member=cn=my user,cn=Group1,ou=ou_org_unit,dc=dydomain,dc=com))') returned 0 objects:
set()
>>> list(user.ldap_user.group_dns)
[]
>>>
>>> user.ldap_user.group_names
set()
>>> list(user.ldap_user.group_names)
[]
>>>



Peter Sagerson

Nov 15, 2017, 5:17:41 PM11/15/17
to django-a...@googlegroups.com
There you go. It's searching for groups that this user is a member of and it's not finding any. That's a legitimate outcome. Maybe there's a typo in the configuration or maybe this user isn't a member of the group that you think it is.


Eyla

Nov 15, 2017, 5:57:45 PM11/15/17
to django-auth-ldap
I am not sure where the problem is; I have tried many different configurations.
I am using the PosixGroupType group type, and I modified my settings for the group search to:

    AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=ou_org_unit,dc=dydomain,dc=com", ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)")
    AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr="cn")

And I am getting the same result.

As for the group name, I am sure it is not a typo; I checked again and made sure that the user belongs to the group.


>>> import ldap
>>> from django_auth_ldap.config import LDAPSearch, PosixGroupType
>>> AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=ou_org_unit,dc=dydomain,dc=com",ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)")
>>> AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr="cn")

>>> user = LDAPBackend().populate_user('muser')
search_s('cn=my user,cn=Group1,ou=ou_org_unit,dc=dydomain,dc=com', 0, '(objectClass=*)') returned 1 objects: cn=my user,cn=Group1,ou=ou_org_unit,dc=dydomain,dc=com
Populating Django user muser
cn=my user,cn=Group1,ou=ou_org_unit,dc=dydomain,dc=com does not have a value for the attribute mail
>>> list(user.ldap_user.group_names)
[]
>>> AUTH_LDAP_MIRROR_GROUPS = True
>>> list(user.ldap_user.group_dns)
search_s('ou=ou_oh_cuyahoga,dc=dynamoracle,dc=com', 2, '(&(objectClass=groupOfNames)(member=cn=admin euclid,cn=group_euclid,ou=ou_oh_cuyahoga,dc=dynamoracle,dc=com))') returned 0 objects:
[]
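The `search_s(...)` lines in the shell output are the whole story: django-auth-ldap decides group membership by running a search under `AUTH_LDAP_GROUP_SEARCH`'s base DN for group entries whose membership attribute names the user, and `ldap_user.group_names` is just the `name_attr` of whatever that search returns. The following is an added example, not code from the django-auth-ldap project or from the thread, that models those two searches against a small in-memory directory so it runs with no LDAP server. All DNs and attribute values in it are constructed; the filter shapes are modelled on the `search_s` lines above (`member=<user DN>` for `GroupOfNamesType`, `memberUid`/`gidNumber` for `PosixGroupType`). It goes slightly beyond the thread in two ways: it shows that a user entry sitting beneath `cn=Group1` in the tree is not thereby a member of Group1, and it escapes the values spliced into the filter, which the real library does with `ldap.filter.escape_filter_chars`.

```python
from typing import Dict, List

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

USER_DN = "cn=my user,cn=Group1,ou=ou_org_unit,dc=mydomain,dc=com"
GROUP_BASE = "ou=ou_org_unit,dc=mydomain,dc=com"
# Group search base from the first settings.py in the thread: it names no
# container in the tree, so a subtree search beneath it can return nothing.
BAD_GROUP_BASE = "ou=ou_org_unit,cn=group1,cn=group2,dc=mydomain,dc=com"

# Constructed directory. The user entry sits *beneath* cn=Group1 in the tree,
# yet Group1's member attribute does not list it; Group2's member does.
DIRECTORY: Directory = {
    "ou=ou_org_unit,dc=mydomain,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=Group1,ou=ou_org_unit,dc=mydomain,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["Group1"],
        "member": ["cn=someone else,ou=ou_org_unit,dc=mydomain,dc=com"]},
    "cn=Group2,ou=ou_org_unit,dc=mydomain,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["Group2"], "member": [USER_DN]},
    "cn=devs,ou=ou_org_unit,dc=mydomain,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["devs"],
        "gidNumber": ["5000"], "memberUid": ["muser"]},
    USER_DN: {
        "objectClass": ["inetOrgPerson", "posixAccount"], "cn": ["my user"],
        "uid": ["muser"], "gidNumber": ["5000"]},
}


def normalize_dn(dn: str) -> str:
    """Trim and case-fold each RDN so two spellings of one DN compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn: str, base: str) -> bool:
    """True when dn is base itself or lies below it (SCOPE_SUBTREE semantics)."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def base_exists(directory: Directory, base_dn: str) -> bool:
    return any(normalize_dn(dn) == normalize_dn(base_dn) for dn in directory)


def escape_filter_chars(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter; without it a DN or
    uid containing ( ) * or \\ could change the filter's structure."""
    out = value.replace("\\", "\\5c")
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, code)
    return out


def membership_filter(group_type: str, user: Entry, user_dn: str) -> str:
    """The filter each group type sends, modelled on the thread's log lines."""
    if group_type == "groupOfNames":
        return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_chars(user_dn)
    if group_type == "posixGroup":
        uid = escape_filter_chars(user["uid"][0])
        if user.get("gidNumber"):
            gid = escape_filter_chars(user["gidNumber"][0])
            return "(&(objectClass=posixGroup)(|(gidNumber=%s)(memberUid=%s)))" % (gid, uid)
        return "(&(objectClass=posixGroup)(memberUid=%s))" % uid
    raise ValueError("unknown group type: %s" % group_type)


def is_member(group_type: str, group: Entry, user: Entry, user_dn: str) -> bool:
    """Evaluate membership_filter() against one candidate group entry."""
    classes = group.get("objectClass", [])
    if group_type == "groupOfNames":
        return "groupOfNames" in classes and any(
            normalize_dn(m) == normalize_dn(user_dn) for m in group.get("member", []))
    if group_type == "posixGroup":
        by_uid = user["uid"][0] in group.get("memberUid", [])
        by_gid = bool(user.get("gidNumber")) and group.get("gidNumber") == user.get("gidNumber")
        return "posixGroup" in classes and (by_uid or by_gid)
    raise ValueError("unknown group type: %s" % group_type)


def user_groups(directory: Directory, base_dn: str, group_type: str, user_dn: str) -> List[str]:
    """Sorted cn values of the groups under base_dn that list the user, i.e. what
    ldap_user.group_names is filled from. A base missing from the tree yields
    nothing here (a real server would reject the search with noSuchObject)."""
    if not base_exists(directory, base_dn):
        return []
    user = next(e for dn, e in directory.items() if normalize_dn(dn) == normalize_dn(user_dn))
    names = [g["cn"][0] for dn, g in directory.items()
             if in_subtree(dn, base_dn) and "cn" in g and is_member(group_type, g, user, user_dn)]
    return sorted(names)


if __name__ == "__main__":
    for base, gtype in ((BAD_GROUP_BASE, "groupOfNames"),
                        (GROUP_BASE, "groupOfNames"), (GROUP_BASE, "posixGroup")):
        print(gtype, "under", base, "->", user_groups(DIRECTORY, base, gtype, USER_DN))
```

Against the constructed tree the misspelt base returns nothing for any group type, `GroupOfNamesType` under the corrected base returns only `Group2` (the one group whose `member` attribute actually holds the user's DN), and `PosixGroupType` returns `devs`. When the real search logs `returned 0 objects`, the same two questions apply: does the base DN exist, and does a group entry under it carry the user's DN in `member` (or the uid in `memberUid`) rather than merely containing the user entry in the tree.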


