ldap authentication setup help

Chris Stinemetz

Jan 28, 2014, 5:05:39 PM
to django-a...@googlegroups.com
Hello,

I have been trying to get ldap authentication to work but I have been unsuccessful. I don't know what else to try so I am turning to this group.

Here are the details. I'm sure it is something minor; any help is appreciated! I changed a few of the details to help conceal information.

-Chris

settings.py file:
############################## django-auth-ldap ##############################
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

import ldap
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_SERVER_URI = "ldap://server:389"
AUTH_LDAP_BIND_DN = "CN=rfeng_svc,OU=Denver,OU=Service Accounts,DC=example,DC=com"
AUTH_LDAP_BIND_PASSWORD = "W*@*[3-AU*BfF2"
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=example,dc=com",
    #ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
    ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=active,ou=groups,dc=example,dc=com",
    #"is_staff": "cn=staff,ou=groups,dc=example,dc=com",
    "is_staff": "dc=example,dc=com",
    "is_superuser": "cn=superuser,ou=groups,dc=example,dc=com"
}

if DEBUG:
    import logging, logging.handlers
    logfile = "django-ldap-debug.log"
    my_logger = logging.getLogger('django_auth_ldap')
    my_logger.setLevel(logging.DEBUG)
 
    handler = logging.handlers.RotatingFileHandler(
       logfile, maxBytes=1024 * 500, backupCount=5)
 
    my_logger.addHandler(handler)

############################ end django-auth-ldap ############################

data from my log file:

search_s('ou=users,dc=example,dc=com', 2, '(sAMAccountName=cstinemetz)') raised NO_SUCH_OBJECT({'info': "0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=example,DC=com'\n", 'matched': 'DC=example,DC=com', 'desc': 'No such object'},)
search_s('ou=users,dc=example,dc=com', 2, '(sAMAccountName=%(user)s)') returned 0 objects: 
Authentication failed for cstinemetz

Peter Sagerson

Jan 28, 2014, 7:12:42 PM
to django-a...@googlegroups.com
So far it looks like it's legitimately not finding the user object. I'll assume that "ou=users,dc=example,dc=com" is an obfuscation. I would probably suggest firing up a Python shell and doing a blanket search to see what's in there (assuming it's not a huge directory):

> ldapobj.search_s("ou=users,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(sAMAccountName=*)")

Chris Stinemetz

Jan 29, 2014, 10:21:03 AM
to django-a...@googlegroups.com


On Tuesday, January 28, 2014 6:12:42 PM UTC-6, Peter Sagerson wrote:
So far it looks like it's legitimately not finding the user object. I'll assume that "ou=users,dc=example,dc=com" is an obfuscation. I would probably suggest firing up a Python shell and doing a blanket search to see what's in there (assuming it's not a huge directory):

> ldapobj.search_s("ou=users,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(sAMAccountName=*)")


I am pretty new to django and really new to ldap. Would you please give me an example on how to do the blanket search within Python shell? Do I use django shell ("manage.py shell")? After that I am not sure how to test the blanket search.

Thanks in advance,

Chris

Peter Sagerson

Jan 29, 2014, 12:04:46 PM
to django-a...@googlegroups.com
This quick example would look like this (from any Python shell):

>>> import ldap
>>>
>>> ldapobj = ldap.initialize(ldap-url)
>>> ldapobj.simple_bind_s(user-dn, user-password)
>>> ldapobj.search_s(base-dn, ldap.SCOPE_SUBTREE, "(objectClass=*)")

An LDAP directory is a kind of database, so I can't help you with the placeholders there; only the administrator knows what the base DN is, for example. If you're not familiar with the structure of your LDAP directory, I would highly recommend installing something like phpLDAPAdmin somewhere. You can run it behind a local HTTP server, but configure it to talk to your LDAP server anywhere. As long as you have enough details to log in, you can get a clear look at where everything is, which should help a lot.

Chris Stinemetz

Jan 29, 2014, 12:44:52 PM
to django-a...@googlegroups.com
On Wed, Jan 29, 2014 at 11:04 AM, Peter Sagerson <psa...@ignorare.net> wrote:
This quick example would look like this (from any Python shell):

>>> import ldap
>>>
>>> ldapobj = ldap.initialize(ldap-url)
>>> ldapobj.simple_bind_s(user-dn, user-password)
>>> ldapobj.search_s(base-dn, ldap.SCOPE_SUBTREE, "(objectClass=*)")

An LDAP directory is a kind of database, so I can't help you with the placeholders there; only the administrator knows what the base DN is, for example. If you're not familiar with the structure of your LDAP directory, I would highly recommend installing something like phpLDAPAdmin somewhere. You can run it behind a local HTTP server, but configure it to talk to your LDAP server anywhere. As long as you have enough details to log in, you can get a clear look at where everything is, which should help a lot.


Thank you Peter.

I had to add the following to get the search to work via Python shell?

ldapobj.set_option(ldap.OPT_REFERRALS, 0)

What exactly does this statement do? And how would I implement it in my settings.py file? I don't see where the connection is initialized in the settings file.
Thank you,

Chris


Peter Sagerson

Jan 29, 2014, 12:52:33 PM
to django-a...@googlegroups.com
Ah yes, I hear that's common with AD. (I've never had dealings with AD myself). A referral is kind of the LDAP version of redirection.[1] You can instruct django-auth-ldap to set options on LDAPObject with AUTH_LDAP_CONNECTION_OPTIONS. There's actually an example at the bottom of this section: http://pythonhosted.org/django-auth-ldap/authentication.html#server-config.


[1] http://tools.ietf.org/html/rfc4511#section-4.1.10

Chris Stinemetz

Jan 29, 2014, 1:51:05 PM
to django-a...@googlegroups.com
Thanks again so much. I am definitely getting closer. The authentication is working but I am failing at creating the user.

Here is the error:

    raise ImproperlyConfigured("AUTH_LDAP_GROUP_TYPE must be an LDAPGroupType instance.")
ImproperlyConfigured: AUTH_LDAP_GROUP_TYPE must be an LDAPGroupType instance.

Thanks!

Chris

Peter Sagerson

Jan 29, 2014, 1:57:05 PM
to django-a...@googlegroups.com
Getting groups working is definitely going to level you up on LDAP. Groups are described here: http://pythonhosted.org/django-auth-ldap/groups.html.

Chris Stinemetz

Jan 29, 2014, 2:43:45 PM
to django-a...@googlegroups.com
Say for now I just want to create all new users as staff and just change a few to superuser through Django admin. Is this possible without setting group permissions during LDAP authorization? Thank you very much.

-Chris

Peter Sagerson

Jan 29, 2014, 2:47:40 PM
to django-a...@googlegroups.com
Django-auth-ldap fires a signal every time it creates a new user (just before saving it), so you can populate new users any way you like:

http://pythonhosted.org/django-auth-ldap/users.html#custom-field-population

Settings like AUTH_LDAP_USER_FLAGS_BY_GROUP are just convenient for common scenarios.

Chris Stinemetz

Jan 30, 2014, 1:24:26 PM
to django-a...@googlegroups.com
Thanks again Peter!

I am struggling a bit to get the user to populate in the user database after LDAP authentication. 

Is there any way you can advise me what to set my "is_staff": to by looking at the following string that returns a matched object?

cn=chris stinemetz,ou=users,ou=kansas city,ou=central,dc=company,dc=com (this returns a match and gets me past authorization.)

"is_staff": "cn=Users,cn=Global-Users,dc=company,dc=com", (this is failing and I am not sure what to set it to.)

Thanks again!

Chris

Peter Sagerson

Jan 30, 2014, 1:32:44 PM
to django-a...@googlegroups.com
In order to use AUTH_LDAP_USER_FLAGS_BY_GROUP, you have to set up a bunch of stuff having to do with finding group entries and parsing membership. If you don't want to deal with all this, you should remove AUTH_LDAP_USER_FLAGS_BY_GROUP. If you just want everyone to be staff initially, you can do something like this (probably in models.py to be sure it gets run):


from django_auth_ldap.backend import populate_user

def make_staff(sender, user, **kwargs):
    # Mark every user populated from LDAP as staff.
    user.is_staff = True

populate_user.connect(make_staff)


If you want to make decisions based on the LDAP user's attributes, look at user.ldap_user.attrs.


http://pythonhosted.org/django-auth-ldap/users.html#direct-attribute-access
https://docs.djangoproject.com/en/1.6/topics/signals/
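
As an added example (not part of the original thread and not django-auth-ldap's own code), the receiver below follows the suggestion to look at user.ldap_user.attrs and grants flags only to members of specific groups instead of to every directory user. It assumes AD-style memberOf values, which list direct memberships only; the group DNs, the sample attributes and the helper names are constructed for illustration.

```python
# Added example: set Django flags from LDAP group membership rather than
# making every directory user staff. Group DNs are constructed placeholders.
STAFF_GROUPS = {"cn=django-staff,ou=groups,dc=example,dc=com"}
SUPERUSER_GROUPS = {"cn=django-admins,ou=groups,dc=example,dc=com"}


def normalize_dn(dn):
    """Lower-case a DN and drop spaces around its components.

    Sufficient for DNs without escaped commas in their values.
    """
    if isinstance(dn, bytes):
        dn = dn.decode("utf-8", "replace")
    return ",".join(part.strip().lower() for part in dn.split(","))


def flags_from_attrs(attrs):
    """Return (is_staff, is_superuser) from one user's LDAP attributes."""
    member_of = set()
    for name, values in attrs.items():
        if name.lower() == "memberof":  # attribute names are case-insensitive
            member_of.update(normalize_dn(v) for v in values)
    # Exact DN match: a substring test would also accept "cn=not-django-staff".
    is_superuser = bool(member_of & SUPERUSER_GROUPS)
    is_staff = is_superuser or bool(member_of & STAFF_GROUPS)
    return is_staff, is_superuser


def set_flags(sender, user, ldap_user, **kwargs):
    """populate_user receiver; overwrites both flags on every population."""
    user.is_staff, user.is_superuser = flags_from_attrs(ldap_user.attrs)


# In the project (for example models.py), connect it as in the post above:
#   from django_auth_ldap.backend import populate_user
#   populate_user.connect(set_flags)

# Constructed sample in the shape of ldap_user.attrs (name -> list of values).
SAMPLE_ATTRS = {
    "sAMAccountName": ["cstinemetz"],
    "memberOf": ["CN=django-staff, OU=Groups, DC=example, DC=com",
                 "CN=Domain Guests,CN=Users,DC=example,DC=com"],
}
print(flags_from_attrs(SAMPLE_ATTRS))
```

Because the receiver assigns both flags each time the user is populated, removing someone from the group in the directory removes the flag, and a flag set by hand in the Django admin is overwritten too.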

Chris Stinemetz

Jan 30, 2014, 1:44:05 PM
to django-a...@googlegroups.com
That did it. Thank you!

-Chris
