django-ldap-auth, Active Directory and “data 52e, v1db1”


Lachlan Simpson

unread,
Sep 6, 2013, 12:19:32 AM9/6/13
to django-a...@googlegroups.com
Hola,

Am struggling a bit with django-ldap-auth and AD. I keep getting invalid credentials (49) errors, despite having correct credentials:

    additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

Using python-ldap (2.4.13), Django 1.5.2 and django-auth-ldap (1.1.4) on Ubuntu 12.04.3 against Windows Server 2008 R2. I followed the installation instructions here: http://pythonhosted.org/django-auth-ldap/install.html and here: http://www.djm.org.uk/using-django-auth-ldap-active-directory-ldaps

The second link recommends testing the connection using:

    ldapsearch -H ldaps://ldap-x.companygroup.local:636 -D "CN=Something LDAP,OU=Random Group,DC=companygroup,DC=local" -w "p4ssw0rd" -v -d 1

Locally, that would be:

    ldapsearch -H ldap://192.168.0.3 -D "cn=testadmin,dc=fds,dc=local" -w "password" -v -d 1

This didn't work for me, but the following did

    ldapsearch -H ldap://192.168.0.3 -D "dc=fds,dc=local" -U "testadmin" -w "password" -v -d 1

so I was happy. Before moving the user out into the -U flag I had also tried the following without success:

    ldapsearch -H ldap://192.168.0.3 -D "cn=testadmin,ou=Users,dc=fds,dc=local" -w "password" -v -d 1
    ldapsearch -H ldap://192.168.0.3 -D "uid=testadmin,dc=fds,dc=local" -w "password" -v -d 1
    ldapsearch -H ldap://192.168.0.3 -D "uid=testadmin,ou=Users,dc=fds,dc=local" -w "password" -v -d 1

My django-auth-ldap settings are:

    import ldap
    from django_auth_ldap.config import LDAPSearch

    AUTHENTICATION_BACKENDS = (
        'django_auth_ldap.backend.LDAPBackend',
        'django.contrib.auth.backends.ModelBackend',
    )

    AUTH_LDAP_SERVER_URI = 'ldap://192.168.0.3'

    # Service account used for the first (search) bind.
    AUTH_LDAP_BIND_DN = 'uid=testadmin,ou=Users,dc=fds,dc=local'
    AUTH_LDAP_BIND_PASSWORD = 'password'
    # Filter template; %(user)s needs the trailing "s" or Python's % formatting fails.
    AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=fds,dc=local",
        ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

    AUTH_LDAP_CONNECTION_OPTIONS = {
            ldap.OPT_DEBUG_LEVEL: 0,
            ldap.OPT_REFERRALS: 0,
    }


This doesn't work, with the same error as above. As you can see, I try logging in using the three forms: testadmin, [domain]\testadmin and testadmin@[domain].local, each with the same error.

    Development server is running at http://0.0.0.0:8000/
    Quit the server with CONTROL-C.
    Caught LDAPError while authenticating testadmin: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
    [06/Sep/2013 08:51:38] "POST /admin/ HTTP/1.1" 200 2027
    Caught LDAPError while authenticating test...@fds.local: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
    [06/Sep/2013 08:53:40] "POST /admin/ HTTP/1.1" 200 2037
    Caught LDAPError while authenticating fds\testadmin: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
    [06/Sep/2013 08:53:50] "POST /admin/ HTTP/1.1" 200 2031


I have tried a number of alterations to the settings in various combinations of/including:

    AUTH_LDAP_BIND_DN = 'uid=testadmin,ou=Domain Users,ou=Users,dc=fds,dc=local'
    AUTH_LDAP_BIND_DN = 'cn=testadmin,ou=Users,dc=fds,dc=local'
    AUTH_LDAP_BIND_DN = 'cn=testadmin,ou=Users,dc=fds,dc=local'
    AUTH_LDAP_BIND_DN = 'uid=testadmin,dc=fds,dc=local'
    AUTH_LDAP_BIND_DN = 'cn=testadmin,dc=fds,dc=local'

    AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Domain Users,ou=Users,dc=fds,dc=local",
        ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

    AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=FDS Users,dc=fds,dc=local",
        ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

    AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=IT Users,ou=FDS Users,dc=fds,dc=local",
        ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

I don't fully understand AD or LDAP, but am working from examples I've found online - each of those ou's is an existing ou in my domain that contains users or other ou's containing users.

It seems to me that the problem relates to either the settings

    AUTH_LDAP_BIND_DN = 'uid=testadmin,ou=Users,dc=fds,dc=local'
    AUTH_LDAP_BIND_PASSWORD = 'password'

or 

    AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=fds,dc=local",
        ldap.SCOPE_SUBTREE, "(uid=%(user)s)")


Since trying this, I found a post on this mailing list claiming to have django-auth-ldap working with server2008r2:


I have since changed my settings to be:

    import ldap
    from django_auth_ldap.config import LDAPSearch, ActiveDirectoryGroupType

    AUTHENTICATION_BACKENDS = (
        'django_auth_ldap.backend.LDAPBackend',
        'django.contrib.auth.backends.ModelBackend',
    )

    AUTH_LDAP_SERVER_URI = 'ldap://192.168.0.3'

    # Service account for the search bind; AD stores default users under cn=Users, not ou=Users.
    AUTH_LDAP_BIND_DN = 'cn=testadmin,cn=Users,dc=fds,dc=local'
    AUTH_LDAP_BIND_PASSWORD = 'password'
    AUTH_LDAP_USER_SEARCH = LDAPSearch("dc=fds,dc=local", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")
    AUTH_LDAP_GROUP_SEARCH = LDAPSearch('ou=readout_ou,ou=groups,dc=fds,dc=local', ldap.SCOPE_SUBTREE, '(objectClass=group)')
    AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
    AUTH_LDAP_REQUIRE_GROUP = 'cn=enabled,ou=readout_ou,ou=groups,dc=fds,dc=local'

    # Populate the Django user from the LDAP directory.
    AUTH_LDAP_USER_ATTR_MAP = {
        'first_name': 'givenName',
        'last_name': 'sn',
        'email': 'mail'
    }

    AUTH_LDAP_GLOBAL_OPTIONS = {
        # Disables server certificate verification; only matters over ldaps://
        # or STARTTLS, and should not be left in place once TLS is in use.
        ldap.OPT_X_TLS_REQUIRE_CERT: False,
        ldap.OPT_REFERRALS: False,
    }

    AUTH_LDAP_CONNECTION_OPTIONS = {
            ldap.OPT_DEBUG_LEVEL: 0,
            ldap.OPT_REFERRALS: 0,
    }


but am still getting the same credentials errors.

I don't even know what to test at this point. I've got the DEBUG coming to console, but the most information I get is the error as listed above.

    INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'})

Any tips or new avenues of investigation would be appreciated.

cheers
L.



--
Lachlan Simpson
IT Manager

Flight Data Systems

Post: P.O Box 681, Tullamarine,  Victoria, AUSTRALIA, 3043
Phone: +61 3 8331 2900
Fax: +61 3 9336 1758
Web: www.flightdata.com.au

Peter Sagerson

unread,
Sep 6, 2013, 12:53:00 AM9/6/13
to django-a...@googlegroups.com
> Locally, that would be:
>
> ldapsearch -H ldap://192.168.0.3 -D "cn=testadmin,dc=fds,dc=local" -w "password" -v -d 1
>
> This didn't work for me, but the following did
>
> ldapsearch -H ldap://192.168.0.3 -D "dc=fds,dc=local" -U "testadmin" -w "password" -v -d 1

I believe this is the key observation. If you look at the man page for ldapsearch, you'll see that -U triggers a SASL bind rather than a simple bind. These are two different ways to authenticate against an LDAP server. At present, django-auth-ldap doesn't have any support for SASL.

I haven't used AD myself, so I can't give any specific advice on configuring your server. One way or another, you need to get that first ldapsearch command to work with your credentials. Once it does, you should be unstuck.

Lachlan Simpson

unread,
Sep 6, 2013, 1:01:21 AM9/6/13
to django-a...@googlegroups.com
Yes, I'm sorry - I've been looking at this issue for over 11 hours now, so my brain is fried. Having come from a time when an email to a group too early got one a RTFM response, I prefer to be completely thorough before reaching out.

I believe I have solved that part - the BIND connection. I just didn't add it into my email.

I have found that this works:

    ldapsearch -H ldap://192.168.0.3 -D "cn=testadmin,cn=FDS Users,cn=Users,dc=fds,dc=local" -U -w "password" -v -d 1

i.e., explicitly naming the user, using cn, "all the way down" - testadmin is in the FDS Users OU, and the Users OU.

Unfortunately this hasn't solved the problem - I'm still getting the credentials problem when attempting to login via the Django admin interface.

I have even changed my AUTH_LDAP_USER_SEARCH options to mirror this discovery:

    #AUTH_LDAP_USER_SEARCH = LDAPSearch("cn=Domain Users,cn=Users,dc=fds,dc=local", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")
    #AUTH_LDAP_USER_SEARCH = LDAPSearch("cn=FDS IT,cn=FDS Users,dc=fds,dc=local", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")
    #AUTH_LDAP_USER_SEARCH = LDAPSearch("cn=Domain Users,cn=Users,dc=fds,dc=local", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
    #AUTH_LDAP_USER_SEARCH = LDAPSearch("cn=FDS IT,cn=FDS Users,dc=fds,dc=local", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
    #AUTH_LDAP_USER_SEARCH = LDAPSearch("dc=fds,dc=local", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")  # (this was the original)


cheers
L.


Peter Sagerson

unread,
Sep 6, 2013, 1:12:43 AM9/6/13
to django-a...@googlegroups.com
Well, one other thing to note is that with AUTH_LDAP_USER_SEARCH, there will be two binds, so you should be sure you know which one is failing. The first bind will use AUTH_LDAP_BIND_DN/AUTH_LDAP_BIND_PASSWORD, which just gets you access to search for the user. The second is to test the supplied credentials.

It's probably not too early to step through LDAPBackend a bit and see exactly what it's sending to the LDAP server that's leading to the exception. It kind of sounds like it's still the first one; if your search parameters aren't set up correctly, you would more likely see a search failure than a credentials exception in the debug logs.
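The two-bind sequence described above, as an added example that is not code from the thread or from django-auth-ldap: it runs against a constructed in-memory stand-in for AD (a real python-ldap connection exposes the same `simple_bind_s` and `search_s` calls, which is assumed here) and reports whether the service bind, the user search, or the user's own bind is the step that fails.

```python
# Added example, not from the thread or django-auth-ldap: the two-bind
# sequence against a duck-typed connection so it runs offline. The DNs,
# passwords and attributes below are constructed sample data.
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE

class InvalidCredentials(Exception): pass  # stands in for ldap.INVALID_CREDENTIALS (AD "data 52e")

def escape_filter_chars(value):
    """RFC 4515 escaping so a username cannot alter the search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

class FakeADConnection:
    """Constructed stand-in for AD: maps DN -> (password, attributes)."""
    def __init__(self, entries):
        self.entries, self.bound_as = entries, None

    def simple_bind_s(self, dn, password):
        if self.entries.get(dn, (None,))[0] != password:
            raise InvalidCredentials('data 52e')
        self.bound_as = dn

    def search_s(self, base, scope, filterstr):
        if self.bound_as is None:
            raise PermissionError('anonymous search refused')
        attr, _, value = filterstr.strip('()').partition('=')  # single-equality filters only
        return [(dn, attrs) for dn, (_, attrs) in self.entries.items()
                if dn.lower().endswith(base.lower()) and attrs.get(attr) == value]

def authenticate(conn, bind_dn, bind_password, base_dn, username, password):
    """Return (stage, detail); stage names the step that failed, or 'ok'."""
    try:
        conn.simple_bind_s(bind_dn, bind_password)       # bind 1: service account
    except InvalidCredentials as exc:
        return 'service_bind', str(exc)
    filterstr = '(sAMAccountName=%s)' % escape_filter_chars(username)
    results = conn.search_s(base_dn, SCOPE_SUBTREE, filterstr)
    if len(results) != 1:                                 # no match, or ambiguous
        return 'search', '%d entries for %s' % (len(results), filterstr)
    user_dn = results[0][0]
    try:
        conn.simple_bind_s(user_dn, password)            # bind 2: the user's own DN
    except InvalidCredentials as exc:
        return 'user_bind', str(exc)
    return 'ok', user_dn

def new_conn():
    return FakeADConnection({
        'cn=testadmin,cn=FDS Users,cn=Users,dc=fds,dc=local': ('password', {'sAMAccountName': 'testadmin'}),
        'cn=alice,cn=Users,dc=fds,dc=local': ('s3cret', {'sAMAccountName': 'alice'}),
    })
```

Calling `authenticate` with the thread's original `uid=testadmin,ou=Users,...` bind DN reports `service_bind`, which is the first-bind failure Peter suspects; a wrong search base reports `search` instead, matching the "search failure" he says you would see once the bind DN is right.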

Lachlan Simpson

unread,
Sep 6, 2013, 5:36:31 AM9/6/13
to django-a...@googlegroups.com
Peter,

Thanks for the tips. Is there an easy pointer to stepping through LDAPBackend (like "where do I start?")? Ok, I've found it in the docs - but I'd still appreciate a nudge re things I might try.

cheers
L.

Peter Sagerson

unread,
Sep 6, 2013, 1:20:05 PM9/6/13
to django-a...@googlegroups.com
The entry point for authentication--as defined by Django--is LDAPBackend.authenticate. In the latest source, this is django_auth_ldap/backend.py:145. If you want to catch the invalid credentials specifically, look for the call to simple_bind_s (line 693). This will let you see exactly how we're attempting to authenticate to LDAP at both stages.

Peter Sagerson

unread,
Sep 6, 2013, 5:17:46 PM9/6/13
to django-a...@googlegroups.com
That could work in principle, as long as you're okay with the update lag. This project won't really help with syncing, though.


On Sep 5, 2013, at 9:43 PM, lachlan...@flightdata.com.au wrote:

> It has occurred to me that I could populate the local Django user table from AD periodically (cron, daily at midnight most likely).
>
> Is this approach feasible? The organisation I work for is small enough that it should be fine - we only have the one domain that requires access, with one PDC. Total users is roughly 20.
>
> Given that I seem to be able to connect (in the BIND phase) effectively, is it possible to just suck the required data out and populate the User table?
>
> cheers
> L.

lachlan...@flightdata.com.au

unread,
Sep 8, 2013, 8:24:03 PM9/8/13
to django-a...@googlegroups.com
On Friday, September 6, 2013 3:12:43 PM UTC+10, Peter Sagerson wrote:
> Well, one other thing to note is that with AUTH_LDAP_USER_SEARCH, there will be two binds, so you should be sure you know which one is failing. The first bind will use AUTH_LDAP_BIND_DN/AUTH_LDAP_BIND_PASSWORD, which just gets you access to search for the user. The second is to test the supplied credentials.
>
> It's probably not too early to step through LDAPBackend a bit and see exactly what it's sending to the LDAP server that's leading to the exception. It kind of sounds like it's still the first one; if your search parameters aren't set up correctly, you would more likely see a search failure than a credentials exception in the debug logs.


You were correct - it took me a while to work out the exact syntax - the keywords in the docs that I missed were "distinguished name to use when binding to the LDAP server" - I looked up DN and sure enough, I started getting search failure (which while not perfect, is a forward step). Thanks.

L.
