LDAP Working but still can't Authenticate to Netbox

[Ben Lockwood]

Hi all,

So i've been fighting with LDAP Authentication for Netbox for days now, and I just can't seem to get it to work. I've gotten to the point where when i Type an incorrect password i get an:

Authentication failed for <user>: user DN/password rejected by LDAP server.

Error, but when I type the correct password i get:

Creating Django user <user>
Populating Django user <user>
Caught LDAPError while authenticating <user>: INVALID_CREDENTIALS({'desc': 'Invalid credentials', 'info': '80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839'},)

So from what i can gather the part where django_auth_ldap communicates with our AD LDAP server works, but I can't get django to authenticate/login the user and i have no idea why.

I have attached my current ldap_config.py file below. Any assistance with this would be greatly appreciated:

import ldap
from django_auth_ldap.config import LDAPSearch, NestedActiveDirectoryGroupType
#from django_auth_ldap.backend import LDAPBackend

import logging, logging.handlers
logfile = "/opt/netbox/logs/django-ldap-debug.log"
my_logger = logging.getLogger('django_auth_ldap')
my_logger.setLevel(logging.DEBUG)
handler = logging.handlers.RotatingFileHandler(
logfile, maxBytes=1024 * 500, backupCount=5)
my_logger.addHandler(handler)

AUTH_LDAP_AUTHORIZE_ALL_USERS = True
AUTH_LDAP_SERVER_URI = "ldap://<server>:389"
AUTH_LDAP_BIND_DN = "CN=netbox,OU=Users,DC=<sub>,DC=<domain>,DC=ca"
AUTH_LDAP_BIND_PASSWORD = "<pass>"

AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_DEBUG_LEVEL: 1,
    ldap.OPT_REFERRALS: 0,
}

LDAP_IGNORE_CERT_ERRORS = True

#AUTH_LDAP_USER_SEARCH = LDAPSearch("DC=<sub>,DC=<domain>,DC=ca",
#    ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")


AUTH_LDAP_USER_DN_TEMPLATE = "CN=%(user)s,OU=Users,OU=HOF,OU=Sites,DC=<sub>,DC=<domain>,DC=ca"


#AUTH_LDAP_USER_ATTR_MAP = {
#    "first_name": "givenName",
#    "last_name": "sn",
#    "email": "mail"
#}


AUTH_LDAP_GROUP_SEARCH = LDAPSearch("DC=<sub>,DC=<domain>,DC=ca",
    ldap.SCOPE_SUBTREE, "(objectClass=NestedActiveDirectoryGroup)")
AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()

####################AUTH_LDAP_REQUIRE_GROUP = "CN=HOF-SecurityDeployment1,OU=Groups,OU=HOF,OU=Sites,DC=<sub>,DC=<domain>,DC=ca"

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": ["CN=HOF-SecurityDeployment1,OU=Groups,OU=HOF,OU=Sites,DC=<sub>,DC=<domain,DC=ca"],
}
#AUTH_LDAP_FIND_GROUP_PERMS = True

AUTH_LDAP_CACHE_TIMEOUT = 3600
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

AUTH_LDAP_MIRROR_GROUPS = True

#LDAP_AUTH_FORMAT_USERNAME = "django_python3_ldap.utils.format_username_active_directory"
#LDAP_AUTH_ACTIVE_DIRECTORY_DOMAIN = "<sub>"

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend')

[rossm...@gmail.com]

The LDAP example in the docs didn't work for me either. Attached is my working file (edited for privacy of course). Hope it helps.

[Ben Lockwood]

Hi All,

After fighting with it for a few more hours we managed to get LDAP working, I've posted our config below on the off chance that it manages to help anyone else in the future. Thanks for the help

rossmoutell, i think it did help a bit.

import ldap
from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion, ActiveDirectoryGroupType, NestedActiveDirectoryGrou$

import logging, logging.handlers
logfile = "/opt/netbox/logs/django-ldap-debug.log"
my_logger = logging.getLogger('django_auth_ldap')
my_logger.setLevel(logging.DEBUG)
handler = logging.handlers.RotatingFileHandler(
logfile, maxBytes=1024 * 500, backupCount=5)
my_logger.addHandler(handler)

AUTH_LDAP_AUTHORIZE_ALL_USERS = True

AUTH_LDAP_SERVER_URI = "ldap://<IP_ADDR>:389"
AUTH_LDAP_BIND_DN = "CN=LDAPNetbox,ou=NetBox,ou=App Authorization,DC=xxx,DC=yyy,DC=zzz"
AUTH_LDAP_BIND_PASSWORD = "top_secret"

AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_DEBUG_LEVEL: 1,
    ldap.OPT_REFERRALS: 0,
}

LDAP_IGNORE_CERT_ERRORS = True

AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch("OU=Users,OU=<ou>,OU=<ou>,DC=xxx,DC=yyy,DC=zzz",ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
    LDAPSearch("OU=Users,DC=xxx,DC=yyy,DC=zzz",ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
    LDAPSearch("DC=xxx,DC=yyy,DC=zzz",ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
)
AUTH_LDAP_USER_DN_TEMPLATE = None

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("OU=NetBox,OU=AppAuthorization,DC=xxx,DC=yyy,DC=zzz",
    ldap.SCOPE_SUBTREE, "(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()

AUTH_LDAP_REQUIRE_GROUP = "CN=NetBox-Users,OU=NetBox,OU=App Authorization,DC=xxx,DC=yyy,DC=zzz"

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": (
        LDAPGroupQuery("CN=NetBox-Users,OU=NetBox,OU=App Authorization,DC=xxx,DC=yyy,DC=zzz")),
    "is_staff": (
        LDAPGroupQuery("CN=NetBox-Admins,OU=NetBox,OU=App Authorization,DC=xxx,DC=yyy,DC=zzz")),
    "is_superuser": (
        LDAPGroupQuery("CN=NetBox-Admins,OU=NetBox,OU=App Authorization,DC=xxx,DC=yyy,DC=zzz"))
}

AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
}

AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_TIMEOUT = 0
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 0
#AUTH_LDAP_MIRROR_GROUPS = True

[Amir Kalhori]

Dear Ben,

I used your configuration, but I get below error.

Caught LDAPError while authenticating test: INVALID_CREDENTIALS({'desc': 'Invalid credentials', 'info': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'},)

I have a Windows Server 2012 R2 as Active Directory.

I look forward to hearing from you.

Best Regards,

[Terry McKenna]

Were you able to to solve this error? I am getting the same issue: v2.5.12

thanks