LDAP not working, no logs generated


hutch

Nov 25, 2019, 11:30:18 AM
to NetBox
Hello all,

Working on getting LDAP integrated into our netbox instance, and after configuration none of our login efforts work - we just get the error:
"Please enter a correct username and password. Note that both fields may be case-sensitive."

I've turned on logging with the configuration under "Troubleshooting LDAP" on the Netbox documentation site.
However, there are no logs/files created at all under /opt/netbox/logs, nor anything related to LDAP present in the /var/log/supervisor directory. Why could this be?

My (slightly obfuscated) LDAP config is below:


import ldap

#LOGGING BLOCK
import logging, logging.handlers
logfile = "/opt/netbox/logs/django-ldap-debug.log"
my_logger = logging.getLogger('django_auth_ldap')
my_logger.setLevel(logging.DEBUG)
handler = logging.handlers.RotatingFileHandler(
   logfile, maxBytes=1024 * 500, backupCount=5)
my_logger.addHandler(handler)
## END LOGGING BLOCK

# Server URI
AUTH_LDAP_SERVER_URI = "ldap://ad.site.com"

# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0
}

# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=bindusername,OU=Service Accounts,DC=ad,DC=site,DC=com"
AUTH_LDAP_BIND_PASSWORD = "REDACTED"

# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True


######   PART 2 BELOW   #######

from django_auth_ldap.config import LDAPSearch

# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory).
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=People,dc=ad,dc=site,dc=com",
                                    ldap.SCOPE_SUBTREE,
                                    "(sAMAccountName=%(user)s)")

# If a user's DN is producible from their username, we don't need to search.
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=People,dc=ad,dc=site,dc=com"

# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}


#####    PART 3 BELOW   ######

from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType

# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# hierarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=ad,dc=site,dc=com", ldap.SCOPE_SUBTREE,
                                    "(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()

# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "CN=netbox-actives,OU=netbox,OU=Groups,OU=ENG,DC=ad,DC=site,DC=com"

# Mirror LDAP group assignments.
AUTH_LDAP_MIRROR_GROUPS = True

# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=netbox-actives,ou=netbox,ou=Groups,ou=ENG,dc=ad,dc=site,dc=com",
    "is_staff": "cn=netbox-staff,ou=netbox,ou=Groups,ou=ENG,dc=ad,dc=site,dc=com",
    "is_superuser": "cn=netbox-superusers,ou=netbox,ou=Groups,ou=ENG,dc=ad,dc=site,dc=com"
}

# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True
# Maybe comment this out?
# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

hutch

Nov 25, 2019, 11:59:47 AM
to NetBox
Furthermore - I've tried ldaps://ad.site.com too, to no avail.

Moh Ahmed

Nov 25, 2019, 5:16:46 PM
to NetBox
One thing that worked for us is to use the IP address of the LDAP server.

Brian Candler

Nov 26, 2019, 8:30:07 AM
to NetBox
On Monday, 25 November 2019 16:30:18 UTC, hutch wrote:

However, there are no logs/files created at all under /opt/netbox/logs, nor anything related to LDAP present in the /var/log/supervisor directory. Why could this be?


supervisord tends to eat logs on stdout/stderr.  I suggest you run Netbox in the foreground:

cd /opt/netbox/netbox
python3 manage.py runserver 0.0.0.0:8000 --insecure

Then point your browser at http://x.x.x.x:8000/

Also check that /opt/netbox/logs/ is owned by the user you're running netbox as.

Aske Ejlertsen

Nov 28, 2019, 8:09:44 AM
to NetBox
Have the exact same issue, and nothing works either.

If I change the IP to the machine it's running on, it will say it can't connect at all when using a test command that searches for a user.

Have also just made sure that the user that is running netbox does own the /opt/netbox/logs, but there is still nothing in the log...

hutch

Dec 4, 2019, 12:56:39 PM
to NetBox
Tweaked supervisor log verbosity, gave this a try, and ensured ownership was www-data. Still no responses. Could it be a python configuration issue?

Brian Candler

Dec 4, 2019, 1:21:47 PM
to NetBox
Please try running Netbox in the foreground as shown.  Show what it logs when you connect with a browser and try to login.

Is it even trying to make an LDAP connection at all? (Use tcpdump to check).  If not, you've missed some fundamental step.

hutch

Dec 6, 2019, 9:28:24 AM
to NetBox
Gave this a full try - with Debug = True and running in the foreground as www-data. Still nothing produced in /opt/netbox/logs.

Attempted to login with the desired LDAP credentials, and it still did not work. Here's the output from the console:

[06/Dec/2019 14:18:27] "GET / HTTP/1.1" 200 28066
[06/Dec/2019 14:18:30] "GET / HTTP/1.1" 200 28066
[06/Dec/2019 14:18:31] "GET /static/font-awesome-4.7.0/css/font-awesome.min.css HTTP/1.1" 200 31000
[06/Dec/2019 14:18:31] "GET /static/css/base.css?v2.6.6 HTTP/1.1" 200 11697
[06/Dec/2019 14:18:31] "GET /static/jquery-ui-1.12.1/jquery-ui.css HTTP/1.1" 200 37326
[06/Dec/2019 14:18:31] "GET /static/select2-bootstrap-0.1.0-beta.10/select2-bootstrap.min.css HTTP/1.1" 200 16792
[06/Dec/2019 14:18:31] "GET /static/select2-4.0.5/css/select2.min.css HTTP/1.1" 200 15196
[06/Dec/2019 14:18:31] "GET /static/js/jquery-3.4.1.min.js HTTP/1.1" 200 88145
[06/Dec/2019 14:18:31] "GET /static/bootstrap-3.4.1-dist/css/bootstrap.min.css HTTP/1.1" 200 121457
[06/Dec/2019 14:18:31] "GET /static/clipboard-2.0.4.min.js HTTP/1.1" 200 10754
[06/Dec/2019 14:18:31] "GET /static/select2-4.0.5/js/select2.min.js HTTP/1.1" 200 66606
[06/Dec/2019 14:18:31] "GET /static/bootstrap-3.4.1-dist/js/bootstrap.min.js HTTP/1.1" 200 39680
[06/Dec/2019 14:18:31] "GET /static/js/forms.js?v2.6.6 HTTP/1.1" 200 14330
[06/Dec/2019 14:18:31] "GET /static/jquery-ui-1.12.1/jquery-ui.min.js HTTP/1.1" 200 253669
[06/Dec/2019 14:18:31] "GET /static/img/netbox_logo.png HTTP/1.1" 200 2257
[06/Dec/2019 14:18:31] "GET /static/font-awesome-4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0 HTTP/1.1" 200 77160
[06/Dec/2019 14:18:31] "GET /static/img/netbox.ico HTTP/1.1" 200 1174
[06/Dec/2019 14:18:42] "GET /login/?next=/ HTTP/1.1" 200 17847
[06/Dec/2019 14:18:58] "POST /login/ HTTP/1.1" 200 18236

hutch

Dec 6, 2019, 10:04:29 AM
to NetBox
Just found this....

[attached screenshot: Screenshot_2019-12-06_09-41-50.png]

So I double checked that I had placed the LDAP config file in the right spot per the documentation, and found I had it under /opt/netbox/netbox when I should have had it under /opt/netbox/netbox/netbox. Poor structuring aside, my logs are now showing:

[06/Dec/2019 14:54:44] "GET / HTTP/1.1" 200 28066
[06/Dec/2019 14:54:50] "GET /login/?next=/ HTTP/1.1" 200 17847
Authentication failed for MYUSER: user DN/password rejected by LDAP server.
[06/Dec/2019 14:54:58] "POST /login/ HTTP/1.1" 200 18226
Authentication failed for MYU...@ad.site.com: user DN/password rejected by LDAP server.
The same is present in /opt/netbox/logs/django-ldap-debug.log.

Password is right, which leads me to believe that this is something incorrect with my configuration file?


hutch

Dec 9, 2019, 11:30:48 AM
to NetBox
Update: cleared this up by ensuring I had the right "nested" configuration. ldap_config.py is now as below:

import ldap

#LOGGING BLOCK
import logging, logging.handlers
logfile = "/opt/netbox/logs/django-ldap-debug.log"
my_logger = logging.getLogger('django_auth_ldap')
my_logger.setLevel(logging.DEBUG)
handler = logging.handlers.RotatingFileHandler(
    logfile, maxBytes=1024 * 500, backupCount=5)
my_logger.addHandler(handler)
## END LOGGING BLOCK


#Part 1
AUTH_LDAP_SERVER_URI = "ldap://ad.site.com"
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0
}
AUTH_LDAP_BIND_DN = "CN=BINDACCHERE,OU=Service Accounts,DC=ad,dc=site,dc=com"
AUTH_LDAP_BIND_PASSWORD = "REDACTED"
LDAP_IGNORE_CERT_ERRORS = True

from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_USER_SEARCH = LDAPSearch("OU=People,DC=ad,dc=site,dc=com",
                                   ldap.SCOPE_SUBTREE,
                                   "(sAMAccountName=%(user)s)")

# You can map user attributes to Django attributes as so
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}

from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("DC=ad,dc=site,dc=com", ldap.SCOPE_SUBTREE, "(objectClass=group)")

AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()

AUTH_LDAP_REQUIRE_GROUP = "CN=netbox-actives,OU=netbox,OU=Groups,OU=ENG,DC=ad,dc=site,dc=com"

# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "CN=netbox-actives,OU=netbox,OU=Groups,OU=ENG,DC=ad,dc=site,dc=com",
    "is_staff": "CN=netbox-staff,OU=netbox,OU=Groups,OU=ENG,DC=ad,dc=site,dc=com",
    "is_superuser": "CN=netbox-superusers,OU=netbox,OU=Groups,OU=ENG,DC=ad,dc=site,dc=com"
}

AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

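A small offline checker for the two things this thread tripped over (ldap_config.py sitting one directory too high, and the first config setting AUTH_LDAP_USER_DN_TEMPLATE next to AUTH_LDAP_USER_SEARCH, where django-auth-ldap uses the template and never runs the search). It is an added example, not code from NetBox or django-auth-ldap, and it assumes the NetBox 2.6 layout in which settings.py imports netbox.ldap_config inside a try/except ImportError, so a misplaced file is skipped silently and no LDAP backend loads. demo() builds both layouts in temporary directories with a constructed, reduced config.

```python
import ast
import os
import tempfile

# Assumption (NetBox 2.6): settings.py does `from netbox.ldap_config import *` in a
# try/except ImportError, so a file at netbox/ldap_config.py is ignored without any error.
PRECEDENCE_PAIR = ("AUTH_LDAP_USER_DN_TEMPLATE", "AUTH_LDAP_USER_SEARCH")


def find_assignments(source):
    """Top-level names assigned in a settings module (parsed with ast, never imported)."""
    names = set()
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign):
            names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return names


def check_ldap_config(install_root):
    """Return a list of problems for a NetBox tree rooted at install_root."""
    problems = []
    expected = os.path.join(install_root, "netbox", "netbox", "ldap_config.py")
    misplaced = os.path.join(install_root, "netbox", "ldap_config.py")
    if not os.path.isfile(expected):
        msg = "ldap_config.py not found at %s" % expected
        if os.path.isfile(misplaced):
            msg += "; found one directory too high at %s" % misplaced
        return [msg]
    with open(expected) as fh:
        names = find_assignments(fh.read())
    if all(n in names for n in PRECEDENCE_PAIR):
        # django-auth-ldap builds the DN from the template when it is set and skips the search
        problems.append("both %s and %s set; DN template wins" % PRECEDENCE_PAIR)
    if not os.access(os.path.join(install_root, "logs"), os.W_OK):
        problems.append("logs/ is not writable by the current user")
    return problems


def demo():
    """Constructed sample: the thread's misplaced and corrected layouts."""
    sample = ('AUTH_LDAP_SERVER_URI = "ldap://ad.site.com"\n'
              'AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=People,dc=ad,dc=site,dc=com"\n'
              'AUTH_LDAP_USER_SEARCH = None  # stands in for the LDAPSearch(...) call\n')
    results = {}
    for label, parts in (("misplaced", ("netbox",)), ("correct", ("netbox", "netbox"))):
        root = tempfile.mkdtemp()
        os.makedirs(os.path.join(root, *parts))
        os.mkdir(os.path.join(root, "logs"))
        with open(os.path.join(root, *parts, "ldap_config.py"), "w") as fh:
            fh.write(sample)
        results[label] = check_ldap_config(root)
    return results
```

Run check_ldap_config("/opt/netbox") on a real install to get the same report for that tree.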