LDAP Authentication error ( Active Directory 2019)

Matt P
Jan 12, 2021, 10:35:05 AM
to NetBox

So I am unable to authenticate any users via LDAP. I tried both the raw username and with the domain attached to see if either works. People mentioned "nested groups" possibly being a problem, but I think that would fail on group mapping; we are getting a raw DN/password rejection here, so we aren't even getting that far.

There is not a lot of help for this in the NetBox or Django LDAP documentation.

------------------------------------------

Current LDAP errors being logged

Authentication failed for XXXXXXXXXX: user DN/password rejected by LDAP server.
Authentication failed for XXXXX...@YYYYY.com: user DN/password rejected by LDAP server.


------------------------------------------

Configs:

Here is my current LDAP config.

import ldap

import logging, logging.handlers
logfile = "/data/netbox/logs/django-ldap-debug.log"
my_logger = logging.getLogger('django_auth_ldap')
my_logger.setLevel(logging.DEBUG)
handler = logging.handlers.RotatingFileHandler(
    logfile, maxBytes=1024 * 500, backupCount=5
)
my_logger.addHandler(handler)

AUTH_LDAP_SERVER_URI = "ldap://ldap.xxxxxxxxxxxxxxxx.com"
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0
}

AUTH_LDAP_BIND_DN = "CN=netbox-sa,OU=Service Accounts,DC=xxxxxxxxxxxxxx,DC=com"
AUTH_LDAP_BIND_PASSWORD = "xxxxxxxxxxxxxxxxxxxxx"
LDAP_IGNORE_CERT_ERRORS = True

from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_USER_SEARCH = LDAPSearch("OU=Privileged.Users,OU=Delegated.Access,DC=xxxxxxxxxxxxx,DC=com",
                                    ldap.SCOPE_SUBTREE,
                                    "(sAMAccountName=%(user)s)")

# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}

from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=xxxxxxxxxxxxxx,dc=com", ldap.SCOPE_SUBTREE,"(objectClass=group)")

AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()

AUTH_LDAP_REQUIRE_GROUP = "CN=netbox-admin,OU=xxxxxxxxxxxx,OU=Service Accounts,DC=xxxxxxxxxxxxx,DC=com"

# Mirror LDAP group assignments.
# AUTH_LDAP_MIRROR_GROUPS = True

# Define special user types using groups. Exercise great caution when assigning superuser status.
# Each value must be a full group DN (it is matched against the groups returned by
# AUTH_LDAP_GROUP_SEARCH); the is_active entry originally had a duplicated "cn=CN=" prefix.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "CN=netbox-user,OU=xxxxxxxxxxx,OU=Service Accounts,DC=xxxxxxxxxxxxxxxxx,DC=com",
    "is_staff": "CN=netbox-user,OU=xxxxxxxxxxxxxxxx,OU=Service Accounts,DC=xxxxxxxxxxxxxxxxxx,DC=com",
    "is_superuser": "CN=netbox-admin,OU=xxxxxxxxxxx,OU=Service Accounts,DC=xxxxxxxxxxxxxxxxx,DC=com"
}

AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_CACHE_TIMEOUT = 3600

-------------------------------------
From configuration.py

# Remote authentication support
REMOTE_AUTH_ENABLED = True
# REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'
# Only consulted by RemoteUserBackend; LDAPBackend ignores the header.
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}




Justin H.
Jan 12, 2021, 3:08:32 PM
to NetBox
I don't see anything that clashes with my LDAP config, which works. I have never had to include the domain with the username to log in via LDAP, FYI.

I guess the next question would be: are you sure you have the right password?

Matt P
Jan 14, 2021, 10:21:03 AM
to NetBox
Yep, even tried a few different accounts.