Django LDAP config not working


Ross Skeels

Sep 9, 2021, 2:32:03 PM
to NetBox
I used the config in the Netbox setup docs. It didn't work from the start. I've messed with the config for a while. I'm now to the point that I get 


user does not satisfy AUTH_LDAP_REQUIRE_GROUP


in my logs (I have debugging enabled).


This is what the complaining config looks like:

AUTH_LDAP_REQUIRE_GROUP = "CN=Users,DC=internal,DC=example,DC=net".


This is the same AD config we use on other servers that work correctly. What is different about the Django setup?

Please let me know if any additional info is needed to lend a hand.

Thanks!

justi...@gmail.com

Sep 9, 2021, 2:40:28 PM
to NetBox
Perhaps AUTH_LDAP_GROUP_TYPE?  I had to set mine to NestedGroupOfNamesType().

Ross Skeels

Sep 9, 2021, 4:43:02 PM
to NetBox
Sorry, didn't realize I wrote a private message.

When I remove "CN=Users" from AUTH_LDAP_USER_SEARCH and AUTH_LDAP_GROUP_SEARCH, I get this error:

search_s('DC=internal,DC=example,DC=net', 2, '(sAMAccountName=ross)') raised OPERATIONS_ERROR({'msgtype': 100, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563'})

search_s('DC=internal,DC=example,DC=net', 2, '(sAMAccountName=%(user)s)') returned 0 objects: 

Authentication failed for ross: failed to map the username to a DN.


Ross Skeels

Sep 9, 2021, 4:44:01 PM
to NetBox
oooo so it looks like the binding process isn't working correctly

justi...@gmail.com

Sep 9, 2021, 4:45:18 PM
to NetBox
Yup.  So AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD.

Ross Skeels

Sep 9, 2021, 5:23:39 PM
to NetBox
I have this

AUTH_LDAP_BIND_DN = "CN=service.ldap,CN=Users,DC=internal,DC=example,DC=net"

AUTH_LDAP_BIND_PASSWORD = "*******"


in my config. service.ldap is the bind user. What in the world is wrong with that?

justi...@gmail.com

Sep 9, 2021, 5:32:42 PM
to NetBox
Shouldn't be anything, that I'm aware of.  My vague recollection is that if it were a password issue, even on the bind user, you would get a password error.

Is the "Users" group a CN or an OU?  I'm not super clear on the difference or whether it matters how you reference it, but worth checking.  I'm afraid my LDAP knowledge is rather shallow in some regards.

The other thing I've run into before, if your LDAP is an AD server, is making sure that nobody set the "must change password" flag on the bind user.

/jh

Ross Skeels

Sep 9, 2021, 5:35:19 PM
to NetBox
The "Users" group is a CN. We use the same bind user on other servers, so the credentials are correct. We are using WinAD.
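As an added diagnostic (not from this thread or the NetBox project), the script below does what django-auth-ldap does at login: a simple bind with the service account, then the AUTH_LDAP_USER_SEARCH lookup, using the same python-ldap library. It translates the two failures seen above, the 000004DC "successful bind must be completed" message (a search on a still-anonymous connection) and AD's "data NNN" bind codes (including 773, the "must change password" flag mentioned earlier), into a plain diagnosis, and on success lists the user's memberOf values for comparison with AUTH_LDAP_REQUIRE_GROUP. The server URI, DNs, password and username are placeholders you supply.

```python
import re
from typing import Tuple

# "data NNN" codes AD puts in the diagnostic message of a rejected simple bind.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong bind password)",
    "532": "password expired",
    "533": "account disabled",
    "773": "user must reset password ('must change password at next logon')",
    "775": "account locked out",
}
_DATA_RE = re.compile(r"data ([0-9a-fA-F]+)")

def explain_ad_ldap_error(info: str) -> str:
    """Map the 'info' string of an AD LDAP error to a plain diagnosis."""
    # 000004DC: the search ran on a still-anonymous connection, i.e. the
    # service-account bind never happened (AD refuses anonymous searches).
    if "successful bind must be completed" in info:
        return "search sent without a bind: AUTH_LDAP_BIND_DN/AUTH_LDAP_BIND_PASSWORD not applied"
    m = _DATA_RE.search(info)
    code = m.group(1).lower() if m else ""
    if code in AD_BIND_DATA_CODES:
        return f"bind rejected: {AD_BIND_DATA_CODES[code]} (data {code})"
    return "unrecognised AD error: " + info

def _info(exc: Exception) -> str:
    # python-ldap raises LDAPError with a dict as args[0]; pull out 'info'.
    d = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
    return d.get("info", str(exc))

def check_bind_and_search(server_uri: str, bind_dn: str, bind_password: str,
                          base_dn: str, username: str) -> Tuple[bool, str]:
    """Bind as the service account, then search the user (what django-auth-ldap
    does). Returns (ok, message); the message lists memberOf on success so it can
    be compared with AUTH_LDAP_REQUIRE_GROUP, which must be the DN of a group."""
    import ldap  # python-ldap, the library django-auth-ldap uses
    from ldap.filter import escape_filter_chars
    conn = ldap.initialize(server_uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD referrals break plain searches
    try:
        conn.simple_bind_s(bind_dn, bind_password)
        flt = f"(sAMAccountName={escape_filter_chars(username)})"
        hits = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, flt, ["memberOf"])
    except ldap.LDAPError as exc:
        return False, explain_ad_ldap_error(_info(exc))
    hits = [(dn, attrs) for dn, attrs in hits if dn]  # drop referral entries (dn is None)
    if not hits:
        return False, f"{flt} matched nothing under {base_dn}: check AUTH_LDAP_USER_SEARCH"
    groups = [g.decode() for g in hits[0][1].get("memberOf", [])]
    return True, f"{hits[0][0]} is memberOf {groups or '(none)'}"
```

Call it as check_bind_and_search("ldaps://dc.example.invalid", AUTH_LDAP_BIND_DN, AUTH_LDAP_BIND_PASSWORD, "DC=internal,DC=example,DC=net", "ross") with your own values.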