Sunday, October 8, 2017

LDAPSearch Troubleshooting

I've got LDAPSearch configured to work with my Synology Directory Server. Users can authenticate fine but when I try to map a user to a group I get INVALID_CREDENTIALS:

import ldap


# Server URI
AUTH_LDAP_SERVER_URI = "ldaps://synology.kensnet.priv"


# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=netbox,CN=users,DC=kensnet,DC=priv"
AUTH_LDAP_BIND_PASSWORD = bindpassword


LDAP_IGNORE_CERT_ERRORS = True


from django_auth_ldap.config import LDAPSearch, PosixGroupType, GroupOfNamesType


AUTH_LDAP_USER_SEARCH = LDAPSearch("cn=users,dc=kensnet,dc=priv",
                                    ldap.SCOPE_SUBTREE,
                                    "(sAMAccountName=%(user)s)")


# If a user's DN is producible from their username, we don't need to search.
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,cn=users,dc=kensnet,dc=priv"


### EVERYTHING WORKS UP UNTIL HERE


#### Groups


# # This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# # heirarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=kensnet,dc=priv", ldap.SCOPE_SUBTREE,
                                    "(objectClass=organizationalRole")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()


# # Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "cn=users,cn=groups,dc=kensnet,dc=priv"


# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_staff": "cn=staff,cn=groups,dc=kensnet,dc=priv",
    "is_superuser": "cn=administrators,cn=groups,dc=kensnet,dc=priv"
}


How can I troubleshoot the group search/mapping to figure out what the issue is? 

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/e4de4251-dfbc-464e-a356-2297ac6c670d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)