I fixed the DN for the service account:
On Sunday, October 8, 2017 at 10:34:31 PM UTC-4, Ken Jenney wrote:
-- AUTH_LDAP_BIND_DN = "UID=netbox,CN=users,DC=kenset,DC=priv"
I've tried at least 100 different things so far and nothing is getting me there.
from django_auth_ldap.config import LDAPSearch, PosixGroupType
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=kensnet,dc=priv", ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)")
AUTH_LDAP_GROUP_TYPE = PosixGroupType()
AUTH_LDAP_USER_ATTR_MAP = {"first_name": "cn", "last_name": "sn"}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_staff": f"cn={AUTH_LDAP_USER_STAFF},cn=groups,dc={dc1},dc={dc2}",
    "is_superuser": f"cn={AUTH_LDAP_USER_SUPERUSER},cn=groups,dc={dc1},dc={dc2}",
}
There must be a better way to troubleshoot this than shooting in the dark. posixGroup is set on each group but I'm not sure if that's the best way to search for the groups since it's still not working. I've opened up a ticket with Synology in the meantime.
On Sunday, October 8, 2017 at 10:34:31 PM UTC-4, Ken Jenney wrote:
I've got LDAPSearch configured to work with my Synology Directory Server. Users can authenticate fine but when I try to map a user to a group I get INVALID_CREDENTIALS:
import ldap
# Server URI
AUTH_LDAP_SERVER_URI = "ldaps://synology.kensnet.priv"
# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=netbox,CN=users,DC=kensnet,DC=priv"
AUTH_LDAP_BIND_PASSWORD = bindpassword
LDAP_IGNORE_CERT_ERRORS = True
from django_auth_ldap.config import LDAPSearch, PosixGroupType, GroupOfNamesType
AUTH_LDAP_USER_SEARCH = LDAPSearch("cn=users,dc=kensnet,dc=priv",
                                   ldap.SCOPE_SUBTREE,
                                   "(sAMAccountName=%(user)s)")
# If a user's DN is producible from their username, we don't need to search.
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,cn=users,dc=kensnet,dc=priv"
### EVERYTHING WORKS UP UNTIL HERE
#### Groups
# # This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# # hierarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=kensnet,dc=priv", ldap.SCOPE_SUBTREE,
                                    "(objectClass=organizationalRole)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
# # Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "cn=users,cn=groups,dc=kensnet,dc=priv"
# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_staff": "cn=staff,cn=groups,dc=kensnet,dc=priv",
    "is_superuser": "cn=administrators,cn=groups,dc=kensnet,dc=priv"
}
How can I troubleshoot the group search/mapping to figure out what the issue is?
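One way to take some of the guesswork out of a setup like this, as an added example that is not part of the original thread: an offline lint over the plain-string values of a django_auth_ldap configuration. The helper names, the finding labels and the `cfg` dictionary layout are assumptions made for the illustration; the sample values are copied from the settings quoted above.

```python
import re

# objectClass each django_auth_ldap group type is meant to be paired with.
EXPECTED_CLASS = {
    "PosixGroupType": "posixgroup",
    "GroupOfNamesType": "groupofnames",
    "OrganizationalRoleGroupType": "organizationalrole",
}

def rdn_attr(dn):
    """Attribute name of the left-most RDN, lower-cased ('uid', 'cn', ...)."""
    return dn.split("=", 1)[0].strip().lower()

def parent(dn):
    """Everything after the left-most RDN, lower-cased."""
    return dn.split(",", 1)[1].replace(" ", "").lower()

def filter_balanced(flt):
    """True if the filter's parentheses are matched and it opens with one."""
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and flt.startswith("(")

def lint(cfg):
    """Return finding labels for a dict of plain-string LDAP settings."""
    out = []
    bind, tmpl = cfg["bind_dn"], cfg["user_dn_template"]
    # Heuristic: same container as the users, but named by a different attribute.
    if parent(bind) == parent(tmpl) and rdn_attr(bind) != rdn_attr(tmpl):
        out.append("bind-dn-rdn")
    if not filter_balanced(cfg["group_filter"]):
        out.append("filter-unbalanced")
    m = re.search(r"objectClass=([A-Za-z]+)", cfg["group_filter"])
    want = EXPECTED_CLASS.get(cfg["group_type"])
    if m and want and m.group(1).lower() != want:
        out.append("group-type-mismatch")
    return out

# Values taken from the settings quoted in the thread (strings only, no live directory).
POSTED = {
    "bind_dn": "CN=netbox,CN=users,DC=kensnet,DC=priv",
    "user_dn_template": "uid=%(user)s,cn=users,dc=kensnet,dc=priv",
    "group_filter": "(objectClass=organizationalRole)",
    "group_type": "GroupOfNamesType",
}

print(lint(POSTED))
```

For the runtime side, django_auth_ldap writes its bind and search activity to the `django_auth_ldap` logger, so raising that logger to DEBUG in Django's logging configuration shows which step fails.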