Django 2.1.3 LDAP authentication not authenticating to backend
I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"
I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
here are the changes i've made in the project:
settings.py
import ldap
from django_auth_ldap.config import LDAPSearch
AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}
AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"dc=example,dc=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
AUTHENTICATION_BACKENDS = [
'django_auth_ldap.backend.LDAPBackend',
]
views.py
from django.contrib.auth import authenticate, login
from django.shortcuts import render
def login_user(request):
email = password = ""
state = ""
if request.POST:
email = request.POST.get('email')
password = request.POST.get('password')
print (email, password)
user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
if user is not None:
login(request, user)
state = "Valid account"
else:
state = "Inactive account"
return render(request, 'KPI/auth.html', {'state': state, 'email': email})
auth.html
<html>
<head>
<title>Login</title>
</head>
<body>
{{state}}
<form action="" method="post"> {% csrf_token %}
Email address: <input type="text" name="email" value="{{ email }}" />
Password: <input type="password" name="password" value="" />
<input type="submit" value="Log in" />
</form>
</body>
</html>
EDIT:
i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle"
it will return with just the 'boyle' info
EDIT 2:
I used a logger to get this error when a user comes back as none
Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)
python django ldap
add a comment |
I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"
I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
here are the changes i've made in the project:
settings.py
import ldap
from django_auth_ldap.config import LDAPSearch
AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}
AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"dc=example,dc=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
AUTHENTICATION_BACKENDS = [
'django_auth_ldap.backend.LDAPBackend',
]
views.py
from django.contrib.auth import authenticate, login
from django.shortcuts import render
def login_user(request):
email = password = ""
state = ""
if request.POST:
email = request.POST.get('email')
password = request.POST.get('password')
print (email, password)
user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
if user is not None:
login(request, user)
state = "Valid account"
else:
state = "Inactive account"
return render(request, 'KPI/auth.html', {'state': state, 'email': email})
auth.html
<html>
<head>
<title>Login</title>
</head>
<body>
{{state}}
<form action="" method="post"> {% csrf_token %}
Email address: <input type="text" name="email" value="{{ email }}" />
Password: <input type="password" name="password" value="" />
<input type="submit" value="Log in" />
</form>
</body>
</html>
EDIT:
i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle"
it will return with just the 'boyle' info
EDIT 2:
I used a logger to get this error when a user comes back as none
Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)
python django ldap
I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html
– Steven Graham
Nov 18 '18 at 5:04
authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
this sets the email variable to the uid i believe, i will try to debug it.. thanks
– Mfreeman
Nov 19 '18 at 0:25
Found the debug error, don't know what to make of it, check latest edit please.
– Mfreeman
Nov 19 '18 at 19:59
That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting:AUTH_LDAP_START_TLS = False
in the settings. Looking at that site they don't have TLS configured on their ldap server.
– Steven Graham
Nov 19 '18 at 21:31
I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.
– Mfreeman
Nov 19 '18 at 21:35
add a comment |
I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"
I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
here are the changes i've made in the project:
settings.py
import ldap
from django_auth_ldap.config import LDAPSearch
AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}
AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"dc=example,dc=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
AUTHENTICATION_BACKENDS = [
'django_auth_ldap.backend.LDAPBackend',
]
views.py
from django.contrib.auth import authenticate, login
from django.shortcuts import render
def login_user(request):
email = password = ""
state = ""
if request.POST:
email = request.POST.get('email')
password = request.POST.get('password')
print (email, password)
user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
if user is not None:
login(request, user)
state = "Valid account"
else:
state = "Inactive account"
return render(request, 'KPI/auth.html', {'state': state, 'email': email})
auth.html
<html>
<head>
<title>Login</title>
</head>
<body>
{{state}}
<form action="" method="post"> {% csrf_token %}
Email address: <input type="text" name="email" value="{{ email }}" />
Password: <input type="password" name="password" value="" />
<input type="submit" value="Log in" />
</form>
</body>
</html>
EDIT:
i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle"
it will return with just the 'boyle' info
EDIT 2:
I used a logger to get this error when a user comes back as none
Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)
python django ldap
I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"
I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
here are the changes i've made in the project:
settings.py
import ldap
from django_auth_ldap.config import LDAPSearch
AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}
AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"dc=example,dc=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
AUTHENTICATION_BACKENDS = [
'django_auth_ldap.backend.LDAPBackend',
]
views.py
from django.contrib.auth import authenticate, login
from django.shortcuts import render
def login_user(request):
email = password = ""
state = ""
if request.POST:
email = request.POST.get('email')
password = request.POST.get('password')
print (email, password)
user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
if user is not None:
login(request, user)
state = "Valid account"
else:
state = "Inactive account"
return render(request, 'KPI/auth.html', {'state': state, 'email': email})
auth.html
<html>
<head>
<title>Login</title>
</head>
<body>
{{state}}
<form action="" method="post"> {% csrf_token %}
Email address: <input type="text" name="email" value="{{ email }}" />
Password: <input type="password" name="password" value="" />
<input type="submit" value="Log in" />
</form>
</body>
</html>
EDIT:
i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle"
it will return with just the 'boyle' info
EDIT 2:
I used a logger to get this error when a user comes back as none
Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)
python django ldap
python django ldap
edited Nov 19 '18 at 20:01
Mfreeman
asked Nov 15 '18 at 15:24
MfreemanMfreeman
113115
113115
I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html
– Steven Graham
Nov 18 '18 at 5:04
authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
this sets the email variable to the uid i believe, i will try to debug it.. thanks
– Mfreeman
Nov 19 '18 at 0:25
Found the debug error, don't know what to make of it, check latest edit please.
– Mfreeman
Nov 19 '18 at 19:59
That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting:AUTH_LDAP_START_TLS = False
in the settings. Looking at that site they don't have TLS configured on their ldap server.
– Steven Graham
Nov 19 '18 at 21:31
I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.
– Mfreeman
Nov 19 '18 at 21:35
add a comment |
I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html
– Steven Graham
Nov 18 '18 at 5:04
authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
this sets the email variable to the uid i believe, i will try to debug it.. thanks
– Mfreeman
Nov 19 '18 at 0:25
Found the debug error, don't know what to make of it, check latest edit please.
– Mfreeman
Nov 19 '18 at 19:59
That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting:AUTH_LDAP_START_TLS = False
in the settings. Looking at that site they don't have TLS configured on their ldap server.
– Steven Graham
Nov 19 '18 at 21:31
I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.
– Mfreeman
Nov 19 '18 at 21:35
I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html
– Steven Graham
Nov 18 '18 at 5:04
I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html
– Steven Graham
Nov 18 '18 at 5:04
authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
this sets the email variable to the uid i believe, i will try to debug it.. thanks– Mfreeman
Nov 19 '18 at 0:25
authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
this sets the email variable to the uid i believe, i will try to debug it.. thanks– Mfreeman
Nov 19 '18 at 0:25
Found the debug error, don't know what to make of it, check latest edit please.
– Mfreeman
Nov 19 '18 at 19:59
Found the debug error, don't know what to make of it, check latest edit please.
– Mfreeman
Nov 19 '18 at 19:59
That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting:
AUTH_LDAP_START_TLS = False
in the settings. Looking at that site they don't have TLS configured on their ldap server.– Steven Graham
Nov 19 '18 at 21:31
That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting:
AUTH_LDAP_START_TLS = False
in the settings. Looking at that site they don't have TLS configured on their ldap server.– Steven Graham
Nov 19 '18 at 21:31
I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.
– Mfreeman
Nov 19 '18 at 21:35
I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.
– Mfreeman
Nov 19 '18 at 21:35
add a comment |
1 Answer
1
active
oldest
votes
It looks like you aren't using the right hostname for the server.
ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389
Using an ldap search tool such as ldapsearch
can help verify if the server is responding correctly:
$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com'
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only-
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com'
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top
If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.
It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle)
, then find the DN: uid=boyle,dc=example,dc=com
. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com
, password
supplied via login page.
In reponse to Edit 2 above:
The following error means that the library is trying to negotiate a TLS connection:
Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc':
'Connect error', 'info': 'error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (self
signed certificate in certificate chain)'},)
If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:
AUTH_LDAP_START_TLS = False
In settings.py.
For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS
dictionary.
Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code
– Mfreeman
Nov 16 '18 at 12:52
when i runldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle"
it returns all the boyle info but says# search result search: 2 result: 0 Success
doesresult: 0 Success
mean that my user could come back as "none" when i authenticate?
– Mfreeman
Nov 16 '18 at 15:34
You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry.-D "uid=boyle,dc=example,dc=com"
that bind worked for me, so looks like it might be an issue with your code (or django setup)
– Steven Graham
Nov 18 '18 at 5:07
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53322660%2fdjango-2-1-3-ldap-authentication-not-authenticating-to-backend%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
It looks like you aren't using the right hostname for the server.
ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389
Using an ldap search tool such as ldapsearch
can help verify if the server is responding correctly:
$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com'
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only-
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com'
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top
If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.
It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle)
, then find the DN: uid=boyle,dc=example,dc=com
. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com
, password
supplied via login page.
In reponse to Edit 2 above:
The following error means that the library is trying to negotiate a TLS connection:
Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc':
'Connect error', 'info': 'error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (self
signed certificate in certificate chain)'},)
If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:
AUTH_LDAP_START_TLS = False
In settings.py.
For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS
dictionary.
Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code
– Mfreeman
Nov 16 '18 at 12:52
when i runldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle"
it returns all the boyle info but says# search result search: 2 result: 0 Success
doesresult: 0 Success
mean that my user could come back as "none" when i authenticate?
– Mfreeman
Nov 16 '18 at 15:34
You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry.-D "uid=boyle,dc=example,dc=com"
that bind worked for me, so looks like it might be an issue with your code (or django setup)
– Steven Graham
Nov 18 '18 at 5:07
add a comment |
It looks like you aren't using the right hostname for the server.
ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389
Using an ldap search tool such as ldapsearch
can help verify if the server is responding correctly:
$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com'
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only-
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com'
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top
If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.
It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle)
, then find the DN: uid=boyle,dc=example,dc=com
. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com
, password
supplied via login page.
In reponse to Edit 2 above:
The following error means that the library is trying to negotiate a TLS connection:
Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc':
'Connect error', 'info': 'error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (self
signed certificate in certificate chain)'},)
If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:
AUTH_LDAP_START_TLS = False
In settings.py.
For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS
dictionary.
Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code
– Mfreeman
Nov 16 '18 at 12:52
when i runldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle"
it returns all the boyle info but says# search result search: 2 result: 0 Success
doesresult: 0 Success
mean that my user could come back as "none" when i authenticate?
– Mfreeman
Nov 16 '18 at 15:34
You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry.-D "uid=boyle,dc=example,dc=com"
that bind worked for me, so looks like it might be an issue with your code (or django setup)
– Steven Graham
Nov 18 '18 at 5:07
add a comment |
It looks like you aren't using the right hostname for the server.
ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389
Using an ldap search tool such as ldapsearch
can help verify if the server is responding correctly:
$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com'
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only-
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com'
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top
If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.
It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle)
, then find the DN: uid=boyle,dc=example,dc=com
. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com
, password
supplied via login page.
In reponse to Edit 2 above:
The following error means that the library is trying to negotiate a TLS connection:
Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc':
'Connect error', 'info': 'error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (self
signed certificate in certificate chain)'},)
If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:
AUTH_LDAP_START_TLS = False
In settings.py.
For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS
dictionary.
It looks like you aren't using the right hostname for the server.
ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389
Using an ldap search tool such as ldapsearch
can help verify if the server is responding correctly:
$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com'
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only-
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com'
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top
If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.
It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle)
, then find the DN: uid=boyle,dc=example,dc=com
. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com
, password
supplied via login page.
In reponse to Edit 2 above:
The following error means that the library is trying to negotiate a TLS connection:
Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc':
'Connect error', 'info': 'error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (self
signed certificate in certificate chain)'},)
If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:
AUTH_LDAP_START_TLS = False
In settings.py.
For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS
dictionary.
edited Nov 19 '18 at 22:43
answered Nov 15 '18 at 22:42
Steven GrahamSteven Graham
650510
650510
Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code
– Mfreeman
Nov 16 '18 at 12:52
when i runldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle"
it returns all the boyle info but says# search result search: 2 result: 0 Success
doesresult: 0 Success
mean that my user could come back as "none" when i authenticate?
– Mfreeman
Nov 16 '18 at 15:34
You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry.-D "uid=boyle,dc=example,dc=com"
that bind worked for me, so looks like it might be an issue with your code (or django setup)
– Steven Graham
Nov 18 '18 at 5:07
add a comment |
Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code
– Mfreeman
Nov 16 '18 at 12:52
when i runldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle"
it returns all the boyle info but says# search result search: 2 result: 0 Success
doesresult: 0 Success
mean that my user could come back as "none" when i authenticate?
– Mfreeman
Nov 16 '18 at 15:34
You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry.-D "uid=boyle,dc=example,dc=com"
that bind worked for me, so looks like it might be an issue with your code (or django setup)
– Steven Graham
Nov 18 '18 at 5:07
Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code
– Mfreeman
Nov 16 '18 at 12:52
Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code
– Mfreeman
Nov 16 '18 at 12:52
when i run
ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle"
it returns all the boyle info but says # search result search: 2 result: 0 Success
does result: 0 Success
mean that my user could come back as "none" when i authenticate?– Mfreeman
Nov 16 '18 at 15:34
when i run
ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle"
it returns all the boyle info but says # search result search: 2 result: 0 Success
does result: 0 Success
mean that my user could come back as "none" when i authenticate?– Mfreeman
Nov 16 '18 at 15:34
You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry.
-D "uid=boyle,dc=example,dc=com"
that bind worked for me, so looks like it might be an issue with your code (or django setup)– Steven Graham
Nov 18 '18 at 5:07
You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry.
-D "uid=boyle,dc=example,dc=com"
that bind worked for me, so looks like it might be an issue with your code (or django setup)– Steven Graham
Nov 18 '18 at 5:07
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53322660%2fdjango-2-1-3-ldap-authentication-not-authenticating-to-backend%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html
– Steven Graham
Nov 18 '18 at 5:04
authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
this sets the email variable to the uid i believe, i will try to debug it.. thanks– Mfreeman
Nov 19 '18 at 0:25
Found the debug error, don't know what to make of it, check latest edit please.
– Mfreeman
Nov 19 '18 at 19:59
That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting:
AUTH_LDAP_START_TLS = False
in the settings. Looking at that site they don't have TLS configured on their ldap server.– Steven Graham
Nov 19 '18 at 21:31
I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.
– Mfreeman
Nov 19 '18 at 21:35