Django 2.1.3 LDAP authentication not authenticating to backend












1















I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"



I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/



here are the changes i've made in the project:



settings.py



import ldap

from django_auth_ldap.config import LDAPSearch





AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"

AUTH_LDAP_CONNECTION_OPTIONS = {

    ldap.OPT_REFERRALS: 0

}



AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"

AUTH_LDAP_BIND_PASSWORD = "password"

AUTH_LDAP_USER_SEARCH = LDAPSearch(

    "dc=example,dc=com",

    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")



BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))



AUTHENTICATION_BACKENDS = [

    'django_auth_ldap.backend.LDAPBackend',

]


views.py



from django.contrib.auth import authenticate, login

from django.shortcuts import render    



def login_user(request):



    email = password = ""

    state = ""



    if request.POST:

        email = request.POST.get('email')

        password = request.POST.get('password')



        print (email, password)



        user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))

        if user is not None:

            login(request, user)

            state = "Valid account"

        else:

            state = "Inactive account"



    return render(request, 'KPI/auth.html', {'state': state, 'email': email})


auth.html



<html>

    <head>

        <title>Login</title>

    </head>

    <body>

        {{state}}

        <form action="" method="post"> {% csrf_token %}

            Email address: <input type="text" name="email" value="{{ email }}" />

            Password: <input type="password" name="password" value="" />

            <input type="submit" value="Log in" />

        </form>

    </body>

</html>


EDIT:



i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it will return with just the 'boyle' info



EDIT 2:



I used a logger to get this error when a user comes back as none



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)






python django ldap







share|improve this question

























  • I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

    – Steven Graham
    Nov 18 '18 at 5:04











  • authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

    – Mfreeman
    Nov 19 '18 at 0:25











  • Found the debug error, don't know what to make of it, check latest edit please.

    – Mfreeman
    Nov 19 '18 at 19:59











  • That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

    – Steven Graham
    Nov 19 '18 at 21:31













  • I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

    – Mfreeman
    Nov 19 '18 at 21:35


















1















I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"



I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/



here are the changes i've made in the project:



settings.py



import ldap

from django_auth_ldap.config import LDAPSearch





AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"

AUTH_LDAP_CONNECTION_OPTIONS = {

    ldap.OPT_REFERRALS: 0

}



AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"

AUTH_LDAP_BIND_PASSWORD = "password"

AUTH_LDAP_USER_SEARCH = LDAPSearch(

    "dc=example,dc=com",

    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")



BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))



AUTHENTICATION_BACKENDS = [

    'django_auth_ldap.backend.LDAPBackend',

]


views.py



from django.contrib.auth import authenticate, login

from django.shortcuts import render    



def login_user(request):



    email = password = ""

    state = ""



    if request.POST:

        email = request.POST.get('email')

        password = request.POST.get('password')



        print (email, password)



        user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))

        if user is not None:

            login(request, user)

            state = "Valid account"

        else:

            state = "Inactive account"



    return render(request, 'KPI/auth.html', {'state': state, 'email': email})


auth.html



<html>

    <head>

        <title>Login</title>

    </head>

    <body>

        {{state}}

        <form action="" method="post"> {% csrf_token %}

            Email address: <input type="text" name="email" value="{{ email }}" />

            Password: <input type="password" name="password" value="" />

            <input type="submit" value="Log in" />

        </form>

    </body>

</html>


EDIT:



i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it will return with just the 'boyle' info



EDIT 2:



I used a logger to get this error when a user comes back as none



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)






python django ldap







share|improve this question

























  • I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

    – Steven Graham
    Nov 18 '18 at 5:04











  • authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

    – Mfreeman
    Nov 19 '18 at 0:25











  • Found the debug error, don't know what to make of it, check latest edit please.

    – Mfreeman
    Nov 19 '18 at 19:59











  • That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

    – Steven Graham
    Nov 19 '18 at 21:31













  • I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

    – Mfreeman
    Nov 19 '18 at 21:35
















1












1








1


0






I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"



I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/



here are the changes i've made in the project:



settings.py



import ldap

from django_auth_ldap.config import LDAPSearch





AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"

AUTH_LDAP_CONNECTION_OPTIONS = {

    ldap.OPT_REFERRALS: 0

}



AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"

AUTH_LDAP_BIND_PASSWORD = "password"

AUTH_LDAP_USER_SEARCH = LDAPSearch(

    "dc=example,dc=com",

    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")



BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))



AUTHENTICATION_BACKENDS = [

    'django_auth_ldap.backend.LDAPBackend',

]


views.py



from django.contrib.auth import authenticate, login

from django.shortcuts import render    



def login_user(request):



    email = password = ""

    state = ""



    if request.POST:

        email = request.POST.get('email')

        password = request.POST.get('password')



        print (email, password)



        user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))

        if user is not None:

            login(request, user)

            state = "Valid account"

        else:

            state = "Inactive account"



    return render(request, 'KPI/auth.html', {'state': state, 'email': email})


auth.html



<html>

    <head>

        <title>Login</title>

    </head>

    <body>

        {{state}}

        <form action="" method="post"> {% csrf_token %}

            Email address: <input type="text" name="email" value="{{ email }}" />

            Password: <input type="password" name="password" value="" />

            <input type="submit" value="Log in" />

        </form>

    </body>

</html>


EDIT:



i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it will return with just the 'boyle' info



EDIT 2:



I used a logger to get this error when a user comes back as none



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)






python django ldap







share|improve this question
















I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"



I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/



here are the changes i've made in the project:



settings.py



import ldap

from django_auth_ldap.config import LDAPSearch





AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"

AUTH_LDAP_CONNECTION_OPTIONS = {

    ldap.OPT_REFERRALS: 0

}



AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"

AUTH_LDAP_BIND_PASSWORD = "password"

AUTH_LDAP_USER_SEARCH = LDAPSearch(

    "dc=example,dc=com",

    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")



BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))



AUTHENTICATION_BACKENDS = [

    'django_auth_ldap.backend.LDAPBackend',

]


views.py



from django.contrib.auth import authenticate, login

from django.shortcuts import render    



def login_user(request):



    email = password = ""

    state = ""



    if request.POST:

        email = request.POST.get('email')

        password = request.POST.get('password')



        print (email, password)



        user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))

        if user is not None:

            login(request, user)

            state = "Valid account"

        else:

            state = "Inactive account"



    return render(request, 'KPI/auth.html', {'state': state, 'email': email})


auth.html



<html>

    <head>

        <title>Login</title>

    </head>

    <body>

        {{state}}

        <form action="" method="post"> {% csrf_token %}

            Email address: <input type="text" name="email" value="{{ email }}" />

            Password: <input type="password" name="password" value="" />

            <input type="submit" value="Log in" />

        </form>

    </body>

</html>


EDIT:



i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it will return with just the 'boyle' info



EDIT 2:



I used a logger to get this error when a user comes back as none



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)






python django ldap




python django ldap






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 19 '18 at 20:01







Mfreeman

















asked Nov 15 '18 at 15:24









MfreemanMfreeman

113115




113115













  • I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

    – Steven Graham
    Nov 18 '18 at 5:04











  • authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

    – Mfreeman
    Nov 19 '18 at 0:25











  • Found the debug error, don't know what to make of it, check latest edit please.

    – Mfreeman
    Nov 19 '18 at 19:59











  • That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

    – Steven Graham
    Nov 19 '18 at 21:31













  • I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

    – Mfreeman
    Nov 19 '18 at 21:35





















  • I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

    – Steven Graham
    Nov 18 '18 at 5:04











  • authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

    – Mfreeman
    Nov 19 '18 at 0:25











  • Found the debug error, don't know what to make of it, check latest edit please.

    – Mfreeman
    Nov 19 '18 at 19:59











  • That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

    – Steven Graham
    Nov 19 '18 at 21:31













  • I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

    – Mfreeman
    Nov 19 '18 at 21:35



















I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

– Steven Graham
Nov 18 '18 at 5:04





I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

– Steven Graham
Nov 18 '18 at 5:04













authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

– Mfreeman
Nov 19 '18 at 0:25





authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

– Mfreeman
Nov 19 '18 at 0:25













Found the debug error, don't know what to make of it, check latest edit please.

– Mfreeman
Nov 19 '18 at 19:59





Found the debug error, don't know what to make of it, check latest edit please.

– Mfreeman
Nov 19 '18 at 19:59













That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

– Steven Graham
Nov 19 '18 at 21:31







That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

– Steven Graham
Nov 19 '18 at 21:31















I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

– Mfreeman
Nov 19 '18 at 21:35







I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

– Mfreeman
Nov 19 '18 at 21:35














1 Answer
1






active

oldest

votes


















1





+50









It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 

-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)



$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only- 

admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com' 

-s sub "(objectclass=*)"

dn: ou=mathematicians,dc=example,dc=com

uniqueMember: uid=euclid,dc=example,dc=com

uniqueMember: uid=riemann,dc=example,dc=com

uniqueMember: uid=euler,dc=example,dc=com

uniqueMember: uid=gauss,dc=example,dc=com

uniqueMember: uid=test,dc=example,dc=com

ou: mathematicians

cn: Mathematicians

objectClass: groupOfUniqueNames

objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 

'Connect error', 'info': 'error:14090086:SSL 

routines:ssl3_get_server_certificate:certificate verify failed (self 

signed certificate in certificate chain)'},)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.






share|improve this answer


























  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52













  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34













  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53322660%2fdjango-2-1-3-ldap-authentication-not-authenticating-to-backend%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1





+50









It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 

-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)



$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only- 

admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com' 

-s sub "(objectclass=*)"

dn: ou=mathematicians,dc=example,dc=com

uniqueMember: uid=euclid,dc=example,dc=com

uniqueMember: uid=riemann,dc=example,dc=com

uniqueMember: uid=euler,dc=example,dc=com

uniqueMember: uid=gauss,dc=example,dc=com

uniqueMember: uid=test,dc=example,dc=com

ou: mathematicians

cn: Mathematicians

objectClass: groupOfUniqueNames

objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 

'Connect error', 'info': 'error:14090086:SSL 

routines:ssl3_get_server_certificate:certificate verify failed (self 

signed certificate in certificate chain)'},)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.






share|improve this answer


























  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52













  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34













  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07
















1





+50









It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 

-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)



$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only- 

admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com' 

-s sub "(objectclass=*)"

dn: ou=mathematicians,dc=example,dc=com

uniqueMember: uid=euclid,dc=example,dc=com

uniqueMember: uid=riemann,dc=example,dc=com

uniqueMember: uid=euler,dc=example,dc=com

uniqueMember: uid=gauss,dc=example,dc=com

uniqueMember: uid=test,dc=example,dc=com

ou: mathematicians

cn: Mathematicians

objectClass: groupOfUniqueNames

objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 

'Connect error', 'info': 'error:14090086:SSL 

routines:ssl3_get_server_certificate:certificate verify failed (self 

signed certificate in certificate chain)'},)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.






share|improve this answer


























  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52













  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34













  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07














1





+50







1





+50



1




+50





It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 

-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)



$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only- 

admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com' 

-s sub "(objectclass=*)"

dn: ou=mathematicians,dc=example,dc=com

uniqueMember: uid=euclid,dc=example,dc=com

uniqueMember: uid=riemann,dc=example,dc=com

uniqueMember: uid=euler,dc=example,dc=com

uniqueMember: uid=gauss,dc=example,dc=com

uniqueMember: uid=test,dc=example,dc=com

ou: mathematicians

cn: Mathematicians

objectClass: groupOfUniqueNames

objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 

'Connect error', 'info': 'error:14090086:SSL 

routines:ssl3_get_server_certificate:certificate verify failed (self 

signed certificate in certificate chain)'},)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.






share|improve this answer















It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 

-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)



$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only- 

admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com' 

-s sub "(objectclass=*)"

dn: ou=mathematicians,dc=example,dc=com

uniqueMember: uid=euclid,dc=example,dc=com

uniqueMember: uid=riemann,dc=example,dc=com

uniqueMember: uid=euler,dc=example,dc=com

uniqueMember: uid=gauss,dc=example,dc=com

uniqueMember: uid=test,dc=example,dc=com

ou: mathematicians

cn: Mathematicians

objectClass: groupOfUniqueNames

objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 

'Connect error', 'info': 'error:14090086:SSL 

routines:ssl3_get_server_certificate:certificate verify failed (self 

signed certificate in certificate chain)'},)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.







share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 19 '18 at 22:43

























answered Nov 15 '18 at 22:42









Steven GrahamSteven Graham

650510




650510













  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52













  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34













  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07



















  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52













  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34













  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07

















Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

– Mfreeman
Nov 16 '18 at 12:52







Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

– Mfreeman
Nov 16 '18 at 12:52















when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

– Mfreeman
Nov 16 '18 at 15:34







when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

– Mfreeman
Nov 16 '18 at 15:34















You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

– Steven Graham
Nov 18 '18 at 5:07





You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

– Steven Graham
Nov 18 '18 at 5:07


















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53322660%2fdjango-2-1-3-ldap-authentication-not-authenticating-to-backend%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

這個網誌中的熱門文章

Hercules Kyvelos

圖片
Hercules Kyvelos Statistics Real name Hercules Kyvelos Nickname(s) The God Weight(s) Middleweight Light Middleweight Welterweight Height 5 ft 10 in (180 cm) Reach 72 in (183 cm) Nationality Canadian Born ( 1975-02-25 ) February 25, 1975 (age 43) Montreal, Quebec Stance Orthodox Boxing record Total fights 27 Wins 24 Wins by KO 12 Losses 3 Draws 0 No contests 0 Hercules Kyvelos Medal record Men's Boxing Representing   Canada Pan American Games 1995 Mar del Plata Welterweight Hercules Kyvelos (born February 25, 1975) is a Greek-Canadian boxer in the Welterweight division and is the former Canadian Welterweight Champion. [1] He fought at the 1996 Summer Olympics in Atlanta, Georgia. Contents 1 Early life 2 Amateur career 3 Pro career 3.1 WBO Welterweight Championship 3.2 Personal life 4 References 5 External links Early life Hercules was born in
閱讀完整內容

Tangent Lines Diagram Along Smooth Curve

圖片
7 1 I am trying to replicate a diagram and have a minimal example. I don't know how to add additional tangents between the specified points and preserve smoothness. documentclass{article} usepackage{tikz} usetikzlibrary{calc,intersections} begin{document} begin{tikzpicture} % Axes draw [->, name path=x] (-1,0) -- (11,0) node [right] {$x$}; draw [->] (0,-1) -- (0,6) node [above] {$y$}; % Origin node at (0,0) [below left] {$0$}; % Points coordinate (start) at (1,-0.8); coordinate (c1) at (3,3); coordinate (c2) at (5.5,1.5); coordinate (c3) at (8,4); coordinate (end) at (10.5,-0.8); % show the points foreach n in {start,c1,c2,c3,end} fill [black] (n) circle (2pt) node [below] {}; % join the coordinates draw [thick,name path=curve] (start) to[out=70,in=180] (c1) to[out=0,in=180]
閱讀完整內容

Yusuf al-Mu'taman ibn Hud

圖片
Main article: Taifa of Zaragoza Al-Mu'taman Ruler of Zaragoza Reign 1081–1085 Predecessor Ahmad al-Muqtadir Successor Al-Mustain II Born Zaragoza Died 1085 Full name Yusuf ibn Ahmad al-Mu'taman ibn Hūd House Banu Hud Yusuf ibn Ahmad al-Mu'taman ibn Hūd (Arabic: المؤتمن بالله يوسف إبن أحمد إبن هود ‎, al-Mutaman bi l-Lah , died c. 1085) was the third king of the Banu Hud dynasty who ruled over the Taifa of Zaragoza from 1081 to 1085. Yusuf al-Mutaman reigned during the height of power of Muslim Zaragoza , following the thriving period of his father Ahmad al-Muqtadir. He continued his father's efforts and created around him a court of intellectuals, living in the beautiful palace of Aljafería, nicknamed as "the palace of joy". Al-Mu'taman was also a scholarly king and a patron of science, philosophy and arts. As an example of a wise king, he knew astrology, philosophy, and especially mathematics, a discipline in which
閱讀完整內容