Django 2.1.3 LDAP authentication not authenticating to backend












1















I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"



I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/



here are the changes i've made in the project:



settings.py



import ldap
from django_auth_ldap.config import LDAPSearch


AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}

AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"dc=example,dc=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

AUTHENTICATION_BACKENDS = [
'django_auth_ldap.backend.LDAPBackend',
]


views.py



from django.contrib.auth import authenticate, login
from django.shortcuts import render

def login_user(request):

email = password = ""
state = ""

if request.POST:
email = request.POST.get('email')
password = request.POST.get('password')

print (email, password)

user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
if user is not None:
login(request, user)
state = "Valid account"
else:
state = "Inactive account"

return render(request, 'KPI/auth.html', {'state': state, 'email': email})


auth.html



<html>
<head>
<title>Login</title>
</head>
<body>
{{state}}
<form action="" method="post"> {% csrf_token %}
Email address: <input type="text" name="email" value="{{ email }}" />
Password: <input type="password" name="password" value="" />
<input type="submit" value="Log in" />
</form>
</body>
</html>


EDIT:



i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it will return with just the 'boyle' info



EDIT 2:



I used a logger to get this error when a user comes back as none



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)










share|improve this question

























  • I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

    – Steven Graham
    Nov 18 '18 at 5:04











  • authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

    – Mfreeman
    Nov 19 '18 at 0:25











  • Found the debug error, don't know what to make of it, check latest edit please.

    – Mfreeman
    Nov 19 '18 at 19:59











  • That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

    – Steven Graham
    Nov 19 '18 at 21:31













  • I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

    – Mfreeman
    Nov 19 '18 at 21:35


















1















I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"



I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/



here are the changes i've made in the project:



settings.py



import ldap
from django_auth_ldap.config import LDAPSearch


AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}

AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"dc=example,dc=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

AUTHENTICATION_BACKENDS = [
'django_auth_ldap.backend.LDAPBackend',
]


views.py



from django.contrib.auth import authenticate, login
from django.shortcuts import render

def login_user(request):

email = password = ""
state = ""

if request.POST:
email = request.POST.get('email')
password = request.POST.get('password')

print (email, password)

user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
if user is not None:
login(request, user)
state = "Valid account"
else:
state = "Inactive account"

return render(request, 'KPI/auth.html', {'state': state, 'email': email})


auth.html



<html>
<head>
<title>Login</title>
</head>
<body>
{{state}}
<form action="" method="post"> {% csrf_token %}
Email address: <input type="text" name="email" value="{{ email }}" />
Password: <input type="password" name="password" value="" />
<input type="submit" value="Log in" />
</form>
</body>
</html>


EDIT:



i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it will return with just the 'boyle' info



EDIT 2:



I used a logger to get this error when a user comes back as none



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)










share|improve this question

























  • I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

    – Steven Graham
    Nov 18 '18 at 5:04











  • authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

    – Mfreeman
    Nov 19 '18 at 0:25











  • Found the debug error, don't know what to make of it, check latest edit please.

    – Mfreeman
    Nov 19 '18 at 19:59











  • That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

    – Steven Graham
    Nov 19 '18 at 21:31













  • I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

    – Mfreeman
    Nov 19 '18 at 21:35
















1












1








1


0






I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"



I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/



here are the changes i've made in the project:



settings.py



import ldap
from django_auth_ldap.config import LDAPSearch


AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}

AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"dc=example,dc=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

AUTHENTICATION_BACKENDS = [
'django_auth_ldap.backend.LDAPBackend',
]


views.py



from django.contrib.auth import authenticate, login
from django.shortcuts import render

def login_user(request):

email = password = ""
state = ""

if request.POST:
email = request.POST.get('email')
password = request.POST.get('password')

print (email, password)

user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
if user is not None:
login(request, user)
state = "Valid account"
else:
state = "Inactive account"

return render(request, 'KPI/auth.html', {'state': state, 'email': email})


auth.html



<html>
<head>
<title>Login</title>
</head>
<body>
{{state}}
<form action="" method="post"> {% csrf_token %}
Email address: <input type="text" name="email" value="{{ email }}" />
Password: <input type="password" name="password" value="" />
<input type="submit" value="Log in" />
</form>
</body>
</html>


EDIT:



i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it will return with just the 'boyle' info



EDIT 2:



I used a logger to get this error when a user comes back as none



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)










share|improve this question
















I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"



I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/



here are the changes i've made in the project:



settings.py



import ldap
from django_auth_ldap.config import LDAPSearch


AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}

AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"dc=example,dc=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

AUTHENTICATION_BACKENDS = [
'django_auth_ldap.backend.LDAPBackend',
]


views.py



from django.contrib.auth import authenticate, login
from django.shortcuts import render

def login_user(request):

email = password = ""
state = ""

if request.POST:
email = request.POST.get('email')
password = request.POST.get('password')

print (email, password)

user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
if user is not None:
login(request, user)
state = "Valid account"
else:
state = "Inactive account"

return render(request, 'KPI/auth.html', {'state': state, 'email': email})


auth.html



<html>
<head>
<title>Login</title>
</head>
<body>
{{state}}
<form action="" method="post"> {% csrf_token %}
Email address: <input type="text" name="email" value="{{ email }}" />
Password: <input type="password" name="password" value="" />
<input type="submit" value="Log in" />
</form>
</body>
</html>


EDIT:



i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it will return with just the 'boyle' info



EDIT 2:



I used a logger to get this error when a user comes back as none



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)







python django ldap






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 19 '18 at 20:01







Mfreeman

















asked Nov 15 '18 at 15:24









MfreemanMfreeman

113115




113115













  • I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

    – Steven Graham
    Nov 18 '18 at 5:04











  • authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

    – Mfreeman
    Nov 19 '18 at 0:25











  • Found the debug error, don't know what to make of it, check latest edit please.

    – Mfreeman
    Nov 19 '18 at 19:59











  • That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

    – Steven Graham
    Nov 19 '18 at 21:31













  • I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

    – Mfreeman
    Nov 19 '18 at 21:35





















  • I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

    – Steven Graham
    Nov 18 '18 at 5:04











  • authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

    – Mfreeman
    Nov 19 '18 at 0:25











  • Found the debug error, don't know what to make of it, check latest edit please.

    – Mfreeman
    Nov 19 '18 at 19:59











  • That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

    – Steven Graham
    Nov 19 '18 at 21:31













  • I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

    – Mfreeman
    Nov 19 '18 at 21:35



















I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

– Steven Graham
Nov 18 '18 at 5:04





I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

– Steven Graham
Nov 18 '18 at 5:04













authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

– Mfreeman
Nov 19 '18 at 0:25





authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

– Mfreeman
Nov 19 '18 at 0:25













Found the debug error, don't know what to make of it, check latest edit please.

– Mfreeman
Nov 19 '18 at 19:59





Found the debug error, don't know what to make of it, check latest edit please.

– Mfreeman
Nov 19 '18 at 19:59













That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

– Steven Graham
Nov 19 '18 at 21:31







That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

– Steven Graham
Nov 19 '18 at 21:31















I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

– Mfreeman
Nov 19 '18 at 21:35







I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

– Mfreeman
Nov 19 '18 at 21:35














1 Answer
1






active

oldest

votes


















1





+50









It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only-
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com'
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 
'Connect error', 'info': 'error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (self
signed certificate in certificate chain)'},)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.






share|improve this answer


























  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52













  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34













  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53322660%2fdjango-2-1-3-ldap-authentication-not-authenticating-to-backend%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1





+50









It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only-
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com'
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 
'Connect error', 'info': 'error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (self
signed certificate in certificate chain)'},)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.






share|improve this answer


























  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52













  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34













  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07
















1





+50









It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only-
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com'
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 
'Connect error', 'info': 'error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (self
signed certificate in certificate chain)'},)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.






share|improve this answer


























  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52













  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34













  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07














1





+50







1





+50



1




+50





It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only-
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com'
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 
'Connect error', 'info': 'error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (self
signed certificate in certificate chain)'},)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.






share|improve this answer















It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only-
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com'
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR({'desc': 
'Connect error', 'info': 'error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (self
signed certificate in certificate chain)'},)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.







share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 19 '18 at 22:43

























answered Nov 15 '18 at 22:42









Steven GrahamSteven Graham

650510




650510













  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52













  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34













  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07



















  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52













  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34













  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07

















Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

– Mfreeman
Nov 16 '18 at 12:52







Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

– Mfreeman
Nov 16 '18 at 12:52















when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

– Mfreeman
Nov 16 '18 at 15:34







when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

– Mfreeman
Nov 16 '18 at 15:34















You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

– Steven Graham
Nov 18 '18 at 5:07





You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

– Steven Graham
Nov 18 '18 at 5:07


















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53322660%2fdjango-2-1-3-ldap-authentication-not-authenticating-to-backend%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







這個網誌中的熱門文章

Xamarin.form Move up view when keyboard appear

Post-Redirect-Get with Spring WebFlux and Thymeleaf

Anylogic : not able to use stopDelay()