
I'm trying to authenticate my user through the corporate Active Directory server. I am unable to configure it properly. I know the LDAP works: I have a MediaWiki that is configured and working to authenticate against the Active Directory server.

system:

    Active Directory 2008
    Django (1, 3, 0, 'final', 0)
    django-auth-ldap 1.0.9

Here is my configuration in settings.py

    import ldap
    from django_auth_ldap.config import LDAPSearch
    import logging

    # makes sure this works in Active Directory
    ldap.set_option(ldap.OPT_REFERRALS, 0)

    # django-auth-ldap reads its settings under the AUTH_LDAP_ prefix
    AUTH_LDAP_SERVER_URI = 'ldap://ad.exemple.com'
    AUTH_LDAP_BIND_DN = 'my_user'
    AUTH_LDAP_BIND_PASSWORD = 'my_pass'
    # look the user up by sAMAccountName; the DN found is then used to bind as that user
    AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=exemple,dc=com', ldap.SCOPE_SUBTREE, '(SAMAccountName=%(user)s)')

    # Populate the Django user from the LDAP directory.
    AUTH_LDAP_USER_ATTR_MAP = {
            "first_name": "givenName",
            "last_name": "sn",
            "email": "mail"
    }

    # This is the default, but I like to be explicit.
    AUTH_LDAP_ALWAYS_UPDATE_USER = True

    AUTHENTICATION_BACKENDS = (
            'django_auth_ldap.backend.LDAPBackend',
            'django.contrib.auth.backends.ModelBackend',
    )

I also tried the SSL way by using the new URI

    AUTH_LDAP_SERVER_URI = 'ldaps://ad.exemple.com:636'

I used the main group User to search in; I don't need any particular group to authenticate against.

It returns the error:

    WARNING 2011-05-31 16:50:19,429 backend 3968 140632428340992 Caught LDAPError while authenticating my_user: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772', 'desc': 'Invalid credentials'},)
    [31/May/2011 16:50:19] "POST /admin/ HTTP/1.1" 200 9648

Seeing this error and looking up the LDAP error DSID-0C0903AA, I found that I should try to set the username like this:

[email protected]

It didn't work; it returns the error:

    ERROR 2011-05-31 16:55:38,947 config 6505 139868662060800 search_s('dc=ubilium,dc=loc', 2, '(SAMAccountName=my_user)') raised OPERATIONS_ERROR({'info': '000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772', 'desc': 'Operations error'},)
    DEBUG 2011-05-31 16:55:38,947 backend 6505 139868662060800 Authentication failed for my_user

Does anyone have any clue how to get it to connect?

1 Answer

The first error you are getting is LDAP 49 with a subcode of 525, which means "user not found", i.e. your bind DN is not correct.

Your second attempt, using the userPrincipalName formatting, will fail, as your configuration says: AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=exemple,dc=com', ldap.SCOPE_SUBTREE, '(SAMAccountName=%(user)s)')

Thus you are trying to use the passed-in user name in the filter of: (SAMAccountName=%(user)s)

I wonder if that is an extra s at the very end? I.e. would (SAMAccountName=%(user)) be more correct?

What it is doing is saying: for the $(user) variable, find me the object in AD whose sAMAccountName attribute matches that value, and then use the DN returned as the bind DN. But you are not getting a correct DN, and thus the LDAP 49 - 525 error.
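Two things in this thread are worth seeing in code: how to read the `data NNN` subcode in the `info` string that Active Directory returns on a failed bind (525 in the first log line, 0 in the second), and what the `%(user)s` template actually does when django-auth-ldap builds the search filter. The block below is an added example, not code from the question, the answer or the django-auth-ldap project; the subcode table is the documented set of AD bind-failure values and is an assumption of this example, and the escaping function reimplements the RFC 4515 rule that the backend applies to the username before Python's %-formatting substitutes it. It also shows that the trailing `s` is the %-format conversion character: a template that ends in `%(user))` raises `ValueError` rather than producing a filter.

```python
import re

# Constructed table of the "data" subcodes Active Directory attaches to
# AcceptSecurityContext bind failures (LDAP result code 49). These are the
# documented AD values; the table itself is an assumption of this example.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the 'info' string in the log lines above, e.g.
# '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772'
_INFO_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)"
)


def parse_ad_info(info):
    """Split an AD LdapErr 'info' string into its fields and explain the data subcode.

    Returns None when the string does not have the AD LdapErr layout.
    """
    m = _INFO_RE.search(info)
    if m is None:
        return None
    fields = m.groupdict()
    fields["meaning"] = AD_BIND_SUBCODES.get(fields["data"].lower(), "no bind subcode")
    return fields


def escape_filter_chars(value):
    """RFC 4515 escaping of a value placed inside a search filter.

    Same rule django-auth-ldap applies to the username before substitution, so
    filter metacharacters typed by a user cannot change the filter's structure.
    Backslash is escaped first so the escapes themselves are not re-escaped.
    """
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def render_user_filter(template, username):
    """Expand the search template the way the backend does: escape, then %-format.

    The 's' in '%(user)s' is the Python conversion character; without it the
    interpreter raises ValueError ("unsupported format character").
    """
    return template % {"user": escape_filter_chars(username)}


def template_is_valid(template):
    """True if the template expands cleanly with a placeholder username."""
    try:
        render_user_filter(template, "probe")
    except (ValueError, KeyError):
        return False
    return True


if __name__ == "__main__":
    # The two 'info' strings from the question's log output
    for info in (
        "80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772",
        "000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation "
        "a successful bind must be completed on the connection., data 0, v1772",
    ):
        f = parse_ad_info(info)
        print(f["dsid"], "data", f["data"], "->", f["meaning"])

    print(render_user_filter("(SAMAccountName=%(user)s)", "my_user"))
    # A username containing filter metacharacters is neutralised, not interpreted
    print(render_user_filter("(SAMAccountName=%(user)s)", "*)(objectClass=*"))
    print("template without trailing s valid:", template_is_valid("(SAMAccountName=%(user))"))
```

Run it directly to see the two log lines decoded (525 is the "user not found" subcode, which is what the answer points at; the second error carries no bind subcode because the search ran on a connection that never bound). The escaping step is also the reason the user-search template is safe to feed with a login-form username: the metacharacters come out as `\2a`, `\28` and `\29` and the filter stays a single equality match.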
