LDAP authentication not working on Direct installation

GeekRambo
Posts: 1
Joined: Fri Jul 08, 2022 3:25 pm

LDAP authentication not working on Direct installation

Post by GeekRambo »

Hello All,

I have set up a direct installation of Mayan EDMS 4.2.5 on Debian 11/Bullseye. I have followed all I can find for configuring LDAP authentication but still cannot log in with an Active Directory user. I know that my LDAP settings file in /opt/mayan-edms/media/user_settings is being read, as when initially configured, I could not log in with a local admin user until I added the local backend authentication string ('django.contrib.auth.backends.ModelBackend') to the file. The file is *not* called ldap.py, I just used the default name from the Gitlab example, ldap_connection_settings.py.

I've seen many people showing logs for authentication, but I'm not sure where those logs are on my system. The only thing I can find is related to supervisor. After the ldap_connection_settings.py file, I have a piece of the logs I could find.

Also, I've manually run my ldap_connection_settings.py in Python3 just to verify if there are errors, but none showed.

Here are links that I used for various reasons:

Tutorial on how to setup LDAP Authentication: viewtopic.php?t=1606
LDAP example file used: https://gitlab.com/mayan-edms/mayan-edm ... ettings.py
Add local backend authentication to the LDAP file: viewtopic.php?t=825

Below are the files contents (all internal information has been scrubbed):

# Ensure this file is not saved as "ldap.py" or you will run
# into name conflicts (https://gitlab.com/mayan-edms/mayan-edms/issues/743)
# Install Python LDAP with:
# $ pip install python-ldap
# or if using Docker, pass the following environment variables:
# -e MAYAN_PIP_INSTALLS="python-ldap django_auth_ldap"
# -e MAYAN_APT_INSTALLS="gcc libldap2-dev/buster-backports libsasl2-dev python3-dev"
# Finally instruct Mayan to use this file.
# -e MAYAN_SETTINGS_MODULE=user_settings.ldap_connection_settings

import ldap

from django_auth_ldap.config import (
    LDAPSearch, LDAPSearchUnion, NestedActiveDirectoryGroupType, GroupOfNamesType
)

from mayan.settings.production import *  # NOQA

# Makes sure this works in Active Directory
ldap.set_option(ldap.OPT_REFERRALS, False)

# Turn on debug output; turn this off when everything is working as expected
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)

# Whether to update the user record on every login
# Default: True
AUTH_LDAP_ALWAYS_UPDATE_USER = True

# Use TLS to talk to the LDAP server
# Requires acquiring the server's certificate
# $ openssl s_client -connect <LDAP server>:636
# Part of the output of this command will be the Base-64 encoded .cer file
# that was presented for LDAPS. Cut and paste into a file beginning at
# "-Begin Certificate" through "-End Certificate--" and save as a .crt, for
# example: ldapserver.crt
# $ CERT=ldapserver.crt
# $ cp /root/$CERT /usr/share/ca-certificates/$CERT
# # notice the + sign which tells to activate the certificate.
# $ echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
# $ dpkg-reconfigure ca-certificates;
AUTH_LDAP_START_TLS = False
# This option disables certificate checking if the method above does not work
# potentially dangerous!
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

LDAP_ADDITIONAL_USER_DN = 'dc=people'
LDAP_ADMIN_DN = 'DN of Admin User'
LDAP_BASE_DN = 'OU=*Base OU*,DC=*companyname*,DC=com'
LDAP_PASSWORD = 'SuPeRsEcReTpAsSwOrD'
LDAP_USER_AUTO_CREATION = 'False'
LDAP_URL = 'ldap://*IP to AD DC*:389/'

AUTH_LDAP_BIND_DN = LDAP_ADMIN_DN
AUTH_LDAP_BIND_PASSWORD = LDAP_PASSWORD
AUTH_LDAP_SERVER_URI = LDAP_URL

# Simple search: the search base is LDAP_ADDITIONAL_USER_DN prepended to LDAP_BASE_DN
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    '%s,%s' % (LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN),
    ldap.SCOPE_SUBTREE, '(SamAccountName=%(user)s)'
)

# If you need to search in more than one place for a user, you can use
# LDAPSearchUnion. This takes multiple LDAPSearch objects and returns the
# union of the results. The precedence of the underlying searches is
# unspecified.
# https://django-auth-ldap.readthedocs.io ... ation.html
# AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
#     LDAPSearch(
#         'ou=Users,ou=Admin,dc=<top level DC>,dc=local', ldap.SCOPE_SUBTREE,
#         '(samaccountname=%(user)s)'
#     ),
#     LDAPSearch(
#         'ou=Users,ou=<second OU>,dc=<top level DC>,dc=local',
#         ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)'
#     ),
#     LDAPSearch(
#         'ou=Users,ou=<third OU>,dc=<top level DC>,dc=local',
#         ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)'
#     ),
# )

# User attributes to map from LDAP to Mayan's user model.
# AUTH_LDAP_USER_ATTR_MAP = {
#     'first_name': 'cn',
#     'last_name': 'sn',
#     'email': 'mail'
# }
# Another example map
AUTH_LDAP_USER_ATTR_MAP = {
    'username': 'SamAccountName',
    'first_name': 'GivenName',
    'last_name': 'sn',
    'email': 'UserPrincipalName'
}
# Only string fields can be mapped to attributes. Boolean fields can be
# defined by group membership:
# AUTH_LDAP_USER_FLAGS_BY_GROUP = {
#     'is_active': 'cn=active,ou=groups,dc=example,dc=com',
#     'is_staff': (
#         LDAPGroupQuery('cn=staff,ou=groups,dc=example,dc=com')
#         | LDAPGroupQuery('cn=admin,ou=groups,dc=example,dc=com')
#     ),
#     'is_superuser': 'cn=superuser,ou=groups,dc=example,dc=com',
# }

# Simple group search
# AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
#     'ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE, '(objectClass=groupOfNames)'
# )
# AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()

# Advanced group search
# AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
#     LDAPSearch(
#         'ou=Domain Global,OU=Security,OU=Groups,OU=<OU>,dc=<top level DC>,dc=local',
#         ldap.SCOPE_SUBTREE,
#         '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
#     ),
#     LDAPSearch(
#         'ou=Domain Global,OU=Security,OU=Groups,OU=<OU>,dc=<top level DC>,dc=local',
#         ldap.SCOPE_SUBTREE,
#         '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
#     ),
# )
# AUTH_LDAP_CACHE_GROUPS = True
# AUTH_LDAP_FIND_GROUP_PERMS = False
# AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()
# AUTH_LDAP_MIRROR_GROUPS = True

# To minimize traffic to the LDAP server, LDAPBackend can make use of
# Django's cache framework to keep a copy of a user's LDAP group memberships.
# To enable this feature, set AUTH_LDAP_CACHE_TIMEOUT, which determines
# the timeout of cache entries in seconds.
# AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

# Limiting Access
# The simplest use of groups is to limit the users who are allowed to log in.
# If AUTH_LDAP_REQUIRE_GROUP is set, then only users who are members of that
# group will successfully authenticate. AUTH_LDAP_DENY_GROUP is the reverse:
# if given, members of this group will be rejected.
# AUTH_LDAP_DENY_GROUP = 'cn=disabled,ou=groups,dc=example,dc=com'

# LDAP first, then the local Django user database (needed for the local admin)
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

Supervisor log (all internal information has been scrubbed):

ldap_create
ldap_url_parse_ext(ldap://*.*.*.*:389/)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP *.*.*.*:389
ldap_new_socket: 12
ldap_prepare_socket: 12
ldap_connect_to_host: Trying *.*.*.*:389
ldap_pvt_connect: fd: 12 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x2716310 msgid 1
wait4msg ld 0x2716310 msgid 1 (infinite timeout)
wait4msg continue ld 0x2716310 msgid 1 all 1
** ld 0x2716310 Connections:
* host: *.*.*.* port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jul 8 15:59:24 2022


** ld 0x2716310 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x2716310 request count 1 (abandoned 0)
** ld 0x2716310 Response Queue:
Empty
ld 0x2716310 response count 0
ldap_chkResponseList ld 0x2716310 msgid 1 all 1
ldap_chkResponseList returns ld 0x2716310 NULL
ldap_int_select
read1msg: ld 0x2716310 msgid 1 all 1
read1msg: ld 0x2716310 msgid 1 message type bind
read1msg: ld 0x2716310 0 new referrals
read1msg: mark request completed, ld 0x2716310 msgid 1
request done: ld 0x2716310 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_search_ext
put_filter: "(SamAccountName=ADUserAccount)"
put_filter: simple
put_simple_filter: "SamAccountName=ADUserAccount"
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x2716310 msgid 2
wait4msg ld 0x2716310 msgid 2 (infinite timeout)
wait4msg continue ld 0x2716310 msgid 2 all 1
** ld 0x2716310 Connections:
* host: *.*.*.* port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jul 8 15:59:24 2022


** ld 0x2716310 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x2716310 request count 1 (abandoned 0)
** ld 0x2716310 Response Queue:
Empty
ld 0x2716310 response count 0
ldap_chkResponseList ld 0x2716310 msgid 2 all 1
ldap_chkResponseList returns ld 0x2716310 NULL
ldap_int_select
read1msg: ld 0x2716310 msgid 2 all 1
read1msg: ld 0x2716310 msgid 2 message type search-result
read1msg: ld 0x2716310 0 new referrals
read1msg: mark request completed, ld 0x2716310 msgid 2
request done: ld 0x2716310 msgid 2
res_errno: 32, res_error: <0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=BaseOU,DC=company,DC=com'
>, res_matched: <OU=BaseOU,DC=company,DC=com>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_parse_result
ldap_msgfree
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
schubisu
Posts: 6
Joined: Thu Aug 25, 2022 3:54 pm

Re: LDAP authentication not working on Direct installation

Post by schubisu »

Hi GeekRambo,

just stumbled over this post and compared your config to mine; it's almost identical except that I don't have an LDAP_ADDITIONAL_USER_DN. However, if I understand the logs you posted correctly, the ldap query returns 0 results. Have you tried to manually query the server with the same credentials, e.g. using ldapsearch?
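The reply above suggests repeating the query by hand with the same credentials. The script below is an added example written for this thread; it is not code from either poster or from Mayan EDMS. It does two things: it reads the `res_errno`/`res_matched` pair from the OpenLDAP debug output that Mayan writes to the supervisor log and relates it to the search base the settings file composes (`'%s,%s' % (LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN)`), and it offers a `live_user_search` helper that performs the same bind-and-search with python-ldap outside Django. The host, DNs and password are placeholders standing in for the scrubbed values in the post, and `SAMPLE_LOG` is constructed from the posted log lines. Note that, with `ldap://` on port 389 and `AUTH_LDAP_START_TLS = False` as in the posted settings, the simple bind in Mayan and in this helper sends the service-account password in clear text; once the search works, move to `ldaps://` or START_TLS.

```python
"""Diagnose a django-auth-ldap user search that ends in NO_OBJECT (errno 32)
from the OpenLDAP debug output, and optionally repeat the search live."""
import re

# Placeholders standing in for the scrubbed values in the posted settings file.
LDAP_ADDITIONAL_USER_DN = 'dc=people'
LDAP_BASE_DN = 'OU=BaseOU,DC=company,DC=com'
LDAP_URL = 'ldap://ldap.example.invalid:389/'   # placeholder host
LDAP_ADMIN_DN = 'CN=svc-mayan,OU=BaseOU,DC=company,DC=com'   # placeholder
LDAP_PASSWORD = 'placeholder-password'

# Constructed sample, shaped like the search-result section of the posted log.
SAMPLE_LOG = """\
put_filter: "(SamAccountName=ADUserAccount)"
read1msg: ld 0x2716310 msgid 2 message type search-result
res_errno: 32, res_error: <0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=BaseOU,DC=company,DC=com'
>, res_matched: <OU=BaseOU,DC=company,DC=com>
ldap_free_request (origid 2, msgid 2)
"""

LDAP_NO_SUCH_OBJECT = 32   # LDAP resultCode noSuchObject (RFC 4511)


def user_search_base(additional_dn, base_dn):
    """Compose the search base exactly the way the settings file does."""
    return '%s,%s' % (additional_dn, base_dn)


def dn_components(dn):
    """Split a DN into lower-cased RDNs (plain comma split; enough for these DNs)."""
    return [c.strip().lower() for c in dn.split(',') if c.strip()]


def parse_search_result(log_text):
    """Pull errno and the server's matched DN out of an OpenLDAP 'res_errno:' line."""
    m = re.search(r'res_errno: (\d+),.*?res_matched: <([^>]*)>', log_text, re.S)
    if not m:
        return None
    return {'errno': int(m.group(1)), 'matched': m.group(2).strip()}


def diagnose(log_text, search_base):
    """Explain a NO_OBJECT search result in terms of the configured search base.

    The matched DN is the deepest existing ancestor of the requested base, so
    whatever sits in front of it in the configured base is the part the
    directory does not have."""
    result = parse_search_result(log_text)
    if result is None:
        return 'no search result found in log'
    if result['errno'] != LDAP_NO_SUCH_OBJECT:
        return 'search completed with errno %d' % result['errno']
    matched = dn_components(result['matched'])
    wanted = dn_components(search_base)
    if matched and len(wanted) > len(matched) and wanted[-len(matched):] == matched:
        missing = ','.join(wanted[:len(wanted) - len(matched)])
        return ('search base %r does not exist; server matched only %r, '
                'so the prefix %r is the part that is missing'
                % (search_base, result['matched'], missing))
    return 'search base %r does not exist (matched: %r)' % (search_base, result['matched'])


def live_user_search(uri, bind_dn, password, search_base, username):
    """Repeat django-auth-ldap's bind and user search with python-ldap, outside
    Django. Needs python-ldap (installed alongside django_auth_ldap); it is
    imported here so the offline helpers above run without it."""
    import ldap
    import ldap.filter
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)   # same setting as the config file
    conn.simple_bind_s(bind_dn, password)    # clear text over ldap://, see lead-in
    try:
        flt = '(sAMAccountName=%s)' % ldap.filter.escape_filter_chars(username)
        return conn.search_s(search_base, ldap.SCOPE_SUBTREE, flt,
                             ['sAMAccountName', 'userPrincipalName'])
    except ldap.NO_SUCH_OBJECT as exc:
        info = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
        raise SystemExit('search base %r does not exist; server matched %r'
                         % (search_base, info.get('matched', '')))
    finally:
        conn.unbind_s()


if __name__ == '__main__':
    base = user_search_base(LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN)
    print(diagnose(SAMPLE_LOG, base))
    # Uncomment to run the live check against a real server:
    # print(live_user_search(LDAP_URL, LDAP_ADMIN_DN, LDAP_PASSWORD, base, 'ADUserAccount'))
```

Running the offline part against the constructed log reports that the configured base `dc=people,OU=BaseOU,DC=company,DC=com` does not exist and that the server could only match `OU=BaseOU,DC=company,DC=com`, which is the same reading of the log that the reply gives (zero results because the base itself is not found). The live helper is the python-ldap equivalent of the suggested `ldapsearch`, with the username escaped before it is placed in the filter.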