I'm trying to get django-auth-ldap working, but I keep getting invalid credentials (49) errors, despite having correct credentials:
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
Using python-ldap (2.4.13) and django-auth-ldap (1.1.4) on Ubuntu 12.04.3 against Windows Server 2008 R2. I followed the installation instructions here: http://pythonhosted.org/django-auth-ldap/install.html and here: http://www.djm.org.uk/using-django-auth-ldap-active-directory-ldaps
The second link recommends testing the connection using:
ldapsearch -H ldaps://ldap-x.companygroup.local:636 -D "CN=Something LDAP,OU=Random Group,DC=companygroup,DC=local" -w "p4ssw0rd" -v -d 1
Locally, that would be:
ldapsearch -H ldap://192.168.0.3 -D "cn=testadmin,dc=fds,dc=local" -w "password" -v -d 1
This didn't work for me, but the following did:
ldapsearch -H ldap://192.168.0.3 -D "dc=fds,dc=local" -U "testadmin" -w "password" -v -d 1
so I was happy. Before moving the user out into the -U flag I had also tried the following without success:
ldapsearch -H ldap://192.168.0.3 -D "cn=testadmin,ou=Users,dc=fds,dc=local" -w "password" -v -d 1
ldapsearch -H ldap://192.168.0.3 -D "uid=testadmin,dc=fds,dc=local" -w "password" -v -d 1
ldapsearch -H ldap://192.168.0.3 -D "uid=testadmin,ou=Users,dc=fds,dc=local" -w "password" -v -d 1
My django-auth-ldap settings are:
import ldap
from django_auth_ldap.config import LDAPSearch

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

AUTH_LDAP_SERVER_URI = 'ldap://192.168.0.3'
# Service account used for the initial bind, before the user search runs
AUTH_LDAP_BIND_DN = 'uid=testadmin,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_PASSWORD = 'password'
# Search filter template: the placeholder is %(user)s (the trailing 's' is required,
# otherwise Python raises a format error before any LDAP query is sent)
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=fds,dc=local",
                                   ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_DEBUG_LEVEL: 0,
    ldap.OPT_REFERRALS: 0,
}
This doesn't work, with the same error as above. As you can see, I try logging in using the three forms: testadmin, [domain]\testadmin and testadmin@[domain].local, each with the same error.
Development server is running at http://0.0.0.0:8000/
Quit the server with CONTROL-C.
Caught LDAPError while authenticating testadmin: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
[06/Sep/2013 08:51:38] "POST /admin/ HTTP/1.1" 200 2027
Caught LDAPError while authenticating testadmin@fds.local: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
[06/Sep/2013 08:53:40] "POST /admin/ HTTP/1.1" 200 2037
Caught LDAPError while authenticating fds\testadmin: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
[06/Sep/2013 08:53:50] "POST /admin/ HTTP/1.1" 200 2031
I have tried a number of alterations to the settings in various combinations of/including:
AUTH_LDAP_BIND_DN = 'uid=testadmin,ou=Domain Users,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_DN = 'cn=testadmin,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_DN = 'cn=testadmin,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_DN = 'uid=testadmin,dc=fds,dc=local'
AUTH_LDAP_BIND_DN = 'cn=testadmin,dc=fds,dc=local'
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Domain Users,ou=Users,dc=fds,dc=local",
                                   ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=FDS Users,dc=fds,dc=local",
                                   ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=IT Users,ou=FDS Users,dc=fds,dc=local",
                                   ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
I don't fully understand AD or LDAP, but am working from examples I've found online - each of those ou's is an existing ou in my domain that contains users or other ou's containing users.
It seems to me that the problem relates to either the settings
AUTH_LDAP_BIND_DN = 'uid=testadmin,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_PASSWORD = 'password'
or
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=fds,dc=local",
                                   ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
but am unsure - and don't know what to do next to solve this problem. Any ideas?
Turns out I was looking for the error in the wrong place. It was a BIND error, not a user auth error. Note that there was confusion between whether the error was in AUTH_LDAP_BIND_DN or AUTH_LDAP_USER_SEARCH.
Solution was
AUTH_LDAP_BIND_DN = 'cn=testadmin,ou=FDS Users,dc=fds,dc=local'
AUTH_LDAP_BIND_DN needs to refer to a Distinguished Name, i.e., it needs to point to exactly where the user is located - it isn't a case of "search a group or OU" so much as "this is the link".
The above worked.
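The answer's point is that the backend does three separate things that all surface as the same "Caught LDAPError while authenticating <user>" line: a bind as AUTH_LDAP_BIND_DN, a search with AUTH_LDAP_USER_SEARCH, then a bind as the DN that search returned. The following diagnostic is an added example, not code from the question, the answer or django-auth-ldap itself; it runs the three steps one at a time and names the one that fails. It accepts any object with python-ldap's simple_bind_s/search_s methods, and the FakeADConnection, its directory contents and the two settings dicts are constructed here (the DNs are the ones quoted on the page; the stored password and attribute values are assumptions) so it runs without a server.

```python
"""Added diagnostic for the three steps django-auth-ldap performs on login.

Step 1 binds as AUTH_LDAP_BIND_DN, step 2 runs AUTH_LDAP_USER_SEARCH to find the
user's DN, step 3 binds as that DN with the submitted password. The backend
reports a failure in any of them identically, which is why the bind error in
the question looked like a user-auth error. `conn` may be a python-ldap
connection from ldap.initialize(...); FakeADConnection is a constructed
stand-in so the example runs offline.
"""

SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE in python-ldap


def escape_filter_chars(value):
    """RFC 4515 escaping of the characters that change a filter's meaning
    (the same set python-ldap's ldap.filter.escape_filter_chars handles)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_user_filter(template, username):
    """Fill the %(user)s placeholder. A template written as '(uid=%(user))'
    (missing the trailing 's') is a Python ValueError, not an LDAP error."""
    return template % {"user": escape_filter_chars(username)}


def diagnose(conn, settings, username, password):
    """Return (failing_stage, detail). failing_stage is None when every step
    succeeds; detail is then the authenticated user's DN."""
    try:
        conn.simple_bind_s(settings["AUTH_LDAP_BIND_DN"],
                           settings["AUTH_LDAP_BIND_PASSWORD"])
    except Exception as exc:  # python-ldap raises ldap.INVALID_CREDENTIALS here
        return ("service_bind", "AUTH_LDAP_BIND_DN rejected: %s" % exc)

    base, template = settings["AUTH_LDAP_USER_SEARCH"]
    try:
        ldap_filter = render_user_filter(template, username)
    except ValueError as exc:
        return ("filter_template", "bad filter %r: %s" % (template, exc))

    results = conn.search_s(base, SCOPE_SUBTREE, ldap_filter)
    if len(results) != 1:
        return ("user_search", "%d entries matched %s under %s"
                % (len(results), ldap_filter, base))
    user_dn = results[0][0]

    try:
        conn.simple_bind_s(user_dn, password)
    except Exception as exc:
        return ("user_bind", "%s rejected: %s" % (user_dn, exc))
    return (None, user_dn)


class FakeADConnection:
    """Constructed in-memory stand-in for the AD server in the question:
    lower-cased DN -> {"password", "attrs"}. Only single-attribute equality
    filters are supported, which is all this example builds."""

    def __init__(self, entries):
        self.entries = {dn.lower(): e for dn, e in entries.items()}

    def simple_bind_s(self, dn, password):
        entry = self.entries.get(dn.lower())
        if entry is None or entry["password"] != password:
            # AD answers a non-existent DN and a wrong password the same way (data 52e)
            raise RuntimeError("INVALID_CREDENTIALS (AcceptSecurityContext error, data 52e)")
        return True

    def search_s(self, base, scope, ldap_filter):
        attr, value = ldap_filter.strip("()").split("=", 1)
        return [(dn, e["attrs"]) for dn, e in self.entries.items()
                if dn.endswith(base.lower()) and e["attrs"].get(attr.lower()) == value]


# Constructed directory: the only account lives where the accepted answer found it.
DIRECTORY = FakeADConnection({
    "cn=testadmin,ou=FDS Users,dc=fds,dc=local": {
        "password": "password",  # assumed value, matches the question's settings
        # AD normally matches logins on sAMAccountName; uid is filled in to match the page's filter
        "attrs": {"cn": "testadmin", "samaccountname": "testadmin", "uid": "testadmin"},
    },
})

QUESTION_SETTINGS = {  # the question's bind DN, which is not an entry in this tree
    "AUTH_LDAP_BIND_DN": "uid=testadmin,ou=Users,dc=fds,dc=local",
    "AUTH_LDAP_BIND_PASSWORD": "password",
    "AUTH_LDAP_USER_SEARCH": ("ou=Users,dc=fds,dc=local", "(uid=%(user)s)"),
}

ANSWER_SETTINGS = {  # the accepted answer's bind DN plus a search base that contains the user
    "AUTH_LDAP_BIND_DN": "cn=testadmin,ou=FDS Users,dc=fds,dc=local",
    "AUTH_LDAP_BIND_PASSWORD": "password",
    "AUTH_LDAP_USER_SEARCH": ("ou=FDS Users,dc=fds,dc=local", "(uid=%(user)s)"),
}

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_SETTINGS), ("answer", ANSWER_SETTINGS)):
        print(label, diagnose(DIRECTORY, cfg, "testadmin", "password"))
```

Against a real server, replace DIRECTORY with `ldap.initialize(AUTH_LDAP_SERVER_URI)` and the service-bind stage reproduces the 52e error the question shows whenever the DN does not name an existing entry; the user_search stage separately reveals an attribute that the directory never populates (for example a uid filter against AD) as zero matches rather than as a credentials error.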