There are two ways to authenticate a user using Django Auth LDAP
- Search/Bind and
- Direct Bind.
The first one involves connecting to the LDAP server either anonymously or with a fixed account and searching for the distinguished name of the authenticating user. Then we can attempt to bind again with the user’s password.
The second method is to derive the user’s DN from his username and attempt to bind as the user directly.
I want to be able to do a direct bind using the userid (sAMAccountName) and password of the user who is trying to gain access to the application. Please let me know if there is a way to achieve this? At the moment, I cannot seem to make this work due to the problem explained below.
In my case, the DN of users in LDAP is of the following format
**'CN=Steven Jones,OU=Users,OU=Central,OU=US,DC=client,DC=corp'**
This basically translates to 'CN=FirstName LastName,OU=Users,OU=Central,OU=US,DC=client,DC=corp'
This is preventing me from using Direct Bind as the sAMAccountName of the user is sjones and this is the parameter that corresponds to the user name (%user) and I can't figure out a way to frame a proper AUTH_LDAP_USER_DN_TEMPLATE to derive the User's DN using.
Due to the above explained problem, I am using Search/Bind for now but this requires me to have a fixed user credential to be specified in AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD.
Here is my current settings.py configuration
AUTH_LDAP_SERVER_URI = "ldap://10.5.120.161:389"
AUTH_LDAP_BIND_DN='CN=Steven Jones,OU=Users,OU=Central,OU=US,DC=client,DC=corp'
AUTH_LDAP_BIND_PASSWORD='fga.1234'
#AUTH_LDAP_USER_DN_TEMPLATE = 'CN=%(user)s,OU=Appl Groups,OU=Central,OU=US,DC=client,DC=corp'
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
LDAPSearch("OU=Users, OU=Central,OU=US,DC=client,DC=corp",ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
LDAPSearch("OU=Users,OU=Regional,OU=Locales,OU=US,DC=client,DC=corp",ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
)
AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn","email":"mail"}
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("CN=GG_BusinessApp_US,OU=Appl Groups,OU=Central,OU=US,DC=client,DC=corp",ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_REQUIRE_GROUP = 'CN=GG_BusinessApp_US,OU=Appl Groups,OU=Central,OU=US,DC=client,DC=corp'
Looking forward for some guidance from the wonderful folks in here.
(This is actually a comment to @amethystdragon's answer, but it's a bunch of code, so posting as a separate answer.) The problem still seems to exist with django_auth_ldap 1.2.5. Here's an updated patch. If you don't want or can't modify the source code, monkey-patching is possible. Just put this code to eg. end of
settings.py
. (And yes, I know monkey-patching is ugly.)I had the same issue.
I ran accross: https://bitbucket.org/psagers/django-auth-ldap/issue/21/cant-bind-and-search-on-activedirectory
The author brought up a way to change the library files for django-auth-ldap so that it could do a direct bind.
It came down to changing /django_auth_ldap/backend.py to include two lines around line 364:
I was able to get this to work on my local macheine that was running Arch Linux 3.9.8-1-ARCH, but I was unable to replicate it on the dev server running Ubuntu 13.04.
Hopefully this can help.
I also had this problem where the old ldap server had a dn that started with uid, but the DN of the new one starts with CN ('Steven Jones'). I used this configuration (which solved it for me) in setting.py:
I also had this issue, but I didn't want to modify the
settings.py
file. The fix for me was to comment out the line "AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=path,dc=to,dc=domain"". I also addedNestedActiveDirectoryGroupType
as part of my troubleshooting. Not sure if it's necessary, but it's working now so I'm leaving it. Here's myldap_config.py
file.