Django-Ldap-Authentication

I am trying to authenticate the user with the LDAP server in Django.

I have configured my settings.py as follows:

AUTH_LDAP_SERVER_URI = "ldap.forumsys.com"
AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch("dc=example,dc=com",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_START_TLS = True


AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
    )

In my views I have tried to authenticate it with the LDAPBackend:

from django.http import HttpResponse
from django_auth_ldap.backend import LDAPBackend
from django.contrib.auth.models import User


from django.conf import settings


def login_user(request):

    state = ""

    username = settings.AUTH_LDAP_BIND_DN
    password = settings.AUTH_LDAP_BIND_PASSWORD

    auth = LDAPBackend()

    try:
        User = auth.authenticate(username=username,password=password) 
        if User is not None:
            state = "Valid"

        else:
            state = "Invalid"

    except LDAPError as e:
            state = "Error"

    return HttpResponse(state)  

But I am getting an error:

LDAPError while authenticating cn=read-only-admin,dc=example,dc=com: LDAPError(0,'Error')

And I do have another doubt. Are the username and password the same as the bind_username and bind_password?

Pravin Bhasker asked Apr 21 '26 13:04


2 Answers

Make sure AUTH_LDAP_SERVER_URI is the hostname or IP address of AD. In Django settings.py:

import ldap
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_SERVER_URI = "ldap://hostname or Ip address of active directory"
AUTH_LDAP_BIND_DN = "CN=sAMAccountName,CN=Users,DC=yourdomain,DC=com"
AUTH_LDAP_BIND_PASSWORD = "*******"
# Do not follow referrals returned by the directory
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0,
}
AUTH_LDAP_USER_SEARCH = LDAPSearch('CN=Users,DC=yourdomain,DC=com',
    ldap.SCOPE_SUBTREE, "(userPrincipalName=%(user)s)")

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend')

And views.py should be like this:

from django.contrib.auth import views as auth_views
from forms import ProjectRequestForm, ExAuthenticationForm

# auth_views.login is the function-based login view (removed in Django 2.1,
# where LoginView replaces it)
def login(request):
    return auth_views.login(request, template_name='login.html', authentication_form=ExAuthenticationForm)

Sadia Arif answered Apr 23 '26 03:04


My experience with LDAP didn't call for any view changes. I used the django-auth-ldap library which only required additional settings to use:

#-----------------------------------------------------------------------------#
#
#   LDAP Settings
#
#-----------------------------------------------------------------------------#

AUTHENTICATION_BACKENDS += ('django_auth_ldap.backend.LDAPBackend',) 

AUTH_LDAP_SERVER_URI = "ldaps://your.ldap.server"

AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=example,dc=com"

Using a bind login works as well with these additional settings:

import ldap
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_BIND_DN = "<user>"
AUTH_LDAP_BIND_PASSWORD = "<password>"
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=example,dc=com",ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

Normal Django login views work fine with this setup.

EDIT: I should add that one should confirm that LDAP is working via the command line on the server before trying with Django. This is what held me up at first.

Dashdrum answered Apr 23 '26 02:04
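
A preflight check for the settings discussed in this thread, added here as an example (it is not code from any of the posters or from django-auth-ldap). The function names, finding texts and sample dicts are assumptions; the samples hold the search filter as a plain string so the block runs without python-ldap.

```python
from urllib.parse import urlsplit

def check_ldap_settings(cfg):
    """Return a list of findings for a dict of django-auth-ldap settings."""
    findings = []
    scheme = urlsplit(cfg.get("AUTH_LDAP_SERVER_URI", "")).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        findings.append("URI: AUTH_LDAP_SERVER_URI needs an ldap:// or ldaps:// scheme")
    elif scheme == "ldap" and not cfg.get("AUTH_LDAP_START_TLS"):
        findings.append("TLS: ldap:// without AUTH_LDAP_START_TLS sends passwords in cleartext")
    # A bind DN with an empty password is an unauthenticated bind, not a login.
    if bool(cfg.get("AUTH_LDAP_BIND_DN")) != bool(cfg.get("AUTH_LDAP_BIND_PASSWORD")):
        findings.append("BIND: set both AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD, or neither")
    template = cfg.get("AUTH_LDAP_USER_DN_TEMPLATE")
    search = cfg.get("AUTH_LDAP_USER_SEARCH")
    # Accept an LDAPSearch object (its filterstr attribute) or, as in the samples, a string.
    search_filter = getattr(search, "filterstr", search)
    if template is None and search_filter is None:
        findings.append("LOOKUP: set AUTH_LDAP_USER_SEARCH or AUTH_LDAP_USER_DN_TEMPLATE")
    for name, value in (("DN template", template), ("search filter", search_filter)):
        if value is not None and "%(user)s" not in value:
            findings.append(f"LOOKUP: {name} has no %(user)s placeholder")
    if search_filter and not (search_filter.startswith("(") and search_filter.endswith(")")):
        findings.append("LOOKUP: wrap the search filter in parentheses (RFC 4515)")
    return findings

def check_login_name(cfg, username):
    """The name passed to authenticate() fills %(user)s; the bind DN only runs the search."""
    if username and username == cfg.get("AUTH_LDAP_BIND_DN"):
        return "LOGIN: pass the end user's login name, not the service account DN"
    return None

# Constructed sample: the settings from the question, filter held as a string.
QUESTION_CFG = {
    "AUTH_LDAP_SERVER_URI": "ldap.forumsys.com",
    "AUTH_LDAP_BIND_DN": "cn=read-only-admin,dc=example,dc=com",
    "AUTH_LDAP_BIND_PASSWORD": "password",
    "AUTH_LDAP_USER_SEARCH": "(uid=%(user)s)",
    "AUTH_LDAP_START_TLS": True,
}
# Constructed sample: the same settings with a scheme added to the URI.
WITH_SCHEME_CFG = dict(QUESTION_CFG, AUTH_LDAP_SERVER_URI="ldap://ldap.forumsys.com")

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CFG), ("with scheme", WITH_SCHEME_CFG)):
        print(label, check_ldap_settings(cfg))
    print(check_login_name(QUESTION_CFG, QUESTION_CFG["AUTH_LDAP_BIND_DN"]))
```

The check only inspects the settings; whether the server accepts the connection still has to be confirmed against the server itself.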
