Django LDAP authentication through Active Directory 2008

Question

I'm trying to authenticate my user through the corporate Active Directory server. I am unable to configure it properly, I know the LDAP works I have a MediaWiki that is configured and working to authenticate on the Active Directory Server.

system:

    Active Directory 2008
    Django (1, 3, 0, 'final', 0)
    django-auth-ldap 1.0.9

Here is my configuration in settings.py

    from django_auth_ldap.config import LDAPSearch
    import logging

    # makes sure this works in Active Directory
    ldap.set_option(ldap.OPT_REFERRALS, 0)

    LDAP_SERVER_URI = 'ldap://ad.exemple.com'
    AUTH_LDAP_BIND_DN = 'my_user'
    AUTH_LDAP_BIND_PASSWORD = 'my_pass'
    AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=exemple,dc=com', ldap.SCOPE_SUBTREE, '(SAMAccountName=%(user)s)')

    # Populate the Django user from the LDAP directory.
    AUTH_LDAP_USER_ATTR_MAP = {
            "first_name": "givenName",
            "last_name": "sn",
            "email": "mail"
    }

    # This is the default, but I like to be explicit.
    AUTH_LDAP_ALWAYS_UPDATE_USER = True

    AUTHENTICATION_BACKENDS = (
            'django_auth_ldap.backend.LDAPBackend',
            'django.contrib.auth.backends.ModelBackend',
    )

I also tried the ssl way by adding the new URI

    LDAP_SERVER_URI = 'ldaps://ad.exemple.com:636'

I used the main group User to search into I don't need any particular group that I want to authenticate.

The error message it returns the error :

    WARNING 2011-05-31 16:50:19,429 backend 3968 140632428340992 Caught LDAPError while authenticating my_user: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772', 'desc': 'Invalid credentials'},)
    [31/May/2011 16:50:19] "POST /admin/ HTTP/1.1" 200 9648

Seeing this error and looking for the LDAP error DSID-0C0903AA I found that I should try to set the username like this

[email protected]

It didn't work, it returns the error :

    ERROR 2011-05-31 16:55:38,947 config 6505 139868662060800 search_s('dc=ubilium,dc=loc', 2, '(SAMAccountName=my_user)') raised OPERATIONS_ERROR({'info': '000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772', 'desc': 'Operations error'},)
    DEBUG 2011-05-31 16:55:38,947 backend 6505 139868662060800 Authentication failed for my_user

Does anyone has any clue how to get it to connect?

Answer 1

The first error you are getting is LDAP 49 with a subcode of 525 which means User not found. I.e. Your bind DN is not correct.

Your second attempt, using the userPrincipalName formatting will fail, as your configuration says: AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=exemple,dc=com', ldap.SCOPE_SUBTREE, '(SAMAccountName=%(user)s)')

Thus you are trying to use the passed in user name in the filter of: (SAMAccountName=%(user)s)

I wonder if that is an extra s at the every end? I.e. Would (SAMAccountName=%(user)) be more correct?

What it is doing is saying, for the $(user) variable, find me the object in AD whose sAMAccountName attribute matches that value, and then use that DN returned as the bind DN. But you are not getting a correct DN and thus the LDAP 49 - 525 error.