I have set up Graphite Web 0.9.9 on CentOS 6.2 x86_64 at EC2 and I'm trying to get LDAP authentication to work against 389 Directory Server. I have configured local_settings.py with:

  • USE_LDAP_AUTH
  • LDAP_URI
  • LDAP_SEARCH_BASE
  • LDAP_BASE_USER
  • LDAP_BASE_PASS
  • LDAP_USER_QUERY

But I still get "Authentication attempt failed" every time I try to log in. Looking at the logs on the LDAP server, it doesn't look like graphite-web is connecting to the LDAP server at all. Unfortunately, I don't see anything useful in the logs on the graphite server - I only see "access.log" and "info.log". "error.log" and "exception.log" are empty.

Any bright ideas on what I can do to further troubleshoot this?

sciurus
organicveggie

4 Answers

Did you have the python-ldap package installed on this centos 6 host?

I got this working after installing it; a minimal CentOS installation does not include it, and the graphite packages from EPEL don't mark it as a dependency. You will need to reload httpd after installing it.

natxo asenjo

Since django 1.11,

The HttpRequest is now passed to authenticate() which in turn passes it to the authentication backend if it accepts a request argument.

Then, since django 2.1,

The authenticate() method of authentication backends requires request as the first positional argument.

And it seems that graphite, in particular graphite/account/ldapBackend.py, was never updated. I added request as the first parameter of authenticate in that file and login worked for me:

--- /usr/lib/python3/dist-packages/graphite/account/ldapBackend.py.old  2021-04-28 18:15:22.691462314 +0200
+++ /usr/lib/python3/dist-packages/graphite/account/ldapBackend.py  2021-04-28 18:19:30.654464317 +0200
@@ -18,7 +18,7 @@


 class LDAPBackend:
-  def authenticate(self, username=None, password=None):
+  def authenticate(self, request, username=None, password=None):
     if settings.LDAP_USER_DN_TEMPLATE is not None:
       settings.LDAP_BASE_USER = settings.LDAP_USER_DN_TEMPLATE % {'username': username}
       settings.LDAP_BASE_PASS = password
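Review bot: the new `request` parameter in `def authenticate(self, request, username=None, password=None):` has no default, so anything that still calls the backend as `authenticate(username=..., password=...)` (a Django release older than 1.11, a test, or a direct call) now raises a TypeError instead of authenticating; `request=None` keeps both call styles working while still satisfying the Django 2.1 positional requirement. Separately, the unchanged context lines copy the login's `username` and `password` into `settings.LDAP_BASE_USER` and `settings.LDAP_BASE_PASS`, mutating process-wide settings on every login; in a multi-threaded WSGI worker two concurrent logins can overwrite each other's bind credentials, so the resolved DN and password should be locals passed to the bind rather than settings attributes.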
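Why the one-line signature change matters, and why the old backend produced no LDAP traffic and no error log entry at all, is easier to see by reproducing Django's backend selection step. The following is an added example, not code from graphite-web or Django: `django_style_authenticate` re-implements the check that `django.contrib.auth.authenticate()` performs on Django 1.11+ (it binds `(request, **credentials)` against each backend's signature with `inspect.signature` and silently skips any backend that cannot accept them), and the directory, DN template, `simple_bind` helper and request object are constructed stand-ins so it runs without Django or python-ldap.

```python
"""Added example: how Django >= 2.1 selects an authentication backend and
why graphite's pre-1.11 LDAP backend signature is skipped without a call.

Not code from graphite-web or Django.  FAKE_DIRECTORY, LDAP_USER_DN_TEMPLATE
and simple_bind() are constructed stand-ins for a 389-DS bind.
"""
import inspect

# Constructed stand-in for the directory: bind DN -> password.
FAKE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse",
}
# Same shape as graphite's LDAP_USER_DN_TEMPLATE setting.
LDAP_USER_DN_TEMPLATE = "uid=%(username)s,ou=people,dc=example,dc=com"


def simple_bind(dn, password):
    """Stand-in for ldap.simple_bind_s(): True only on a successful bind."""
    return FAKE_DIRECTORY.get(dn) == password


class OldLDAPBackend:
    """Signature as shipped in graphite/account/ldapBackend.py before the fix."""
    calls = 0  # how many times Django actually invoked this backend

    def authenticate(self, username=None, password=None):
        type(self).calls += 1
        dn = LDAP_USER_DN_TEMPLATE % {"username": username}
        return username if simple_bind(dn, password) else None


class FixedLDAPBackend:
    """Same backend with `request` as the first positional argument."""
    calls = 0

    def authenticate(self, request, username=None, password=None):
        type(self).calls += 1
        dn = LDAP_USER_DN_TEMPLATE % {"username": username}
        return username if simple_bind(dn, password) else None


def django_style_authenticate(backends, request, **credentials):
    """Re-implementation of the backend loop in django.contrib.auth.authenticate().

    Django binds (request, **credentials) against each backend's signature
    before calling it.  A backend whose signature cannot take those
    arguments is skipped: no call, no bind to the LDAP server, no log line.
    That is the symptom in the question (nothing on the 389-DS side, empty
    error.log), not a failed bind.
    """
    for backend in backends:
        sig = inspect.signature(backend.authenticate)
        try:
            sig.bind(request, **credentials)
        except TypeError:
            # Old signature: `request` lands on `username`, and the keyword
            # `username` then collides with it -> TypeError -> skipped.
            continue
        user = backend.authenticate(request, **credentials)
        if user is not None:
            return user
    return None


def run_demo():
    """Run the same login through the old and the fixed backend."""
    request = object()  # stand-in for django.http.HttpRequest
    OldLDAPBackend.calls = FixedLDAPBackend.calls = 0
    old = django_style_authenticate([OldLDAPBackend()], request,
                                    username="alice", password="correct horse")
    fixed = django_style_authenticate([FixedLDAPBackend()], request,
                                      username="alice", password="correct horse")
    bad = django_style_authenticate([FixedLDAPBackend()], request,
                                    username="alice", password="wrong")
    return {
        "old_result": old, "old_calls": OldLDAPBackend.calls,
        "fixed_result": fixed, "bad_result": bad,
        "fixed_calls": FixedLDAPBackend.calls,
    }


if __name__ == "__main__":
    print(run_demo())
```

The old backend is never invoked (`old_calls` stays 0 and the result is None even with a valid password), which is why the LDAP server's access log shows no connection; the fixed backend is called and succeeds or fails on the bind itself. When debugging "Authentication attempt failed" on a newer Django, checking that the backend is reached at all (a print or log line at the top of `authenticate`) separates this signature mismatch from a real LDAP problem.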

Access logs should include everything about the connection request. Start by isolating the firewall and try a telnet. If you can telnet, try running a native ldapsearch against the LDAP server and see if it returns data.

Access logs will contain all data related to that connection. Paste the access logs after sanitizing the IP addresses to investigate the issue. You can also mail 389-users@lists.fedoraproject.org for any issues.

atvt

If you're using LDAP to communicate with an Active Directory server, try turning off referral chasing.

I added these lines to local_settings.py.

import ldap
ldap.set_option(ldap.OPT_REFERRALS, 0)
# Critical for preventing timeouts due to AD search referrals not supported by LDAP v3.
# http://code.google.com/p/reviewboard/issues/detail?id=1641
GregB