
I'm working on a Django application which needs to support LDAP authentication directly into the default admin page.
I've integrated django-auth-ldap and followed the documentation as far as I could understand it.
I've already configured a local LDAP server using OpenLDAP and a PHP graphical interface (I'm also able to use LDIF file configuration). When I try to log in to the Admin page, Django finds the local server and the user objects inside of it, and also recognizes which group a user belongs to. Despite this I'm not able to log in. The error I find:

[21/Aug/2014 11:06:53] "GET /admin/ HTTP/1.1" 200 1870
search_s('ou=users,dc=whiteqube', 2, '(cn=%(user)s)') returned 1 objects: cn=sonia,ou=users,dc=whiteqube
DEBUG:django_auth_ldap:search_s('ou=users,dc=whiteqube', 2, '(cn=%(user)s)') returned 1 objects: cn=sonia,ou=users,dc=whiteqube
Authentication failed for sonia
DEBUG:django_auth_ldap:Authentication failed for sonia
[21/Aug/2014 11:06:56] "POST /admin/ HTTP/1.1" 200 2046

In the Admin interface, the login just fails.
My settings.py:

# - - - - LDAP CONFIGURATION - - - - #
#
# Importing ldap libraries and applications
import logging  # needed by the debug logger set up at the end of this block
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, PosixGroupType

# ...connecting to ldap server (local environment uses IP)
AUTH_LDAP_SERVER_URI = "ldap://10.0.2.15"

# ...account to enter into ldap server (anonymous is not always allowed)
#AUTH_LDAP_BIND_DN = "cn=admin,dc=whiteqube"
#AUTH_LDAP_BIND_PASSWORD = "root"

# ...path where to start to search groups
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=whiteqube",
                                    ldap.SCOPE_SUBTREE, # allow searching from current node to all nodes below
                                    "(objectClass=posixGroup)" # type of object
)
AUTH_LDAP_GROUP_TYPE = PosixGroupType() # a posixGroup is identified by the keyword "cn" into ldap server

# ...associations between ldap and django groups
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=active,ou=groups,dc=whiteqube",
    "is_staff": "cn=staff,ou=groups,dc=whiteqube",
    "is_superuser": "cn=superuser,ou=groups,dc=whiteqube"
}
AUTH_LDAP_PROFILE_FLAGS_BY_GROUP = {  # the setting name is singular; a misspelt name is silently ignored
    "is_awesome": ["cn=awesome,ou=groups,dc=whiteqube"]
}


# ...node where to start to search users
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=whiteqube",
                                   ldap.SCOPE_SUBTREE, # allow searching from current node to all nodes below
                                   "(cn=%(user)s)"
                                   #"(objectClass=posixAccount)"
                                   #"(objectClass=inetOrgPerson)"
)
# Keep ModelBackend around for per-user permissions and maybe a local
# superuser.
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

# Enable debug for ldap server connection
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)
# - - - - END  LDAP CONFIGURATION - - - - #

My LDAP is filled with these objects:

  • ou=groups,dc=whiteqube
    • cn=superuser,ou=groups,dc=whiteqube
    • cn=staff,ou=groups,dc=whiteqube
  • ou=users,dc=whiteqube
    • cn=sonia,ou=users,dc=whiteqube

where "groups" and "users" are organizationalUnit entries, "staff" and "superuser" are posixGroup entries, and "sonia" is a posixAccount.
See the picture for the LDAP tree:

[image: LDAP Tree]
I'm sure the LDAP objects are configured as they must be, inasmuch as the Django debug output recognizes the user's group dependence.

PS: I'm able to log in to admin when I use a Django local account.

Where am I going wrong? Is there any further attribute configuration I missed?

user692942
Daniele Duboin
  • Does it work when you specify `AUTH_LDAP_BIND_DN` and `AUTH_LDAP_BIND_PASSWORD`? – toabi Aug 21 '14 at 13:41
  • Unfortunately it doesn't. The error reported is the same. – Daniele Duboin Aug 22 '14 at 08:08
  • What I once had is that the mapping between is_active did not work properly. Does the local django user still get created? – toabi Aug 22 '14 at 10:16
  • Actually local Django users get created and work. However, LDAP does not populate the Django user table, nor does it allow me to authenticate using the account it contains – Daniele Duboin Aug 22 '14 at 12:37
  • Three things can cause 'Authentication failed for x': can't find the DN (which doesn't appear to be the case), bad password, or AUTH_LDAP_REQUIRE_GROUP/AUTH_LDAP_DENY_GROUP. Install django-auth-ldap 1.2.1 to get a more verbose log message. – psagers Aug 24 '14 at 15:58
  • Maybe it is worth noting that the groups in django-admin (at least for Django 2.2.3) *have to be* objectClass=groupOfNames; with objectClass=posixGroup or objectClass=groupOfUniqueNames it did not work for me. – Christoph Lösch Apr 16 '21 at 23:57

2 Answers


I finally got it working! Debug: a user MUST belong to all groups (active, staff, superuser) to log in to the admin interface, unless a new personal group has been created.

The configuration of settings.py and of the LDAP tree is correct in my last post, so you can keep that information on how to create your LDAP tree and implement it in your Django app. Just remember: if you are using the default groups, add the user to all groups to allow admin login.

Thank you. Bye

Daniele Duboin

Actually I've solved the problems concerning the LDAP objects.
I added some parts to settings.py and changed the structure of the LDAP tree (link to image below).
Now, if I try to log in with the LDAP user's information, the program populates a row in the Django Users table. Checking the Django database I noticed that the user password can't be read by Django admin, but the django_auth_ldap documentation specifies that this is normal.

I still can't log in, however.
The new error I find is:

[26/Aug/2014 09:42:15] "GET /admin/ HTTP/1.1" 200 1870
search_s('ou=users,dc=whiteqube', 2, '(uid=%(user)s)') returned 1 objects: cn=marco rossi,ou=users,dc=whiteqube
DEBUG:django_auth_ldap:search_s('ou=users,dc=whiteqube', 2, '(uid=%(user)s)') returned 1 objects: cn=marco rossi,ou=users,dc=whiteqube
cn=marco rossi,ou=users,dc=whiteqube is a member of cn=enabled,ou=groups,dc=whiteqube
DEBUG:django_auth_ldap:cn=marco rossi,ou=users,dc=whiteqube is a member of cn=enabled,ou=groups,dc=whiteqube
cn=marco rossi,ou=users,dc=whiteqube is not a member of cn=disabled,ou=groups,dc=whiteqube
DEBUG:django_auth_ldap:cn=marco rossi,ou=users,dc=whiteqube is not a member of cn=disabled,ou=groups,dc=whiteqube
Populating Django user mrossi
DEBUG:django_auth_ldap:Populating Django user mrossi
cn=marco rossi,ou=users,dc=whiteqube is a member of cn=superuser,ou=groups,dc=whiteqube
DEBUG:django_auth_ldap:cn=marco rossi,ou=users,dc=whiteqube is a member of cn=superuser,ou=groups,dc=whiteqube
cn=marco rossi,ou=users,dc=whiteqube is not a member of cn=staff,ou=groups,dc=whiteqube
DEBUG:django_auth_ldap:cn=marco rossi,ou=users,dc=whiteqube is not a member of cn=staff,ou=groups,dc=whiteqube
cn=marco rossi,ou=users,dc=whiteqube is a member of cn=active,ou=groups,dc=whiteqube
DEBUG:django_auth_ldap:cn=marco rossi,ou=users,dc=whiteqube is a member of cn=active,ou=groups,dc=whiteqube
/home/andrea/PycharmProjects/wq_asja_gateway_v1/env/local/lib/python2.7/site-packages/django_auth_ldap/backend.py:590: DeprecationWarning: The use of AUTH_PROFILE_MODULE to define user profiles has been deprecated.
  profile = self._user.get_profile()

WARNING:py.warnings:/home/andrea/PycharmProjects/wq_asja_gateway_v1/env/local/lib/python2.7/site-packages/django_auth_ldap/backend.py:590: DeprecationWarning: The use of AUTH_PROFILE_MODULE to define user profiles has been deprecated.
  profile = self._user.get_profile()

Django user mrossi does not have a profile to populate
DEBUG:django_auth_ldap:Django user mrossi does not have a profile to populate

My new settings.py configuration:

#  #  #  #  #  #  #  #  #  #  #  #  #  #  #
# - - - - LDAP CONFIGURATION - - - - #
#
# Importing ldap libraries and applications
import logging  # needed by the debug logger set up at the end of this block
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, PosixGroupType

# ...connecting to ldap server (local environment uses IP)
AUTH_LDAP_GLOBAL_OPTIONS = {
    ldap.OPT_X_TLS_REQUIRE_CERT: False,  # False == ldap.OPT_X_TLS_NEVER: skips server certificate checking, acceptable only for a lab server
    ldap.OPT_REFERRALS: False
}
AUTH_LDAP_SERVER_URI = "ldap://10.0.2.15"

# ...account to enter into ldap server (anonymous is not always allowed)
AUTH_LDAP_BIND_DN = "cn=admin,dc=whiteqube"
AUTH_LDAP_BIND_PASSWORD = "root"

# ...node where to start to search users
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=whiteqube",
                                   ldap.SCOPE_SUBTREE,  # allow searching from current node to all nodes below
                                   "(uid=%(user)s)"
                                   #"(objectClass=posixAccount)"
                                   #"(objectClass=simpleSecurityObject)"
)

# ...path where to start to search groups
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=whiteqube",
                                    ldap.SCOPE_SUBTREE,  # allow searching from current node to all nodes below
                                    "(objectClass=posixGroup)"  # type of object
)
AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr="cn")  # a posixGroup is identified by the keyword "cn" into ldap server

# ...simple group restrictions
AUTH_LDAP_REQUIRE_GROUP = "cn=enabled,ou=groups,dc=whiteqube"
AUTH_LDAP_DENY_GROUP = "cn=disabled,ou=groups,dc=whiteqube"

# ...populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
    "username": "uid",
    "password": "userPassword",  # copies the LDAP password hash into Django's password column; LDAPBackend authenticates against the directory and never reads this field, so the mapping is unnecessary
}
AUTH_LDAP_PROFILE_ATTR_MAP = {
    "home_directory": "homeDirectory"
}

# ...associations between ldap and django groups
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=active,ou=groups,dc=whiteqube",
    "is_staff": "cn=staff,ou=groups,dc=whiteqube",
    "is_superuser": "cn=superuser,ou=groups,dc=whiteqube"
}
AUTH_LDAP_PROFILE_FLAGS_BY_GROUP = {  # the setting name is singular; a misspelt name is silently ignored
    "is_awesome": ["cn=awesome,ou=groups,dc=whiteqube"]
}

# ...use LDAP group membership to calculate permission
AUTH_LDAP_FIND_GROUP_PERMS = True

# Keep ModelBackend around for per-user permissions and maybe a local
# superuser.
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

# Enable debug for ldap server connection
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)
# - - - - END  LDAP CONFIGURATION - - - - #
#  #  #  #  #  #  #  #  #  #  #  #  #  #  #

[image: LDAP tree] ...where:

  • cn=marco rossi (the account I use to log in) is a posixAccount, member of cn=superuser and cn=enabled, both posixGroup.

Any suggestions on how to go on?

Daniele Duboin
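The group checks that run through this whole thread, traced end to end: the question's AUTH_LDAP_USER_FLAGS_BY_GROUP mapping, the three failure causes in psagers's comment, the first answer's observation about group membership, and the second answer's log in which mrossi is in superuser and active but not in staff. This is an added example, not code from django-auth-ldap or from the poster; it re-implements the backend's decision steps in plain Python over an in-memory snapshot of the directory, so it runs without python-ldap or an LDAP server. The DNs are taken from the page; the Account, Group and Settings classes, the admin_login function, the uids' passwords and the scenario helpers are constructed for the example.

```python
"""Offline model of the checks a django-auth-ldap admin login passes through.
Added example, not code from django-auth-ldap or from the poster: the backend's
decision steps are re-implemented in plain Python over an in-memory directory
snapshot, so nothing here talks to an LDAP server. All uids, DNs, group
contents and passwords are constructed to mirror the two trees on this page."""
import copy
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    """A posixAccount: its DN and the bind secret (a real server keeps a {SSHA}
    hash and checks it during the simple bind; plaintext here only stands in for that)."""
    dn: str
    password: str

@dataclass
class Group:
    """A posixGroup: PosixGroupType tests membership through memberUid."""
    dn: str
    member_uids: set = field(default_factory=set)

@dataclass
class Settings:
    """The django-auth-ldap settings that decide whether the admin lets a user in."""
    user_flags_by_group: dict      # AUTH_LDAP_USER_FLAGS_BY_GROUP
    require_group: str = None      # AUTH_LDAP_REQUIRE_GROUP
    deny_group: str = None         # AUTH_LDAP_DENY_GROUP

# Django's defaults for a freshly created user; a flag that is not mapped keeps them.
DJANGO_DEFAULT_FLAGS = {"is_active": True, "is_staff": False, "is_superuser": False}

def is_member(groups, group_dn, uid):
    """A group DN that does not exist in the directory can never match."""
    group = groups.get(group_dn)
    return group is not None and uid in group.member_uids

def resolve_flags(groups, cfg, uid):
    """Every mapped flag is rewritten on each login: True when the user is in the
    group, False otherwise, including when the group itself is missing."""
    flags = dict(DJANGO_DEFAULT_FLAGS)
    flags.update({f: is_member(groups, dn, uid) for f, dn in cfg.user_flags_by_group.items()})
    return flags

def admin_login(accounts, groups, cfg, uid, password):
    """Walk the stages in the order the debug log on this page shows them and
    return (accepted, reason) for the first stage that fails."""
    account = accounts.get(uid)                                   # 1: user search
    if account is None:
        return False, "user search returned 0 objects for %s" % uid
    if not secrets.compare_digest(account.password, password):    # 2: simple bind
        return False, "Authentication failed for %s (bind rejected)" % uid
    if cfg.require_group and not is_member(groups, cfg.require_group, uid):   # 3: groups
        return False, "%s is not a member of %s" % (account.dn, cfg.require_group)
    if cfg.deny_group and is_member(groups, cfg.deny_group, uid):
        return False, "%s is a member of %s" % (account.dn, cfg.deny_group)
    flags = resolve_flags(groups, cfg, uid)                       # 4: populate user
    # The admin login form admits only users that are both active and staff;
    # is_superuser on its own opens nothing.
    for required in ("is_active", "is_staff"):
        if not flags[required]:
            return False, "%s is False: %s is not in %s" % (
                required, uid, cfg.user_flags_by_group[required])
    return True, "admin login accepted with flags %s" % flags

GROUPS_OU = "ou=groups,dc=whiteqube"
FLAGS = {"is_active": "cn=active,%s" % GROUPS_OU,
         "is_staff": "cn=staff,%s" % GROUPS_OU,
         "is_superuser": "cn=superuser,%s" % GROUPS_OU}

# Scenario A, the question's tree: only staff and superuser exist, there is no cn=active.
ACCOUNTS_A = {"sonia": Account("cn=sonia,ou=users,dc=whiteqube", "constructed-pw-1")}
GROUPS_A = {dn: Group(dn, {"sonia"}) for dn in (FLAGS["is_staff"], FLAGS["is_superuser"])}
SETTINGS_A = Settings(FLAGS)

# Scenario B, the second answer's tree: the user is in superuser, active and
# enabled (the REQUIRE_GROUP) but not in staff.
ENABLED, DISABLED = "cn=enabled,%s" % GROUPS_OU, "cn=disabled,%s" % GROUPS_OU
ACCOUNTS_B = {"mrossi": Account("cn=marco rossi,ou=users,dc=whiteqube", "constructed-pw-2")}
GROUPS_B = {dn: Group(dn, {"mrossi"}) for dn in (ENABLED, FLAGS["is_superuser"], FLAGS["is_active"])}
GROUPS_B.update({dn: Group(dn) for dn in (DISABLED, FLAGS["is_staff"])})
SETTINGS_B = Settings(FLAGS, require_group=ENABLED, deny_group=DISABLED)

def scenario_a():
    return admin_login(ACCOUNTS_A, GROUPS_A, SETTINGS_A, "sonia", "constructed-pw-1")

def scenario_b():
    return admin_login(ACCOUNTS_B, GROUPS_B, SETTINGS_B, "mrossi", "constructed-pw-2")

def scenario_b_fixed():
    """The same tree with mrossi added to cn=staff, the one membership that was missing."""
    groups = copy.deepcopy(GROUPS_B)
    groups[FLAGS["is_staff"]].member_uids.add("mrossi")
    return admin_login(ACCOUNTS_B, groups, SETTINGS_B, "mrossi", "constructed-pw-2")

if __name__ == "__main__":
    for name, run in (("A", scenario_a), ("B", scenario_b), ("B fixed", scenario_b_fixed)):
        print(name, *run())
```

Scenario A reproduces the question's tree and shows that a flag mapped to a group DN that does not exist in the directory (cn=active) is forced to False on every login, which the Django admin then treats as an inactive account. Scenario B reproduces the second answer's log: the bind, the REQUIRE_GROUP and DENY_GROUP tests and the user population all pass, but the admin's login form only admits users that are both is_active and is_staff, so is_superuser alone is not enough; scenario_b_fixed adds the one missing memberUid. Run the file directly to print all three outcomes.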