I'm having problems getting LDAP users authenticated with django-auth-ldap 1.2.8. I can log in using Apache Directory Studio as follows:

hostname: private.pai.org
port: 389
Auth: Bind DN – `cn=testuser1@test.com,ou=users,dc=ldap,dc=pai,dc=org`
Bind Password: thePassword

But when trying with Django with the following settings:

import ldap
from django_auth_ldap.config import LDAPSearch,GroupOfUniqueNamesType

# logging
import logging
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)

# where to search
AUTH_LDAP_SERVER_URI = "ldap://private.pai.org:389"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "ou=users,dc=ldap,dc=pai,dc=org",
    ldap.SCOPE_SUBTREE, "(cn=%(user)s)"
)

# group settings
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "dc=ldap,dc=pai,dc=org",
    ldap.SCOPE_SUBTREE, "(objectClass=GroupOfUniqueNames)"
)

AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()

# disable caching
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 0
AUTH_LDAP_CACHE_GROUPS = 0

# bind user to django groups
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": ("ou=users,dc=ldap,dc=pai,dc=org"),
    "is_staff": ("ou=users,dc=ldap,dc=pai,dc=org")
}

AUTH_LDAP_USER_ATTR_MAP = {
    "email": "cn"
}

I'm getting the following error:

search_s('ou=users,dc=ldap,dc=pai,dc=org', 2, '(cn=testuser1@test.com)') raised NO_SUCH_OBJECT({'desc': u'No such object'},)

This looks like the cn cannot be found in ou? Can somebody say how to overcome this error?

Anatol
  • NO_SUCH_OBJECT on a search request means the base of the search cannot be found. It could be because the DN has a typo, or it could be that the user has no permissions to read or search within that part of the tree and the server is just returning an error that wouldn't leak information about the data. – Ludovic Poitou Mar 15 '19 at 08:14
  • thanks @LudovicPoitou what irritates is that this user can connect via Apache Directory Studio without problems? Same bind, same credentials, same host? – Anatol Mar 15 '19 at 10:10
  • as shown above this is the dn bind in apache studio `cn=testuser1@test.com,ou=users,dc=ldap,dc=pai,dc=org` and this is the search in django-auth-ldap `AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=ldap,dc=pai,dc=org", ldap.SCOPE_SUBTREE, "(cn=%(user)s)" )` looks correct, right? – Anatol Mar 15 '19 at 10:16
  • With Apache Studio, you are doing a bind. In Django, you are doing a search to find the user (and that will give you the DN). The server may refuse to do the search if there is no authentication (anonymous search). – Ludovic Poitou Mar 18 '19 at 08:38
  • thanks, @LudovicPoitou this makes sense. In case the server does not allow anonymous search I could use a privileged user by subclassing LDAP backend, correct? (https://django-auth-ldap.readthedocs.io/en/latest/authentication.html#customizing-authentication) – Anatol Mar 18 '19 at 09:10
  • Nope, I was wrong with that. I think the way to go is: "If you can’t search anonymously, you can set AUTH_LDAP_BIND_DN to the distinguished name of an authorized user and AUTH_LDAP_BIND_PASSWORD to the password." – Anatol Mar 18 '19 at 09:14
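
As an added example (not part of the original thread): one way to supply the `AUTH_LDAP_BIND_DN` / `AUTH_LDAP_BIND_PASSWORD` settings quoted in the last comment from the environment, failing closed instead of falling back to an anonymous search. The environment variable names, the helper `ldap_bind_settings` and the service-account DN are hypothetical, and StartTLS support on the server is an assumption.

```python
import os

# Hypothetical environment variable names (not from the original post).
ENV_BIND_DN = "DJANGO_LDAP_BIND_DN"
ENV_BIND_PASSWORD = "DJANGO_LDAP_BIND_PASSWORD"


def ldap_bind_settings(env=os.environ):
    """Return django-auth-ldap settings for an authenticated search bind.

    Raises ValueError rather than letting the backend search anonymously,
    which is the situation that produced NO_SUCH_OBJECT in the question.
    """
    bind_dn = env.get(ENV_BIND_DN, "").strip()
    password = env.get(ENV_BIND_PASSWORD, "")

    if not bind_dn or "=" not in bind_dn:
        raise ValueError(f"{ENV_BIND_DN} must be a full DN (cn=...,ou=...)")
    # A simple bind with a DN but an empty password is an "unauthenticated"
    # bind (RFC 4513, section 5.1.2): the server either rejects it or treats
    # the session as anonymous, so the user search would still be refused.
    if not password:
        raise ValueError(f"{ENV_BIND_PASSWORD} must not be empty")

    return {
        "AUTH_LDAP_BIND_DN": bind_dn,
        "AUTH_LDAP_BIND_PASSWORD": password,
        # The question uses ldap:// on port 389; without StartTLS the
        # service password and every user's password travel in cleartext.
        # Assumption: the server supports StartTLS.
        "AUTH_LDAP_START_TLS": True,
    }


# In settings.py, next to AUTH_LDAP_USER_SEARCH:
#     globals().update(ldap_bind_settings())

if __name__ == "__main__":
    # Constructed sample values; the service-account DN is hypothetical.
    sample = {
        ENV_BIND_DN: "cn=svc-django,ou=users,dc=ldap,dc=pai,dc=org",
        ENV_BIND_PASSWORD: "constructed-example-secret",
    }
    for key, value in ldap_bind_settings(sample).items():
        print(key, "=", "***" if "PASSWORD" in key else value)
```

The service account only needs read/search rights on the subtree used in `AUTH_LDAP_USER_SEARCH`; the user's own password is still verified by a second bind as the DN that the search returns.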

0 Answers