
I'm trying to set up the university LDAP for my bachelor thesis but cannot figure out what I am doing wrong. I get this message:

Caught LDAPError while authenticating my_actual_id: SERVER_DOWN({'desc': "Can't contact LDAP server"})

My settings are:

import ldap
from django_auth_ldap.config import LDAPSearch

LDAP_AUTH_FORMAT_USERNAME = "django_python3_ldap.utils.format_username_active_directory"
# LDAP_AUTH_CONNECTION_USERNAME = "dc=my-university,dc=de"

# The URL of the LDAP server.
AUTH_LDAP_SERVER_URI = "ldaps://ldap.my-university.de:636"
AUTH_LDAP_START_TLS = True
# AUTH_LDAP_BIND_DN = "dc=my-university,dc=de"
AUTH_LDAP_BIND_DN = ""
AUTH_LDAP_BIND_PASSWORD = ""
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=people,dc=2017,dc=INF,dc=Studenten,dc=my-university,dc=de", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
# AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=people,dc=my-university,dc=de", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
# AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_REFERRALS: False}

I need to search anonymously and need to do a search/bind. That is what my university told me, but they won't provide any help. I configured this user search because I study computer science and my uid is under this path. I wanted it to work at least for me.

The structure of my university ldap is this:

my-university
├── dc=BW
│   ├── dc=Institute1
│   │   ├── ou=people
│   ├── dc=Institute2
│   │   ├── ou=people
├── dc=Students
│   ├── dc=INF
│   │   ├── dc=2018
│   │   │   └── ou=people
│   │   ├── dc=2019
│   ├── dc=PSY
│   │   ├── dc=2018
│   │   │   └── ou=people
│   │   ├── dc=2019

and so on

That means that the ou=people are on several levels. Sometimes on level 3, sometimes on level 4, if you know what I mean by saying "level".

1 Answer

  1. STARTTLS is not used with LDAPS -- STARTTLS is a way to negotiate encryption on a clear text connection. LDAPS negotiates encryption from the start. Comment out AUTH_LDAP_START_TLS = True if you are using ldaps in the server URI.

  2. Verify you can communicate with the hostname on port 636 (e.g. nmap -P0 -p636 ldap.example.com or telnet ldap.example.com 636) -- if you are unable to communicate with the host, you're resolving a network/firewall/name resolution type of problem completely unrelated to your code.

  3. Are you able to use clear text LDAP (i.e. eliminate SSL negotiation as a problem)? This may not be possible as the University may not expose clear-text LDAP for security reasons, but AUTH_LDAP_SERVER_URI = "ldap://ldap.example.com:389" would be the likely clear text LDAP host:port.

  4. Are you able to use an LDAP client to bind and search against the directory? On Linux, ldapsearch is a common utility. Apache Directory Studio is a full-featured GUI client. Windows has ldp.exe too, which is a simpler client. Put in the hostname, port, and your credentials.

  5. Are you certain they require an anonymous bind? From the first line, it appears that you are using Active Directory (AD) as the LDAP provider. AD has disabled anonymous binds by default since Windows 2003. There's a setting to enable it, so it's possible they've got an AD set up to allow anonymous binds ... but that's the only other thing that stands out to me in your config.

If you are able to use clear text LDAP, then the likely culprit is the certificate trust. There are plenty of sites that walk through setting up the certificate trust. If you are unable to use clear text LDAP, possibly the University's admins would be more willing to answer direct questions than they are to support general "it doesn't work" issues. Is clear text LDAP available?

Once you get to the point of connecting, the search scope SUBTREE is designed to handle exactly what you're talking about where users are at various locations in the tree. A subtree search at the base dc=Studenten,dc=my-university,dc=de should identify accounts anywhere under that 'level'. There's also a "search union" which allows you to specify more than one search base. This would be useful if you intend to locate students in PHY and INF but not ART or CHEM.

LisaJ
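As an added diagnostic (my example, not code from the question or the answer), the stdlib-only Python below separates the failure layers the answer walks through: the STARTTLS-with-ldaps misconfiguration from point 1, the port 636 reachability check from point 2, and the certificate-trust failure described afterwards, all before Django or python-ldap are involved. `ldap.my-university.de` is the question's placeholder host, and the loopback port in the demo is a constructed "nothing listening" case.

```python
import socket
import ssl
from urllib.parse import urlsplit

def check_ldaps_config(server_uri, start_tls):
    """STARTTLS upgrades a clear-text ldap:// session; ldaps:// is TLS from the
    first byte, so configuring both together is a misconfiguration (answer, point 1)."""
    if urlsplit(server_uri).scheme.lower() == "ldaps" and start_tls:
        return "starttls-with-ldaps"
    return "ok"

def classify_connection(server_uri, cafile=None, timeout=5.0):
    """Report the first layer that fails: dns, refused, unreachable, untrusted-cert,
    tls-error or ok. Pass cafile to test a specific CA bundle instead of the system store."""
    parts = urlsplit(server_uri)
    host = parts.hostname
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:          # name resolution failed
        return "dns"
    except ConnectionRefusedError:   # host answers, nothing listens on the port
        return "refused"
    except OSError:                  # timeout, firewall drop, no route
        return "unreachable"
    if parts.scheme != "ldaps":
        sock.close()
        return "ok"                  # clear-text TCP works; no TLS attempted
    ctx = ssl.create_default_context(cafile=cafile)   # system trust store by default
    tls = ctx.wrap_socket(sock, server_hostname=host, do_handshake_on_connect=False)
    try:
        tls.do_handshake()           # validates chain and hostname, as python-ldap would
        return "ok"
    except ssl.SSLCertVerificationError:
        return "untrusted-cert"      # TCP is fine; the server's CA is not trusted locally
    except OSError:
        return "tls-error"           # handshake refused, protocol mismatch, reset
    finally:
        tls.close()

def unused_local_port():
    """Constructed input for the demo: a loopback port nobody listens on ("refused")."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    uri = "ldaps://ldap.my-university.de:636"   # placeholder host from the question
    print("config check:", check_ldaps_config(uri, start_tls=True))
    print("loopback refused demo:", classify_connection("ldaps://127.0.0.1:%d" % unused_local_port()))
```

An `untrusted-cert` result with the system store that turns into `ok` when `cafile` points at the university's CA bundle means the fix is trust configuration on the client (python-ldap's `ldap.OPT_X_TLS_CACERTFILE` via `AUTH_LDAP_CONNECTION_OPTIONS`), not the Django search settings.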