Converting authentication from LDAP to AD LDAPS

Python + Django

==============
Following Django Docs: https://django-auth-ldap.readthedocs.io/en/latest/authentication.html

OLD:
AUTH_LDAP_SERVER_URI = "ldap://ldap-example.test.com"
NEW:
AUTH_LDAP_SERVER_URI = "ldaps://ad.example.com"

==============
I have worked with the AD administrator to set these values correctly. I changed the values themselves for obvious privacy reasons.

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

# Service-account bind, then a search for the user's entry
AUTH_LDAP_BIND_DN = "cn=ex-test,cn=user,dc=test,dc=ad"
AUTH_LDAP_BIND_PASSWORD = "{PASSWORD}"
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=sites,dc=test,dc=ad", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_REFERRALS: 0}

# Direct bind using a DN built from the username
AUTH_LDAP_USER_DN_TEMPLATE = "cn=%(user)s,ou=sites,dc=test,dc=ad"
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("cn=priv-ex,ou=due,ou=ldap,ou=shared,dc=test,dc=ad", ldap.SCOPE_SUBTREE)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr='cn')

AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}

AUTH_LDAP_REQUIRE_GROUP = "cn=DUE-MAIN,ou=DUE,ou=Applications,ou=Sharing,o=LDAP"

==============

Problem

It will not work for login. I do not know what I am doing wrong as I am following the docs precisely.

Questions

Q1: Is there any way I can test the connection from a terminal or command line?

Q2: I have seen the django-pyad package recommended with a settings.py that looks like:

# settings.py
AUTHENTICATION_BACKENDS = [
    'django_pyad.backend.ADBackend',
]

# AD configuration
AD_LDAP_SERVER = "ad.example.com"
AD_NT4_DOMAIN = "example"
AD_SEARCH_DN = "OU=Users,DC=ad,DC=example,DC=com"

Should I scrap what I did for the previous LDAP tree and go this route instead? Or can I re-use the previous LDAP connection code but change the values for AD like I am doing now?

Crunchy
  • "Will not work" can mean a lot of things. What *does* happen? Is there an error message? – Gabriel Luci Dec 20 '22 at 19:53
  • @GabrielLuci does not authenticate the given username and password. No error message. – Crunchy Dec 20 '22 at 19:56
  • Is the SSL certificate being used from a trusted source, or is it self-signed? Does the domain name on the cert (or one of the subject alternative names) match exactly the domain name you're using to connect (e.g. `ad.example.com`)? – Gabriel Luci Dec 20 '22 at 19:57
  • You can try telling it to ignore certificate errors with: `AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER}` If that works, then you know it's an issue with trusting the certificate. – Gabriel Luci Dec 20 '22 at 20:00
  • @GabrielLuci I tried adding the global options line and no success. I have not done LDAPS. Am I supposed to have an SSL cert in the project directory? I will try and educate myself on that. However, without the cert my understanding is the global options line would still fix it. I'm wondering if the AD admin gave me some wrong info. Thank you for your replies by the way. – Crunchy Dec 20 '22 at 20:27
  • Try to find an error message. See here about the logging: https://django-auth-ldap.readthedocs.io/en/latest/logging.html – Gabriel Luci Dec 20 '22 at 20:37
  • @GabrielLuci I have tried that actually. I already have ERROR, INFO, DEBUG, and WARN level logs setup and can view the logs but no error message related to the authentication comes in unfortunately – Crunchy Dec 20 '22 at 20:56
  • @GabrielLuci It was actually a misspelling for an argument from the AD admin. Once I changed that I was able to test the connection to the LDAP server successfully. However, still cannot authenticate the user but at the very least I now have a readable error message which is: Authentication failed for MyUser: user DN/password rejected by LDAP server.\r, referer: http://mysite-uat.example.com/site/login/ – Crunchy Dec 21 '22 at 23:03
  • So that means either your `AUTH_LDAP_BIND_DN` or `AUTH_LDAP_BIND_PASSWORD` is wrong, I think. Active Directory may want you to use the regular username (`sAMAccountName`) as the `AUTH_LDAP_BIND_DN`, or the `userPrincipalName`. – Gabriel Luci Dec 22 '22 at 02:41
  • @GabrielLuci Thank you for your help thus far. Understand, I am able to get it to work on ldap3 using the same argument though. I have posted a new question to further clarify this. I will look into your response though. Please see the link https://stackoverflow.com/questions/74893113/problem-converting-ldaps-connection-from-ldap3-to-django-auth-ldap-in-python-dja – Crunchy Dec 22 '22 at 19:35
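
Q1 (testing the connection from a terminal) is not answered directly in the thread, so here is an added command-line smoke test written for this page; it is not code from the question, the comments or django-auth-ldap. It uses python-ldap, the library django-auth-ldap is built on, and follows the search-and-bind layout from the question: the service account binds, the user's entry is looked up by `sAMAccountName` (the AD attribute mentioned in the comments), and the user's own DN and password are tried in a second bind. Instead of switching certificate checking off with `OPT_X_TLS_NEVER`, it points `OPT_X_TLS_CACERTFILE` at the AD CA bundle, so a trust problem still shows up as a clear failure rather than being hidden. The host, DNs, filter template and CA file path are placeholders; `check_login` takes any object with `simple_bind_s()` and `search_s()` so its decision logic can be exercised without a directory.

```python
"""Command-line smoke test for an LDAPS login path (added example, assumptions noted inline)."""
import argparse
import getpass
import sys

try:
    import ldap  # python-ldap, the library django-auth-ldap is built on
    INVALID_CREDENTIALS = ldap.INVALID_CREDENTIALS
except ImportError:  # keep the pure helpers importable when python-ldap is absent
    ldap = None

    class INVALID_CREDENTIALS(Exception):
        pass

# RFC 4515 escaping for a value interpolated into a search filter, so a username such
# as "x*)(cn=*" cannot widen the search. django-auth-ldap escapes %(user)s itself; a
# hand-written test script has to do it.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template, username):
    """Fill a django-auth-ldap style template such as "(sAMAccountName=%(user)s)"."""
    return template % {"user": escape_filter_value(username)}


def check_login(conn, bind_dn, bind_password, base_dn, filter_template, username, password):
    """Return (status, detail). conn needs only simple_bind_s() and search_s()."""
    if not password:
        # AD treats a bind with an empty password as anonymous and reports success,
        # so an "ok" here would be meaningless.
        return "empty-password", username
    try:
        conn.simple_bind_s(bind_dn, bind_password)
    except INVALID_CREDENTIALS:
        return "service-bind-failed", bind_dn
    user_filter = build_user_filter(filter_template, username)
    scope = ldap.SCOPE_SUBTREE if ldap else 2
    # "1.1" asks for no attributes; entries with a None DN are AD referrals and are skipped.
    hits = [dn for dn, _ in conn.search_s(base_dn, scope, user_filter, ["1.1"]) if dn]
    if not hits:
        return "user-not-found", user_filter
    if len(hits) > 1:
        return "ambiguous", hits
    try:
        conn.simple_bind_s(hits[0], password)
    except INVALID_CREDENTIALS:
        return "user-bind-failed", hits[0]
    return "ok", hits[0]


def open_connection(uri, ca_file):
    """LDAPS with the server certificate verified against the AD CA bundle."""
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # build the TLS context from the options above
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD referrals cannot be chased anonymously
    return conn


def main(argv=None):
    p = argparse.ArgumentParser(description="Test an LDAPS service bind and a user login.")
    p.add_argument("--uri", default="ldaps://ad.example.com")  # placeholder host
    p.add_argument("--ca-file", default="/etc/ssl/certs/ad-ca.pem")  # placeholder path
    p.add_argument("--bind-dn", required=True)
    p.add_argument("--base-dn", required=True)
    p.add_argument("--filter", default="(sAMAccountName=%(user)s)")
    p.add_argument("--user", required=True)
    args = p.parse_args(argv)
    if ldap is None:
        sys.exit("python-ldap is not installed (pip install python-ldap)")
    conn = open_connection(args.uri, args.ca_file)
    svc_pw = getpass.getpass("Service account password: ")
    user_pw = getpass.getpass("Password for %s: " % args.user)
    try:
        status, detail = check_login(conn, args.bind_dn, svc_pw, args.base_dn,
                                     args.filter, args.user, user_pw)
    except ldap.SERVER_DOWN as exc:
        # Untrusted or mismatched certificates surface here as "Can't contact LDAP server".
        print("connection failed:", exc)
        return 2
    print(status, detail)
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python ldaps_check.py --bind-dn "cn=svc,ou=...,dc=ad" --base-dn "dc=ad" --user jdoe`; each status names the stage that failed, which is more than the single "user DN/password rejected" line from the comments gives you. The empty-password guard matters because AD accepts an empty password as an anonymous bind, so a naive test would report success for an unauthenticated user.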

1 Answer


Use either #1 or #2 to authenticate but NOT both at the same time. This was my problem.

#1:

AUTH_LDAP_BIND_DN = 
AUTH_LDAP_BIND_PASSWORD = 
AUTH_LDAP_USER_SEARCH = LDAPSearch()

#2:

AUTH_LDAP_USER_DN_TEMPLATE = 
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
Crunchy
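
The rule in this answer (configure #1 or #2, never both) is easy to break again on the next edit, so here is an added settings audit written for this page; it is not part of the question, the answer or django-auth-ldap. It checks the three things this thread turned on: both bind strategies configured at once, a plain `ldap://` URI after the LDAPS migration (unless `AUTH_LDAP_START_TLS` is set), and certificate verification switched off with `OPT_X_TLS_NEVER`, which the comments proposed only as a diagnostic. It takes a plain dict, so `vars(settings_module)` or Django's `settings.__dict__` can be passed in, and it can be wrapped in a Django system check; the fallback constant values are assumed OpenLDAP values used only when python-ldap is not importable.

```python
"""Audit django-auth-ldap settings for the pitfalls discussed in this thread (added example)."""
try:
    import ldap
    OPT_X_TLS_REQUIRE_CERT = ldap.OPT_X_TLS_REQUIRE_CERT
    OPT_X_TLS_NEVER = ldap.OPT_X_TLS_NEVER
except ImportError:  # assumed OpenLDAP constant values, used only without python-ldap
    OPT_X_TLS_REQUIRE_CERT = 0x6006
    OPT_X_TLS_NEVER = 0

# Keys that select search-and-bind (#1) and direct bind (#2) in django-auth-ldap.
SEARCH_AND_BIND = ("AUTH_LDAP_BIND_DN", "AUTH_LDAP_BIND_PASSWORD", "AUTH_LDAP_USER_SEARCH")
DIRECT_BIND = ("AUTH_LDAP_USER_DN_TEMPLATE",)


def audit_auth_ldap_settings(settings):
    """settings: mapping of AUTH_LDAP_* values. Returns a list of human-readable findings."""
    findings = []

    search = [k for k in SEARCH_AND_BIND if settings.get(k)]
    direct = [k for k in DIRECT_BIND if settings.get(k)]
    if search and direct:
        findings.append(
            "both search-and-bind (%s) and direct bind (%s) are configured; keep one"
            % (", ".join(search), ", ".join(direct)))

    uri = str(settings.get("AUTH_LDAP_SERVER_URI", ""))
    if not uri.lower().startswith("ldaps://") and not settings.get("AUTH_LDAP_START_TLS"):
        findings.append(
            "AUTH_LDAP_SERVER_URI %r is not ldaps:// and START_TLS is off; "
            "bind passwords would cross the network in clear" % uri)

    tls_mode = (settings.get("AUTH_LDAP_GLOBAL_OPTIONS") or {}).get(OPT_X_TLS_REQUIRE_CERT)
    if tls_mode == OPT_X_TLS_NEVER:
        findings.append(
            "OPT_X_TLS_REQUIRE_CERT is OPT_X_TLS_NEVER: the server certificate is not verified; "
            "point OPT_X_TLS_CACERTFILE at the AD CA bundle instead")

    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the question's settings: both #1 and #2 present.
    sample = {
        "AUTH_LDAP_SERVER_URI": "ldaps://ad.example.com",
        "AUTH_LDAP_BIND_DN": "cn=ex-test,cn=user,dc=test,dc=ad",
        "AUTH_LDAP_BIND_PASSWORD": "{PASSWORD}",
        "AUTH_LDAP_USER_SEARCH": object(),
        "AUTH_LDAP_USER_DN_TEMPLATE": "cn=%(user)s,ou=sites,dc=test,dc=ad",
        "AUTH_LDAP_BIND_AS_AUTHENTICATING_USER": True,
    }
    for line in audit_auth_ldap_settings(sample):
        print("WARNING:", line)
```

Calling `audit_auth_ldap_settings(vars(settings))` at the end of settings.py, or from a `@register()` Django check, turns each finding into a startup warning instead of a silent login failure with no log line, which is exactly how the problem in the question first showed up.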