Active Directory integration with ldaps

Hi, I have an AD configured with LDAPS, and I can connect to the domain controller from the uwsgi docker container with ldapsearch and retrieve info from AD with the specified account:

```
root@410b9cec85b7:/code# ldapsearch -H "ldaps://gcs.xxx.net:3269" -D "cn=kdmc343,ou=Service,ou=NPA,dc=emea,dc=xxx,dc=net" -W -b "OU=Accounts,DC=emea,DC=xxx,DC=net" cn=krhr138
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <OU=Accounts,DC=emea,DC=xxx,DC=net> with scope subtree
# filter: cn=krhr138
# requesting: ALL
#

# krhr138, Partners, Accounts, emea.xxx.net
dn: CN=krhr138,OU=Partners,OU=Accounts,DC=emea,DC=xxx,DC=net
...
```

But when I try to do this from the web form, the uwsgi logs show an error that I cannot connect to the DC:

```
uwsgi_1   | Caught LDAPError while authenticating krhr138: SERVER_DOWN({'info': '(unknown error code)', 'desc': "Can't contact LDAP server"},)
uwsgi_1   | [pid: 82|app: 0|req: 2/4] 10.114.156.57 () {50 vars in 1208 bytes} [Tue Mar 26 10:19:43 2019] POST /ldap_auth/login/?next=http://sregistry.scp.xxx.net/login/ => generated 5972 bytes in 5307 msecs (HTTP/1.1 200) 7 headers in 395 bytes (1 switches on core 3)
```

The configuration looks like this:

```python
import ldap
from django_auth_ldap.config import LDAPSearch, PosixGroupType

# The URI to our LDAP server (may be ldap:// or ldaps://)
AUTH_LDAP_SERVER_URI = "ldaps://gcs.xxx.net:3269"

# DN and password needed to bind to LDAP to retrieve user information
# Can leave blank if anonymous binding is sufficient
AUTH_LDAP_BIND_DN = "cn=kdmc343,ou=Service,ou=NPA,dc=emea,dc=xxx,dc=net"
AUTH_LDAP_BIND_PASSWORD = "<my_password>"

# Any user account that has valid auth credentials can login
AUTH_LDAP_USER_SEARCH = LDAPSearch("dc=emea,dc=xxx,dc=net",
                                   ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
                                   )

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=Groups,ou=XEM,dc=emea,dc=xxx,dc=net",
                                    ldap.SCOPE_SUBTREE, "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
                                    )

AUTH_LDAP_GROUP_TYPE = PosixGroupType()

# Populate the Django user model from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}

# Map LDAP group membership into Django admin flags
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_superuser": "CN=XEM-SCP,OU=Groups,OU=XEM,DC=emea,DC=xxx,DC=net"
}
```

Do you have any ideas how to cope with this error, or how to configure the plugin to work with TLS? I think that LDAPS may cause this. I am not able to check the connection over the ldap protocol without TLS.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
sgabenov commented, Mar 27, 2019

Finally got this working; the problem was that the docker image should have a correctly configured OpenLDAP inside and have the CA certificate installed inside. So to do so:

  1. Get into the uwsgi container: docker exec -it sregistry_uwsgi_1 /bin/bash
  2. Configure OpenLDAP and get the CA cert into the container. Let's say our DC is gcs.xxx.net:

```sh
echo -n | openssl s_client -connect gcs.xxx.net:3269 -showcerts 2>/dev/null | awk '/ 0 s/,/ 1 s/{print}' | tail -n +3 | head -n -1 > /usr/local/share/ca-certificates/gcs.crt
echo "TLS_REQCERT never" >> /etc/ldap/ldap.conf
```
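The awk pipeline in that comment keeps only chain entry 0 (the DC's own leaf certificate), and `TLS_REQCERT never` then switches certificate verification off, so the ldaps:// session is no longer authenticated. As an added example (not code from the issue, from django-auth-ldap or from the sregistry project), the following parses a constructed `openssl s_client -showcerts` output, keeps the issuer certificates that belong in a CA bundle, and emits the ldap.conf lines that verify the DC instead; the sample output and its PEM bodies are placeholders, not real certificates.

```python
import re
from typing import List

# Constructed sample of `openssl s_client -showcerts` output (not a real capture);
# the PEM bodies are placeholders. Entry 0 is the server leaf, entry 1 its issuer.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = gcs.xxx.net
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDERLINE1
LEAFPLACEHOLDERLINE2
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
CAPLACEHOLDERLINE1
-----END CERTIFICATE-----
---
Server certificate
subject=CN = gcs.xxx.net
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----", re.S
)


def pem_blocks(showcerts_output: str) -> List[str]:
    """Every PEM certificate in the chain, in the order the server sent them."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(showcerts_output)]


def trust_anchor_candidates(showcerts_output: str) -> List[str]:
    """Drop entry 0: the leaf is not a trust anchor, the issuer certificates after
    it are. Servers often omit the root, so compare the last issuer against the
    root your AD CA publishes before installing the bundle."""
    return pem_blocks(showcerts_output)[1:]


def ldap_conf_lines(cacert_path: str) -> List[str]:
    """ldap.conf settings that make OpenLDAP verify the DC's certificate against
    the installed CA rather than disabling the check with TLS_REQCERT never."""
    return [f"TLS_CACERT {cacert_path}", "TLS_REQCERT demand"]


def write_ca_bundle(path: str, showcerts_output: str) -> int:
    """Write the issuer certificates to `path`; returns how many were written."""
    blocks = trust_anchor_candidates(showcerts_output)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("".join(blocks))
    return len(blocks)
```

django-auth-ldap can pin the same trust anchor per connection instead of relying on ldap.conf, via AUTH_LDAP_CONNECTION_OPTIONS with ldap.OPT_X_TLS_CACERTFILE set to the bundle path, ldap.OPT_X_TLS_REQUIRE_CERT set to ldap.OPT_X_TLS_DEMAND, and ldap.OPT_X_TLS_NEWCTX set to 0 so the options take effect.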
0 reactions
vsoch commented, Mar 27, 2019

Excellent, thank you.
