LDAP auth on Active Directory


#1

I'm looking to set up auth in vespene and connect to an Active Directory server. We've got AD auth working with some other applications in our environment but haven't ever done this with a Django app.

Does anyone have an example /etc/vespene/settings.d/authentication.py they could share where authentication against Active Directory is working?

Here's the minimal config I was thinking should work...

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

# Plaintext LDAP to the domain controller (ldaps:// would protect the bind password on the wire)
AUTH_LDAP_SERVER_URI = 'ldap://local_dc_server'

# Service account used for the initial bind and for the user search below
AUTH_LDAP_BIND_DN = 'CN=bind_account_uid,OU=bindAccounts,OU=Infrastructure,DC=redacted,DC=local'
AUTH_LDAP_BIND_PASSWORD = 'redacted'

# Locate the user's DN by substituting the login name into the filter;
# %(user)s is filled in by django-auth-ldap (the value is escaped first).
# Note: taken from the django-auth-ldap example, which uses uid.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'OU=allUsers,DC=redacted,DC=local',
    ldap.SCOPE_SUBTREE,
    '(uid=%(user)s)',
)

#2

Hey @mcodd,

Can you clarify what you mean by "isn't working"? That's somewhat of my favorite trigger phrase, but that may also help you get some help.

Usually it's a question of getting the search string right, and IIRC you can test that out with the LDAP command line tools prior to trying it from Python.

The person who set it up before and did authentication.py is @dncrash

See thread:


#3

This is something I'm in the process of getting working at the moment too.
Having installed Apache Directory Studio and got hold of a bind credential, I'm stuck due to a networking issue, but I think you might need to change the 'filter' part of the LDAPSearch to something like the following.

# AD user objects carry sAMAccountName rather than uid. The login name must
# still be substituted via %(user)s: a bare (sAMAccountName=*) would match every
# account under the base DN and the user search needs exactly one result.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'OU=allUsers,DC=redacted,DC=local',
    ldap.SCOPE_SUBTREE,
    '(&(objectCategory=Person)(sAMAccountName=%(user)s))',
)

I think this is only the first part of what you'll need, as to be useful you'll also need to get group membership out of AD so that users can be granted access to appropriate objects within vespene.

I can certainly recommend using some kind of ldap query tool to make sure you can connect and search, and then query for groups as well.

Hope this is a bit of a help anyway.

Jon


#4

Thanks Michael and Jon for the pointers!

To be more clear about what I've done so far: basically I found the thread noted above and that got me pointed to the /etc/vespene/settings.d/authentication.py file. After updating it with some settings I thought would work based on the docs at https://django-auth-ldap.readthedocs.io/en/latest/example.html, I tried to log in using my AD credentials and was denied. I looked around for logs that might tell me something along the lines that Michael suggested (e.g. "couldn't find that username", meaning my search string was wrong), but couldn't find anything. I resorted to using plaintext LDAP + tcpdump and I think what I'm seeing is the bind credential going through just fine and then my user's authentication, but the response on the wire wasn't helpful in telling me any more about the failure. Thank you both for the suggestion of an LDAP query tool, seems like a much more sane way to debug this!

It sounds like there's nothing completely wrong with my basic config and that the search string is almost certainly the problem, so that's where I'll focus first!

matt


#5

Success! The LDAP search filter was the issue. The django-auth-ldap documentation uses uid in the example config, but that is not an attribute that has a value in our AD. After updating the filter to use (sAMAccountName=%(user)s) as suggested by Jon, I'm able to log in.

Now to take a look at group membership as well... I suspect after a couple of us have gotten through this it'd be a good idea to get some documentation up about it, as everything about LDAP at this point (that I could find at least) is in the forum here.

matt
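The point #3 and #5 arrive at, shown offline: how a django-auth-ldap user-search filter template is rendered and what each candidate filter actually returns against AD-shaped entries. This is an added example and is not Vespene or django-auth-ldap code; the directory entries are constructed sample data, and `escape_filter_chars`, `render_filter`, `matches`, `search_user` and `lookup_user` are this example's own helpers (a tiny RFC 4515 evaluator, not python-ldap). It shows why `(uid=%(user)s)` finds nobody in AD, why the `sAMAccountName=*` form returns too many entries to identify one user, and why the login name must be escaped before substitution.

```python
"""Render django-auth-ldap style search templates and evaluate them against
constructed Active Directory entries (added example, not project code)."""
import re

# Constructed sample entries shaped like AD user/computer objects (hypothetical data).
AD_ENTRIES = [
    {"dn": "CN=Matt Codd,OU=allUsers,DC=redacted,DC=local",
     "objectCategory": "Person", "sAMAccountName": "mcodd"},
    {"dn": "CN=Jane Smith,OU=allUsers,DC=redacted,DC=local",
     "objectCategory": "Person", "sAMAccountName": "jsmith"},
    {"dn": "CN=svc-vespene,OU=allUsers,DC=redacted,DC=local",
     "objectCategory": "Person", "sAMAccountName": "svc-vespene"},
    {"dn": "CN=BUILD01,OU=allUsers,DC=redacted,DC=local",
     "objectCategory": "Computer", "sAMAccountName": "BUILD01$"},
]


def escape_filter_chars(value):
    """RFC 4515 escaping of a filter assertion value: \\ * ( ) and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_filter(template, username):
    """Substitute %(user)s the way django-auth-ldap does: escape, then format."""
    return template % {"user": escape_filter_chars(username)}


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _components(body):
    """Split "(a=1)(b=2)" into ["(a=1)", "(b=2)"], honouring nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced parentheses in filter: %r" % body)
    return parts


def matches(filt, entry):
    """Evaluate a filter supporting &, |, !, equality and presence (attr=*).
    Attribute names and values compare case-insensitively, as AD does."""
    parts = _components(filt)
    if len(parts) != 1 or parts[0] != filt:
        raise ValueError("not a single parenthesised filter: %r" % filt)
    body = filt[1:-1]
    if body[:1] == "&":
        return all(matches(c, entry) for c in _components(body[1:]))
    if body[:1] == "|":
        return any(matches(c, entry) for c in _components(body[1:]))
    if body[:1] == "!":
        return not matches(body[1:], entry)
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % body)
    attrs = {k.lower(): v for k, v in entry.items()}
    actual = attrs.get(attr.lower())
    if actual is None:
        return False          # attribute absent, e.g. uid on an AD user
    if value == "*":
        return True           # presence test
    return actual.lower() == _unescape(value).lower()


def search_user(template, username, entries=AD_ENTRIES):
    """DNs returned by the user search for this login name."""
    filt = render_filter(template, username)
    return [e["dn"] for e in entries if matches(filt, e)]


def lookup_user(template, username, entries=AD_ENTRIES):
    """django-auth-ldap needs exactly one hit to bind as the user; otherwise None."""
    hits = search_user(template, username, entries)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for tpl in ("(uid=%(user)s)",
                "(sAMAccountName=%(user)s)",
                "(&(objectCategory=Person)(sAMAccountName=*))"):
        print(tpl, "->", search_user(tpl, "mcodd"))
    # Why escaping matters: a login name of "*" substituted raw turns the
    # equality test into a presence test and matches every Person.
    raw = "(&(objectCategory=Person)(sAMAccountName=%(user)s))" % {"user": "*"}
    print("unescaped:", [e["dn"] for e in AD_ENTRIES if matches(raw, e)])
    print("escaped:  ", search_user("(&(objectCategory=Person)(sAMAccountName=%(user)s))", "*"))
```

Run it to see the three templates side by side: the uid filter returns nothing, the `sAMAccountName=%(user)s` filter returns the one DN the bind step needs, and the wildcard form returns every Person under the base DN. The same rendered filter string can be pasted into ldapsearch or Apache Directory Studio against the real DC, which is the debugging approach Michael and Jon recommend.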


#6

Excellent.

On docs, yes definitely... I don't have an LDAP setup I can play with here (anything I set up would be very fake), but including instructions along with basic search strings that usually work would definitely be helpful, as I predict this question will come up a fair amount.

I would be ok with that being a chapter or something, though I'm not sure if there's a better place to put it.

I don't know of the percentages, but someone is probably going to want SAML for SSO at some point. I also don't have a good setup to add/test this, but I'm open to PRs if the code to maintain remains minimal and it adds some decent docs for it. Clearly I'm fine waiting until someone needs it, and if people are more than ok just pointing at LDAP/AD, we have no immediate concerns either.