LDAP authentication with group #5823
-
|
Hi, I have LDAP structure and ldap_config.py like below.
...
# Where to look for users
AUTH_LDAP_USER_SEARCH_BASEDN = "OU=Accounts,DC=company,DC=local"
AUTH_LDAP_USER_SEARCH_ATTR = "sAMAccountName"
AUTH_LDAP_USER_SEARCH = LDAPSearch(AUTH_LDAP_USER_SEARCH_BASEDN, ldap.SCOPE_SUBTREE,
"(" + AUTH_LDAP_USER_SEARCH_ATTR + "=%(user)s)")
AUTH_LDAP_GROUP_SEARCH_BASEDN = "OU=netbox,OU=tools,OU=Groups,DC=company,DC=local"
AUTH_LDAP_GROUP_SEARCH_CLASS = "group"
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(AUTH_LDAP_GROUP_SEARCH_BASEDN, ldap.SCOPE_SUBTREE,
"(objectClass=" + AUTH_LDAP_GROUP_SEARCH_CLASS + ")")
AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()
# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP_DN = "CN=netbox_active,OU=netbox,OU=tools,OU=Groups,DC=company,DC=local"
AUTH_LDAP_IS_ADMIN_DN = "CN=netbox_staff,OU=netbox,OU=tools,OU=Groups,DC=company,DC=local"
AUTH_LDAP_IS_SUPERUSER_DN = "CN=netbox_superuser,OU=netbox,OU=tools,OU=Groups,DC=company,DC=local"
# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active": "CN=netbox_active,OU=netbox,OU=tools,OU=Groups,DC=company,DC=local",
"is_staff": "CN=netbox_staff,OU=netbox,OU=tools,OU=Groups,DC=company,DC=local",
"is_superuser": "CN=netbox_superuser,OU=netbox,OU=tools,OU=Groups,DC=company,DC=local"
}
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_MIRROR_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
AUTH_LDAP_CACHE_TIMEOUT = 3600
AUTH_LDAP_CACHE_GROUPS = False
# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
}
...Here is the debug logs from netbox_auth_log userC login (success) Initiating TLS
search_s('OU=Accounts,DC=company,DC=local', 2, '(sAMAccountName=%(user)s)') returned 1 objects: cn=userC,ou=accounts,dc=company,dc=local
Populating Django user yyyyyy # user ID
cn=userC,ou=accounts,dc=company,dc=local is a member of cn=netbox_active,ou=netbox,ou=tools,ou=groups,dc=company,dc=local
cn=userC,ou=accounts,dc=company,dc=local is not a member of cn=netbox_staff,ou=netbox,ou=tools,ou=groups,dc=company,dc=local
cn=userC,ou=accounts,dc=company,dc=local is not a member of cn=netbox_superuser,ou=netbox,ou=tools,ou=groups,dc=company,dc=local
search_s('OU=netbox,OU=tools,OU=Groups,DC=company,DC=local', 2, '(&(objectClass=group)(member=cn=userC,ou=accounts,dc=company,dc=local))') returned 1 objects: cn=netbox_active,ou=netbox,ou=tools,ou=groups,dc=company,dc=localuserA login (fails) Initiating TLS
search_s('OU=Accounts,DC=company,DC=local', 2, '(sAMAccountName=%(user)s)') returned 1 objects: cn=userA,ou=accounts,dc=company,dc=local
Populating Django user xxxxxx # user ID
cn=userA,ou=accounts,dc=company,dc=local is not a member of cn=netbox_active,ou=netbox,ou=tools,ou=groups,dc=company,dc=local
cn=userA,ou=accounts,dc=company,dc=local is not a member of cn=netbox_staff,ou=netbox,ou=tools,ou=groups,dc=company,dc=local
cn=userA,ou=accounts,dc=company,dc=local is not a member of cn=netbox_superuser,ou=netbox,ou=tools,ou=groups,dc=company,dc=local
search_s('OU=netbox,OU=tools,OU=Groups,DC=company,DC=local', 2, '(&(objectClass=group)(member=cn=userA,ou=accounts,dc=company,dc=local))') returned 0 objects:Is it possible to authenticate users who recursively belong to the netbox group like this situation? If so, how should I change ldap_config.py? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 5 replies
-
|
Don't quote me on it, but I have a feeling you just need to change your AUTH_LDAP_GROUP_TYPE to NestedActiveDirectoryGroupType() instead of NestedGroupOfNamesType(). I'm assuming you are attempting to authenticate to an AD server here given your reference to sAMAccountName. Give that a go and see how you get on. |
Beta Was this translation helpful? Give feedback.
-
|
Here is the debug logs. |
Beta Was this translation helpful? Give feedback.
-
|
Question: is TeamX their default or primary group? If so, my recollection is that the call that netbox uses to check membership doesn't return true for the primary group because it's not stored in the MemberOf attribute in AD. |
Beta Was this translation helpful? Give feedback.
-
|
No, TeamX is not default or primary group |
Beta Was this translation helpful? Give feedback.
-
|
Ah. In your bullet pointed tree structure above, you are showing TeamX as an OU. Is this a typo? Is TeamX actually a group? |
Beta Was this translation helpful? Give feedback.
-
|
Spotted it... I think. Your AUTH_LDAP_GROUP_SEARCH_BASEDN = "OU=netbox,OU=tools,OU=Groups,DC=company,DC=local" tells NetBox to look for any group of which the user is a member under the OU netbox in the OU tool in the OU groups. If your TeamX group isn't in the Netbox OU but a level or two higher it will never work as that group will never be seen by the LDAP search. Move the group to under the NetBox OU or make your group search basedn start higher up (perhaps OU=Groups,DC=company,DC=local" and you may have more success. |
Beta Was this translation helpful? Give feedback.
-
|
Git it... You are right. |
Beta Was this translation helpful? Give feedback.
Question: is TeamX their default or primary group? If so, my recollection is that the call that netbox uses to check membership doesn't return true for the primary group because it's not stored in the MemberOf attribute in AD.