Django 2.1.3 LDAP authentication not authenticating to backend



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








1















I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"



I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/



here are the changes i've made in the project:



settings.py



import ldap
from django_auth_ldap.config import LDAPSearch


AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_CONNECTION_OPTIONS = 
 ldap.OPT_REFERRALS: 0


AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
 "dc=example,dc=com",
 ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

AUTHENTICATION_BACKENDS = [
 'django_auth_ldap.backend.LDAPBackend',
]


views.py



from django.contrib.auth import authenticate, login
from django.shortcuts import render 

def login_user(request):

 email = password = ""
 state = ""

 if request.POST:
 email = request.POST.get('email')
 password = request.POST.get('password')

 print (email, password)

 user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
 if user is not None:
 login(request, user)
 state = "Valid account"
 else:
 state = "Inactive account"

 return render(request, 'KPI/auth.html', 'state': state, 'email': email)


auth.html



<html>
 <head>
 <title>Login</title>
 </head>
 <body>
 state
 <form action="" method="post"> % csrf_token %
 Email address: <input type="text" name="email" value=" email " />
 Password: <input type="password" name="password" value="" />
 <input type="submit" value="Log in" />
 </form>
 </body>
</html>


EDIT:



i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it will return with just the 'boyle' info



EDIT 2:



I used a logger to get this error when a user comes back as none



Caught LDAPError while authenticating tesla: CONNECT_ERROR('desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)',)






python django ldap







share|improve this question
























  • I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

    – Steven Graham
    Nov 18 '18 at 5:04











  • authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

    – Mfreeman
    Nov 19 '18 at 0:25











  • Found the debug error, don't know what to make of it, check latest edit please.

    – Mfreeman
    Nov 19 '18 at 19:59











  • That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

    – Steven Graham
    Nov 19 '18 at 21:31












  • I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

    – Mfreeman
    Nov 19 '18 at 21:35


















1















I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"



I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/



here are the changes i've made in the project:



settings.py



import ldap
from django_auth_ldap.config import LDAPSearch


AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_CONNECTION_OPTIONS = 
 ldap.OPT_REFERRALS: 0


AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
 "dc=example,dc=com",
 ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

AUTHENTICATION_BACKENDS = [
 'django_auth_ldap.backend.LDAPBackend',
]


views.py



from django.contrib.auth import authenticate, login
from django.shortcuts import render 

def login_user(request):

 email = password = ""
 state = ""

 if request.POST:
 email = request.POST.get('email')
 password = request.POST.get('password')

 print (email, password)

 user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
 if user is not None:
 login(request, user)
 state = "Valid account"
 else:
 state = "Inactive account"

 return render(request, 'KPI/auth.html', 'state': state, 'email': email)


auth.html



<html>
 <head>
 <title>Login</title>
 </head>
 <body>
 state
 <form action="" method="post"> % csrf_token %
 Email address: <input type="text" name="email" value=" email " />
 Password: <input type="password" name="password" value="" />
 <input type="submit" value="Log in" />
 </form>
 </body>
</html>


EDIT:



i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it will return with just the 'boyle' info



EDIT 2:



I used a logger to get this error when a user comes back as none



Caught LDAPError while authenticating tesla: CONNECT_ERROR('desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)',)






python django ldap







share|improve this question
























  • I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

    – Steven Graham
    Nov 18 '18 at 5:04











  • authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

    – Mfreeman
    Nov 19 '18 at 0:25











  • Found the debug error, don't know what to make of it, check latest edit please.

    – Mfreeman
    Nov 19 '18 at 19:59











  • That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

    – Steven Graham
    Nov 19 '18 at 21:31












  • I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

    – Mfreeman
    Nov 19 '18 at 21:35














1












1








1


0






I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"



I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/



here are the changes i've made in the project:



settings.py



import ldap
from django_auth_ldap.config import LDAPSearch


AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_CONNECTION_OPTIONS = 
 ldap.OPT_REFERRALS: 0


AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
 "dc=example,dc=com",
 ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

AUTHENTICATION_BACKENDS = [
 'django_auth_ldap.backend.LDAPBackend',
]


views.py



from django.contrib.auth import authenticate, login
from django.shortcuts import render 

def login_user(request):

 email = password = ""
 state = ""

 if request.POST:
 email = request.POST.get('email')
 password = request.POST.get('password')

 print (email, password)

 user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
 if user is not None:
 login(request, user)
 state = "Valid account"
 else:
 state = "Inactive account"

 return render(request, 'KPI/auth.html', 'state': state, 'email': email)


auth.html



<html>
 <head>
 <title>Login</title>
 </head>
 <body>
 state
 <form action="" method="post"> % csrf_token %
 Email address: <input type="text" name="email" value=" email " />
 Password: <input type="password" name="password" value="" />
 <input type="submit" value="Log in" />
 </form>
 </body>
</html>


EDIT:



i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it will return with just the 'boyle' info



EDIT 2:



I used a logger to get this error when a user comes back as none



Caught LDAPError while authenticating tesla: CONNECT_ERROR('desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)',)






python django ldap







share|improve this question
















I am trying to create a django(v2.1.3) web app with a simple LDAP authentication. The code runs and i don't exactly know why it isn't working. It doesn't seem to be authenticating the user info to the LDAP backend i have connected to. When i fill out the form it will always return with "inactive user", when i know the user is on the test server. All i want is to just have it recognize that it is a "valid user"



I'm running it against a LDAP test server found here http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/



here are the changes i've made in the project:



settings.py



import ldap
from django_auth_ldap.config import LDAPSearch


AUTH_LDAP_SERVER_URI = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_CONNECTION_OPTIONS = 
 ldap.OPT_REFERRALS: 0


AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
 "dc=example,dc=com",
 ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

AUTHENTICATION_BACKENDS = [
 'django_auth_ldap.backend.LDAPBackend',
]


views.py



from django.contrib.auth import authenticate, login
from django.shortcuts import render 

def login_user(request):

 email = password = ""
 state = ""

 if request.POST:
 email = request.POST.get('email')
 password = request.POST.get('password')

 print (email, password)

 user = authenticate(username=request.POST.get('email'), password=request.POST.get('password'))
 if user is not None:
 login(request, user)
 state = "Valid account"
 else:
 state = "Inactive account"

 return render(request, 'KPI/auth.html', 'state': state, 'email': email)


auth.html



<html>
 <head>
 <title>Login</title>
 </head>
 <body>
 state
 <form action="" method="post"> % csrf_token %
 Email address: <input type="text" name="email" value=" email " />
 Password: <input type="password" name="password" value="" />
 <input type="submit" value="Log in" />
 </form>
 </body>
</html>


EDIT:



i know the settings configuration is correct because when i run ldapsearch -W -h ldap.forumsys.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it will return with just the 'boyle' info



EDIT 2:



I used a logger to get this error when a user comes back as none



Caught LDAPError while authenticating tesla: CONNECT_ERROR('desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)',)






python django ldap




python django ldap






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 19 '18 at 20:01







Mfreeman

















asked Nov 15 '18 at 15:24









MfreemanMfreeman

177121




177121












  • I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

    – Steven Graham
    Nov 18 '18 at 5:04











  • authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

    – Mfreeman
    Nov 19 '18 at 0:25











  • Found the debug error, don't know what to make of it, check latest edit please.

    – Mfreeman
    Nov 19 '18 at 19:59











  • That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

    – Steven Graham
    Nov 19 '18 at 21:31












  • I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

    – Mfreeman
    Nov 19 '18 at 21:35


















  • I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

    – Steven Graham
    Nov 18 '18 at 5:04











  • authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

    – Mfreeman
    Nov 19 '18 at 0:25











  • Found the debug error, don't know what to make of it, check latest edit please.

    – Mfreeman
    Nov 19 '18 at 19:59











  • That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

    – Steven Graham
    Nov 19 '18 at 21:31












  • I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

    – Mfreeman
    Nov 19 '18 at 21:35

















I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

– Steven Graham
Nov 18 '18 at 5:04





I see that you are using 'email' are you really passing an email: 'boyle@foo.com' or just 'boyle'? It might help to enable debug logging in Django: django-auth-ldap.readthedocs.io/en/latest/logging.html

– Steven Graham
Nov 18 '18 at 5:04













authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

– Mfreeman
Nov 19 '18 at 0:25





authenticate(username=request.POST.get('email'), password=request.POST.get('password')) this sets the email variable to the uid i believe, i will try to debug it.. thanks

– Mfreeman
Nov 19 '18 at 0:25













Found the debug error, don't know what to make of it, check latest edit please.

– Mfreeman
Nov 19 '18 at 19:59





Found the debug error, don't know what to make of it, check latest edit please.

– Mfreeman
Nov 19 '18 at 19:59













That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

– Steven Graham
Nov 19 '18 at 21:31






That looks like it is trying to connect to the LDAP server with TLS. Not sure why since you are specifying ldap://.. You can try setting: AUTH_LDAP_START_TLS = False in the settings. Looking at that site they don't have TLS configured on their ldap server.

– Steven Graham
Nov 19 '18 at 21:31














I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

– Mfreeman
Nov 19 '18 at 21:35






I set it to false and it worked! thank you! Edit your answer to add that and ill award you the bounty.

– Mfreeman
Nov 19 '18 at 21:35













1 Answer
1






active

oldest

votes


















1





+50









It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only- 
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com' 
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR('desc': 
'Connect error', 'info': 'error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed (self 
signed certificate in certificate chain)',)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.






share|improve this answer

























  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52












  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34












  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07











Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53322660%2fdjango-2-1-3-ldap-authentication-not-authenticating-to-backend%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1





+50









It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only- 
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com' 
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR('desc': 
'Connect error', 'info': 'error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed (self 
signed certificate in certificate chain)',)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.






share|improve this answer

























  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52












  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34












  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07















1





+50









It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only- 
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com' 
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR('desc': 
'Connect error', 'info': 'error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed (self 
signed certificate in certificate chain)',)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.






share|improve this answer

























  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52












  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34












  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07













1





+50







1





+50



1




+50





It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only- 
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com' 
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR('desc': 
'Connect error', 'info': 'error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed (self 
signed certificate in certificate chain)',)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.






share|improve this answer















It looks like you aren't using the right hostname for the server.



ldap://ldap.forumsys:389 should be: ldap://ldap.forumsys.com:389



Using an ldap search tool such as ldapsearch can help verify if the server is responding correctly:



$ ldapsearch -LLL -h ldap.forumsys -p 389 -D 'cn=read-only-admin,dc=example,dc=com' 
-w password -b 'ou=mathematicians,dc=example,dc=com' -s sub "(objectclass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

$ ldapsearch -LLL -h ldap.forumsys.com -p 389 -D 'cn=read-only- 
admin,dc=example,dc=com' -w password -b 'ou=mathematicians,dc=example,dc=com' 
-s sub "(objectclass=*)"
dn: ou=mathematicians,dc=example,dc=com
uniqueMember: uid=euclid,dc=example,dc=com
uniqueMember: uid=riemann,dc=example,dc=com
uniqueMember: uid=euler,dc=example,dc=com
uniqueMember: uid=gauss,dc=example,dc=com
uniqueMember: uid=test,dc=example,dc=com
ou: mathematicians
cn: Mathematicians
objectClass: groupOfUniqueNames
objectClass: top


If you get data back that means it is finding the user. The result: 0 Success just means that the ldap server was able to successfully search the tree.



It looks like the Django module has two methods of authenticating a user. The setup you have configured first attempts to lookup the record (via uid) and then uses the found DN to then bind (again) with the password supplied. As an example it will search (uid=boyle), then find the DN: uid=boyle,dc=example,dc=com. Then it will bind to the LDAP server with DN: uid=boyle,dc=example,dc=com, password supplied via login page.



In reponse to Edit 2 above:



The following error means that the library is trying to negotiate a TLS connection:



Caught LDAPError while authenticating tesla: CONNECT_ERROR('desc': 
'Connect error', 'info': 'error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed (self 
signed certificate in certificate chain)',)


If you are connecting to ldap on port 389 (ldap://) then TLS shouldn't be negotiated and can be disabled by setting:



AUTH_LDAP_START_TLS = False


In settings.py.



For security reasons its a good idea to use ldaps, and configure TLS options via the AUTH_LDAP_CONNECTION_OPTIONS dictionary.







share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 19 '18 at 22:43

























answered Nov 15 '18 at 22:42









Steven GrahamSteven Graham

685610




685610












  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52












  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34












  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07

















  • Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

    – Mfreeman
    Nov 16 '18 at 12:52












  • when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

    – Mfreeman
    Nov 16 '18 at 15:34












  • You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

    – Steven Graham
    Nov 18 '18 at 5:07
















Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

– Mfreeman
Nov 16 '18 at 12:52






Thanks for replying, and yeah it still doesn't recognize any of the usernames, i've tried so many urls and they don't seem to work even when the ldapsearch does come back. i think it has to do with my code

– Mfreeman
Nov 16 '18 at 12:52














when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

– Mfreeman
Nov 16 '18 at 15:34






when i run ldapsearch -W -h ldap.forumsys.com -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -s sub "uid=boyle" it returns all the boyle info but says # search result search: 2 result: 0 Success does result: 0 Success mean that my user could come back as "none" when i authenticate?

– Mfreeman
Nov 16 '18 at 15:34














You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

– Steven Graham
Nov 18 '18 at 5:07





You can use the DN found via that search to verify that you can bind with it, which is what Django will do once it finds the entry. -D "uid=boyle,dc=example,dc=com" that bind worked for me, so looks like it might be an issue with your code (or django setup)

– Steven Graham
Nov 18 '18 at 5:07



















draft saved

draft discarded
















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53322660%2fdjango-2-1-3-ldap-authentication-not-authenticating-to-backend%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Use pre created SQLite database for Android project in kotlin

Image
0 I am trying to use an already existing sqLite database in my android app. I have verified that it is loaded into the project in the assets folder and I can browse it in DB browser when I open it directly from the project. This is the schema for the table I am trying to query CREATE TABLE "ACTIVITY_LIST_TBL" ( `_ID` INTEGER NOT NULL, `ACT_NAME` VARCHAR NOT NULL, `ACT_CODE` VARCHAR, `IS_ACTIVE` INTEGER DEFAULT -1, PRIMARY KEY(`_ID`) ) Below is the activity that creates the sqlite helper and then on a button click I execute a query on the ACTIVITY_LIST_TBL. When the query is executed this exception is thrown: android.database.sqlite.SQLiteException: no such table: ACTIVITY_LIST_TBL (code 1 SQLITE_ERROR): , while compiling: SELECT * FROM ACTIVITY_LIST_TBL class CalendarActivity : AppCompatActivity() { private var cursor:Cursor? = null override fun onCreate(savedInstanceState:Bundle?) { super.onCreate(savedInstanceState) setContentView(R.layout.calendar_activity...
Read more

Darth Vader #20

Image
Wiki Characters Creators Teams Volumes Issues Publishers Locations Concepts Things Story Arcs Movies Series Episodes New Comics Forums Gen. Discussion Bug Reporting Delete/Combine Pages Artist Show-Off Off-Topic Contests Battles Fan-Fic RPG Comic Book Preview API Developers Editing & Tools Podcast Quests Community Top Users Activity Feed User Lists Community Promos Archives News Reviews Videos Podcasts Previews Login / Sign Up All Wiki     Arcs     Characters     Companies     Concepts     Issues     Locations     Movies     People     Teams     Things     Volumes     Series     Episodes Editorial     Videos     Articles     Reviews     Features ...
Read more

Ondo

Image
Der Titel dieses Artikels ist mehrdeutig. Zu weiteren Bedeutungen siehe Ondo (Begriffsklärung). Ondo Basisdaten Hauptstadt: Akure gegründet: 3. Februar 1976 Gouverneur: Rotimi Akeredolu ISO 3166-2: NG-ON Fläche Fläche: 15.500 km² Rang in Nigeria: 25 Bevölkerung Einwohner: 4.671.700 (2016) Bevölkerungsdichte: 320 Einw./km² (2016) Rang in Nigeria: 18 Lage von Ondo in Nigeria Ondo ist ein Bundesstaat des westafrikanischen Landes Nigeria mit der Hauptstadt Akure, die mit 420.623 Einwohnern (2005) auch die größte Stadt des Bundesstaates ist. Inhaltsverzeichnis 1 Geografie 2 Geschichte 2.1 Liste der Gouverneure und Administratoren 3 Verwaltung 4 Wirtschaft Geografie | Der Bundesstaat liegt im Südwesten des Landes und grenzt im Norden an den Bundesstaat Ekiti, im Nordwesten an den Bundesstaat Osun, im Nordosten an den Bundesstaat Kogi, im Süden an den Atlantik, im Südosten an den Bundesstaat Delta, im Westen an den Bundess...
Read more