通过 Active Directory 2008 进行 Django LDAP 身份验证
我正在尝试通过公司 Active Directory 服务器对我的用户进行身份验证。 我无法正确配置它,我知道 LDAP 可以工作 我有一个已配置并正在运行的 MediaWiki 在 Active Directory 服务器上进行身份验证。
系统:
Active Directory 2008
Django (1, 3, 0, 'final', 0)
django-auth-ldap 1.0.9
这是我在settings.py中的配置
from django_auth_ldap.config import LDAPSearch
import logging
# makes sure this works in Active Directory
ldap.set_option(ldap.OPT_REFERRALS, 0)
LDAP_SERVER_URI = 'ldap://ad.exemple.com'
AUTH_LDAP_BIND_DN = 'my_user'
AUTH_LDAP_BIND_PASSWORD = 'my_pass'
AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=exemple,dc=com', ldap.SCOPE_SUBTREE, '(SAMAccountName=%(user)s)')
# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
}
# This is the default, but I like to be explicit.
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
我还通过添加新的URI尝试了ssl方式
LDAP_SERVER_URI = 'ldaps://ad.exemple.com:636'
我使用主组用户进行搜索我不需要任何我想要验证的特定组。
它返回错误的错误消息:
WARNING 2011-05-31 16:50:19,429 backend 3968 140632428340992 Caught LDAPError while authenticating my_user: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772', 'desc': 'Invalid credentials'},)
[31/May/2011 16:50:19] "POST /admin/ HTTP/1.1" 200 9648
看到此错误并查找 LDAP 错误 DSID-0C0903AA 我发现我应该尝试像这样设置用户名
[email protected]
它不起作用,它返回错误:
ERROR 2011-05-31 16:55:38,947 config 6505 139868662060800 search_s('dc=ubilium,dc=loc', 2, '(SAMAccountName=my_user)') raised OPERATIONS_ERROR({'info': '000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772', 'desc': 'Operations error'},)
DEBUG 2011-05-31 16:55:38,947 backend 6505 139868662060800 Authentication failed for my_user
有人知道如何让它连接?
I'm trying to authenticate my user through the corporate Active Directory server.
I am unable to configure it properly, I know the LDAP works I have a MediaWiki that is configured and working to
authenticate on the Active Directory Server.
system:
Active Directory 2008
Django (1, 3, 0, 'final', 0)
django-auth-ldap 1.0.9
Here is my configuration in settings.py
from django_auth_ldap.config import LDAPSearch
import logging
# makes sure this works in Active Directory
ldap.set_option(ldap.OPT_REFERRALS, 0)
LDAP_SERVER_URI = 'ldap://ad.exemple.com'
AUTH_LDAP_BIND_DN = 'my_user'
AUTH_LDAP_BIND_PASSWORD = 'my_pass'
AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=exemple,dc=com', ldap.SCOPE_SUBTREE, '(SAMAccountName=%(user)s)')
# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
}
# This is the default, but I like to be explicit.
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
I also tried the ssl way by adding the new URI
LDAP_SERVER_URI = 'ldaps://ad.exemple.com:636'
I used the main group User to search into I don't need any particular group that I want to authenticate.
The error message it returns the error :
WARNING 2011-05-31 16:50:19,429 backend 3968 140632428340992 Caught LDAPError while authenticating my_user: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772', 'desc': 'Invalid credentials'},)
[31/May/2011 16:50:19] "POST /admin/ HTTP/1.1" 200 9648
Seeing this error and looking for the LDAP error DSID-0C0903AA I found that I should try to set the username like this
[email protected]
It didn't work, it returns the error :
ERROR 2011-05-31 16:55:38,947 config 6505 139868662060800 search_s('dc=ubilium,dc=loc', 2, '(SAMAccountName=my_user)') raised OPERATIONS_ERROR({'info': '000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772', 'desc': 'Operations error'},)
DEBUG 2011-05-31 16:55:38,947 backend 6505 139868662060800 Authentication failed for my_user
Does anyone has any clue how to get it to connect?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您收到的第一个错误是 LDAP 49,子代码为 525,这意味着未找到用户。即您的绑定 DN 不正确。
您的第二次尝试使用 userPrincipalName 格式将会失败,正如您的配置所示:
AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=exemple,dc=com', ldap.SCOPE_SUBTREE, '(SAMAccountName=%(user)s)')因此,您尝试在过滤器:
(SAMAccountName=%(user)s)我想知道这是否是在每一端都有一个额外的
s?即(SAMAccountName=%(user))会更正确吗?它的作用是,对于 $(user) 变量,在 AD 中找到 sAMAccountName 属性与该值匹配的对象,然后使用返回的 DN 作为绑定 DN。但您没有获得正确的 DN,因此出现 LDAP 49 - 525 错误。
The first error you are getting is LDAP 49 with a subcode of 525 which means User not found. I.e. Your bind DN is not correct.
Your second attempt, using the userPrincipalName formatting will fail, as your configuration says:
AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=exemple,dc=com', ldap.SCOPE_SUBTREE, '(SAMAccountName=%(user)s)')Thus you are trying to use the passed in user name in the filter of:
(SAMAccountName=%(user)s)I wonder if that is an extra
sat the every end? I.e. Would(SAMAccountName=%(user))be more correct?What it is doing is saying, for the $(user) variable, find me the object in AD whose sAMAccountName attribute matches that value, and then use that DN returned as the bind DN. But you are not getting a correct DN and thus the LDAP 49 - 525 error.