pythondjangoactive-directorydjango-authenticationdjango-auth-ldap

Django Auth LDAP - Direct Bind using sAMAccountName

There are two ways to authenticate a user using Django Auth LDAP

  1. Search/Bind and
  2. Direct Bind.

The first one involves connecting to the LDAP server either anonymously or with a fixed account and searching for the distinguished name of the authenticating user. Then we can attempt to bind again with the user’s password.

The second method is to derive the user’s DN from his username and attempt to bind as the user directly.

I want to be able to do a direct bind using the userid (sAMAccountName) and password of the user who is trying to gain access to the application. Please let me know if there is a way to achieve this? At the moment, I cannot seem to make this work due to the problem explained below.

In my case, the DN of users in LDAP is of the following format

**'CN=Steven Jones,OU=Users,OU=Central,OU=US,DC=client,DC=corp'**

This basically translates to 'CN=FirstName LastName,OU=Users,OU=Central,OU=US,DC=client,DC=corp'

This is preventing me from using Direct Bind as the sAMAccountName of the user is sjones and this is the parameter that corresponds to the user name (%user) and I can't figure out a way to frame a proper AUTH_LDAP_USER_DN_TEMPLATE to derive the User's DN using.

Due to the above explained problem, I am using Search/Bind for now but this requires me to have a fixed user credential to be specified in AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD.

Here is my current settings.py configuration

AUTH_LDAP_SERVER_URI = "ldap://10.5.120.161:389"
AUTH_LDAP_BIND_DN='CN=Steven Jones,OU=Users,OU=Central,OU=US,DC=client,DC=corp'
AUTH_LDAP_BIND_PASSWORD='fga.1234'
#AUTH_LDAP_USER_DN_TEMPLATE = 'CN=%(user)s,OU=Appl Groups,OU=Central,OU=US,DC=client,DC=corp'
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch("OU=Users, OU=Central,OU=US,DC=client,DC=corp",ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
    LDAPSearch("OU=Users,OU=Regional,OU=Locales,OU=US,DC=client,DC=corp",ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
    )
AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn","email":"mail"}
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("CN=GG_BusinessApp_US,OU=Appl Groups,OU=Central,OU=US,DC=client,DC=corp",ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_REQUIRE_GROUP = 'CN=GG_BusinessApp_US,OU=Appl Groups,OU=Central,OU=US,DC=client,DC=corp'

Looking forward for some guidance from the wonderful folks in here.

Solution

  • I had the same issue.

    I ran across ticket 21 in the now-deleted bitbucket repository. (cant-bind-and-search-on-activedirectory). The issues were not migrated to their github, but the author brought up a way to change the library files for django-auth-ldap so that it could do a direct bind.

    It came down to changing <python library path>/django_auth_ldap/backend.py to include two lines in _authenticate_user_dn:

    if sticky and ldap_settings.AUTH_LDAP_USER_SEARCH:
    self._search_for_user_dn()

    I was able to get this to work on my local machine that was running Arch Linux 3.9.8-1-ARCH, but I was unable to replicate it on the dev server running Ubuntu 13.04.

    Hopefully this can help.