If I search with this query:
AUTH_LDAP_USER_SEARCH = LDAPSearch("OU=E,DC=i,DC=e,DC=int", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")
The person is located and logged in.
If with a request like this
AUTH_LDAP_USER_SEARCH = LDAPSearch("CN=allow,OU=Groups,DC=i,DC=e,DC=int", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")
I get the following error:
Invoking search_s('CN=allow,OU=Groups,DC=i,DC=e,DC=int', 2, '(sAMAccountName=a.t)')
search_s('CN=allow,OU=Groups,DC=i,DC=e,DC=int', 2, '(sAMAccountName=%(user)s)') returned 0 objects:
Authentication failed for a.t: failed to map the username to a DN.
Why? I need to allow access to people in a limited group. If I do this
AUTH_LDAP_REQUIRE_GROUP = "CN=allow,OU=Groups,DC=i,DC=e,DC=int"
AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("CN=allow,OU=Groups,DC=i,DC=e,DC=int", ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
I get this error:
cn=Tim Allen,ou=1,ou=2,ou=e,dc=i,dc=e,dc=int is not a member of cn=allow,ou=groups,dc=i,dc=e,dc=int
Authentication failed for a.t: user does not satisfy AUTH_LDAP_REQUIRE_GROUP
In this case, of course, there is a user in the group. Please tell me what to fix. Thank you.
AUTH_LDAP_USER_SEARCH = LDAPSearch("CN=allow,OU=Groups,DC=i,DC=e,DC=int", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")
I get the following error: [...] Why?
Because you're confusing two different concepts ("base DN" is the position in hierarchy whereas "group" is a list of DNs). The search is unable to find the user entry because user entries are not physically "under" the group entry, they are merely mentioned in the group entry.
Specifying a group DN as base will not expand to that group's members; it will merely return the group entry itself (and therefore will find nothing as the filter won't match).
The "base DN" search parameter needs to reflect the actual location (OU or "directory") that contains the user account entries.
If I do this
AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("CN=allow,OU=Groups,DC=i,DC=e,DC=int", ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
I get this error:
You have a groupOfNames entry in LDAP (based on your search filter), but you're telling Django to interpret it according to the groupOfUniqueNames format. Those are not the same – they use different attribute types, for one, so when your entry has 'memberDN' but Django expects 'uniqueMember', it's going to think that the group has zero members.
Use GroupOfNamesType().
(The base DN is okay in this case because the goal is to retrieve just the 'group' entry itself.)
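The two points in this answer (a group DN is not a container for the accounts it lists, and the group type must match the group's objectClass) can be shown with a small in-memory model of the directory. The following is an added example, not code from the question, the answer, or django-auth-ldap itself; the directory entries, the user "a.t"/"Tim Allen" and the group DN are constructed to mirror the question, and `search_s`, `in_scope`, `map_username_to_dn` and `is_member` are toy stand-ins for what python-ldap and django-auth-ldap do, not their real APIs.

```python
import re

# Added example (not from the question, the answer or django-auth-ldap): a tiny
# LDAP directory in memory to show (1) why a group DN is a useless base for
# AUTH_LDAP_USER_SEARCH and (2) why AUTH_LDAP_GROUP_TYPE must match the group's
# objectClass. All entries, names and DNs below are constructed for the demo.

# Scope constants with the numbering python-ldap uses; the "2" in the
# question's log line "search_s(..., 2, ...)" is SCOPE_SUBTREE.
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2

# Constructed directory: one account under OU=E and one groupOfNames group
# that lists that account in its "member" attribute (not "uniqueMember").
USER_DN = "CN=Tim Allen,OU=1,OU=2,OU=E,DC=i,DC=e,DC=int"
GROUP_DN = "CN=allow,OU=Groups,DC=i,DC=e,DC=int"
DIRECTORY = {
    USER_DN: {"objectClass": ["user"], "sAMAccountName": ["a.t"]},
    GROUP_DN: {"objectClass": ["groupOfNames"], "member": [USER_DN]},
}

# Attribute each django-auth-ldap group type reads the member list from.
MEMBER_ATTR = {"GroupOfNamesType": "member", "GroupOfUniqueNamesType": "uniqueMember"}


def norm(dn):
    """DNs (and AD string attributes) compare case-insensitively."""
    return dn.lower()


def in_scope(entry_dn, base, scope):
    """True if entry_dn lies within `base` for the given search scope."""
    e, b = norm(entry_dn), norm(base)
    if scope == SCOPE_BASE:
        return e == b
    if e == b:
        return scope == SCOPE_SUBTREE  # ONELEVEL excludes the base entry itself
    if not e.endswith("," + b):
        return False  # not underneath the base at all (this is the group-DN case)
    relative = e[: -(len(b) + 1)]
    return scope == SCOPE_SUBTREE or "," not in relative


def get_attr(attrs, name):
    """Case-insensitive attribute lookup; returns the list of values (maybe empty)."""
    return [v for k, vals in attrs.items() if k.lower() == name.lower() for v in vals]


def search_s(base, scope, filterstr):
    """Toy stand-in for ldap.search_s: only simple (attr=value) equality filters."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filterstr)
    if not m:
        raise ValueError("this model only understands (attr=value) filters")
    attr, wanted = m.group(1), m.group(2).lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope)
            and wanted in (v.lower() for v in get_attr(attrs, attr))]


def map_username_to_dn(username, search_base):
    """What AUTH_LDAP_USER_SEARCH does: fill in %(user)s, search, expect one hit.
    django-auth-ldap escapes LDAP filter metacharacters in the username before
    substituting; this toy does not, so it must never be pointed at a real server."""
    hits = search_s(search_base, SCOPE_SUBTREE, "(sAMAccountName=%(user)s)" % {"user": username})
    return hits[0] if len(hits) == 1 else None


def is_member(group_dn, user_dn, group_type):
    """What AUTH_LDAP_REQUIRE_GROUP checks, reading the group type's member attribute.
    Using the group DN as the base is correct here: we want the group entry itself."""
    hits = search_s(group_dn, SCOPE_BASE, "(objectClass=groupOfNames)")
    if not hits:
        return False
    members = get_attr(DIRECTORY[hits[0]], MEMBER_ATTR[group_type])
    return norm(user_dn) in (norm(m) for m in members)


def demo():
    return {
        # the question's second attempt: group DN as user-search base -> no DN found
        "user_search_from_group_dn": map_username_to_dn("a.t", GROUP_DN),
        # the fix: base at the OU that actually holds the account entries
        "user_search_from_ou": map_username_to_dn("a.t", "OU=E,DC=i,DC=e,DC=int"),
        # wrong group type: looks for uniqueMember, sees zero members
        "require_group_unique_names_type": is_member(GROUP_DN, USER_DN, "GroupOfUniqueNamesType"),
        # matching group type reads "member" and finds the user
        "require_group_names_type": is_member(GROUP_DN, USER_DN, "GroupOfNamesType"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run as a script it prints `None` for the group-DN user search, the user's DN for the OU-based search, `False` for the GroupOfUniqueNamesType check and `True` for GroupOfNamesType, which is exactly the combination the answer recommends: keep `AUTH_LDAP_USER_SEARCH` rooted at the OU holding the accounts, keep `AUTH_LDAP_GROUP_SEARCH` rooted at the group DN, and set `AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()` so the `member` attribute is read.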