ldapsearch, django-ldap-auth and “data 52e, v1db1”

Anonymous (unverified), submitted 2019-12-03 01:45:01

Question:

I'm trying to get django-auth-ldap working, but I keep getting invalid credentials (49) errors, despite having correct credentials:

additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 

Using python-ldap (2.4.13) and django-auth-ldap (1.1.4) on Ubuntu 12.04.3 against Windows Server 2008 R2. I followed the installation instructions here: http://pythonhosted.org/django-auth-ldap/install.html and here: http://www.djm.org.uk/using-django-auth-ldap-active-directory-ldaps

The second link recommends testing the connection using:

ldapsearch -H ldaps://ldap-x.companygroup.local:636 -D "CN=Something LDAP,OU=Random Group,DC=companygroup,DC=local" -w "p4ssw0rd" -v -d 1 

Locally, that would be:

ldapsearch -H ldap://192.168.0.3 -D "cn=testadmin,dc=fds,dc=local" -w "password" -v -d 1 

This didn't work for me, but the following did

ldapsearch -H ldap://192.168.0.3 -D "dc=fds,dc=local" -U "testadmin" -w "password" -v -d 1 

so I was happy. Before moving the user out into the -U flag I had also tried the following without success:

ldapsearch -H ldap://192.168.0.3 -D "cn=testadmin,ou=Users,dc=fds,dc=local" -w "password" -v -d 1
ldapsearch -H ldap://192.168.0.3 -D "uid=testadmin,dc=fds,dc=local" -w "password" -v -d 1
ldapsearch -H ldap://192.168.0.3 -D "uid=testadmin,ou=Users,dc=fds,dc=local" -w "password" -v -d 1

My django-auth-ldap settings are:

import ldap
from django_auth_ldap.config import LDAPSearch

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

AUTH_LDAP_SERVER_URI = 'ldap://192.168.0.3'

AUTH_LDAP_BIND_DN = 'uid=testadmin,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_PASSWORD = 'password'
# The placeholder must be written %(user)s; "%(user)" alone is an incomplete
# Python format spec and raises ValueError when the filter is built.
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=fds,dc=local",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_DEBUG_LEVEL: 0,
    ldap.OPT_REFERRALS: 0,
}

This doesn't work, with the same error as above. As you can see, I try logging in using the three forms: testadmin, [domain]\testadmin and testadmin@[domain].local, each with the same error.

Development server is running at http://0.0.0.0:8000/
Quit the server with CONTROL-C.
Caught LDAPError while authenticating testadmin: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
[06/Sep/2013 08:51:38] "POST /admin/ HTTP/1.1" 200 2027
Caught LDAPError while authenticating testadmin@fds.local: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
[06/Sep/2013 08:53:40] "POST /admin/ HTTP/1.1" 200 2037
Caught LDAPError while authenticating fds\testadmin: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
[06/Sep/2013 08:53:50] "POST /admin/ HTTP/1.1" 200 2031

I have tried a number of alterations to the settings in various combinations of/including:

AUTH_LDAP_BIND_DN = 'uid=testadmin,ou=Domain Users,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_DN = 'cn=testadmin,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_DN = 'uid=testadmin,dc=fds,dc=local'
AUTH_LDAP_BIND_DN = 'cn=testadmin,dc=fds,dc=local'

AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Domain Users,ou=Users,dc=fds,dc=local",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=FDS Users,dc=fds,dc=local",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=IT Users,ou=FDS Users,dc=fds,dc=local",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

I don't fully understand AD or LDAP, but am working from examples I've found online - each of those ou's is an existing ou in my domain that contains users or other ou's containing users.

It seems to me that the problem relates to either the settings

AUTH_LDAP_BIND_DN = 'uid=testadmin,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_PASSWORD = 'password'

or

AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=fds,dc=local",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

but am unsure - and don't know what to do next to solve this problem. Any ideas?

Answer 1:

Turns out I was looking for the error in the wrong place. It was a BIND error, not a user auth error. Note that there was confusion between whether the error was in AUTH_LDAP_BIND_DN or AUTH_LDAP_USER_SEARCH.

Solution was

AUTH_LDAP_BIND_DN = 'cn=testadmin,ou=FDS Users,dc=fds,dc=local'

AUTH_LDAP_BIND_DN needs to refer to a Distinguished Name, i.e., it needs to point to exactly where the user is located - it isn't a case of "search a group or OU" so much as "this is the link".

The above worked.
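The answer's point is that the "data 52e" came from the service-account bind (AUTH_LDAP_BIND_DN), not from the user's own bind, and that the bind DN must name the user object exactly. The script below is an added diagnostic example, not code from the question, the answer or django-auth-ldap: it replays the search-then-bind sequence that django-auth-ldap performs (bind as the service DN, search for the user, bind as the DN found) one stage at a time so that a failure is reported with the stage it happened in, lints a bind DN for the mistakes seen in the question (a container DN such as dc=fds,dc=local, or a uid= leaf where AD names users by cn=), and decodes the hex sub-code in the AcceptSecurityContext error text using Microsoft's documented values. The FakeAD class, the sAMAccountName filter and the stage names are my constructions for running offline; against a real server you would pass a python-ldap LDAPObject instead of FakeAD.

```python
"""Find out which bind failed behind a django-auth-ldap 'data 52e' error."""
import re

# Hex sub-codes Active Directory puts in "AcceptSecurityContext error, data NNN"
# (Microsoft's documented values; the page's error carries 52e).
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or the bind DN names no object)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def parse_ad_bind_error(info):
    """Pull the 'data' sub-code out of python-ldap's e.args[0]['info'] text."""
    m = _DATA_RE.search(info or "")
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_SUBCODES.get(code, "unknown sub-code")


def split_dn(dn):
    """Split a DN into [(attr, value), ...]; a backslash escapes the next char."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    out = []
    for rdn in rdns:
        attr, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        out.append((attr.strip().lower(), val.strip()))
    return out


def check_bind_dn(dn):
    """Lint an AUTH_LDAP_BIND_DN meant for Active Directory; return problems."""
    try:
        rdns = split_dn(dn)
    except ValueError as e:
        return [str(e)]
    problems = []
    leaf = rdns[0][0]
    if leaf in ("dc", "ou"):
        problems.append("DN names a container, not a user: the leaf RDN is %s=" % leaf)
    elif leaf == "uid":
        problems.append("leaf RDN is uid=; AD user objects are named cn=<display name>")
    if not any(a == "dc" for a, _ in rdns):
        problems.append("no dc= components: not a full DN in the domain naming context")
    return problems


class StageError(Exception):
    """Carries the stage name so the caller knows WHICH bind failed."""
    def __init__(self, stage, info):
        super(StageError, self).__init__("%s failed: %s" % (stage, info))
        self.stage, self.info = stage, info


def _info(exc):
    args = exc.args[0] if exc.args else {}
    return args.get("info", str(exc)) if isinstance(args, dict) else str(exc)


def authenticate_in_stages(conn, bind_dn, bind_pw, base, username, password,
                           filt="(sAMAccountName=%s)"):
    """Replay django-auth-ldap's search-then-bind flow one step at a time.

    conn must offer simple_bind_s(dn, pw) and search_s(base, scope, filt) like a
    python-ldap LDAPObject (scope 2 == ldap.SCOPE_SUBTREE). AD normally fills
    sAMAccountName rather than uid, hence the default filter (my assumption).
    """
    try:
        conn.simple_bind_s(bind_dn, bind_pw)            # stage 1: service account
    except Exception as e:
        raise StageError("AUTH_LDAP_BIND_DN bind", _info(e))
    results = conn.search_s(base, 2, filt % username)   # stage 2: locate the user
    if not results:
        raise StageError("AUTH_LDAP_USER_SEARCH", "no entry matched %s" % (filt % username))
    user_dn = results[0][0]
    try:
        conn.simple_bind_s(user_dn, password)           # stage 3: the user's password
    except Exception as e:
        raise StageError("user bind as %s" % user_dn, _info(e))
    return user_dn


class FakeAD:
    """Constructed offline stand-in for a directory: {dn: (sAMAccountName, pw)}."""
    ERR = ("80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext "
           "error, data 52e, v1db1")

    def __init__(self, users):
        self.users = users

    def simple_bind_s(self, dn, pw):
        if dn not in self.users or self.users[dn][1] != pw:
            raise Exception({"desc": "Invalid credentials", "info": self.ERR})

    def search_s(self, base, scope, filt):
        name = filt[len("(sAMAccountName="):-1]
        return [(dn, {}) for dn, (sam, _) in self.users.items() if sam == name]


if __name__ == "__main__":
    ad = FakeAD({"cn=testadmin,ou=FDS Users,dc=fds,dc=local": ("testadmin", "password")})
    for bind_dn in ("uid=testadmin,ou=Users,dc=fds,dc=local",
                    "cn=testadmin,ou=FDS Users,dc=fds,dc=local"):
        print(bind_dn, check_bind_dn(bind_dn))
        try:
            print("ok, user DN:", authenticate_in_stages(
                ad, bind_dn, "password", "dc=fds,dc=local", "testadmin", "password"))
        except StageError as e:
            print("FAILED at", e.stage, "->", parse_ad_bind_error(e.info))
```

Run as-is, the first bind DN from the question fails in stage 1 (the service bind, exactly where the answer found the problem) and the corrected DN from the answer reaches stage 3; a wrong user password fails only there. With a real server, a stage-1 failure means the bind DN or its password, a stage-3 failure means the end user's password, and the decoded sub-code tells you whether it is really a bad password or something like a disabled or locked account that a bare "Invalid credentials" hides.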


