I'm trying to get django-auth-ldap working, but I keep getting invalid credentials (49) errors, despite having correct credentials:
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
Using python-ldap (2.4.13) and django-auth-ldap (1.1.4) on Ubuntu 12.04.3 against Windows Server 2008 R2. I followed the installation instructions here: http://pythonhosted.org/django-auth-ldap/install.html and here: http://www.djm.org.uk/using-django-auth-ldap-active-directory-ldaps
The second link recommends testing the connection using:
ldapsearch -H ldaps://ldap-x.companygroup.local:636 -D "CN=Something LDAP,OU=Random Group,DC=companygroup,DC=local" -w "p4ssw0rd" -v -d 1
Locally, that would be:
ldapsearch -H ldap://192.168.0.3 -D "cn=testadmin,dc=fds,dc=local" -w "password" -v -d 1
This didn't work for me, but the following did:
ldapsearch -H ldap://192.168.0.3 -D "dc=fds,dc=local" -U "testadmin" -w "password" -v -d 1
so I was happy. Before moving the user out into the -U flag I had also tried the following without success:
ldapsearch -H ldap://192.168.0.3 -D "cn=testadmin,ou=Users,dc=fds,dc=local" -w "password" -v -d 1
ldapsearch -H ldap://192.168.0.3 -D "uid=testadmin,dc=fds,dc=local" -w "password" -v -d 1
ldapsearch -H ldap://192.168.0.3 -D "uid=testadmin,ou=Users,dc=fds,dc=local" -w "password" -v -d 1
My django-auth-ldap settings are:
import ldap
from django_auth_ldap.config import LDAPSearch

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

AUTH_LDAP_SERVER_URI = 'ldap://192.168.0.3'
AUTH_LDAP_BIND_DN = 'uid=testadmin,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_PASSWORD = 'password'
# %(user)s is the placeholder django-auth-ldap replaces with the login name
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=fds,dc=local", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_DEBUG_LEVEL: 0,
    ldap.OPT_REFERRALS: 0,
}
This doesn't work, with the same error as above. As you can see, I try logging in using the three forms: testadmin, [domain]\testadmin and testadmin@[domain].local, each with the same error.
Development server is running at http://0.0.0.0:8000/
Quit the server with CONTROL-C.
Caught LDAPError while authenticating testadmin: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
[06/Sep/2013 08:51:38] "POST /admin/ HTTP/1.1" 200 2027
Caught LDAPError while authenticating testadmin@fds.local: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
[06/Sep/2013 08:53:40] "POST /admin/ HTTP/1.1" 200 2037
Caught LDAPError while authenticating fds\testadmin: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
[06/Sep/2013 08:53:50] "POST /admin/ HTTP/1.1" 200 2031
I have tried a number of alterations to the settings, in various combinations of/including:

AUTH_LDAP_BIND_DN = 'uid=testadmin,ou=Domain Users,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_DN = 'cn=testadmin,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_DN = 'uid=testadmin,dc=fds,dc=local'
AUTH_LDAP_BIND_DN = 'cn=testadmin,dc=fds,dc=local'

AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Domain Users,ou=Users,dc=fds,dc=local", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=FDS Users,dc=fds,dc=local", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=IT Users,ou=FDS Users,dc=fds,dc=local", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
I don't fully understand AD or LDAP, but am working from examples I've found online - each of those ou's is an existing ou in my domain that contains users or other ou's containing users.
It seems to me that the problem relates to either the settings
AUTH_LDAP_BIND_DN = 'uid=testadmin,ou=Users,dc=fds,dc=local'
AUTH_LDAP_BIND_PASSWORD = 'password'
or
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=fds,dc=local", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
but am unsure - and don't know what to do next to solve this problem. Any ideas?
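A small triage helper for the error strings above, added here as an illustration and not part of the question or of django-auth-ldap: it parses python-ldap's `info` value for an Active Directory bind failure, maps the `data NNN` sub-code to the well-known AcceptSecurityContext meanings (52e is "invalid credentials", 533 is "account disabled", 775 is "locked out", and so on), and classifies which name form each attempted login used. The function names (`parse_ad_bind_error`, `classify_bind_name`, `triage_log`) are my own; the first three sample log lines are copied from the question, the fourth (`svc-django`, `data 775`) is constructed to show a different sub-code. It runs offline and never contacts a server.

```python
import re

# Well-known sub-codes that Active Directory appends as "data NNN" to the
# "AcceptSecurityContext error" comment of a failed bind.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or bind name does not resolve to an account)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of python-ldap's `info` string for an AD bind failure.
INFO_RE = re.compile(
    r"^(?P<win32>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)

# Shape of the django-auth-ldap "Caught LDAPError" line in the dev-server log.
LOG_RE = re.compile(
    r"authenticating (?P<who>\S+): INVALID_CREDENTIALS\(\{'info': '(?P<info>[^']*)'"
)

# Constructed sample: lines 1-3 are from the question, line 4 is made up to
# show a sub-code other than 52e.
SAMPLE_LOG = """\
Caught LDAPError while authenticating testadmin: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
Caught LDAPError while authenticating testadmin@fds.local: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
Caught LDAPError while authenticating fds\\testadmin: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'},)
Caught LDAPError while authenticating svc-django: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1', 'desc': 'Invalid credentials'},)
"""


def parse_ad_bind_error(info):
    """Split an AD bind-failure `info` string into its parts; None if not AD-shaped."""
    m = INFO_RE.match(info)
    if not m:
        return None
    parts = m.groupdict()
    parts["data"] = parts["data"].lower()
    parts["meaning"] = AD_DATA_CODES.get(parts["data"], "unknown sub-code")
    return parts


def classify_bind_name(name):
    """Which of the name forms AD's simple bind accepts does this look like?"""
    if "=" in name and "," in name:
        return "dn"          # e.g. cn=testadmin,cn=Users,dc=fds,dc=local
    if "@" in name:
        return "upn"         # e.g. testadmin@fds.local
    if "\\" in name:
        return "downlevel"   # e.g. FDS\testadmin
    return "bare"            # e.g. testadmin; needs a search to become a DN


def triage_log(text):
    """Return one row per INVALID_CREDENTIALS line: who, name form, sub-code, meaning."""
    rows = []
    for m in LOG_RE.finditer(text):
        parsed = parse_ad_bind_error(m.group("info"))
        if parsed is None:
            continue
        rows.append({
            "who": m.group("who"),
            "form": classify_bind_name(m.group("who")),
            "data": parsed["data"],
            "meaning": parsed["meaning"],
        })
    return rows


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print("%-22s %-10s data %-4s %s" % (row["who"], row["form"], row["data"], row["meaning"]))
```

Two things worth keeping in mind when reading the output. First, django-auth-ldap performs the service bind with AUTH_LDAP_BIND_DN before it runs AUTH_LDAP_USER_SEARCH, so an identical 52e for every login form is consistent with that first bind failing, in which case the user-search settings are never reached. Second, `ldapsearch -U` selects a SASL bind and the OpenLDAP man page says the server is expected to ignore `-D` for SASL binds, whereas AUTH_LDAP_BIND_DN is used for a simple bind; the two tests therefore do not exercise the same credential path.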