LDAP in Django default admin

Karlisson · Jan 4, 2012 · Viewed 7.3k times

UPDATED

How is it possible to make the Django default admin authenticate against an LDAP server instead of the default database? I have found the package Django Auth LDAP but nothing about configuring it to be used by the admin login. I've tried putting the lines below in settings.py alongside the LDAP configuration:

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

But it doesn't work. If I remove the last line, it doesn't authenticate on LDAP and shows me the default auth error, as the ModelBackend is a fallback. I've tried copying and modifying the configs listed in the documentation and I'm getting this error on the console:

Caught LDAPError while authenticating karlisson: INVALID_DN_SYNTAX({'info': 'invalid DN', 'desc': 'Invalid DN syntax'},)

My settings.py:

AUTH_LDAP_SERVER_URI = "ldap://192.168.0.2"

AUTH_LDAP_BIND_DN = "example_nt"
AUTH_LDAP_BIND_PASSWORD = "example"
AUTH_LDAP_USER_SEARCH = LDAPSearch("cn=admin,dc=example_nt,dc=com,dc=br",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

I have no idea where the syntax error is; I'm an LDAP beginner.

Answer

gruszczy · Jan 4, 2012

Admin login should work the same way as normal login. Simply adding the backend is not enough; you need to configure it. The docs say a lot actually:

You probably need to set this:

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=active,ou=groups,dc=example,dc=com",
    "is_staff": "cn=staff,ou=groups,dc=example,dc=com",
    "is_superuser": "cn=superuser,ou=groups,dc=example,dc=com"
}

These flags are, IIRC, used by the admin, at least is_superuser.

But the most important is this stuff in settings.py:

AUTH_LDAP_SERVER_URI = "ldap://ldap.example.com"
import ldap
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_BIND_DN = ""
AUTH_LDAP_BIND_PASSWORD = ""
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=example,dc=com",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

Please try configuring all this stuff to connect to your LDAP server, and if you still experience problems, we can try to debug it from there.

Also try to get debugging information so you know whether requests are being sent to your LDAP server (maybe you can also check the logs made by your LDAP server to see if it receives requests from your app).
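
Added example, not part of the question or the answer: a stdlib-only pre-flight check for the INVALID_DN_SYNTAX error above, flagging settings values that are not shaped like a DN (`attribute=value` pairs separated by commas). `dn_problems` and `check_ldap_settings` are hypothetical helper names, and the check is a simplified reading of RFC 4514, not a full parser.

```python
import re

# Simplified RFC 4514 shape check (assumption: no multi-valued "+" RDNs and
# no "\\," sequences); enough to catch values that are not DNs at all.
_ATTR = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def dn_problems(value):
    """Return the reasons why `value` is not a syntactically valid DN."""
    problems = []
    for rdn in _UNESCAPED_COMMA.split(value):
        attr, sep, _val = rdn.strip().partition("=")
        if not sep:
            problems.append(f"RDN {rdn!r} has no 'attribute=value' pair")
        elif not _ATTR.match(attr.strip()):
            problems.append(f"RDN {rdn!r} has invalid attribute type {attr!r}")
    return problems


def check_ldap_settings(bind_dn, search_base):
    """Map setting name -> problems, listing only settings that fail."""
    report = {}
    if bind_dn:  # "" is allowed: django-auth-ldap then binds anonymously
        report["AUTH_LDAP_BIND_DN"] = dn_problems(bind_dn)
    report["AUTH_LDAP_USER_SEARCH base"] = dn_problems(search_base)
    return {name: probs for name, probs in report.items() if probs}


if __name__ == "__main__":
    # Values copied from the question, then from the answer.
    samples = [
        ("question", "example_nt", "cn=admin,dc=example_nt,dc=com,dc=br"),
        ("answer", "", "ou=users,dc=example,dc=com"),
    ]
    for label, bind_dn, base in samples:
        result = check_ldap_settings(bind_dn, base)
        print(label, result or "all values parse as DNs")
```

Run against the question's values, only `AUTH_LDAP_BIND_DN = "example_nt"` is flagged; the search base parses as a DN, although `cn=admin,...` names a single entry and not a subtree of users.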