LDAP/AD authentication again.

LDAP/AD authentication again.

Andy Thomson
Hi,

I have read a few threads on this topic, but still seem to be missing something.  I'm trying to get users in my Active Directory to log in to Baruwa.  I have configured a domain "qirx.com.au", which is one of our externally facing domains.  The AD I want to use for authentication is called "qirx.local".

I've configured one of our DCs as an authentication server, protocol LDAP, port 389, and ticked "split address", as I only want to pass the username component through, obviously, and left the Username Map Template blank.

In the LDAP configuration, I've started off just trying to authenticate some users in the default "Users" container, so I have the following:

BaseDN: CN=Users,DC=qirx,DC=local

Username Attribute: sAMAccountName
Email Attribute: mail
Bind DN: CN=<LDAP Bind User>,CN=Users,DC=qirx,DC=local  (this is a user account/password that we are successfully using for LDAP binds elsewhere)
BindPW: <the password for the above>

Use TLS: No
Search for UserDN: Yes
Auth Search Filter: Have tried leaving this empty, "sAMAccountName=%u", and various other things.
Auth Search Scope: Subtree

I have successfully bound to the AD.
When I attempt to log in, I get "The username or password you entered is incorrect", and the output to what-who.log is included below.  To me, the "no identities found, not authenticating" message suggests that the FriendlyFormPlugin is not processing the information correctly, although logging in with the locally defined administrator account works fine.


2014-10-28 10:16:49,096 -- repoze.who request started (/login) --
2014-10-28 10:16:49,098 request classification: browser
2014-10-28 10:16:49,099 identifier plugins registered [<FriendlyFormPlugin 140151888479312>, <AuthTktCookiePlugin 140151886005904>]
2014-10-28 10:16:49,099 identifier plugins matched for classification "browser": [<FriendlyFormPlugin 140151888479312>, <AuthTktCookiePlugin 140151886005904>]
2014-10-28 10:16:49,104 authenticator plugins registered [<repoze.who.plugins.sa.SQLAlchemyAuthenticatorPlugin object at 0x7f77a7870610>, <BaruwaLDAPAuthPlugin 140151888480976>, <baruwa.lib.auth.pop3auth.BaruwaPOPAuthPlugin object at 0x7f77a7639e90>, <baruwa.lib.auth.imapauth.BaruwaIMAPAuthPlugin object at 0x7f77a75efcd0>, <baruwa.lib.auth.smtpauth.BaruwaSMTPAuthPlugin object at 0x7f77a7639d90>, <baruwa.lib.auth.radiusauth.BaruwaRadiusAuthPlugin object at 0x7f77a787c750>]
2014-10-28 10:16:49,104 authenticator plugins matched for classification "browser": [<repoze.who.plugins.sa.SQLAlchemyAuthenticatorPlugin object at 0x7f77a7870610>, <BaruwaLDAPAuthPlugin 140151888480976>, <baruwa.lib.auth.pop3auth.BaruwaPOPAuthPlugin object at 0x7f77a7639e90>, <baruwa.lib.auth.imapauth.BaruwaIMAPAuthPlugin object at 0x7f77a75efcd0>, <baruwa.lib.auth.smtpauth.BaruwaSMTPAuthPlugin object at 0x7f77a7639d90>, <baruwa.lib.auth.radiusauth.BaruwaRadiusAuthPlugin object at 0x7f77a787c750>]
2014-10-28 10:16:49,194 static downstream application replaced with The resource was found at
2014-10-28 10:16:49,196 no challenge required
2014-10-28 10:16:49,196 -- repoze.who request ended (/login) --
2014-10-28 10:16:49,229 -- repoze.who request started (/accounts/loggedin) --
2014-10-28 10:16:49,229 request classification: browser
2014-10-28 10:16:49,229 identifier plugins registered [<FriendlyFormPlugin 140151888479312>, <AuthTktCookiePlugin 140151886005904>]
2014-10-28 10:16:49,229 identifier plugins matched for classification "browser": [<FriendlyFormPlugin 140151888479312>, <AuthTktCookiePlugin 140151886005904>]
2014-10-28 10:16:49,230 no identities found, not authenticating
2014-10-28 10:16:49,250 no challenge required
2014-10-28 10:16:49,250 -- repoze.who request ended (/accounts/loggedin) --
2014-10-28 10:16:49,284 -- repoze.who request started (/accounts/login) --
2014-10-28 10:16:49,284 request classification: browser
2014-10-28 10:16:49,284 identifier plugins registered [<FriendlyFormPlugin 140151888479312>, <AuthTktCookiePlugin 140151886005904>]
2014-10-28 10:16:49,284 identifier plugins matched for classification "browser": [<FriendlyFormPlugin 140151888479312>, <AuthTktCookiePlugin 140151886005904>]
2014-10-28 10:16:49,285 no identities found, not authenticating
2014-10-28 10:16:49,318 no challenge required
2014-10-28 10:16:49,318 -- repoze.who request ended (/accounts/login) --
2014-10-28 10:16:49,383 -- repoze.who request started (/jsi18n.js) --
2014-10-28 10:16:49,386 request classification: browser
2014-10-28 10:16:49,386 identifier plugins registered [<FriendlyFormPlugin 140151888479312>, <AuthTktCookiePlugin 140151886005904>]
2014-10-28 10:16:49,387 identifier plugins matched for classification "browser": [<FriendlyFormPlugin 140151888479312>, <AuthTktCookiePlugin 140151886005904>]
2014-10-28 10:16:49,388 no identities found, not authenticating
2014-10-28 10:16:49,407 no challenge required
2014-10-28 10:16:49,407 -- repoze.who request ended (/jsi18n.js) --


Any help or suggestions would be greatly appreciated.


Thanks

Andy.


_______________________________________________
http://pledgie.com/campaigns/12056

Re: LDAP/AD authentication again.

jeremymcs
I’m not sure if the community edition will allow you to bind. I’ll let Andrew reply. (But I don’t think it does.)

--
Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Oct 27, 2014, at 6:35 PM, Andy Thomson <[hidden email]> wrote:

Re: LDAP/AD authentication again.

Andrew Colin Kissa
Administrator
Hi Andy,

On 28 Oct 2014, at 1:35 AM, Andy Thomson <[hidden email]> wrote:

> I have successfully bound to the AD
> When I attempt to log in, I get "The username or password you entered is incorrect", and the output to what-who.log is included below.  To me, the "no identities found, not authenticating" message suggests that the FriendlyFormPlugin is not processing the information correctly, although logging in with the locally defined administrator account works fine.

From what I read, you have multiple domain controllers, which means your setup uses referrals; the community edition will not be able to bind to a directory that uses referrals.

This is not due to an issue in Baruwa but in python-repoze-plugin-ldap. There are other options you can use with AD, for example Radius, IMAP, SMTP and POP3.


--
Baruwa - www.baruwa.org
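The two things this thread turns on are the search-then-bind flow behind Andy's "Search for UserDN: Yes" / "sAMAccountName=%u" settings and Andrew's point that a client which chases AD referrals fails. The following is an added example, not code from Baruwa or from python-repoze-plugin-ldap, that walks through that flow offline: it applies the "split address" rule to the login, expands the `%u` placeholder with RFC 4515 escaping so the submitted username cannot rewrite the filter, binds with the service account, searches for the user's DN, discards un-chased referral entries (which python-ldap reports as `(None, [urls])` tuples), and finally binds as the user. The `directory` interface, the `FakeDirectory` stand-in, the `svc-ldap` account name and all passwords are assumptions or constructed sample data; the DNs reuse the names from Andy's post.

```python
import re

# RFC 4515 escaping for values substituted into a search filter.  Without it a
# login such as  *)(sAMAccountName=*  would change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_address(login):
    """Baruwa's "split address" option: keep only the local part of user@domain."""
    return login.split("@", 1)[0]


def build_search_filter(template, login, use_split_address=True):
    """Expand %u in a template such as the page's 'sAMAccountName=%u'."""
    user = split_address(login) if use_split_address else login
    body = template.replace("%u", escape_filter_value(user))
    return body if body.startswith("(") else "(%s)" % body


def authenticate(directory, base_dn, bind_dn, bind_pw, filter_template, login, password):
    """Search-then-bind.  `directory` is an assumed interface offering
    bind(dn, password) -> bool and search(base_dn, filter) -> [(dn, attrs)],
    where un-chased referrals appear as (None, [urls]) entries, the way
    python-ldap's search_s reports them when OPT_REFERRALS is 0.
    Returns {'dn', 'email'} on success, None on any failure."""
    # An empty password must never reach the server: an LDAP simple bind with
    # an empty password is an anonymous bind and "succeeds" on AD.
    if not password:
        return None
    if not directory.bind(bind_dn, bind_pw):
        return None  # service account cannot bind; nothing else can work
    search_filter = build_search_filter(filter_template, login)
    hits = [(dn, attrs) for dn, attrs in directory.search(base_dn, search_filter)
            if dn is not None]  # skip referral entries
    if len(hits) != 1:
        return None  # unknown user, or an ambiguous match we refuse to guess at
    user_dn, attrs = hits[0]
    if not directory.bind(user_dn, password):
        return None
    return {"dn": user_dn, "email": attrs.get("mail", [None])[0]}


class FakeDirectory:
    """Constructed stand-in for the DC: two entries under CN=Users plus the
    referral entries AD mixes into subtree search results."""

    def __init__(self):
        # Sample data; passwords and the service account name are made up.
        self.entries = {
            "CN=Andy Thomson,CN=Users,DC=qirx,DC=local": {
                "sAMAccountName": ["andy"], "mail": ["andy@qirx.com.au"], "_pw": "hunter2"},
            "CN=svc-ldap,CN=Users,DC=qirx,DC=local": {
                "sAMAccountName": ["svc-ldap"], "_pw": "bindsecret"},
        }

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry["_pw"] == password

    def search(self, base_dn, search_filter):
        # Toy matcher: a single (attr=value) equality, no wildcards or AND/OR.
        m = re.fullmatch(r"\((\w+)=([^()]*)\)", search_filter)
        if not m:
            return []
        attr, value = m.groups()
        hits = [(dn, e) for dn, e in self.entries.items()
                if dn.endswith(base_dn) and value in e.get(attr, [])]
        # AD appends referrals for its other naming contexts; a client that
        # chases them with an anonymous bind fails, so authenticate() skips them.
        hits.append((None, ["ldap://ForestDnsZones.qirx.local/DC=ForestDnsZones,DC=qirx,DC=local"]))
        return hits


if __name__ == "__main__":
    d = FakeDirectory()
    print(authenticate(d, "CN=Users,DC=qirx,DC=local",
                       "CN=svc-ldap,CN=Users,DC=qirx,DC=local", "bindsecret",
                       "sAMAccountName=%u", "andy@qirx.com.au", "hunter2"))
```

With a real python-ldap connection the referral handling corresponds to `ldap.set_option(ldap.OPT_REFERRALS, 0)` before the search; the empty-password check and the "exactly one hit" rule are the two checks most often missing from hand-rolled search-then-bind code, and both turn a would-be login into a plain rejection.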

Re: LDAP/AD authentication again.

Andy Thomson
Hi Andrew,

Thanks for the quick response.  The directory I am currently attempting to authenticate to only has one DC, and I do not believe there are any referrals (after reading the thread from Raymond earlier), so I don't think that is the issue.  That said, if LDAP binding cannot work with multiple DCs, I can see this causing problems for us in the future, so I will look at using one of the other options you suggested.

Thanks again.
Andy.


--
Andy Thomson
Snr Tech Consultant
Qirx
0431 121 868

----- Original Message -----
From: "Andrew Colin Kissa" <[hidden email]>
To: "Baruwa users list" <[hidden email]>
Sent: Tuesday, 28 October, 2014 5:22:53 PM
Subject: Re: [Baruwa] LDAP/AD authentication again.