Issue #113: Authenticating with LDAP in an ActiveDirectory Tree with multiple Domains (conservancy/kallithea)

Ben La Monica issues-reply at bitbucket.org
Wed Mar 18 22:47:43 EDT 2015


New issue 113: Authenticating with LDAP in an ActiveDirectory Tree with multiple Domains
https://bitbucket.org/conservancy/kallithea/issue/113/authenticating-with-ldap-in-an

Ben La Monica:

When using the ldap_auth module to authenticate users that reside in different domains, but are within the same tree, there is currently not a way to authenticate if the users are contained within different BaseDNs.

Example:
```
| -> Root of Tree - Host='example.com' BaseDN='DC=example,DC=com'
\-----> Domain1 - Host='domain1.example.com' BaseDN='DC=domain1,DC=example,DC=com'
\-----> Domain2 - Host='domain2.example.com' BaseDN='DC=domain2,DC=example,DC=com'
```
Authentication works for a user of domain1 if you specify the host of 'domain1.example.com' and a baseDN of DC=domain1,DC=example,DC=com. However, if a user in domain2 tries to authenticate, it fails. If you instead specify the host of 'example.com' with a BaseDN of 'DC=example,DC=com', none of the users will authenticate because the tree doesn't actually return the DN record for the user, but instead returns references to the domains contained within the tree that need to be queried.

In the code:
```python
lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE, filter_)

''' lobjects is:
[(None, ['ldap://domain1.example.com/DC=domain1,DC=example,DC=com']),
 (None, ['ldap://domain2.example.com/DC=domain2,DC=example,DC=com'])]

instead of:
[('CN=user1,OU=Accounts,DC=domain1,DC=example,DC=com', {'sAMAccountName': ['user1'], ...})]
'''
```

A possible solution to this would be to have a checkbox when configuring an LDAP domain to recursively query the trees when root returns only sub-domains. Alternatively, we could just detect this situation and perform the lookups.
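The second option the report suggests (detect the referral-only result and perform the lookups) can be shown in isolation. The following is an added example, not code from Kallithea or from the reporter: it separates real entries from the `(None, [ldap_url, ...])` continuation references that python-ldap's `search_ext_s()` returns, re-runs the search against each referred host and base DN, and refuses referrals to hosts outside the configured forest. The directory below, including the hosts, DNs and user names, is constructed sample data, and `fake_search` stands in for a real `server.search_ext_s()` so the code runs offline.

```python
import re
from urllib.parse import urlparse, unquote


def split_results(results):
    """Separate entries from referrals in a python-ldap style result list.
    A continuation reference arrives as (None, [ldap_url, ...]) rather than
    as a (dn, attrs) pair."""
    entries, referrals = [], []
    for dn, attrs in results:
        if dn is None:
            referrals.extend(attrs)
        else:
            entries.append((dn, attrs))
    return entries, referrals


def parse_ldap_url(url):
    """Return (host, base_dn) from a referral URL such as
    ldap://domain1.example.com/DC=domain1,DC=example,DC=com"""
    parsed = urlparse(url)
    if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    return parsed.hostname, unquote(parsed.path.lstrip("/"))


def escape_filter_chars(value):
    """Minimal RFC 4515 escaping so a user name cannot alter the filter
    (python-ldap ships the same thing as ldap.filter.escape_filter_chars)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def search_following_referrals(search, host, base_dn, filter_, forest_dns, max_targets=8):
    """Run search(host, base_dn, filter_) and, whenever the result set carries
    referrals, re-run the search on each referred (host, base_dn).
    Only hosts inside forest_dns are followed: a referral names an arbitrary
    server, and following it blindly would send the bind credentials there."""
    pending = [(host, base_dn)]
    seen = set()
    entries = []
    while pending:
        target = pending.pop(0)
        if target in seen:
            continue  # referral loop
        if not (target[0] == forest_dns or target[0].endswith("." + forest_dns)):
            continue  # referral points outside the trusted forest
        seen.add(target)
        if len(seen) > max_targets:
            raise RuntimeError("too many referral targets while searching")
        found, referrals = split_results(search(target[0], target[1], filter_))
        entries.extend(found)
        pending.extend(parse_ldap_url(url) for url in referrals)
    return entries


# Constructed sample directory: the root of the tree knows only the referrals,
# the child domains hold the user entries. Keyed by (host, base_dn).
FAKE_DIRECTORY = {
    ("example.com", "DC=example,DC=com"): [
        (None, ["ldap://domain1.example.com/DC=domain1,DC=example,DC=com"]),
        (None, ["ldap://domain2.example.com/DC=domain2,DC=example,DC=com"]),
    ],
    ("domain1.example.com", "DC=domain1,DC=example,DC=com"): [
        ("CN=user1,OU=Accounts,DC=domain1,DC=example,DC=com", {"sAMAccountName": ["user1"]}),
    ],
    ("domain2.example.com", "DC=domain2,DC=example,DC=com"): [
        ("CN=user2,OU=Accounts,DC=domain2,DC=example,DC=com", {"sAMAccountName": ["user2"]}),
    ],
}


def fake_search(host, base_dn, filter_):
    """Stand-in for server.search_ext_s(): returns the referrals under the base
    plus the entries whose sAMAccountName matches the filter."""
    name = re.search(r"sAMAccountName=([^)]+)", filter_).group(1)
    out = []
    for dn, attrs in FAKE_DIRECTORY.get((host, base_dn), []):
        if dn is None or name in attrs.get("sAMAccountName", []):
            out.append((dn, attrs))
    return out


def find_user_dn(username, search=fake_search, forest_dns="example.com",
                 base_dn="DC=example,DC=com"):
    """Resolve a user name to its DN anywhere in the forest; None if the user
    is unknown or the name is ambiguous (same sAMAccountName in two domains)."""
    filter_ = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_chars(username)
    entries = search_following_referrals(search, forest_dns, base_dn, filter_, forest_dns)
    if len(entries) != 1:
        return None
    return entries[0][0]
```

With a real connection, `search` would be a small wrapper around `server.search_ext_s(base_dn, scope, filter_)` that opens a connection to the referred host (with `ldap.OPT_REFERRALS` disabled so the library does not chase referrals on its own). The ambiguity check in `find_user_dn` matters in a multi-domain tree, where the same `sAMAccountName` can legitimately exist in two domains and a bind against the wrong DN must not be attempted.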
