Issue #221: Connection issue with ldap (conservancy/kallithea)
Alexandre Tarantini
issues-reply at bitbucket.org
Tue May 31 09:05:48 UTC 2016
New issue 221: Connection issue with ldap
https://bitbucket.org/conservancy/kallithea/issues/221/connection-issue-with-ldap
Alexandre Tarantini:
When trying to connect to Microsoft ADAM 2008, Kallithea rejects the connection. We don't have this issue on Microsoft LDAP 2008.
**Logs**:
```
2016-05-30 16:06:20.007 DEBUG [kallithea.lib.auth_modules.auth_ldap] Checking for ldap authentication
2016-05-30 16:06:20.008 DEBUG [kallithea.lib.auth_modules.auth_ldap] Trying simple_bind with password and given DN: CN=***,OU=***,O=***
2016-05-30 16:06:20.403 DEBUG [kallithea.lib.auth_modules.auth_ldap] Authenticating 'OU=***,O=***' filter (&(name=***)) at ldap://***:***
2016-05-30 16:06:20.512 DEBUG [kallithea.lib.auth_modules.auth_ldap] Trying simple bind with CN=***,OU=***,O=***
2016-05-30 16:06:20.835 DEBUG [kallithea.lib.auth_modules.auth_ldap] LDAP says no such user '***' (***)
2016-05-30 16:06:20.836 ERROR [kallithea.lib.auth_modules.auth_ldap] Traceback (most recent call last):
  File "/python/lib/python2.7/site-packages/kallithea/lib/auth_modules/auth_ldap.py", line 332, in auth
    log.debug('Got ldap DN response %s', user_dn)
  File "/python/lib/python2.7/site-packages/kallithea/lib/auth_modules/auth_ldap.py", line 168, in authenticate_ldap
    except ldap.SERVER_DOWN:
LdapUsernameError
```
According to the source code, the password check for the user and the BIND account is done, but `server.search_ext_s()` raises an exception with the user account on the ADAM:
**lib/auth_modules/auth_ldap.py**
```python
144         for (dn, _attrs) in lobjects:
145             if dn is None:
146                 continue
147
148             try:
149                 log.debug('Trying simple bind with %s', dn)
150                 server.simple_bind_s(dn, safe_str(password))
151                 attrs = server.search_ext_s(dn, ldap.SCOPE_BASE,
152                                             '(objectClass=*)')[0][1]
153                 break
154
155             except ldap.INVALID_CREDENTIALS:
156                 log.debug("LDAP rejected password for user '%s' (%s): %s",
157                           uid, username, dn)
158
159         else:
160             log.debug("No matching LDAP objects for authentication "
161                       "of '%s' (%s)", uid, username)
162             raise LdapPasswordError()
163
164     except ldap.NO_SUCH_OBJECT:
165         log.debug("LDAP says no such user '%s' (%s)", uid, username)
166         raise LdapUsernameError()
167     except ldap.SERVER_DOWN:
168         raise LdapConnectionError("LDAP can't access authentication server")
```
If the ADAM user account doesn't have permission to browse the ADAM, the authentication doesn't work.
The current code doesn't take this permission case into account.
Workaround:
```diff
--- auth_ldap.py.orig 2016-05-31 09:21:54.409693248 +0200
+++ auth_ldap.py 2016-05-31 09:20:04.728703007 +0200
@@ -148,8 +148,7 @@
try:
log.debug('Trying simple bind with %s', dn)
server.simple_bind_s(dn, safe_str(password))
- attrs = server.search_ext_s(dn, ldap.SCOPE_BASE,
- '(objectClass=*)')[0][1]
+ attrs = _attrs
break
except ldap.INVALID_CREDENTIALS:
```
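Review bot: `attrs = _attrs` changes where the returned attributes come from: they are now the bind account's view from the earlier search rather than a read made as the authenticated user, so any attribute the bind account cannot read is no longer available, and the per-user `search_ext_s` read is dropped for every server, not only ADAM. Consider keeping the per-user read and falling back to `_attrs` only when it raises `ldap.NO_SUCH_OBJECT` (the error visible in the log above) or `ldap.INSUFFICIENT_ACCESS`, and state the ADAM permission case in the commit message, since the diff alone does not explain why the read was removed.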
Patch tested and working for us on the Microsoft ADAM 2008 and Microsoft LDAP 2008.
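As an added example (not part of the report and not Kallithea's code), here is the per-user bind loop hardened the other way round: the user's own read of its entry is kept, and the attributes from the bind-account search are used only when the directory hides the entry. The `ldap` stand-in, `FakeDirectory`, `bind_user` and the sample entries are all assumptions constructed so the example runs offline without a directory server.

```python
# Added example (not Kallithea's code): per-user bind loop hardened for directories that hide the user's own entry (ADAM).
try:
    import ldap
except ImportError:  # assumption: python-ldap absent; stand-ins for the names used below
    class ldap:
        SCOPE_BASE = 0
        class LDAPError(Exception): pass
        class INVALID_CREDENTIALS(LDAPError): pass
        class NO_SUCH_OBJECT(LDAPError): pass
        class INSUFFICIENT_ACCESS(LDAPError): pass

class LdapPasswordError(Exception): pass

def bind_user(server, lobjects, password):
    """Try each (dn, attrs) from the bind-account search; return (dn, attrs) on success."""
    for dn, fallback_attrs in lobjects:
        if dn is None:  # referral entries come back with a None DN
            continue
        try:
            server.simple_bind_s(dn, password)
        except ldap.INVALID_CREDENTIALS:
            continue  # wrong password for this candidate, try the next one
        try:
            # Re-read the entry as the user; AD permits this by default.
            attrs = server.search_ext_s(dn, ldap.SCOPE_BASE, '(objectClass=*)')[0][1]
        except (ldap.NO_SUCH_OBJECT, ldap.INSUFFICIENT_ACCESS):
            # The bind succeeded, so the entry exists; the directory is hiding it
            # (ADAM answers noSuchObject). Fall back to the bind account's view.
            attrs = fallback_attrs
        return dn, attrs
    raise LdapPasswordError()  # no candidate DN accepted the password

class FakeDirectory:
    """Constructed stand-in: self_read=False means a user cannot read its own entry (ADAM-like)."""
    def __init__(self, entries, self_read):
        self.entries, self.self_read, self.bound = entries, self_read, None
    def simple_bind_s(self, dn, password):
        if self.entries.get(dn, {}).get('pw') != password:
            raise ldap.INVALID_CREDENTIALS()
        self.bound = dn
    def search_ext_s(self, base, scope, filterstr):
        if base == self.bound and not self.self_read:
            raise ldap.NO_SUCH_OBJECT()
        return [(base, self.entries[base]['attrs'])]

# Constructed sample data: a referral entry plus one user, as the bind-account search returns them.
USER_DN = 'CN=alice,OU=users,O=example'
ENTRIES = {USER_DN: {'pw': 's3cret', 'attrs': {'mail': ['alice@example.test']}}}
LOBJECTS = [(None, ['ldap://example.test/']), (USER_DN, ENTRIES[USER_DN]['attrs'])]
```

With `self_read=False` the user's own read raises `NO_SUCH_OBJECT` exactly as in the log above, yet `bind_user` still returns the DN and attributes; a wrong password still ends in `LdapPasswordError`.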