Peter Herndon wrote: > On Feb 22, 2010, at 3:13 PM, andreas schmid wrote: > > >> Peter Herndon wrote: >> >>> On Mon, Feb 22, 2010 at 9:40 AM, andreas schmid <a.schmi...@gmail.com> >>> wrote: >>> >>> >>> >>>> im experiencing strange problems now. the user is able to authenticate >>>> against ldap only if in the active directory the displayName == username >>>> why this? i dont get any error or traceback, the user only isnt able to >>>> get logged in >>>> >>>> >>>> >>> If users were able to authenticate, and are now not able to >>> authenticate, what changed? >>> >> i was thinkin the authentication over ldap group was working because i >> testet it only whith a testuser which had sAMAccountName == displayName >> but now im figuring that if thats not equal it desnt work as expected. >> the app is still in development and i didnt work on it for a few days. >> > > Hmm. When I get to work tomorrow, I'll take a look and see if the > displayName is the same as the sAMAccountName in our AD. If they are > consistently the same, that might be a sign that some part of this operation > is looking at the displayName. > > It occurs to me, Andreas, I'd be very interested to know if someone who has a > displayName *different* from the sAMAccountName can log in initially, but not > a second time; or, can that person not log in at all? Is it consistent? If > you change someone's displayName, do they instantly stop being able to log in? > > > i got a few steps forward in the understanding of the problem. if i try to bind with simple_bind_s or bind_s with a user which has sAMAccountName != displayName im getting a Invalid Credentials back and of course the user is not authenticated. if i change the bind in the authentication backend to simple_bind i get the object back but the user is not created or authenticated but the output is the same as with a "sAMAccountName == displayName"-User binded with a simple_bind_s or bind_s. > >> i started to log a bit today and will go on tomorrow and post what i >> will get or the solution if i will find it. >> > > Do let me know. I'm wondering if the problem is with the bind setting on line > 81 of backends.py. Where I work, our AD is configured to accept > "hernd...@example" for the bind, where the "@example" is your NT4_DOMAIN > setting. If your AD is not configured to accept that kind of identifier, > that might cause an issue. We may need to mix things up a bit, and try a > search-for-user-and-then-bind approach similar to the one in the eDirectory > backend starting at line 157. It also occurs to me that the "n...@domain" > pattern might be looking at displayName -- I'm no expert on Active Directory. > To that end, you may want to insert a logging statement of the exception > that's caught at line 134, between 134 and 135. > > i changed this part not to use the NT4_DOMAIN like i wrote above. > ---Peter > >
-- You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-us...@googlegroups.com. To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
