New issue 221: Connection issue with ldap https://bitbucket.org/conservancy/kallithea/issues/221/connection-issue-with-ldap
Alexandre Tarantini: When trying to connect to Microsoft ADAM 2008, Kallithea rejects the connection. We don't have this issue on Microsoft LDAP 2008.

**Logs**:

```
2016-05-30 16:06:20.007 DEBUG [kallithea.lib.auth_modules.auth_ldap] Checking for ldap authentication
2016-05-30 16:06:20.008 DEBUG [kallithea.lib.auth_modules.auth_ldap] Trying simple_bind with password and given DN: CN=***,OU=***,O=***
2016-05-30 16:06:20.403 DEBUG [kallithea.lib.auth_modules.auth_ldap] Authenticating 'OU=***,O=***' filter (&(name=***)) at ldap://***:***
2016-05-30 16:06:20.512 DEBUG [kallithea.lib.auth_modules.auth_ldap] Trying simple bind with CN=***,OU=***,O=***
2016-05-30 16:06:20.835 DEBUG [kallithea.lib.auth_modules.auth_ldap] LDAP says no such user '***' (***)
2016-05-30 16:06:20.836 ERROR [kallithea.lib.auth_modules.auth_ldap] Traceback (most recent call last):
  File "/python/lib/python2.7/site-packages/kallithea/lib/auth_modules/auth_ldap.py", line 332, in auth
    log.debug('Got ldap DN response %s', user_dn)
  File "/python/lib/python2.7/site-packages/kallithea/lib/auth_modules/auth_ldap.py", line 168, in authenticate_ldap
    except ldap.SERVER_DOWN:
LdapUsernameError
```

According to the source code, the password check for the user and the BIND account is done, but `server.search_ext_s()` raises an exception with the user account on the ADAM:

**lib/auth_modules/auth_ldap.py**

```
#!python
144             for (dn, _attrs) in lobjects:
145                 if dn is None:
146                     continue
147
148                 try:
149                     log.debug('Trying simple bind with %s', dn)
150                     server.simple_bind_s(dn, safe_str(password))
151                     attrs = server.search_ext_s(dn, ldap.SCOPE_BASE,
152                                                 '(objectClass=*)')[0][1]
153                     break
154
155                 except ldap.INVALID_CREDENTIALS:
156                     log.debug("LDAP rejected password for user '%s' (%s): %s",
157                               uid, username, dn)
158
159             else:
160                 log.debug("No matching LDAP objects for authentication "
161                           "of '%s' (%s)", uid, username)
162                 raise LdapPasswordError()
163
164         except ldap.NO_SUCH_OBJECT:
165             log.debug("LDAP says no such user '%s' (%s)", uid, username)
166             raise LdapUsernameError()
167         except ldap.SERVER_DOWN:
168             raise LdapConnectionError("LDAP can't access authentication server")
```

If the ADAM user account doesn't have the permission to browse the ADAM, the authentication doesn't work. The current code doesn't take care of this permission possibility.

Workaround:

```
#!bash
--- auth_ldap.py.orig	2016-05-31 09:21:54.409693248 +0200
+++ auth_ldap.py	2016-05-31 09:20:04.728703007 +0200
@@ -148,8 +148,7 @@
                 try:
                     log.debug('Trying simple bind with %s', dn)
                     server.simple_bind_s(dn, safe_str(password))
-                    attrs = server.search_ext_s(dn, ldap.SCOPE_BASE,
-                                                '(objectClass=*)')[0][1]
+                    attrs = _attrs
                     break
 
                 except ldap.INVALID_CREDENTIALS:
```

Patch tested and working for us on Microsoft ADAM 2008 and Microsoft LDAP 2008.

_______________________________________________
kallithea-general mailing list
[email protected]
http://lists.sfconservancy.org/mailman/listinfo/kallithea-general
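Review bot: the replacement `attrs = _attrs` changes where the user's attributes are read from, and the hunk should say so in a comment: they now come from the earlier `search_ext_s` run under the bind account's permissions instead of from a base-scope read performed after the user's own bind, so the user's read rights on its own entry no longer matter. That is the point of the workaround, but it is not obvious from the one-line change. The loop header `for (dn, _attrs) in lobjects:` (line 144, just above the hunk) should also be updated: the leading underscore marks the variable as unused, and the hunk now relies on it, so rename it to something like `found_attrs` in both places. If keeping the post-bind read on servers that allow it is preferred, a narrower change is to leave the `search_ext_s` call in place, catch `ldap.NO_SUCH_OBJECT` around it (the error the log shows on ADAM), and fall back to the search-result attributes only in that case.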

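The bind-then-search loop discussed in the post, written out as an added example that is not Kallithea's own code, so the two behaviours can be compared side by side: the original path (re-read the user's entry after the user's bind) and the workaround path (keep the attributes the service-account search already returned). It runs against a constructed in-memory stand-in for the directory whose `self_readable` switch models the ADAM behaviour from the log, where a user bound as itself cannot read its own entry. The exception classes are stand-ins for python-ldap's `ldap.INVALID_CREDENTIALS` and `ldap.NO_SUCH_OBJECT`; the DNs, entries and passwords are constructed sample data, and `FakeDirectory`, `authenticate_ldap` and `run_scenarios` are names chosen for this example.

```python
"""Added example, not Kallithea's own code: the bind-then-search loop quoted in
the post, with the fallback the workaround patch proposes, run against a
constructed in-memory stand-in for the directory.  Exception classes stand in
for ldap.INVALID_CREDENTIALS / ldap.NO_SUCH_OBJECT; entries, DNs and passwords
are constructed sample data."""

SCOPE_BASE, SCOPE_SUBTREE = "base", "subtree"


class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS."""


class NoSuchObject(Exception):
    """Stand-in for ldap.NO_SUCH_OBJECT."""


class LdapUsernameError(Exception):
    pass


class LdapPasswordError(Exception):
    pass


class FakeDirectory:
    """Constructed stand-in for a python-ldap connection.

    self_readable=False models the ADAM behaviour from the post: a connection
    bound as an ordinary user cannot read its own entry, so a base-scope search
    on its own DN fails with "no such object" instead of returning attributes.
    The service account (role == "service") can read everything."""

    def __init__(self, entries, self_readable):
        self.entries = entries
        self.self_readable = self_readable
        self.bound_as = None

    def simple_bind_s(self, dn, password):
        entry = self.entries.get(dn)
        if entry is None or entry["password"] != password:
            raise InvalidCredentials(dn)
        self.bound_as = dn

    def _can_read(self, dn):
        if self.bound_as is None:
            return False
        if self.entries[self.bound_as].get("role") == "service":
            return True
        return self.self_readable and dn == self.bound_as

    def search_ext_s(self, base, scope, match=None):
        """Return [(dn, attrs)] like python-ldap; match is an (attr, value)
        pair, None standing in for the filter (objectClass=*)."""
        if not self._can_read(base):
            raise NoSuchObject(base)
        hits = []
        for dn, entry in self.entries.items():
            in_scope = dn == base if scope == SCOPE_BASE else dn.endswith(base)
            if not in_scope or (match and entry.get(match[0]) != match[1]):
                continue
            hits.append((dn, {k: v for k, v in entry.items() if k != "password"}))
        return hits


def authenticate_ldap(server, bind_dn, bind_pw, base_dn, username, password,
                      reuse_search_attrs):
    """Bind as the service account, locate the user, re-bind as the user to
    check the password.  reuse_search_attrs=False is the original behaviour
    (read the entry again after the user bind); True is the workaround
    (keep the attributes the service-account search already returned)."""
    try:
        server.simple_bind_s(bind_dn, bind_pw)
        lobjects = server.search_ext_s(base_dn, SCOPE_SUBTREE, ("name", username))
        for dn, found_attrs in lobjects:
            if dn is None:            # python-ldap returns referrals as (None, ...)
                continue
            try:
                server.simple_bind_s(dn, password)
                if reuse_search_attrs:
                    attrs = found_attrs   # only reached after the user's bind succeeded
                else:
                    attrs = server.search_ext_s(dn, SCOPE_BASE)[0][1]
                return dn, attrs
            except InvalidCredentials:
                continue              # try the next matching DN, if any
        raise LdapPasswordError()     # the for/else branch of the original
    except NoSuchObject:
        raise LdapUsernameError()     # what the post's log shows on ADAM


SVC_DN = "CN=svc-kallithea,OU=Service,O=example"   # constructed
BASE_DN = "OU=People,O=example"                     # constructed
ENTRIES = {                                         # constructed sample directory
    SVC_DN: {"password": "svc-secret", "role": "service", "name": "svc-kallithea"},
    "CN=alice,OU=People,O=example": {"password": "alice-pw", "name": "alice",
                                     "mail": "alice@example.test"},
}


def run_scenarios():
    """Outcome of each (server behaviour, code path) combination."""
    def attempt(server, reuse, password="alice-pw"):
        try:
            return authenticate_ldap(server, SVC_DN, "svc-secret", BASE_DN,
                                     "alice", password, reuse)[1]["mail"]
        except (LdapUsernameError, LdapPasswordError) as exc:
            return type(exc).__name__

    return {
        "ad_original": attempt(FakeDirectory(ENTRIES, self_readable=True), False),
        "adam_original": attempt(FakeDirectory(ENTRIES, self_readable=False), False),
        "adam_workaround": attempt(FakeDirectory(ENTRIES, self_readable=False), True),
        "adam_workaround_bad_pw": attempt(FakeDirectory(ENTRIES, False), True, "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

Running it reproduces the post's observation: against the AD-like directory both code paths return the user's attributes, while against the ADAM-like directory the original path raises `LdapUsernameError` for a correct password and the workaround path succeeds. The last scenario is the check worth keeping in mind when reviewing the patch: reusing the search-result attributes does not weaken the password check, because `found_attrs` is only used after `simple_bind_s` with the user's own DN has succeeded, and a wrong password still ends in `LdapPasswordError`.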