ReV

How to limit Django Auth system to specific LDAP group with django_auth_ldap

I am using OpenLDAP and I would like to connect it to Django using django_auth_ldap. Whatever option I try, it never works properly and I can't find the correct solution.

Here are the versions of the various software packages used:

My LDAP directory has a user called noc.noc that I am using for the test.

I updated my settings.py file with the following lines:

import ldap, logging
from django_auth_ldap.config import LDAPSearch, PosixGroupType

.
.
.

logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG) 

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

AUTH_LDAP_SERVER_URI = "ldap://ldap.XXX.XX"
AUTH_LDAP_BIND_DN = "cn=<LDAPUSER>,dc=XXX,dc=XX"
AUTH_LDAP_BIND_PASSWORD = "<LDAPPASSWORD>"

AUTH_LDAP_USER_SEARCH = LDAPSearch("dc=XXX,dc=XX",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr='cn')
AUTH_LDAP_REQUIRE_GROUP = "cn=<USERGROUP>,ou=Groups,dc=XXX,dc=XX"

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=Groups,dc=XXX,dc=XX",
    ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)"
)

AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
}

And I get the following log messages when I try to connect with the noc.noc user on my Django interface:

search_s('dc=XXX,dc=XX', 2, '(uid=%(user)s)') returned 1 objects: 
cn=noc.noc,ou=users,dc=XXX,dc=XX
cn=noc.noc,ou=users,dc=XXX,dc=XX is not a member of cn=<USERGROUP>,ou=groups,dc=XXX,dc=XX
Authentication failed for noc.noc

If I remove the line:

AUTH_LDAP_REQUIRE_GROUP = "cn=<USERGROUP>,ou=Groups,dc=XXX,dc=XX"

The connection to the interface works, but it also works with any user in the LDAP database, which is not what I am looking for.

I also checked that the user is indeed in the LDAP database and in the correct group with the following command:

ldapsearch -h 'ldap.XXX.XX' -D 'cn=<LDAPUSER>,dc=XXX,dc=XX' -w '<LDAPPASSWORD>' -b 'cn=<USERGROUP>,ou=Groups,dc=XXX,dc=XX'

And the result is:

# extended LDIF
#
# LDAPv3
# base <cn=<USERGROUP>,ou=Groups,dc=XXX,dc=XX> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# <USERGROUP>, Groups, XXX.XX
dn: cn=<USERGROUP>,ou=Groups,dc=XXX,dc=XX
cn: <USERGROUP>
gidNumber: 501
memberUid: cn=user1,ou=Users,dc=XXX,dc=XX
memberUid: cn=noc.noc,ou=Users,dc=XXX,dc=XX
objectClass: posixGroup

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I tried other parameters in settings.py and looked for similar problems on the web, but none of the solutions I read solved my problem.

Thanks a lot for your help.

Upvotes: 1

Views: 1947

Answers (1)

ReV

Django-auth-ldap uses the CN to identify a group member instead of the DN. For this reason, the solution is to replace:

cn=noc.noc,ou=Users,dc=XXX,dc=XX

in the memberUid field of the group in LDAP with:

noc.noc

This solves the issue.

Another solution would be to modify the sources of django-auth-ldap. To do so, you have to edit the file config.py (found in /usr/local/lib/python2.6/dist-packages/django-auth-ldap on my installation) and find the function called:

def user_groups(self, ldap_user, group_search):

of the class:

class PosixGroupType(LDAPGroupType):

then replace the line:

user_uid = ldap_user.attrs['uid'][0]

by:

user_uid = ldap_user.dn

This should also do the trick.

Upvotes: 2
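The membership rule behind the fix, as an added example that is not code from the question, the answer or django-auth-ldap itself. For a posixGroup (RFC 2307), memberUid holds uid values, not DNs, and a user is also a member of the group whose gidNumber equals the user's primary gidNumber; the filter built below is modelled on how PosixGroupType resolves groups, not copied from the library. The LDIF is constructed from the group entry shown in the question, with the assumed group name nocgroup standing in for <USERGROUP>, an assumed primary gidNumber of 1000 for noc.noc, and helper names that are this example's own:

```python
"""posixGroup membership as django-auth-ldap's PosixGroupType evaluates it.

Added example; the LDIF and user entry are constructed, the filter shape is
modelled on PosixGroupType (memberUid=uid or gidNumber=primary gid).
"""
import re

# Constructed: the group as the question's ldapsearch shows it, with full
# DNs stored in memberUid. Group name nocgroup is an assumption.
GROUP_LDIF_BROKEN = """\
dn: cn=nocgroup,ou=Groups,dc=XXX,dc=XX
cn: nocgroup
gidNumber: 501
memberUid: cn=user1,ou=Users,dc=XXX,dc=XX
memberUid: cn=noc.noc,ou=Users,dc=XXX,dc=XX
objectClass: posixGroup
"""

# Constructed: the same group after the fix, memberUid holds uid values.
GROUP_LDIF_FIXED = """\
dn: cn=nocgroup,ou=Groups,dc=XXX,dc=XX
cn: nocgroup
gidNumber: 501
memberUid: user1
memberUid: noc.noc
objectClass: posixGroup
"""

# Constructed user entry as AUTH_LDAP_USER_SEARCH would return it.
# gidNumber 1000 is an assumption (a primary group other than nocgroup).
USER_ENTRY = {
    "dn": "cn=noc.noc,ou=users,dc=XXX,dc=XX",
    "uid": ["noc.noc"],
    "gidNumber": ["1000"],
}


def parse_ldif(text):
    """Parse minimal LDIF (no folding, no base64) into a list of entries.

    Each entry maps lowercased attribute name -> list of values; the DN is
    stored under 'dn'. Attribute names are case-insensitive in LDAP.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value used inside a search filter.

    django-auth-ldap escapes the substituted %(user)s and the uid/gidNumber
    it places in filters; without this a login name such as 'x)(uid=*'
    would rewrite the filter and match every user.
    """
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def posix_group_filter(user_attrs):
    """Group filter in the PosixGroupType style: memberUid=uid, plus
    gidNumber=primary gid when the user entry carries one."""
    uid = escape_filter_value(user_attrs["uid"][0])
    if user_attrs.get("gidNumber"):
        gid = escape_filter_value(user_attrs["gidNumber"][0])
        return "(|(gidNumber=%s)(memberUid=%s))" % (gid, uid)
    return "(memberUid=%s)" % uid


def user_groups(group_entries, user_attrs):
    """Evaluate that filter offline against parsed posixGroup entries.

    memberUid is compared with the uid value, never with the user's DN,
    so a DN stored in memberUid can never match.
    """
    uid = user_attrs["uid"][0]
    gid = user_attrs.get("gidNumber", [None])[0]
    matched = []
    for entry in group_entries:
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if "posixgroup" not in classes:
            continue
        if uid in entry.get("memberuid", []) or (
            gid is not None and gid in entry.get("gidnumber", [])
        ):
            matched.append(entry["dn"][0])
    return matched


def membership_check(ldif_text, user_attrs):
    """Group DNs the user would be placed in for the given directory data."""
    return user_groups(parse_ldif(ldif_text), user_attrs)


if __name__ == "__main__":
    print("filter:", posix_group_filter(USER_ENTRY))
    print("broken memberUid ->", membership_check(GROUP_LDIF_BROKEN, USER_ENTRY))
    print("fixed memberUid  ->", membership_check(GROUP_LDIF_FIXED, USER_ENTRY))
```

Against the directory itself, the same check is the filter the example builds, e.g. an ldapsearch over ou=Groups with `(&(objectClass=posixGroup)(memberUid=noc.noc))`: if that returns nothing while the group entry is visible, the memberUid values are not uid values, which is exactly the situation the log line "is not a member of" reports. A user whose primary gidNumber is 501 would still pass AUTH_LDAP_REQUIRE_GROUP even with the broken memberUid values, via the gidNumber branch, so a test with such an account can mask the problem.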
