Mohamed Benkedadra

Reputation: 2084

django-auth-ldap member groups not working

I managed to get LDAP authentication working, but the user's groups aren't. When a user is authenticated, the username, first name, email etc. are copied to the session, but the boolean values (derived from the groups the user belongs to) aren't.

This is my settings.py:

AUTHENTICATION_BACKENDS = [
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
]


import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, GroupOfUniqueNamesType

AUTH_LDAP_SERVER_URI = "ldap://openldap"
# Service account used for the user/group searches and the membership compares
AUTH_LDAP_BIND_DN = "cn=admin,dc=openldap"
AUTH_LDAP_BIND_PASSWORD = "admin"
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=django,dc=openldap",
    ldap.SCOPE_SUBTREE, "(cn=%(user)s)")

AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

AUTH_LDAP_CACHE_TIMEOUT = 0
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 0
AUTH_LDAP_PROFILE_ATTR_MAP = {"home_directory": "homeDirectory"}
AUTH_LDAP_MIRROR_GROUPS = True
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_ALWAYS_UPDATE_USER = True

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=openldap",
    ldap.SCOPE_SUBTREE, "(objectClass=*)"
)
# GroupOfNamesType tests membership with an LDAP compare on the group's "member"
# attribute (GroupOfUniqueNamesType, imported above but unused, would use "uniqueMember")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr='cn')

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    'is_active': 'cn=active,ou=groups,dc=openldap',
    'is_staff': 'cn=staff,ou=groups,dc=openldap',
    'is_superuser': 'cn=superuser,ou=groups,dc=openldap',
}

# # Simple group restrictions (no trailing comma: with one the value becomes a tuple)
# AUTH_LDAP_REQUIRE_GROUP = 'cn=enabled,ou=groups,dc=openldap'
# AUTH_LDAP_DENY_GROUP = 'cn=disabled,ou=groups,dc=openldap'


### ERROR LOGGING

import logging
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)

This is my LDAP schema:

(screenshot of the LDAP tree; image not available)

root is part of active, staff and superuser.
user1 is part of active.
This is what I get when I authenticate a user from a view; I get the error "is not a member of":

openldap        | 5b444c1f conn=1015 fd=13 ACCEPT from IP=172.23.0.4:47230 (IP=0.0.0.0:389)
openldap        | 5b444c1f conn=1015 op=0 BIND dn="cn=admin,dc=openldap" method=128
openldap        | 5b444c1f conn=1015 op=0 BIND dn="cn=admin,dc=openldap" mech=SIMPLE ssf=0
openldap        | 5b444c1f conn=1015 op=0 RESULT tag=97 err=0 text=
openldap        | 5b444c1f conn=1015 op=1 SRCH base="ou=django,dc=openldap" scope=2 deref=0 filter="(cn=root)"
openldap        | 5b444c1f <= mdb_equality_candidates: (cn) not indexed
openldap        | 5b444c1f conn=1015 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
django          | search_s('ou=django,dc=openldap', 2, '(cn=%(user)s)') returned 1 objects: cn=root,ou=django,dc=openldap
openldap        | 5b444c1f conn=1015 op=2 BIND anonymous mech=implicit ssf=0
openldap        | 5b444c1f conn=1015 op=2 BIND dn="cn=root,ou=django,dc=openldap" method=128
openldap        | 5b444c1f conn=1015 op=2 BIND dn="cn=root,ou=django,dc=openldap" mech=SIMPLE ssf=0
openldap        | 5b444c1f conn=1015 op=2 RESULT tag=97 err=0 text=
django          | Populating Django user root
openldap        | 5b444c1f conn=1015 op=3 BIND anonymous mech=implicit ssf=0
openldap        | 5b444c1f conn=1015 op=3 BIND dn="cn=admin,dc=openldap" method=128
openldap        | 5b444c1f conn=1015 op=3 BIND dn="cn=admin,dc=openldap" mech=SIMPLE ssf=0
openldap        | 5b444c1f conn=1015 op=3 RESULT tag=97 err=0 text=
openldap        | 5b444c1f conn=1015 op=4 CMP dn="cn=active,ou=groups,dc=openldap" attr="member"
openldap        | 5b444c1f conn=1015 op=4 RESULT tag=111 err=16 text=
django          | cn=root,ou=django,dc=openldap is not a member of cn=active,ou=groups,dc=openldap
openldap        | 5b444c1f conn=1015 op=5 CMP dn="cn=staff,ou=groups,dc=openldap" attr="member"
openldap        | 5b444c1f conn=1015 op=5 RESULT tag=111 err=16 text=
openldap        | 5b444c1f conn=1015 op=6 CMP dn="cn=superuser,ou=groups,dc=openldap" attr="member"
openldap        | 5b444c1f conn=1015 op=6 RESULT tag=111 err=16 text=
django          | cn=root,ou=django,dc=openldap is not a member of cn=staff,ou=groups,dc=openldap
django          | cn=root,ou=django,dc=openldap is not a member of cn=superuser,ou=groups,dc=openldap
openldap        | 5b444c1f conn=1015 op=7 SRCH base="dc=openldap" scope=2 deref=0 filter="(&(objectClass=*)(member=cn=root,ou=django,dc=openldap))"
openldap        | 5b444c1f <= mdb_equality_candidates: (member) not indexed
openldap        | 5b444c1f conn=1015 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
django          | search_s('dc=openldap', 2, '(&(objectClass=*)(member=cn=root,ou=django,dc=openldap))') returned 0 objects:

PS: the user is authenticated without a problem, but when I print user.is_staff, user.is_active and user.is_superuser I get False for all of them.

Upvotes: 3

Views: 1737

Answers (1)

Karthic Raghupathi

Reputation: 2061

I know I'm a few years late to reply, but I stumbled on your question when I was trying to solve my own issues getting django-auth-ldap working with my AD server.

From your logs, I can see a few messages like this:

django          | cn=root,ou=django,dc=openldap is not a member of cn=superuser,ou=groups,dc=openldap

What solved the problem for me was the following quote from here:

If your filter is too specific, groups in the middle will be overlooked, leading to an incomplete group list.

Don't make your filter too specific. It doesn't matter too much anyway, since the groups will only be returned if the user belongs to them, even indirectly.

While specifically NOT applicable to your case, and possibly the inverse of your scenario, I think that is the crux of your problem: django-auth-ldap can't find your groups. I think you are starting way at the root, which is the DC. Try changing your AUTH_LDAP_GROUP_SEARCH to be a bit more specific, like the following, to see if that helps:

AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "OU=groups,DC=openldap",
    ldap.SCOPE_SUBTREE,
    "(objectClass=group)",  # "group" is the Active Directory group object class
)

I'm not an expert at LDAP / AD by any means so YMMV.

Upvotes: 2
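An offline walk-through of what the slapd log in the question and the answer's group-search advice are about, as an added example that is not code from the original post, the answer, or django-auth-ldap itself. Each flag in AUTH_LDAP_USER_FLAGS_BY_GROUP is decided by one LDAP compare of the group DN's membership attribute against the user, and the attribute compared depends on the configured group type. In the question's log every compare comes back `RESULT tag=111 err=16`; in RFC 4511 terms `tag=111` is a compareResponse and result code 16 is noSuchAttribute, i.e. the group entry has no attribute by that name (a genuine non-member would give compareFalse, code 5). Which attribute the groups in the question actually store members in cannot be seen here (the schema screenshot is missing), so the directory below is a constructed one, parametrised on that attribute; the user DNs, group DNs and flag mapping are taken from the question, and the log lines are copied from it.

```python
"""Re-implements, in plain Python, how AUTH_LDAP_USER_FLAGS_BY_GROUP is evaluated
and what the compare result codes in a slapd log mean. Constructed sample data."""
import re

# LDAP result codes returned by a compare operation (RFC 4511, section 4.1.9)
COMPARE_FALSE = 5
COMPARE_TRUE = 6
NO_SUCH_ATTRIBUTE = 16
NO_SUCH_OBJECT = 32
RESULT_NAMES = {COMPARE_FALSE: "compareFalse", COMPARE_TRUE: "compareTrue",
                NO_SUCH_ATTRIBUTE: "noSuchAttribute", NO_SUCH_OBJECT: "noSuchObject"}

# Attribute each django-auth-ldap group type compares against (the dict itself is ours)
MEMBER_ATTR = {
    "GroupOfNamesType": "member",
    "GroupOfUniqueNamesType": "uniqueMember",
    "PosixGroupType": "memberUid",
}

USERS = {  # the two users named in the question
    "root": "cn=root,ou=django,dc=openldap",
    "user1": "cn=user1,ou=django,dc=openldap",
}

FLAGS_BY_GROUP = {  # identical to AUTH_LDAP_USER_FLAGS_BY_GROUP in the question
    "is_active": "cn=active,ou=groups,dc=openldap",
    "is_staff": "cn=staff,ou=groups,dc=openldap",
    "is_superuser": "cn=superuser,ou=groups,dc=openldap",
}


def build_directory(member_attr):
    """Constructed group entries; `member_attr` is the attribute the groups really
    store their members in (assumption: unknown from the question, hence a parameter).
    Memberships follow the question: root in all three groups, user1 in active."""
    def members(*uids):
        # a posixGroup holds bare uids, the groupOf* classes hold full DNs
        return [u if member_attr == "memberUid" else USERS[u] for u in uids]
    return {
        FLAGS_BY_GROUP["is_active"]: {"cn": ["active"], member_attr: members("root", "user1")},
        FLAGS_BY_GROUP["is_staff"]: {"cn": ["staff"], member_attr: members("root")},
        FLAGS_BY_GROUP["is_superuser"]: {"cn": ["superuser"], member_attr: members("root")},
    }


def ldap_compare(entry, attr, value):
    """Result code slapd would return for `CMP dn=<entry> attr=<attr>` with <value>."""
    # LDAP attribute names are case-insensitive, so match them that way
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    if values is None:
        return NO_SUCH_ATTRIBUTE  # err=16: the entry has no such attribute at all
    return COMPARE_TRUE if value in values else COMPARE_FALSE


def user_flags(directory, uid, group_type, flags_by_group=FLAGS_BY_GROUP):
    """One compare per flag, as django-auth-ldap does; True only on compareTrue."""
    attr = MEMBER_ATTR[group_type]
    # PosixGroupType matches the uid; the groupOf* types match the user's DN
    value = uid if group_type == "PosixGroupType" else USERS[uid]
    flags = {}
    for flag, group_dn in flags_by_group.items():
        entry = directory.get(group_dn)
        code = NO_SUCH_OBJECT if entry is None else ldap_compare(entry, attr, value)
        flags[flag] = code == COMPARE_TRUE
    return flags


CMP_RE = re.compile(r'conn=(\d+) op=(\d+) CMP dn="([^"]+)" attr="([^"]+)"')
RES_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=111 err=(\d+)')


def explain_compares(log_lines):
    """Pair each CMP with the RESULT of the same conn/op and name its result code."""
    pending, out = {}, []
    for line in log_lines:
        m = CMP_RE.search(line)
        if m:
            pending[(m[1], m[2])] = (m[3], m[4])
            continue
        m = RES_RE.search(line)
        if m and (m[1], m[2]) in pending:
            dn, attr = pending.pop((m[1], m[2]))
            code = int(m[3])
            out.append((dn, attr, code, RESULT_NAMES.get(code, f"err={code}")))
    return out


QUESTION_LOG = [  # copied from the slapd output in the question
    'openldap        | 5b444c1f conn=1015 op=4 CMP dn="cn=active,ou=groups,dc=openldap" attr="member"',
    'openldap        | 5b444c1f conn=1015 op=4 RESULT tag=111 err=16 text=',
    'openldap        | 5b444c1f conn=1015 op=5 CMP dn="cn=staff,ou=groups,dc=openldap" attr="member"',
    'openldap        | 5b444c1f conn=1015 op=5 RESULT tag=111 err=16 text=',
    'openldap        | 5b444c1f conn=1015 op=6 CMP dn="cn=superuser,ou=groups,dc=openldap" attr="member"',
    'openldap        | 5b444c1f conn=1015 op=6 RESULT tag=111 err=16 text=',
]

if __name__ == "__main__":
    for dn, attr, code, name in explain_compares(QUESTION_LOG):
        print(f"{dn} attr={attr}: err={code} ({name})")
    for stored in ("member", "uniqueMember"):
        print(stored, user_flags(build_directory(stored), "root", "GroupOfNamesType"))
```

Running it names all three compares in the question's log as noSuchAttribute, and shows that GroupOfNamesType only yields True for root when the groups really carry a `member` attribute; when the same memberships sit in `uniqueMember` or `memberUid`, every flag is False and the group search by `member=<dn>` finds nothing, exactly the pattern in the log. The same reasoning applies to the answer's narrowed search base: a tighter base or filter changes which entries are searched, not which attribute is compared.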
