akei9

Reputation: 45

Binding to Active Directory using django-auth-ldap

I'm trying to create user login authentication in my Django app via Active Directory using django-auth-ldap. The problem is that I cannot bind to the AD using the username (which is the sAMAccountName LDAP equivalent). Part of my settings.py is below:

import ldap
from django_auth_ldap.config import LDAPSearch

AUTHENTICATION_BACKENDS = [
    'django_auth_ldap.backend.LDAPBackend',
]

AUTH_LDAP_START_TLS = False
AUTH_LDAP_ALWAYS_UPDATE_USER = False
AUTH_LDAP_SERVER_URI = 'ldap://ip_address:389'
AUTH_LDAP_BIND_DN = ''
AUTH_LDAP_BIND_PASSWORD = ''
AUTH_LDAP_USER_SEARCH = LDAPSearch('DC=example,DC=com', ldap.SCOPE_SUBTREE, '(sAMAccountName=%(user)s)')
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0,
}

Console log:

ERROR search_s('DC=example,DC=com', 2, '(sAMAccountName=user)') raised OPERATIONS_ERROR({'desc': 'Operations error', 'info': '00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece'})
DEBUG search_s('DC=example,DC=com', 2, '(sAMAccountName=%(user)s)') returned 0 objects:
DEBUG Authentication failed for user: failed to map the username to a DN.

Any idea why this is not working?

Upvotes: 0

Views: 3103

Answers (1)

LisaJ

Reputation: 1706

Anonymous read access is not enabled by default. To perform the search operation, populate AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD with a valid account. I generally create dedicated "system" accounts (i.e. not a real person's account because your authentication starts failing every time the user changes their password).

Upvotes: 2
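
A preflight check for the failure described above, as an added example that is not part of the original question or answer and not django-auth-ldap's own code. It flags the empty bind DN that produces the OPERATIONS_ERROR in the log and goes one step beyond the answer by also flagging a password-bearing bind over plain `ldap://` without StartTLS. The function names, the `LDAP_BIND_DN` / `LDAP_BIND_PASSWORD` environment variable names, the service account DN, and the tuple standing in for `LDAPSearch` are assumptions.

```python
from urllib.parse import urlparse


def check_ldap_settings(cfg):
    """Return a list of problem codes for a dict of AUTH_LDAP_* settings."""
    problems = []
    bind_dn = cfg.get("AUTH_LDAP_BIND_DN", "")
    bind_pw = cfg.get("AUTH_LDAP_BIND_PASSWORD", "")
    # With AUTH_LDAP_USER_SEARCH set, the backend binds as AUTH_LDAP_BIND_DN and
    # then searches for the user's DN. An empty DN is an anonymous bind, and AD
    # does not allow anonymous searches by default (the error in the question).
    if cfg.get("AUTH_LDAP_USER_SEARCH") is not None and not bind_dn:
        problems.append("anonymous-search")
    # A DN with an empty password is an unauthenticated simple bind
    # (RFC 4513, section 5.1.2), not a login as that account.
    if bind_dn and not bind_pw:
        problems.append("empty-bind-password")
    # A simple bind over ldap:// without StartTLS sends the password in cleartext.
    scheme = urlparse(cfg.get("AUTH_LDAP_SERVER_URI", "")).scheme
    if scheme == "ldap" and not cfg.get("AUTH_LDAP_START_TLS", False):
        problems.append("cleartext-bind")
    return problems


def service_account_from_env(environ):
    """Read the dedicated service account from the environment, so the
    password stays out of settings.py (variable names are hypothetical)."""
    return {
        "AUTH_LDAP_BIND_DN": environ.get("LDAP_BIND_DN", ""),
        "AUTH_LDAP_BIND_PASSWORD": environ.get("LDAP_BIND_PASSWORD", ""),
    }


# Constructed: mirrors the settings in the question. The tuple stands in for
# the LDAPSearch object so the check runs without python-ldap installed.
QUESTION_CFG = {
    "AUTH_LDAP_SERVER_URI": "ldap://ip_address:389",
    "AUTH_LDAP_START_TLS": False,
    "AUTH_LDAP_BIND_DN": "",
    "AUTH_LDAP_BIND_PASSWORD": "",
    "AUTH_LDAP_USER_SEARCH": ("DC=example,DC=com", "(sAMAccountName=%(user)s)"),
}
# Constructed environment holding a dedicated service account.
SAMPLE_ENV = {
    "LDAP_BIND_DN": "CN=svc-django,OU=Service Accounts,DC=example,DC=com",
    "LDAP_BIND_PASSWORD": "constructed-placeholder",
}
FIXED_CFG = {**QUESTION_CFG, **service_account_from_env(SAMPLE_ENV),
             "AUTH_LDAP_START_TLS": True}

if __name__ == "__main__":
    print(check_ldap_settings(QUESTION_CFG), check_ldap_settings(FIXED_CFG))
```

In a real settings.py the same two values would be assigned to `AUTH_LDAP_BIND_DN` and `AUTH_LDAP_BIND_PASSWORD` from `os.environ`.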
