
#45 LDAP filter for login

Status: open
Owner: nobody
Priority: 5
Updated: 2012-09-12
Created: 2012-02-10
Private: No

My LDAP uses "dn=cn=lastname_firstname,dc=xxx,dc=edu" as the binddn for simple binds. I wish users to simply use their uid+userPassword
for login rather than their cn. Other applications using LDAP as authentication are able to do so. There does not appear to be a way to make this
happen in the current configuration settings. I can successfully login using the cn+userPassword on the login screen, but not using the uid+userPassword.

Discussion

  • Shelley Waltz - 2012-02-15

    Adding some clarification to the issue ...

    auth_type ldap
    directory_type ldap
    ldaphost ldap://ldap.sdm.dm.edu
    ldap_binddn dc=sdm.dm,dc=edu
    ldap_bind_user
    ldap_bind_pass
    ldap_is_active_directory No
    ldap_domain_name
    ldap_user_name_attr uid
    ldap_last_name_attr sn
    ldap_first_name_attr givenName
    ldap_displayname_attr cn
    ldap_email_attr mail

    Here is the issue. If I use
    ldap_user_name_attr uid
    on the login page (not local), as a valid ldap user with uid=me and the userPassword,
    the bind tries (I have a level=logging.DEBUG statement in the LDAPDirectory.py)
    ldap://ldap.sdm.dm.edu - SimpleLDAPObject.simple_bind (('uid=me,dc=sdm.dm,dc=edu', 'mypassword', None, None),{})
    => LDAPError - INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}

    My binddn uses cn, not uid. I can change
    ldap_username_attr cn
    and then on the login enter the full cn for my uid, but what I wish is to have the user be able
    to use their uid and have the simple bind work. It does for many other applications for which I use
    LDAP as the authentication. I can hack the code to make this work for my case, but it would be
    better if this were configurable or the search used just the ldap_binddn for the search.

  • Shelley Waltz - 2012-02-15

    simplebind should use an ldap_basedn which is defined in the config

  • Shelley Waltz - 2012-02-16

    I am able to use uid/password if I make the following change to the
    filelocker2.4.5/core/directory/LDAPDirectory.py authenticate def
    (search for the dn using the base dn, then authenticate; the replaced
    bind line is kept as a comment):

    import sys
    import logging
    import ldap
    import ldap.filter

    def authenticate(self, userId, password):
        result = None
        l = ldap.initialize(self.directoryHost, trace_level=9, trace_file=sys.stdout)
        try:
            if userId == "" or password == "":
                logging.info("Username or password cannot be blank.  Anonymous logins are not permitted")
                raise ldap.INVALID_CREDENTIALS
            if self.isActiveDirectory.lower() == "yes":
                result = l.simple_bind_s(userId + "@" + self.domainName, password)
            else:
                # Replaced line:
                # result = l.simple_bind_s(self.userIdAttr+"="+userId+","+ self.directoryBindDn , password)
                # Search for the user's dn under the base dn, then bind as that dn.
                # The login name is escaped so it cannot alter the filter.
                filterstr = "(%s=%s)" % (self.userIdAttr, ldap.filter.escape_filter_chars(userId))
                result = l.search_s(self.directoryBindDn, ldap.SCOPE_SUBTREE, filterstr)
                if len(result) != 1:
                    # No such user, or more than one entry with this uid: refuse the login
                    raise ldap.INVALID_CREDENTIALS
                dn = str(result[0][0])
                result = l.simple_bind_s(dn, password)
            return True  # If no errors were raised while binding, we'll consider it a success
        except ldap.INVALID_CREDENTIALS:
            return False
        except Exception as e:
            logging.error("Error in authenticating user \"%s\": %s" % (str(userId), str(e)))
            return False
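The search-then-bind flow from the patch in the comments above, as an added example that is neither Filelocker's code nor the ticket author's: it runs offline against a constructed in-memory stand-in for a python-ldap connection (the FakeLDAPConnection, InvalidCredentials and escape_filter_value names, BASE_DN and the DIRECTORY entries are this example's own), escapes the login name before it goes into the filter, requires exactly one match and refuses a blank password before any bind.

```python
import re

class InvalidCredentials(Exception):
    pass  # stand-in for ldap.INVALID_CREDENTIALS (constructed for this example)

def escape_filter_value(value):
    """RFC 4515 escaping (own code; python-ldap has ldap.filter.escape_filter_chars)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

class FakeLDAPConnection:
    """Constructed in-memory stand-in for a python-ldap connection (same search_s /
    simple_bind_s call shape as the patch).  Equality filters only; '*' is a wildcard."""
    SCOPE_SUBTREE = 2

    def __init__(self, directory):
        self.directory = directory  # {dn: {attribute: value}}

    def search_s(self, base, scope, filterstr):
        attr, value = re.fullmatch(r"\((\w+)=(.*)\)", filterstr).groups()
        return [(dn, attrs) for dn, attrs in self.directory.items()
                if dn.endswith(base) and (value == "*" or attrs.get(attr) == value)]

    def simple_bind_s(self, dn, password):
        if password == "":  # empty password = unauthenticated bind on many servers
            return True
        entry = self.directory.get(dn)
        if entry is None or entry.get("userPassword") != password:
            raise InvalidCredentials()
        return True

# Constructed sample directory in the cn=lastname_firstname shape from the ticket.
BASE_DN = "dc=sdm.dm,dc=edu"
DIRECTORY = {
    "cn=doe_jane,dc=sdm.dm,dc=edu": {"uid": "me", "userPassword": "mypassword"},
    "cn=roe_richard,dc=sdm.dm,dc=edu": {"uid": "rroe", "userPassword": "s3cret"},
}

def authenticate(conn, base_dn, user_attr, user_id, password):
    """Search-then-bind as in the patch: escaped filter, one match required, no blank bind."""
    if not user_id or not password:
        return False
    filterstr = "(%s=%s)" % (user_attr, escape_filter_value(user_id))
    matches = conn.search_s(base_dn, conn.SCOPE_SUBTREE, filterstr)
    if len(matches) != 1:
        return False  # unknown or ambiguous uid: refuse rather than guess a dn
    try:
        conn.simple_bind_s(matches[0][0], password)
    except InvalidCredentials:
        return False
    return True
```

With the unescaped filter the original patch builds, a login name of "*" matches every entry under the base dn, which is the case the escaping and the single-match check close off.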
