I fixed the DN for the service account:

AUTH_LDAP_BIND_DN = "UID=netbox,CN=users,DC=kenset,DC=priv"

I've tried at least 100 different things so far and nothing is getting me
there.

from django_auth_ldap.config import LDAPSearch, PosixGroupType
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=kensnet,dc=priv",
                                    ldap.SCOPE_SUBTREE,
                                    "(objectClass=posixGroup)")
AUTH_LDAP_GROUP_TYPE = PosixGroupType()

AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "cn",
    "last_name": "sn"
}

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_staff": f"cn={AUTH_LDAP_USER_STAFF},cn=groups,dc={dc1},dc={dc2}",
    "is_superuser": f"cn={AUTH_LDAP_USER_SUPERUSER},cn=groups,dc={dc1},dc={dc2}"
}

There must be a better way to troubleshoot this than shooting in the dark. 
posixGroup is set on each group but I'm not sure if that's the best way to 
search for the groups since it's still not working. I've opened up a ticket 
with Synology in the meantime.

On Sunday, October 8, 2017 at 10:34:31 PM UTC-4, Ken Jenney wrote:
>
> I've got LDAPSearch configured to work with my Synology Directory Server. 
> Users can authenticate fine but when I try to map a user to a group I get 
> INVALID_CREDENTIALS:
>
> import ldap
>
>
> # Server URI
> AUTH_LDAP_SERVER_URI = "ldaps://synology.kensnet.priv"
>
>
> # Set the DN and password for the NetBox service account.
> AUTH_LDAP_BIND_DN = "CN=netbox,CN=users,DC=kensnet,DC=priv"
> AUTH_LDAP_BIND_PASSWORD = bindpassword
>
>
> LDAP_IGNORE_CERT_ERRORS = True
>
>
> from django_auth_ldap.config import LDAPSearch, PosixGroupType, GroupOfNamesType
>
>
> AUTH_LDAP_USER_SEARCH = LDAPSearch("cn=users,dc=kensnet,dc=priv",
>                                     ldap.SCOPE_SUBTREE,
>                                     "(sAMAccountName=%(user)s)")
>
>
> # If a user's DN is producible from their username, we don't need to search.
> AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,cn=users,dc=kensnet,dc=priv"
>
>
> ### EVERYTHING WORKS UP UNTIL HERE
>
>
> #### Groups
>
>
> # # This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
> # # hierarchy.
> AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=kensnet,dc=priv", ldap.SCOPE_SUBTREE,
>                                     "(objectClass=organizationalRole)")
> AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
>
>
> # # Define a group required to login.
> AUTH_LDAP_REQUIRE_GROUP = "cn=users,cn=groups,dc=kensnet,dc=priv"
>
>
> # Define special user types using groups. Exercise great caution when assigning superuser status.
> AUTH_LDAP_USER_FLAGS_BY_GROUP = {
>     "is_staff": "cn=staff,cn=groups,dc=kensnet,dc=priv",
>     "is_superuser": "cn=administrators,cn=groups,dc=kensnet,dc=priv"
> }
>
>
> How can I troubleshoot the group search/mapping to figure out what the 
> issue is? 
>
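
One way to take some of the guesswork out of the troubleshooting asked about above, as an added example that is not part of the original messages and is not django-auth-ldap code: an offline consistency check of the AUTH_LDAP_* values for mismatches that are easy to miss by eye. The `cfg` dictionary layout, the function names and the sample values are assumptions made for this example.

```python
import re

# objectClass each django-auth-ldap group type is written for.
EXPECTED_CLASS = {"PosixGroupType": "posixGroup", "GroupOfNamesType": "groupOfNames"}

def rdns(dn):
    # Normalised RDN list; naive split, escaped commas are not handled.
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def domain(dn):
    # dc= components joined DNS-style, e.g. "kensnet.priv".
    return ".".join(p[3:] for p in rdns(dn) if p.startswith("dc="))

def filter_balanced(flt):
    # An LDAP filter must be wrapped in parentheses that balance.
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and flt.startswith("(") and flt.endswith(")")

def lint(cfg):
    # cfg: hypothetical dict mirroring the AUTH_LDAP_* settings; returns findings.
    out, base, flt = [], cfg["group_base"], cfg["group_filter"]
    if domain(cfg["bind_dn"]) != domain(base):
        out.append(f"bind DN domain {domain(cfg['bind_dn'])} != search base {domain(base)}")
    if not filter_balanced(flt):
        out.append(f"unbalanced parentheses in group filter {flt}")
    m = re.search(r"objectclass=([\w-]+)", flt, re.I)
    want = EXPECTED_CLASS.get(cfg["group_type"])
    if m and want and m.group(1).lower() != want.lower():
        out.append(f"{cfg['group_type']} expects objectClass={want}, filter has {m.group(1)}")
    for dn in cfg["group_dns"]:
        if rdns(dn)[-len(rdns(base)):] != rdns(base):
            out.append(f"group DN {dn} is outside search base {base}")
    return out

# Constructed sample input, modelled on the settings quoted in this thread.
GOOD = {"bind_dn": "uid=netbox,cn=users,dc=kensnet,dc=priv",
        "group_base": "dc=kensnet,dc=priv",
        "group_filter": "(objectClass=posixGroup)", "group_type": "PosixGroupType",
        "group_dns": ["cn=staff,cn=groups,dc=kensnet,dc=priv"]}
BAD = dict(GOOD, bind_dn="UID=netbox,CN=users,DC=kenset,DC=priv",
           group_filter="(objectClass=organizationalRole", group_type="GroupOfNamesType",
           group_dns=["cn=staff,cn=groups,dc=example,dc=priv"])

if __name__ == "__main__":
    print("\n".join(lint(BAD)) or "no findings")
```

For the live side, django-auth-ldap writes its binds and searches to the `django_auth_ldap` logger, so setting that logger to DEBUG in Django's LOGGING shows which DN and filter each step used. The quoted settings also set `LDAP_IGNORE_CERT_ERRORS = True`, which turns off certificate verification for the `ldaps://` connection and is worth reverting once the bind works.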
