Banno / getsentry-ldap-auth

A Sentry extension to add an LDAP server as an authentication source.
Apache License 2.0

getsentry-ldap-auth not works with django-auth-ldap 1.2.14+ #25

Closed strangeman closed 6 years ago

strangeman commented 6 years ago

How to reproduce:

Expected result

Actual result

Logs

First, successful login:

05:01:30 [DEBUG] django_auth_ldap: search_s('ou=users,dc=orgz', 2, '(uid=%(user)s)') returned 1 objects: uid=a.markelov,ou=users,dc=orgz
05:01:30 [DEBUG] django_auth_ldap: search_s('ou=users,dc=orgz', 2, '(uid=%(user)s)') returned 1 objects: uid=a.markelov,ou=users,dc=orgz
05:01:30 [DEBUG] django_auth_ldap: Populating Django user a.markelov
05:01:30 [DEBUG] django_auth_ldap: Populating Django user a.markelov
05:01:30 [INFO] sentry.auth: user.auth.success (username=u'a.markelov' ip_address=u'178.218.107.255')

Second, unsuccessful login:

172.18.0.1 - - [06/Oct/2017:05:01:35 +0000] "GET /auth/login/ HTTP/1.0" 200 10783 "https://sentry.unitedtraders.work" "Go-http-client/1.1"
05:01:41 [DEBUG] django_auth_ldap: search_s('uid=a.markelov,ou=users,dc=orgz', 0, '(objectClass=*)') returned 0 objects: 
05:01:41 [DEBUG] django_auth_ldap: search_s('uid=a.markelov,ou=users,dc=orgz', 0, '(objectClass=*)') returned 0 objects: 
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/django_auth_ldap/backend.py", line 350, in authenticate
    self._get_or_create_user()
  File "/usr/local/lib/python2.7/site-packages/django_auth_ldap/backend.py", line 577, in _get_or_create_user
    self._user, created = self.backend.get_or_create_user(username, self)
  File "/usr/local/lib/python2.7/site-packages/sentry_ldap_auth/backend.py", line 38, in get_or_create_user
    if 'mail' in ldap_user.attrs:
TypeError: argument of type 'NoneType' is not iterable
05:01:41 [ERROR] django_auth_ldap: Caught Exception while authenticating a.markelov
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/django_auth_ldap/backend.py", line 350, in authenticate
    self._get_or_create_user()
  File "/usr/local/lib/python2.7/site-packages/django_auth_ldap/backend.py", line 577, in _get_or_create_user
    self._user, created = self.backend.get_or_create_user(username, self)
  File "/usr/local/lib/python2.7/site-packages/sentry_ldap_auth/backend.py", line 38, in get_or_create_user
    if 'mail' in ldap_user.attrs:
TypeError: argument of type 'NoneType' is not iterable
05:01:41 [ERROR] django_auth_ldap: Caught Exception while authenticating a.markelov

This behavior exists with django-auth-ldap 1.2.14, 1.2.15 and 1.2.16. I think this is related to "Under search/bind mode, the user's DN will now be cached for performance" (https://bitbucket.org/psagers/django-auth-ldap/src/569b6ca46ce8a27af2b6d712caea09b2ed6c894e/CHANGES?at=default&fileviewer=file-view-default#CHANGES-41).

As a workaround, I suggest pinning the django-auth-ldap requirement.
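Added example, not part of the thread and not code from either project: a triage script that scans django_auth_ldap log output for the pattern in the report above, where a base-scope (scope 0) search of a user's DN returns 0 objects and the login then dies on the `NoneType` error. The function name and the reading of the scope-0 search as the cached-DN lookup are assumptions; the sample lines are copied from the report's log.

```python
import re

# Lines copied from the report's log (duplicates and traceback frames trimmed).
SAMPLE_LOG = """\
05:01:30 [DEBUG] django_auth_ldap: search_s('ou=users,dc=orgz', 2, '(uid=%(user)s)') returned 1 objects: uid=a.markelov,ou=users,dc=orgz
05:01:30 [DEBUG] django_auth_ldap: Populating Django user a.markelov
05:01:41 [DEBUG] django_auth_ldap: search_s('uid=a.markelov,ou=users,dc=orgz', 0, '(objectClass=*)') returned 0 objects:
TypeError: argument of type 'NoneType' is not iterable
05:01:41 [ERROR] django_auth_ldap: Caught Exception while authenticating a.markelov
"""

SEARCH = re.compile(
    r"^\S+ \[DEBUG\] django_auth_ldap: search_s\('(?P<base>[^']*)', "
    r"(?P<scope>\d), '[^']*'\) returned (?P<count>\d+) objects"
)
FAILED = re.compile(
    r"^(?P<ts>\S+) \[ERROR\] django_auth_ldap: "
    r"Caught Exception while authenticating (?P<user>\S+)"
)
NONE_ATTRS = "TypeError: argument of type 'NoneType' is not iterable"


def find_empty_dn_failures(log_text):
    """Return (time, user, dn) for each login that crashed after an empty DN read."""
    findings = []
    pending_dn = None      # DN whose base-scope read came back empty
    saw_type_error = False
    for line in log_text.splitlines():
        search = SEARCH.match(line)
        if search:
            # Scope 0 is ldap.SCOPE_BASE: a read of exactly one DN.
            empty = search["scope"] == "0" and search["count"] == "0"
            pending_dn, saw_type_error = (search["base"] if empty else None), False
            continue
        if pending_dn and NONE_ATTRS in line:
            saw_type_error = True
            continue
        failed = FAILED.match(line)
        if failed and pending_dn and saw_type_error:
            findings.append((failed["ts"], failed["user"], pending_dn))
            pending_dn = None  # the log repeats each record; count it once
    return findings


if __name__ == "__main__":
    for ts, user, dn in find_empty_dn_failures(SAMPLE_LOG):
        print("%s login for %s failed: empty read of %s" % (ts, user, dn))
```

Run against a Sentry log with django_auth_ldap DEBUG logging enabled, it lists which accounts are hitting the failure rather than an ordinary bad-password rejection.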

rakshazi commented 6 years ago

Hello, any update on this?

barronhagerman commented 6 years ago

Sorry, I have not had a chance to dig into this. However, I have a container running Sentry Server 8.20.0 with django-auth-ldap 1.2.16, and I am unable to reproduce the problem.

strangeman commented 6 years ago

@rakshazi as another workaround, you may restrict the django-auth-ldap version in Sentry's requirements.txt:

cat /opt/sentry/build/requirements.txt 
# Add plugins here
sentry-ldap-auth
django-auth-ldap <=1.2.13,>=1.2.5

@barronhagerman maybe it is related to the LDAP server implementation; I am still able to reproduce the problem with Sentry Server 8.20.0 and django-auth-ldap 1.2.16. We use Crowd SSO with LDAP bindings for it.

rakshazi commented 6 years ago

Here is my solution for this problem: https://github.com/getsentry/sentry/issues/6609#issuecomment-346674096

rdrey commented 6 years ago

Yeah, still an issue. Edit: solved with a version pin like @rakshazi

barronhagerman commented 6 years ago

I have pinned the version of django-auth-ldap to 1.2.* because there is a problem installing sentry-ldap-auth with django-auth-ldap 1.3. However, everything seems to work fine for me with django-auth-ldap 1.2.16.