Closed pavel-z1 closed 10 months ago
I think there may be a blank email field in your LDAP entity.
Please note that an LDAP field is like an array and you can set multiple mail fields for an entity. If there is a null in it, the phenomenon you describe will occur.
If you confirm that this is indeed the cause and you cannot correct the data, you can try to add if mail: before line 75:
Hi @PMExtra
ldapsearch returns LDAP attributes in this format for the tested user:
mail: testuser@emaildomain.com
givenName: Test
sn: User
uid: testuser
cn: Test User
displayName: Test User
initials: TU
gecos: Test User
krbPrincipalName: testuser@IPA.DOMAIN.LOCAL
User contains only one email. It doesn't look like the LDAP mail attribute is in array format.
What can be done in this case to map the LDAP mail attribute to the Sentry user?
Please try this and send me the outputs:
docker exec -it sentry-web-1 sentry shell
from django_auth_ldap.backend import LDAPBackend, _LDAPUser
user=_LDAPUser(LDAPBackend(), username='testuser')
print(user.attrs.get('mail'))
Strange results
Ldapsearch from cli:
ldapsearch -H ldap://$HOSTNAME -D 'uid=svc-sentry,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local' -W -b 'cn=users,cn=accounts,dc=ipa,dc=domain,dc=local' '(&(uid=tesstuser)(objectClass=posixAccount))' | grep mail
Enter LDAP Password:
mail: testuser@emaildomain.com
Sentry shell:
# docker exec -it sentry_onpremise-web-1 sentry shell
Python 3.8.18 (default, Nov 21 2023, 19:25:34)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> from django_auth_ldap.backend import LDAPBackend, _LDAPUser
>>> user=_LDAPUser(LDAPBackend(), username='testuser')
>>> print(user.attrs.get('mail'))
10:13:09 [DEBUG] django_auth_ldap: Binding as
10:13:09 [DEBUG] django_auth_ldap: Invoking search_s('cn=users,cn=accounts,dc=ipa,dc=domain,dc=local', 2, '(&(uid=testuser)(objectClass=posixAccount))')
10:13:09 [DEBUG] django_auth_ldap: search_s('cn=users,cn=accounts,dc=ipa,dc=domain,dc=local', 2, '(&(uid=%(user)s)(objectClass=posixAccount))') returned 1 objects: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
10:13:09 [DEBUG] django_auth_ldap: Invoking search_s('uid=testuser,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local', 0, '(objectClass=*)')
10:13:09 [DEBUG] django_auth_ldap: search_s('uid=testuser,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local', 0, '(objectClass=*)') returned 1 objects: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
None
>>> print(user.attrs.get('givenName'))
['Test']
>>> print(user.attrs.get('krbPrincipalName'))
None
>>> print(user.attrs.get('displayName'))
['Test User']
>>>
You have not bound any identity, so you have no permission to access the attributes.
Please check AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD.
Thank you @PMExtra
The typo AUTH_LDAP_BIND_DB instead of the correct AUTH_LDAP_BIND_DN was the source of the issue.
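The two failure modes discussed in this thread, a multi-valued mail attribute with an empty value (the "if mail:" guard suggested above) and a misspelled AUTH_LDAP_* setting that leaves the backend binding anonymously so that attribute reads come back as None, can both be caught before a user ever logs in. The following is an added example, not code from sentry-auth-ldap or django-auth-ldap. It assumes that `attrs` has the shape of django-auth-ldap's `_LDAPUser.attrs` (attribute name mapped to a list of decoded strings), that `KNOWN_SETTINGS` is a hand-maintained list of setting names rather than something read from the library, and that the "entry found but expected attributes unreadable means check the bind identity" rule is a heuristic drawn from this thread.

```python
"""Added example (not code from sentry-auth-ldap or django-auth-ldap).

Checks for the two problems seen in this thread:
  * a multi-valued `mail` attribute containing an empty value, and
  * a misspelled AUTH_LDAP_* setting (AUTH_LDAP_BIND_DB for AUTH_LDAP_BIND_DN)
    that is silently ignored, so the backend binds anonymously and most
    attribute reads return None.

Assumptions: `attrs` mirrors django-auth-ldap's `_LDAPUser.attrs`
(attribute name -> list of decoded strings); KNOWN_SETTINGS is hand-maintained.
"""
import difflib
from typing import Dict, List, Optional, Tuple

# Hand-maintained subset of django-auth-ldap setting names (assumption: not
# read from the library, so extend it if your deployment uses more settings).
KNOWN_SETTINGS = sorted({
    "AUTH_LDAP_SERVER_URI",
    "AUTH_LDAP_BIND_DN",
    "AUTH_LDAP_BIND_PASSWORD",
    "AUTH_LDAP_USER_SEARCH",
    "AUTH_LDAP_USER_DN_TEMPLATE",
    "AUTH_LDAP_USER_ATTR_MAP",
    "AUTH_LDAP_ALWAYS_UPDATE_USER",
    "AUTH_LDAP_START_TLS",
    "AUTH_LDAP_CONNECTION_OPTIONS",
    "AUTH_LDAP_GROUP_SEARCH",
    "AUTH_LDAP_GROUP_TYPE",
    "AUTH_LDAP_REQUIRE_GROUP",
    "AUTH_LDAP_DENY_GROUP",
    "AUTH_LDAP_USER_FLAGS_BY_GROUP",
    "AUTH_LDAP_BIND_AS_AUTHENTICATING_USER",
    "AUTH_LDAP_CACHE_TIMEOUT",
})


def find_misspelled_settings(settings: Dict[str, object]) -> Dict[str, str]:
    """Return {unknown_name: closest_known_name} for every AUTH_LDAP_* key that
    the backend would ignore. A typo such as AUTH_LDAP_BIND_DB raises no error
    at startup; it simply never sets the bind DN."""
    suspects: Dict[str, str] = {}
    for name in settings:
        if name.startswith("AUTH_LDAP_") and name not in KNOWN_SETTINGS:
            close = difflib.get_close_matches(name, KNOWN_SETTINGS, n=1, cutoff=0.8)
            suspects[name] = close[0] if close else "<no close match>"
    return suspects


def select_email(attrs: Dict[str, List[str]]) -> Optional[str]:
    """Pick the first usable value of the multi-valued `mail` attribute.

    LDAP attributes are lists: an entry may carry several mail values and one
    of them may be empty. Blank values are skipped instead of being written to
    the Django user, which is what the suggested `if mail:` guard achieves."""
    for value in attrs.get("mail") or []:
        candidate = value.strip()
        if candidate and "@" in candidate:
            return candidate
    return None


def diagnose_missing_attrs(attrs: Dict[str, List[str]],
                           expected: List[str]) -> Tuple[str, List[str]]:
    """Classify why expected attributes are absent (heuristic, see lead-in).

    Returns (code, missing_attribute_names) where code is one of
    "entry_not_found", "check_bind_credentials" or "ok"."""
    missing = [a for a in expected if not attrs.get(a)]
    if not attrs:
        # The user search returned nothing: filter or search base problem.
        return "entry_not_found", missing
    if missing:
        # Entry found, but the bind identity could not read these attributes.
        # FreeIPA, for instance, hides mail from anonymous binds, so the usual
        # cause is an unset or misspelled AUTH_LDAP_BIND_DN / BIND_PASSWORD.
        return "check_bind_credentials", missing
    return "ok", missing


if __name__ == "__main__":
    # Constructed data mirroring the shell session in this thread: the search
    # found the entry, but only givenName and displayName were readable.
    thread_attrs = {"givenName": ["Test"], "displayName": ["Test User"]}
    print(diagnose_missing_attrs(
        thread_attrs, ["mail", "givenName", "krbPrincipalName", "displayName"]))
    print(find_misspelled_settings(
        {"AUTH_LDAP_BIND_DB": "uid=svc-sentry,cn=users,...",  # constructed
         "AUTH_LDAP_BIND_PASSWORD": "<placeholder>"}))
    print(select_email({"mail": ["", "testuser@emaildomain.com"]}))
```

Run `find_misspelled_settings(vars(settings))` from the `sentry shell` against your own configuration module to surface ignored keys; `diagnose_missing_attrs` takes the `user.attrs` dict from the `_LDAPUser` probe shown earlier in the thread.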
Map attribute of LDAP user account is not mapping
sentry on-premise (docker) 23.11.1 (also tested on 23.6.2), sentry-auth-ldap 23.6.1, FreeIPA as LDAP
During the first LDAP user authentication I receive this error:
The LDAP user has an external email address that is stored in the mail attribute. ldapsearch returns this mail attribute, but during Sentry auth the mail attribute is not mapped to the new Sentry user. My sentry.conf.py:
Full log: