django-auth-ldap / django-auth-ldap

Django authentication backend that authenticates against an LDAP service.
https://django-auth-ldap.readthedocs.io/
BSD 2-Clause "Simplified" License

Direct bind with multiple OUs #81

Open PaszaVonPomiot opened 6 years ago

PaszaVonPomiot commented 6 years ago

Hi,

I would like to use direct bind with users being in two different OUs. This works for one OU:

AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=example,dc=com"

How do I do a direct bind with this example?

"uid=%(user)s,ou=usersA,dc=example,dc=com"
"uid=%(user)s,ou=usersB,dc=example,dc=com"

Providing a list of strings gives an error. Do I need to use multiple LDAP configs for this to work?

Thanks!

jdufresne commented 6 years ago

Instead of using AUTH_LDAP_USER_DN_TEMPLATE, you could use AUTH_LDAP_USER_SEARCH

https://django-auth-ldap.readthedocs.io/en/latest/reference.html#auth-ldap-user-search

For example:

import ldap
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=example,dc=com', ldap.SCOPE_SUBTREE, '(uid=%(user)s)')

Would that solve your use case?

PaszaVonPomiot commented 6 years ago

I have tried that already and this solution does not allow me to make direct bind as it requires a successful bind before doing search_s('dc=ok,dc=it,dc=net', 2, '(uid=user12)').

The error it throws in django logs is:

OPERATIONS_ERROR({'desc': 'Operations error', 'info': '000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839'},)

jdufresne commented 6 years ago

I see. You don't have access to a utility account to do the search.

You could create two LDAP configurations as you've suggested.

The other option would be to add a feature to allow AUTH_LDAP_USER_DN_TEMPLATE to be a list of templates, not just a single value. Are you interested in adding such a feature?
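The feature proposed above (a list of DN templates tried in order, so that no search and no utility account are needed) is sketched below as an added example. It is not django-auth-ldap code: `direct_bind_multi_ou`, `escape_dn_value` and the `bind` callable are hypothetical names, and the directory it binds against is a constructed in-memory stand-in for the two OUs in the issue. The one detail worth copying into any real implementation is the escaping step: the username is user input that lands inside a DN, so it must be escaped per RFC 4514 before the template is filled, otherwise a value like `bob,ou=admins` rewrites the DN being bound.

```python
"""Direct bind across several OUs with ordered DN templates (added example)."""
from typing import Callable, Iterable, List, Optional

# Characters that must be escaped inside an RDN attribute value (RFC 4514).
_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape a raw value so it can be substituted into a DN template safely."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    # A leading '#' or leading/trailing space also needs escaping.
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def build_candidate_dns(username: str, templates: Iterable[str]) -> List[str]:
    """Expand every template with the escaped username, preserving order."""
    safe = escape_dn_value(username)
    return [t % {"user": safe} for t in templates]


def direct_bind_multi_ou(
    username: str,
    password: str,
    templates: Iterable[str],
    bind: Callable[[str, str], bool],
) -> Optional[str]:
    """Try a simple bind with each candidate DN in turn.

    Returns the first DN that binds successfully, or None. No search is
    issued, so the user's own credentials are the only ones sent to the
    directory; this is what the issue's direct-bind requirement amounts to.
    """
    if not password:
        # An empty password is an anonymous bind on many servers and must
        # never count as authentication.
        return None
    for dn in build_candidate_dns(username, templates):
        if bind(dn, password):
            return dn
    return None


# Constructed sample directory (DN -> password); stands in for a real server.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=usersA,dc=example,dc=com": "alice-pw",
    "uid=bob,ou=usersB,dc=example,dc=com": "bob-pw",
}

# Hypothetical bind callable: mimics a simple bind against SAMPLE_DIRECTORY.
def fake_bind(dn: str, password: str) -> bool:
    """Succeeds only when the DN exists and the password matches."""
    return SAMPLE_DIRECTORY.get(dn) == password


# The two templates from the issue, tried in this order.
TEMPLATES = [
    "uid=%(user)s,ou=usersA,dc=example,dc=com",
    "uid=%(user)s,ou=usersB,dc=example,dc=com",
]

if __name__ == "__main__":
    print(direct_bind_multi_ou("bob", "bob-pw", TEMPLATES, fake_bind))
    print(build_candidate_dns("bob,ou=admins", TEMPLATES)[0])
```

The ordering matters operationally: the first OU whose entry accepts the password wins, so two entries with the same uid in different OUs are resolved by template order, not by any directory-side rule. For the "two LDAP configurations" alternative mentioned in this thread, django-auth-ldap's documented route is to subclass `LDAPBackend` once per directory and give each subclass its own `settings_prefix`, so each backend reads its own `AUTH_LDAP_..._USER_DN_TEMPLATE`.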

PaszaVonPomiot commented 6 years ago

I would definitely be interested in such a feature. Unfortunately I won't be able to contribute a PR myself as I'm a beginner Python programmer.

francoisfreitag commented 2 years ago

Maybe the Python LDAP FAQ for the following question would help here?

My script bound to MS Active Directory but a search operation results in the exception ldap.OPERATIONS_ERROR with the diagnostic message text “In order to perform this operation a successful bind must be completed on the connection.” Alternatively, a Samba 4 AD returns the diagnostic message “Operation unavailable without authentication”. What’s happening here?