etianen / django-python3-ldap

Django LDAP user authentication backend for Python 3.
BSD 3-Clause "New" or "Revised" License

TIMEOUTs not working #264

Open gumish opened 1 year ago

gumish commented 1 year ago

Hello, first of all, thank you for the great package! I am a newbie in Django+LDAP but I managed to get it running in quite a short time :)

But I have a question about the case if the LDAP server is not reachable, so it can't be connected. LDAP_AUTH_URL = ['ldaps://nonsense.com']

Is there a fallback so that it will stop trying to connect to the server and authenticate you via User model data?

I thought that these settings could help but nothing happened:

LDAP_AUTH_CONNECT_TIMEOUT = 2
LDAP_AUTH_RECEIVE_TIMEOUT = 2

I have also tried to add ModelBackend but also without success:

AUTHENTICATION_BACKENDS = (
    'django_python3_ldap.auth.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',)

Also, nothing about the unreachable server appears in the console (with the logging settings from the help):

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        'console': {
            'class': 'logging.StreamHandler',
        },
    },
    'loggers': {
        'django_python3_ldap': {
            'handlers': ['console'],
            'level': 'INFO',
        },
    },
}

etianen commented 1 year ago

Adding multiple AUTHENTICATION_BACKENDS is the way to make it fall back to the model backend.

However, the model backend requires that the user account has a valid password set.

What makes you think the fallback to the model backend is not working?

gumish commented 1 year ago

As you can see I used multiple AUTHENTICATION_BACKENDS.

But if I use a non-existing LDAP_AUTH_URL address like ['ldaps://nonsense.com'], then during login, I only see a rotating spinner in the browser, and nothing happens.

I would expect that, because of LDAP_AUTH_CONNECT_TIMEOUT = 2, after 2 seconds it would switch to 'django.contrib.auth.backends.ModelBackend' and log me in.

etianen commented 1 year ago

Can I have the logs please? It would be good to know where it's getting stuck.

Those settings are passed to the underlying ldap library.


gumish commented 1 year ago

I am not sure if this will be useful: DEBUG = True, logging level DEBUG

LDAP_AUTH_URL = ['ldaps://existing_server.com'] - existing running ldap server

D:\03__Web\CONTI\echm2>_virtenv\Scripts\python manage.py runserver 0.0.0.0:8080 
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
September 20, 2023 - 11:36:38
Django version 4.1.1, using settings 'echm.settings'
Starting development server at http://0.0.0.0:8080/
Quit the server with CTRL-BREAK.
[20/Sep/2023 11:37:35] "GET /accounts/login/?next=/ HTTP/1.1" 200 9734
[20/Sep/2023 11:37:44] "POST /accounts/login/ HTTP/1.1" 302 0
[20/Sep/2023 11:37:44] "GET / HTTP/1.1" 200 68206

>> successfully logged in


LDAP_AUTH_URL changed to ['ldaps://nonsense.com'] - non-existing server

D:\03__Web\CONTI\echm2\echm\settings.py changed, reloading.
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
September 20, 2023 - 11:38:12
Django version 4.1.1, using settings 'echm.settings'
Starting development server at http://0.0.0.0:8080/
Quit the server with CTRL-BREAK.
[20/Sep/2023 11:38:16] "GET /accounts/logout/?next=/ HTTP/1.1" 302 0
[20/Sep/2023 11:38:16] "GET / HTTP/1.1" 200 65959
[20/Sep/2023 11:38:18] "GET /accounts/login/?next=/ HTTP/1.1" 200 9734

>> no response, browser is endlessly waiting for it

etianen commented 1 year ago

I think you're going to have to delve into the ldap3 source code to figure out what's going on here. Those settings are being passed to ldap3, and it seems to not be interpreting them as one would expect.

I'm wondering if it's one of:

gumish commented 1 year ago

Yes, I agree. I have noticed that you only pass the setting variables to ldap3. I am not very experienced with GitHub issues, so I wrote here first to ask whether you are sure that this works correctly for you.

danilogbotelho commented 1 year ago

> As you can see I used multiple AUTHENTICATION_BACKENDS.
>
> But if I use a non-existing LDAP_AUTH_URL address like ['ldaps://nonsense.com'], then during login, I only see a rotating spinner in the browser, and nothing happens.
>
> I would expect that, because of LDAP_AUTH_CONNECT_TIMEOUT = 2, after 2 seconds it would switch to 'django.contrib.auth.backends.ModelBackend' and log me in.

Placing ModelBackend first in AUTHENTICATION_BACKENDS allows me to login when my LDAP server is unreachable. If LDAPBackend comes first and the server is unreachable then Django hangs.

parad0x96 commented 11 months ago

Same issue here, these parameters seem to be ignored:

LDAP_AUTH_CONNECT_TIMEOUT = 5
LDAP_AUTH_RECEIVE_TIMEOUT = 5
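
To narrow down where a login stalls, as asked earlier in the thread, the following stand-alone probe times name resolution plus TCP connect for each LDAP_AUTH_URL-style entry under a hard wall-clock deadline and reports which stage failed. It is an added example, not code from django-python3-ldap or ldap3; the function names are hypothetical, and ports 389/636 are assumed when a URL names none.

```python
import socket
import threading
import time
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # assumed when the URL names no port


def _connect(host, port, timeout):
    """Resolve and connect; return a status string instead of raising."""
    try:
        # The socket timeout bounds each TCP attempt, not the DNS lookup.
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.gaierror:
        return "dns-failure"
    except socket.timeout:
        return "connect-timeout"
    except OSError:
        return "connect-error"


def probe_ldap_url(url, timeout=2.0):
    """Time DNS + TCP connect for one LDAP URL under a hard deadline."""
    try:
        parts = urlsplit(url)
        host = parts.hostname if parts.scheme in DEFAULT_PORTS else None
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # malformed host or non-numeric port
        host = None
    if not host:
        return {"url": url, "status": "invalid-url", "seconds": 0.0}
    outcome = []
    worker = threading.Thread(
        target=lambda: outcome.append(_connect(host, port, timeout)), daemon=True
    )
    started = time.monotonic()
    worker.start()
    # join() enforces the deadline even if the resolver itself blocks.
    worker.join(timeout + 0.5)
    status = outcome[0] if outcome else "deadline-exceeded"
    elapsed = round(time.monotonic() - started, 2)
    return {"url": url, "status": status, "seconds": elapsed}


def probe_all(urls, timeout=2.0):
    """Probe every entry of an LDAP_AUTH_URL-style list, in order."""
    return [probe_ldap_url(u, timeout) for u in urls]


if __name__ == "__main__":
    # Constructed loopback URL; replace with your own LDAP_AUTH_URL list.
    print(probe_all(["ldap://127.0.0.1:3890"], timeout=1.0))
```

A `connect-timeout` or `deadline-exceeded` result means the network path itself blocks for the full timeout; a fast `connected` or `connect-error` result means the stall lies further up the stack.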