hhyo / Archery

SQL audit and query platform
https://archerydms.com
Apache License 2.0
5.97k stars 1.67k forks

1.9.1 LDAP integration problem (FreeIPA) #2135

Open duiniwukenaihe opened 1 year ago

duiniwukenaihe commented 1 year ago

Steps to reproduce

settings.py as follows. Changed username to uid:

```python
AUTH_LDAP_USER_ATTR_MAP=(
    dict,
    {"username": "uid", "display": "displayname", "email": "mail"},
),
```

LDAP configuration as follows:

```python
ENABLE_LDAP = True
if ENABLE_LDAP:
    import ldap
    from django_auth_ldap.config import LDAPSearch

    AUTHENTICATION_BACKENDS = (
        "django_auth_ldap.backend.LDAPBackend",  # try LDAP authentication first; if it succeeds the later backends are not used
        "django.contrib.auth.backends.ModelBackend",  # users created manually in Django can still log in, with lower priority. Mind the order of these two lines
    )

    AUTH_LDAP_SERVER_URI = env("AUTH_LDAP_SERVER_URI", default="ldap://xxx.xxxx.xxxx.com")
    AUTH_LDAP_USER_DN_TEMPLATE = env("AUTH_LDAP_USER_DN_TEMPLATE", default=None)
    if not AUTH_LDAP_USER_DN_TEMPLATE:
        del AUTH_LDAP_USER_DN_TEMPLATE
        AUTH_LDAP_BIND_DN = env(
            "AUTH_LDAP_BIND_DN", default="uid=ldap,cn=users,cn=accounts,dc=xxx,dc=xxxx,dc=com"
        )
        AUTH_LDAP_BIND_PASSWORD = env("AUTH_LDAP_BIND_PASSWORD", default="xxxxx")
        AUTH_LDAP_USER_SEARCH_BASE = env(
            "AUTH_LDAP_USER_SEARCH_BASE", default=""
        )
        AUTH_LDAP_USER_SEARCH_FILTER = env(
            "AUTH_LDAP_USER_SEARCH_FILTER", default="(&(uid=%(user)s)(!(nsaccountlock=*))(objectclass=inetorgperson)(memberOf=cn=yearning,cn=groups,cn=accounts,dc=xxxxx,dc=xxxx,dc=com))"
        )
        AUTH_LDAP_USER_SEARCH = LDAPSearch(
            AUTH_LDAP_USER_SEARCH_BASE, ldap.SCOPE_SUBTREE, AUTH_LDAP_USER_SEARCH_FILTER
        )
```

After restarting the service, the LDAP user test01 can log in normally:

In the admin user console the username appears in the form 01 test: (screenshot)
Log out the normal user and log in again: (screenshot)

Unexpected result

The uid field should be matched correctly. I have tried JumpServer, Yearning, Jenkins and others integrated with FreeIPA and they all work fine; Yearning, for example: (screenshot)

Log text

[2023-04-24 12:09:54,691][MainThread:140461894825792][task_id:django_auth_ldap][backend.py:644][WARNING]- uid=test01,cn=users,cn=accounts,dc=xxxx,dc=xxxx,dc=com does not have a value for the attribute email
[2023-04-24 12:09:54,696][MainThread:140461894825792][task_id:django_auth_ldap][backend.py:364][WARNING]- (1062, "Duplicate entry '01 test' for key 'username'") while authenticating test01
[2023-04-24 12:09:54,696][MainThread:140461894825792][task_id:default][exception_logging_middleware.py:12][ERROR]- Traceback (most recent call last):
  File "/opt/archery/common/auth.py", line 69, in authenticate
    user = Users.objects.get(username=username)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/manager.py", line 85, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/query.py", line 650, in get
    raise self.model.DoesNotExist(
sql.models.Users.DoesNotExist: Users matching query does not exist.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/utils.py", line 89, in _execute
    return self.cursor.execute(sql, params)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/mysql/base.py", line 75, in execute
    return self.cursor.execute(query, args)
  File "/opt/venv4archery/lib/python3.9/site-packages/MySQLdb/cursors.py", line 206, in execute
    res = self._query(query)
  File "/opt/venv4archery/lib/python3.9/site-packages/MySQLdb/cursors.py", line 319, in _query
    db.query(q)
  File "/opt/venv4archery/lib/python3.9/site-packages/MySQLdb/connections.py", line 259, in query
    _mysql.connection.query(self, query)
MySQLdb._exceptions.IntegrityError: (1062, "Duplicate entry '01 test' for key 'username'")

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/venv4archery/lib/python3.9/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/archery/common/auth.py", line 118, in authenticate_entry
    result = new_auth.authenticate()
  File "/opt/archery/common/auth.py", line 71, in authenticate
    authenticated_user = self.challenge(username=username, password=password)
  File "/opt/archery/common/auth.py", line 56, in challenge
    user = authenticate(username=username, password=password)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/views/decorators/debug.py", line 42, in sensitive_variables_wrapper
    return func(*func_args, **func_kwargs)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/contrib/auth/__init__.py", line 77, in authenticate
    user = backend.authenticate(request, **credentials)
  File "/opt/venv4archery/lib/python3.9/site-packages/django_auth_ldap/backend.py", line 142, in authenticate
    user = self.authenticate_ldap_user(ldap_user, password)
  File "/opt/venv4archery/lib/python3.9/site-packages/django_auth_ldap/backend.py", line 200, in authenticate_ldap_user
    return ldap_user.authenticate(password)
  File "/opt/venv4archery/lib/python3.9/site-packages/django_auth_ldap/backend.py", line 344, in authenticate
    self._get_or_create_user()
  File "/opt/venv4archery/lib/python3.9/site-packages/django_auth_ldap/backend.py", line 623, in _get_or_create_user
    self._user.save()
  File "/opt/archery/sql/models.py", line 54, in save
    super(Users, self).save(*args, **kwargs)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/contrib/auth/base_user.py", line 68, in save
    super().save(*args, **kwargs)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/base.py", line 831, in save
    self.save_base(
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/base.py", line 882, in save_base
    updated = self._save_table(
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/base.py", line 1025, in _save_table
    results = self._do_insert(
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/base.py", line 1066, in _do_insert
    return manager._insert(
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/manager.py", line 85, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/query.py", line 1790, in _insert
    return query.get_compiler(using=using).execute_sql(returning_fields)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/sql/compiler.py", line 1657, in execute_sql
    cursor.execute(sql, params)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/utils.py", line 67, in execute
    return self._execute_with_wrappers(
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/utils.py", line 80, in _execute_with_wrappers
    return executor(sql, params, many, context)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/utils.py", line 89, in _execute
    return self.cursor.execute(sql, params)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/utils.py", line 91, in __exit__
    raise dj_exc_value.with_traceback(traceback) from exc_value
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/utils.py", line 89, in _execute
    return self.cursor.execute(sql, params)
  File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/mysql/base.py", line 75, in execute
    return self.cursor.execute(query, args)
  File "/opt/venv4archery/lib/python3.9/site-packages/MySQLdb/cursors.py", line 206, in execute
    res = self._query(query)
  File "/opt/venv4archery/lib/python3.9/site-packages/MySQLdb/cursors.py", line 319, in _query
    db.query(q)
  File "/opt/venv4archery/lib/python3.9/site-packages/MySQLdb/connections.py", line 259, in query
    _mysql.connection.query(self, query)
django.db.utils.IntegrityError: (1062, "Duplicate entry '01 test' for key 'username'")

Version

1.9.1

Deployment method

Docker

Is there any other information that could help locate the problem? For example the database version

No response

unknowissue commented 1 year ago

After the LDAP information has been inserted into the database, the record is not found on the next authentication. This is usually because of Chinese characters or some other such case; I have not dug into this problem.

You can do `yum install openldap-clients` and then

```shell
ldapsearch -x -H ldap://127.0.0.1:389 -b "dc=baidu,dc=com" -D "cn=admin,dc=baidu,dc=com" -w baidu
```

to see which fields you have available, and use a unique field, e.g. sAMAccountName https://stackoverflow.com/questions/508014/active-directory-ldap-query-by-samaccountname-and-domain

See: https://github.com/hhyo/Archery/issues/1533 https://github.com/hhyo/Archery/issues/1184
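The report and the reply above describe the same failure from both ends: the traceback shows the first login writing a row whose username is `01 test` and the second login (for `test01`) first missing on `Users.objects.get(username=...)` and then failing on `UNIQUE(username)` inside `_get_or_create_user`; the reply recommends inspecting the entry with ldapsearch and mapping `username` to a unique attribute. The script below is an added example, not Archery's or django-auth-ldap's own code. It parses one ldapsearch-style LDIF entry (constructed here; the `cn` value `01 test` is chosen only to mirror the value in the duplicate-key message, and the DN and the other attribute values are made up), replays the first/second-login sequence from the traceback against an in-memory table with a unique username column, and lists which mapped attributes are absent or do not equal the login name. `UsersTable`, `ldap_login` and `check_attr_map` are this example's own simplified model of those steps, not the real ORM or backend.

```python
"""Pre-flight check for a django-auth-ldap AUTH_LDAP_USER_ATTR_MAP.

Added example, not Archery's or django-auth-ldap's code.  Models the steps in
the traceback: lookup by typed login name, build a user from the mapped LDAP
attributes, INSERT into a table whose username column is UNIQUE.
"""
import base64

# Constructed ldapsearch-style entry (not real directory data).  cn is set to
# "01 test" only to mirror the duplicate-key message; everything else is made up.
SAMPLE_LDIF = """\
dn: uid=test01,cn=users,cn=accounts,dc=example,dc=com
uid: test01
cn: 01 test
displayName: 01 test
objectClass: inetorgperson
objectClass: posixaccount
"""

# Two candidate maps with the keys Archery's settings use.
CN_MAP = {"username": "cn", "display": "displayname", "email": "mail"}
UID_MAP = {"username": "uid", "display": "displayname", "email": "mail"}


class IntegrityError(Exception):
    """Stand-in for django.db.utils.IntegrityError (MySQL error 1062)."""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.

    Folds continuation lines (leading space) and decodes "attr:: <base64>".
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


class UsersTable:
    """In-memory stand-in for the Users table: username is UNIQUE and, like
    MySQL's default collation, compared case-insensitively."""

    def __init__(self):
        self.rows = {}

    def get_iexact(self, username):
        for name, row in self.rows.items():
            if name.lower() == username.lower():
                return row
        return None

    def insert(self, row):
        if self.get_iexact(row["username"]) is not None:
            raise IntegrityError(
                "(1062, \"Duplicate entry '%s' for key 'username'\")" % row["username"]
            )
        self.rows[row["username"]] = row


def ldap_login(table, login_name, attrs, attr_map):
    """One login attempt: lookup by login name; if absent, build a user with
    username=login_name, overwrite each mapped field from the entry, INSERT."""
    if table.get_iexact(login_name) is not None:
        return "found"
    row = {"username": login_name.lower(), "display": "", "email": ""}
    for field, attr in attr_map.items():
        values = attrs.get(attr.lower())
        if values:  # absent attribute: field stays empty (backend only logs a warning)
            row[field] = values[0]
    table.insert(row)
    return "created"


def simulate_two_logins(login_name, attrs, attr_map):
    """Outcome of two consecutive logins by the same person with a given map."""
    table = UsersTable()
    outcomes = []
    for _ in range(2):
        try:
            outcomes.append(ldap_login(table, login_name, attrs, attr_map))
        except IntegrityError:
            outcomes.append("IntegrityError")
    return outcomes


def check_attr_map(login_name, attrs, attr_map):
    """Problems a map causes for this entry: absent or multi-valued attributes,
    and a username attribute whose value differs from the login name (so the
    row written on the first login is never found again)."""
    problems = []
    for field, attr in attr_map.items():
        values = attrs.get(attr.lower(), [])
        if not values:
            problems.append("%s: attribute %r is absent, field left empty" % (field, attr))
        elif len(values) > 1:
            problems.append("%s: attribute %r is multi-valued, first value used" % (field, attr))
    values = attrs.get(attr_map["username"].lower(), [])
    if values and values[0].lower() != login_name.lower():
        problems.append("username: %r = %r does not match login name %r; second login will hit UNIQUE(username)"
                        % (attr_map["username"], values[0], login_name))
    return problems


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for label, amap in (("username <- cn", CN_MAP), ("username <- uid", UID_MAP)):
        print(label, simulate_two_logins("test01", entry, amap))
        for problem in check_attr_map("test01", entry, amap):
            print("   ", problem)
```

To use it against a real directory, paste the entry printed by the ldapsearch command from the reply above into `SAMPLE_LDIF` and set `attr_map` to the map from settings.py; the name passed as `login_name` must be the same string the user types at the login form, since that is what `%(user)s` in `AUTH_LDAP_USER_SEARCH_FILTER` and the `Users.objects.get(username=...)` lookup both receive.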

sona-yuan commented 1 month ago

On v1.11 it does not work with English fields either: the second login errors out, and the map is all English letters and digits.