3

Configure LDAP authentication

I can see a few people seem to have had success setting up askbot to authenticate against Active Directory, but I'm having trouble with it. Could anyone clarify how these fields should be used:

LDAP service provider name: I tried "Active Directory"

URL for LDAP service: I tried "ldap://10.23.2.1:389"

Explain how to change pwd: left blank

With these settings I get an Internal Server Error, and nothing inserted into the log.

31
benstokes
asked 2012-01-24 04:11:26 -0600
13.2k
Evgeny
updated 2012-01-24 08:05:03 -0600

6 Answers

1

I've been fighting LDAP for a bit here, and found a couple tricks that helped me out.

First, if your LDAP requires authentication, just add this to your settings.py:

LDAP_LOGIN_DN = 'someldapuser'

LDAP_PASSWORD = 'somepassword'

Fill in the ldap read username/password.

Also, make sure to use the current git repository instead of the PyPI build, as it is out of date. Make sure that your external_keys.py has ldap; for me, even when using git to build, I had the out-of-date version. You can tell, as the final setting will be identica.

After that, go ahead and log in with your admin user. Go into settings and configure your LDAP settings, then configure it again under external keys... I'm not sure which takes precedence. Finally, go into login providers and uncheck everything. Then recheck "Always display local login form" and "Activate Local Password Login". Don't worry, that's just going to force it to only use LDAP.

From there, you should be ok. I edited the log level in settings.py to be info for the purpose of getting all configs set correctly.

Hope this helps some others!

11
dreadpirate15
answered 2014-05-01 15:35:07 -0600

1

Koni's answer does not solve the problem because it does local login, not ldap.

I can't find any good explanation of the use of ldap on the site. Does it work or not? (I think not)

11
enrique
answered 2012-06-22 05:25:50 -0600

Comments

Which version of LDAP protocol are you using? Askbot is hardcoded to work with v3. LDAP support was contributed by somebody else and we have not tested it thoroughly yet. If you have ability to test and debug - please look at the module askbot.deps.django_authopenid.backends.

Evgeny (2012-06-23 18:20:05 -0600)

Looked at the protocol again - it turns out we connect to LDAP without authentication, and if your directory does not allow anonymous lookup of data - it won't work. Also - please do check your log/askbot.log; all LDAP errors are logged. Please tell me which one you have.

Evgeny (2012-06-23 19:20:09 -0600)

I can connect with jxplorer using v3. But I can't make it work with askbot. We have authentication as mandatory, so we can't use it anonymously. There are no logs in the log folder. I am going to debug backends to see what happens.

enrique (2012-06-25 10:42:56 -0600)

What is the point of using LDAP on the login system if you don't use authentication?

enrique (2012-06-25 10:53:41 -0600)

In askbot.deps.django_authopenid.backends.py, in the method "ldap_authenticate", I connect to the LDAP server, and the line "res = ldap_session.search_s(askbot_settings.LDAP_BASEDN, ldap.SCOPE_SUBTREE, user_filter, None)" fails, throwing an exception "{'desc' : 'Bad search filter'}". It looks like it's searching on a field called desc which does not exist. It should be "cn" not "desc".

enrique (2012-06-25 11:44:15 -0600)
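
An added example (not Askbot's code and not any poster's) of the flow the two answers above circle around: bind as the read account (the LDAP_LOGIN_DN / LDAP_PASSWORD pair), search with an escaped filter, then re-bind as the user. In python-ldap's error dicts "desc" is the key that holds the error description, so "Bad search filter" refers to the filter string handed to search_s. Assumptions: FakeDirectory, its entries, the filter template and the authenticate/login helpers are constructed so the flow runs offline; only the method names simple_bind_s and search_s mirror python-ldap.

```python
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a username so it cannot change the structure of the filter."""
    return "".join(_ESC.get(ch, ch) for ch in value)

def authenticate(conn, base_dn, service_dn, service_pw, username, password):
    """Return the user's DN on success, None on any failure (fail closed)."""
    # A simple bind with an empty password is an unauthenticated bind, which
    # many servers accept; reject it before contacting the directory.
    if not username or not password:
        return None
    conn.simple_bind_s(service_dn, service_pw)      # 1. bind as read account
    user_filter = "(&(objectClass=person)(cn=%s))" % escape_filter_value(username)
    entries = conn.search_s(base_dn, "subtree", user_filter)  # 2. find the user
    if len(entries) != 1:                           # none, or ambiguous match
        return None
    user_dn = entries[0][0]
    try:
        conn.simple_bind_s(user_dn, password)       # 3. re-bind as the user
    except PermissionError:                         # stand-in for a failed bind
        return None
    return user_dn

class FakeDirectory:
    """Constructed stand-in for an LDAP connection; not python-ldap."""
    PASSWORDS = {"cn=svc,dc=example,dc=org": "svc-pw",
                 "cn=alice,dc=example,dc=org": "alice-pw",
                 "cn=bob,dc=example,dc=org": "bob-pw"}

    def simple_bind_s(self, dn, password):
        if password == "":
            return                  # models a server accepting unauthenticated binds
        if self.PASSWORDS.get(dn) != password:
            raise PermissionError("Invalid credentials")

    def search_s(self, base_dn, scope, user_filter):
        if user_filter.count("(") != user_filter.count(")"):
            raise ValueError("Bad search filter")
        wanted = re.search(r"\(cn=([^)]*)\)", user_filter).group(1)
        return [(dn, {}) for dn in self.PASSWORDS
                if dn.endswith(base_dn) and wanted in ("*", dn.split(",")[0][3:])]

def login(username, password):
    """Run the flow against the constructed directory above."""
    return authenticate(FakeDirectory(), "dc=example,dc=org",
                        "cn=svc,dc=example,dc=org", "svc-pw", username, password)
```

With python-ldap itself, ldap.filter.escape_filter_chars does the escaping and a rejected bind raises ldap.INVALID_CREDENTIALS.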
1

I got it working here: https://github.com/monkut/askbot-devel

I'm not sure if this will cover all LDAP configurations, but it's working for me now. You'll need to adjust the appropriate login configuration items so that the openauth items do NOT display, and to set up the ldap configuration values in settings/EXTERNAL_KEYS.

Only three files need to be updated:

  • deps.django_authopenid.views
  • deps.django_authopenid.backends
  • conf.external_keys

21
monkut
answered 2012-01-25 02:39:32 -0600, updated 2012-01-25 02:40:50 -0600

1

I am using the 3 files from above, but I get: NameError at /account/signin/ global name 'ldap_provider_name' is not defined

Did install pip install python-ldap

Any ideas?

11
koni
answered 2012-01-27 04:10:35 -0600

Comments

1

Found the problem! Error in line 329: change to: login_provider_name = provider_name,

koni (2012-01-27 04:25:19 -0600)

0

I am sorry, LDAP authentication is broken. Marking as bug.

13.2k
Evgeny
answered 2012-01-24 08:04:53 -0600

Comments

Thanks for the update.

benstokes (2012-01-24 08:39:40 -0600)

I'm trying to get it working here; what area of code needs work?

monkut (2012-01-24 23:09:40 -0600)

Any update here? Is LDAP authentication still broken?

anarcat (2012-09-24 16:09:09 -0600)

There is an updated version in the repository which works for us.

Evgeny (2012-09-24 16:10:23 -0600)

@Evgeny: can you please suggest which latest version of askbot supports LDAP and is bug free?

shubhamt (2019-09-16 05:00:11 -0600)

0

Hi, I'm having trouble with LDAP auth. I'm getting this error:

/usr/local/lib/python2.7/dist-packages/askbot-0.7.43-py2.7.egg/askbot/deps/django_authopenid/forms.py TIME: 2012-07-09 14:25:17,267 MSG: forms.py:clean:77 unknown provider name

73
Erick Almeida
answered 2012-07-09 14:43:36 -0600

Comments

LDAP in that release is broken, will be fixed in the next.

Evgeny (2012-07-09 20:51:28 -0600)

Is there a roadmap or schedule for the next release? I get a git repo. If a fix exists I can apply and instal...

Erick Almeida (2012-07-10 06:32:52 -0600)

I'll make a final fix today and make an update on git today - will let you know. The release may take some extra time, a few days.

Evgeny (2012-07-10 09:56:02 -0600)

Erick, try branch "tag-editor" on the github, LDAP works for me there.

Evgeny (2012-07-10 19:47:11 -0600)

Evgeny, I installed this branch. After that, with the LDAP logon method I cannot log in to the system. The form for "local" registration disappears.

Erick Almeida (2012-07-12 15:10:43 -0600)

Leave local login 'on' and the form will not go away, but will be used for LDAP. I am still working on LDAP option - right now there is a problem - if user changes screen name he/she can't use LDAP any more.

Evgeny (2012-07-12 15:13:37 -0600)

In my case I don't change screen name. But I am cleaning the database for a clean test.

Erick Almeida (2012-07-12 15:21:57 -0600)

If I try to log in with an LDAP username (that does not exist in the askbot database), I get this message in askbot.log: MSG: forms.py:clean:77 unknown provider name local

Erick Almeida (2012-07-12 15:26:27 -0600)

I have updated LDAP flow on branch 'tag-editor' again. Works for me. I've tested against this server http://blog.stuartlewis.com/2008/07/07/test-ldap-service/ (really glad that this guy has set it up).

Evgeny (2012-07-12 21:55:28 -0600)

Evgeny, hi. I tried this blog but it doesn't work. Is there any log for authentication failures?

Erick Almeida (2012-07-13 07:46:28 -0600)