LDAP: 'Populating Django user' causes error 'INSUFFICIENT_ACCESS'
I am trying to authenticate a Django application against an LDAP server, but I am getting some strange behaviour. Please bear in mind that I know very little about LDAP, so forgive me if I misuse some LDAP terminology. Also note that throughout this question, my_domain is my company's domain name and user_id is the uid of the authenticating user.
Here is the relevant part of my settings.py configuration file:
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

AUTHENTICATION_BACKENDS = [
    'django_auth_ldap.backend.LDAPBackend'
]
AUTH_LDAP_SERVER_URI = 'ldaps://ipa.my_domain.com:636'
# The user's DN is built directly from the login name, so no search is needed to find it
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,cn=users,cn=accounts,dc=my_domain,dc=com"
# Django flags granted by membership of the named group
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=all,cn=groups,cn=accounts,dc=my_domain,dc=com",
    "is_staff": "cn=all,cn=groups,cn=accounts,dc=my_domain,dc=com",
    "is_superuser": "cn=all,cn=groups,cn=accounts,dc=my_domain,dc=com"
}
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
# Note: "member" is an attribute, not an objectClass; groupOfNames entries are
# normally matched with "(objectClass=groupOfNames)"
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("cn=groups,cn=accounts,dc=my_domain,dc=com",
                                    ldap.SCOPE_SUBTREE, "(objectClass=member)"
)
AUTH_LDAP_GLOBAL_OPTIONS = {
    ldap.OPT_X_TLS_REQUIRE_CERT: False,  # disables verification of the server's TLS certificate
    ldap.OPT_REFERRALS: False,
}
AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn"}
When I try to log in to my application, I get this error:
Populating Django user user_id
search_s('uid=user_id,cn=users,cn=accounts,dc=my_domain,dc=com', 0, '(objectClass=*)') returned 1 objects: uid=user_id,cn=users,cn=accounts,dc=my_domain,dc=com
Caught LDAPError while authenticating user_id: INSUFFICIENT_ACCESS({'desc': 'Insufficient access'},)
However, when I flip this flag from True to False:
AUTH_LDAP_ALWAYS_UPDATE_USER = False
authentication succeeds. Now here is the strange part: even though authentication succeeds, my attributes are not mapped onto my Django user object (the ones specified in AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn"}). When I manually inspect request.user.ldap_user.attrs, all the attributes are there.
So the questions are: what exactly does 'Populating Django user' mean? What causes the 'INSUFFICIENT_ACCESS' error? And why does flipping that flag fix (hide?) the problem?
Thanks.
I was able to resolve all the issues by adding this line to my settings.py file:
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
I had always intended to bind as the authenticating user. I don't have a service account to bind with, and with my company's LDAP setup some information is unavailable when bound as an anonymous user. What was evidently happening is that after authentication, a re-bind took place using AUTH_LDAP_BIND_DN, which of course I had not specified, so an anonymous bind was used. The anonymous bind is not allowed to access group information and other details, which caused the INSUFFICIENT_ACCESS error.
By default, all LDAP operations are performed with the AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD credentials, not with the user’s. Otherwise, the LDAP connection would be bound as the authenticating user during login requests and as the default credentials during other requests, so you might see inconsistent LDAP attributes depending on the nature of the Django view. If you’re willing to accept the inconsistency in order to retrieve attributes while bound as the authenticating user, see AUTH_LDAP_BIND_AS_AUTHENTICATING_USER.
More details from the documentation about AUTH_LDAP_BIND_AS_AUTHENTICATING_USER:
Default: False
If True, authentication will leave the LDAP connection bound as the authenticating user, rather than forcing it to re-bind with the default credentials after authentication succeeds. This may be desirable if you do not have global credentials that are able to access the user’s attributes. django-auth-ldap never stores the user’s password, so this only applies to requests where the user is authenticated. Thus, the downside to this setting is that LDAP results may vary based on whether the user was authenticated earlier in the Django view, which could be surprising to code not directly concerned with authentication.
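The bind sequence the answer describes, replayed in Python as an added illustration. This is not django-auth-ldap's code and not the poster's; it models the backend's behaviour (authenticate by binding as the user, re-bind with the default credentials unless AUTH_LDAP_BIND_AS_AUTHENTICATING_USER is set, populate the user when it is new or AUTH_LDAP_ALWAYS_UPDATE_USER is True) against a constructed in-memory directory whose single access rule is the one the answer diagnosed: anyone can read a user entry, but only an authenticated bind can read group membership. The user "alice", the service account "svc-django" and its DN are hypothetical.

```python
"""Model of the bind sequence django-auth-ldap runs around a login, written as
an added illustration of the answer above. It is not django-auth-ldap's code;
the directory, its access rule and every entry in it are constructed."""


class InsufficientAccess(Exception):
    """Stands in for ldap.INSUFFICIENT_ACCESS: the server refused a read."""


# Constructed DNs following the layout used in the question.
USER_DN = "uid=alice,cn=users,cn=accounts,dc=my_domain,dc=com"
GROUP_DN = "cn=all,cn=groups,cn=accounts,dc=my_domain,dc=com"
SERVICE_ACCOUNT_DN = "uid=svc-django,cn=sysaccounts,cn=etc,dc=my_domain,dc=com"  # hypothetical


class FakeDirectory:
    """Toy directory with one access rule modelled on the answer's diagnosis:
    any bind may read a user entry, but only an authenticated bind may read
    group membership. Real FreeIPA ACIs are more detailed than this."""

    def __init__(self):
        self.entries = {
            USER_DN: {"password": "correct horse", "givenName": ["Alice"], "sn": ["Example"]},
            SERVICE_ACCOUNT_DN: {"password": "svc-secret"},
        }
        self.groups = {GROUP_DN: {"member": [USER_DN]}}
        self.bound_as = None  # None means the connection is bound anonymously

    def simple_bind(self, dn, password):
        if dn is None:
            self.bound_as = None  # anonymous bind, as when AUTH_LDAP_BIND_DN is unset
            return
        entry = self.entries.get(dn)
        if entry is None or entry["password"] != password:
            raise ValueError("invalid credentials")
        self.bound_as = dn

    def read_attrs(self, dn):
        return {k: v for k, v in self.entries[dn].items() if k != "password"}

    def is_member(self, group_dn, user_dn):
        if self.bound_as is None:
            raise InsufficientAccess("anonymous bind may not read group membership")
        return user_dn in self.groups[group_dn]["member"]


BASE_SETTINGS = {
    "USER_DN_TEMPLATE": "uid=%(user)s,cn=users,cn=accounts,dc=my_domain,dc=com",
    "USER_ATTR_MAP": {"first_name": "givenName", "last_name": "sn"},
    "USER_FLAGS_BY_GROUP": {"is_staff": GROUP_DN},
    "ALWAYS_UPDATE_USER": True,  # the question's original value
}


def login(directory, settings, username, password, existing_user=None):
    """Replay the sequence: bind as the user to authenticate, re-bind with the
    default credentials unless BIND_AS_AUTHENTICATING_USER is set, then populate
    the Django user if it is new or ALWAYS_UPDATE_USER is set."""
    user_dn = settings["USER_DN_TEMPLATE"] % {"user": username}
    directory.simple_bind(user_dn, password)  # authentication succeeds here
    if not settings.get("BIND_AS_AUTHENTICATING_USER", False):
        directory.simple_bind(settings.get("BIND_DN"), settings.get("BIND_PASSWORD", ""))
    user = existing_user if existing_user is not None else {"username": username, "_new": True}
    if user.get("_new") or settings["ALWAYS_UPDATE_USER"]:
        attrs = directory.read_attrs(user_dn)  # the "Populating Django user" step
        for field, ldap_attr in settings["USER_ATTR_MAP"].items():
            user[field] = attrs[ldap_attr][0]
        for flag, group_dn in settings["USER_FLAGS_BY_GROUP"].items():
            user[flag] = directory.is_member(group_dn, user_dn)  # refused when anonymous
    user.pop("_new", None)
    return user


def try_login(overrides, existing_user=None):
    """Run one scenario against a fresh directory. Returns the user dict, or
    the LDAP error name when populating the user was refused."""
    settings = {**BASE_SETTINGS, **overrides}
    try:
        return login(FakeDirectory(), settings, "alice", "correct horse", existing_user)
    except InsufficientAccess:
        return "INSUFFICIENT_ACCESS"


if __name__ == "__main__":
    # 1. The question's configuration: no bind DN, so the re-bind is anonymous.
    print(try_login({}))
    # 2. ALWAYS_UPDATE_USER=False on an existing user: login passes, nothing populated.
    print(try_login({"ALWAYS_UPDATE_USER": False}, existing_user={"username": "alice"}))
    # 3. The answer's fix: stay bound as the user after authentication.
    print(try_login({"BIND_AS_AUTHENTICATING_USER": True}))
    # 4. The documented default path: a service account for the re-bind.
    print(try_login({"BIND_DN": SERVICE_ACCOUNT_DN, "BIND_PASSWORD": "svc-secret"}))
```

Scenario 1 reproduces the question: authentication itself passes, and it is the group check during population, made over the anonymously re-bound connection, that is refused. In the real backend that LDAPError aborts the login, which is why the log shows "Caught LDAPError while authenticating". Scenario 2 explains the "attributes not mapped" observation: with AUTH_LDAP_ALWAYS_UPDATE_USER set to False the user is only populated when it is first created, so an existing user is never touched and the failing group check never runs. Scenarios 3 and 4 are the two ways out: stay bound as the user (the answer's fix, with the inconsistency the documentation warns about), or give the re-bind a service account that is allowed to read group membership.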