Active Directory auth failing #884
-
Based on the "failed to map the username to a DN" message, it seems like the search just isn't finding a match. You might want to try a "deeper" base DN in the "AUTH_LDAP_USER_SEARCH_BASEDN" value. (OU=?,OU=_,etc...,DC=redacted,DC=com) If you're unsure of the path, I think that "Get-ADUser -Identity rightname" (PowerShell) would give you the full distinguished name, which you could just trim the CN section off of. (I'm not an AD admin, so I could be barking up the wrong tree.)
-
From those logs you can't really see what's going on. You could try to set OPT_DEBUG_LEVEL from python-ldap to get more information. Or you could switch to LDAP (without the 'S') and look at the connection with Wireshark (or similar tools).
-
So in your case there is no auth bind DN set, i.e. NetBox binds itself anonymously to the AD. See the Django docs for AUTH_LDAP_BIND_DN:
The DN found for the user is used for user authentication. But only for authentication. Not later. Here is an excerpt from the Django docs about the parameter: AUTH_LDAP_BIND_AS_AUTHENTICATING_USER
This means, however, only so much as that no re-bind with the found user happens. But a functional bind must still exist to gather the user DN. Anonymous or with a DN shouldn't matter if anonymous binding to the AD is allowed. Judging by your log excerpts, the first bind already fails. It almost says it:

netbox-docker-netbox-1 | DEBUG Binding as

So at this point there is no bind, you are still unbound. Then NetBox tries an LDAP search in the given Root DN:

netbox-docker-netbox-1 | DEBUG Invoking search_s('DC=REDACTED,DC=com', 2, '(sAMAccountName=wrongname)')

After that you will get a clear error message:

netbox-docker-netbox-1 | ERROR search_s('DC=REDACTED,DC=com', 2, '(sAMAccountName=wrongname)') raised OPERATIONS_ERROR({'msgtype': 101, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563'})

So the above
At least here it can be said clearly that the error occurs before the search. I think you can't avoid either binding anonymously or specifying a bind user. You need a valid DN for authentication at the latest for user LDAP authentication. Django doesn't know against which DN you want to authenticate the user. Theoretically, there is AUTH_LDAP_USER_DN_TEMPLATE for this, but judging by the NetBox docs, this is no longer required for Windows servers newer than 2012.
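The two threads of advice above (trim the CN off a user's DN to get an OU-level search base, and make sure a bind DN is configured because AD answers an unbound search with 000004DC) can be checked mechanically. The following is an added example, not NetBox or django-auth-ldap code: it models the ldap_config.py settings as a plain dict so it runs without Django or python-ldap (AUTH_LDAP_USER_SEARCH is represented as a (base_dn, scope, filter) tuple instead of an LDAPSearch object, which is an assumption of this example), flags the anonymous-bind and unmapped-user configurations, decodes the AD error code from the python-ldap 'info' field, and derives a search base from a user DN. All DNs, hostnames and account names are constructed samples.

```python
"""Sanity checks for a NetBox / django-auth-ldap configuration against AD.

Added example, not NetBox or django-auth-ldap code. Settings are a plain dict
using the ldap_config.py names; AUTH_LDAP_USER_SEARCH is a (base_dn, scope,
filter) tuple here (an assumption) rather than an LDAPSearch object.
"""
import re

# Leading hex code of an AD extended error, e.g. "000004DC: LdapErr: ..."
_AD_CODE = re.compile(r"^\s*([0-9A-Fa-f]{8}):")

# 000004DC is the code quoted in this thread; 80090308 (AcceptSecurityContext
# error, invalid credentials) is a common second case, not taken from the thread.
AD_CODES = {
    "000004DC": "search refused: AD requires a successful bind before searching; "
                "set AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD",
    "80090308": "bind refused: invalid credentials for the bind DN",
}


def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas (RFC 4514)."""
    return [part for part in re.split(r"(?<!\\),", dn) if part]


def search_base_from_dn(user_dn):
    """Drop the leading CN RDN of a user's DN to get an OU-level search base."""
    rdns = split_dn(user_dn)
    if not rdns or not rdns[0].upper().startswith("CN="):
        raise ValueError("expected a user DN starting with CN=")
    return ",".join(rdns[1:])


def ad_error_code(info):
    """Extract the 8-digit AD error code from a python-ldap 'info' string."""
    m = _AD_CODE.match(info or "")
    return m.group(1).upper() if m else None


def explain_ldap_error(info):
    """Map the AD error code in an 'info' string to a remediation hint."""
    code = ad_error_code(info)
    return AD_CODES.get(code, "unrecognised AD error code %r" % code)


def check_ldap_config(cfg):
    """Return findings for the settings a failing AD login usually hinges on."""
    findings = []
    if cfg.get("AUTH_LDAP_SERVER_URI", "").startswith("ldap://"):
        findings.append("AUTH_LDAP_SERVER_URI is plain ldap://: bind credentials cross "
                        "the network unencrypted; use ldaps:// outside of debugging")
    if not cfg.get("AUTH_LDAP_BIND_DN"):
        findings.append("AUTH_LDAP_BIND_DN is empty: NetBox binds anonymously and AD "
                        "answers the user search with 000004DC unless anonymous search "
                        "is allowed")
    elif not cfg.get("AUTH_LDAP_BIND_PASSWORD"):
        findings.append("AUTH_LDAP_BIND_DN is set but AUTH_LDAP_BIND_PASSWORD is empty")
    search = cfg.get("AUTH_LDAP_USER_SEARCH")
    if not search and not cfg.get("AUTH_LDAP_USER_DN_TEMPLATE"):
        findings.append("neither AUTH_LDAP_USER_SEARCH nor AUTH_LDAP_USER_DN_TEMPLATE "
                        "is set: the username cannot be mapped to a DN")
    if search:
        base_dn, _scope, filt = search
        if "%(user)s" not in filt:
            findings.append("AUTH_LDAP_USER_SEARCH filter does not contain %(user)s")
        if all(rdn.upper().startswith("DC=") for rdn in split_dn(base_dn)):
            findings.append("AUTH_LDAP_USER_SEARCH base DN is the domain root; if mapping "
                            "still fails, try the OU-level parent of the user's DN")
    return findings


# Constructed sample: the shape of the config described in the thread (no bind DN).
ANONYMOUS_CONFIG = {
    "AUTH_LDAP_SERVER_URI": "ldaps://dc1.redacted.com",
    "AUTH_LDAP_BIND_DN": "",
    "AUTH_LDAP_BIND_PASSWORD": "",
    "AUTH_LDAP_USER_SEARCH": ("DC=redacted,DC=com", 2, "(sAMAccountName=%(user)s)"),
}

# Constructed sample: the same config with a read-only service account for the bind.
SERVICE_ACCOUNT_CONFIG = dict(
    ANONYMOUS_CONFIG,
    AUTH_LDAP_BIND_DN="CN=svc-netbox,OU=Service Accounts,DC=redacted,DC=com",
    AUTH_LDAP_BIND_PASSWORD="<bind password from a secrets store>",
    AUTH_LDAP_USER_SEARCH=("OU=Users,DC=redacted,DC=com", 2, "(sAMAccountName=%(user)s)"),
)

# The 'info' field of the OPERATIONS_ERROR quoted in the thread.
OPERATIONS_ERROR_INFO = ("000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform "
                         "this operation a successful bind must be completed on the "
                         "connection., data 0, v4563")

if __name__ == "__main__":
    for finding in check_ldap_config(ANONYMOUS_CONFIG):
        print("finding:", finding)
    print("error:", explain_ldap_error(OPERATIONS_ERROR_INFO))
    print("base:", search_base_from_dn("CN=Jane Doe,OU=Staff,OU=Users,DC=redacted,DC=com"))
```

Scope value 2 is python-ldap's SCOPE_SUBTREE, the same value that appears in the search_s call in the log above. The bind password in the sample is a placeholder; in a real ldap_config.py it should be read from the environment or a secrets store rather than committed with the file.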
-
I had this exact same issue. Same symptoms and all. I would authenticate with my AD account and receive the same message about cannot map username to a DN, but a different message with a fake account name. We were upgrading our Netbox install, but I wanted to do a greenfield install since we were doing a large upgrade. I found that the ldap_config.py file was to blame. I took the file from our previous install and replaced the one in the new install, and magically the LDAP auth worked and mapped my username to a DN.
-
I've been having some weird auth issues for a couple of days now after updating to 2.3.0.
I have all of my users as AD auth'd, except for the admin account and one other account.
System info
Domain Controllers are all Windows Server 2019, Forest Functional Level at 2016.
Configs
Error message
wrongname is an account that doesn't exist. Notice the extra log lines.
rightname is an account that does exist. Those extra lines are not there, telling me that the LDAP bind is working and it can find the account via sAMAccountName, but something else is wrong.