Active Directory authentication not working #4401

Closed
nohaj opened this issue Nov 26, 2019 · 2 comments

nohaj commented Nov 26, 2019

Hello,

I can't get the LDAP Authentication working against an Active Directory LDAP.

I'm using the docker image redash/redash:8.0.0.b32245 with the following settings:

```yaml
REDASH_LDAP_BIND_DN: MY_DOMAIN\\My_User
REDASH_LDAP_CUSTOM_USERNAME_PROMPT: 'Please enter domain account:'
REDASH_LDAP_DISPLAY_NAME_KEY: displayName
REDASH_LDAP_EMAIL_KEYvalue: mail
REDASH_LDAP_LOGIN_ENABLED: "true"
REDASH_LDAP_SEARCH_DN: dc=domain,dc=com
REDASH_LDAP_SEARCH_TEMPLATE: (sAMAccountName=%(username)s)
REDASH_LDAP_URL: ad_server.domain.com
REDASH_LDAP_USE_SSL: "false"
REDASH_PASSWORD_LOGIN_ENABLED: "false"
```

I first tried in SIMPLE mode but always got an error on the binding. I think that there is something wrong in the /app/redash/authentication/ldap_auth.py file:

```python
def auth_ldap_user(username, password):
    server = Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)
    if settings.LDAP_BIND_DN is not None:
        conn = Connection(
            server,
            settings.LDAP_BIND_DN,
            password=settings.LDAP_BIND_DN_PASSWORD,
            authentication=settings.LDAP_AUTH_METHOD,
            auto_bind=True
        )
```

It should be "user=settings.LDAP_BIND_DN," instead of "settings.LDAP_BIND_DN", right?

After that change, it was still not working though.

I switched to NTLM (from the ldap3 python documentation) and I tried directly in python:

```
from redash import settings
from ldap3 import Server, Connection

def auth_ldap_user(username, password):
    server = Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)
    if settings.LDAP_BIND_DN is not None:
        conn = Connection(
            server,
            user=settings.LDAP_BIND_DN,
            password=settings.LDAP_BIND_DN_PASSWORD,
            authentication=settings.LDAP_AUTH_METHOD,
            auto_bind=True
        )
    else:
        conn = Connection(server, auto_bind=True)
    conn.search(settings.LDAP_SEARCH_DN, settings.LDAP_SEARCH_TEMPLATE % {"username": username}, attributes=[settings.LDAP_DISPLAY_NAME_KEY, settings.LDAP_EMAIL_KEY])
    if len(conn.entries) == 0:
        return None
    user = conn.entries[0]
    if not conn.rebind(user=user.entry_dn, password=password):
        return None
    return user

auth_ldap_user('myuser','mypassword')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 9, in auth_ldap_user
  File "/usr/local/lib/python2.7/site-packages/ldap3/core/connection.py", line 326, in __init__
    self.do_auto_bind()
  File "/usr/local/lib/python2.7/site-packages/ldap3/core/connection.py", line 343, in do_auto_bind
    self.bind(read_server_info=True)
  File "/usr/local/lib/python2.7/site-packages/ldap3/core/connection.py", line 577, in bind
    raise LDAPUnknownAuthenticationMethodError(self.last_error)
ldap3.core.exceptions.LDAPUnknownAuthenticationMethodError: NTLM needs domain\username and a password
```

But if I replace the settings.LDAP_BIND_DN variable with its value, it's working fine:

```
from redash import settings
from ldap3 import Server, Connection

print settings.LDAP_BIND_DN
MYDOMAIN\\My_User

def auth_ldap_user(username, password):
    server = Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)
    if settings.LDAP_BIND_DN is not None:
        conn = Connection(
            server,
            user="MYDOMAIN\\My_User",
            password=settings.LDAP_BIND_DN_PASSWORD,
            authentication=settings.LDAP_AUTH_METHOD,
            auto_bind=True
        )
    else:
        conn = Connection(server, auto_bind=True)
    conn.search(settings.LDAP_SEARCH_DN, settings.LDAP_SEARCH_TEMPLATE % {"username": username}, attributes=[settings.LDAP_DISPLAY_NAME_KEY, settings.LDAP_EMAIL_KEY])
    if len(conn.entries) == 0:
        return None
    user = conn.entries[0]
    if not conn.rebind(user=user.entry_dn, password=password):
        return None
    return user

auth_ldap_user('myuser','mypassword')
```

I also tried with SIMPLE mode and the result is the same: it's not working with settings.LDAP_BIND_DN but working with the value.

But it's still not working on the website, I still get an Internal Server Error:

```
[2019-11-26 09:56:37,170][PID:14][INFO][metrics] method=GET path=/ldap/login endpoint=ldap_auth_login status=200 content_type=text/html; charset=utf-8 content_length=1754 duration=1.89 query_count=0 query_duration=0.00
[2019-11-26 09:56:38,382] ERROR in app: Exception on /ldap/login [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python2.7/site-packages/flask_restful/__init__.py", line 271, in error_router
    return original_handler(e)
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/app/redash/authentication/ldap_auth.py", line 39, in login
    ldap_user = auth_ldap_user(request.form['email'], request.form['password'])
  File "/app/redash/authentication/ldap_auth.py", line 71, in auth_ldap_user
    auto_bind=True
  File "/usr/local/lib/python2.7/site-packages/ldap3/core/connection.py", line 326, in __init__
    self.do_auto_bind()
  File "/usr/local/lib/python2.7/site-packages/ldap3/core/connection.py", line 343, in do_auto_bind
    self.bind(read_server_info=True)
  File "/usr/local/lib/python2.7/site-packages/ldap3/core/connection.py", line 577, in bind
    raise LDAPUnknownAuthenticationMethodError(self.last_error)
LDAPUnknownAuthenticationMethodError: NTLM needs domain\username and a password
```

What am I doing wrong? Is there someone who was successful in binding to an Active Directory?

Regards,

Johan

@lolaslade

I just got Active Directory set up and I had to use this format for REDASH_LDAP_BIND_DN:

"CN=MyServiceAccountUsername,CN=Users,DC=myorg,DC=ca"

nohaj closed this as completed Dec 3, 2019

nohaj commented Dec 3, 2019

@lolaslade Hello! Thank you for your message. I did the same as you and it's working as well with the SIMPLE mode. Thank you.
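
An added example, not part of the thread or of Redash: the value printed from `settings.LDAP_BIND_DN` above contains two backslash characters, while the Python literal `"MYDOMAIN\\My_User"` contains one, so they are different strings. The hypothetical helpers below classify a bind identity by shape before it reaches an LDAP bind; the NTLM rule (exactly one backslash) is an assumption inferred from the error message in the tracebacks, and SIMPLE is assumed to accept a DN, `DOMAIN\user` or `user@domain`.

```python
import re

# Constructed sample values using the placeholder names from the thread.
ENV_VALUE = r"MYDOMAIN\\My_User"     # as printed from settings: two backslash characters
LITERAL_VALUE = "MYDOMAIN\\My_User"  # Python literal: the escape yields one backslash
DN_VALUE = "CN=MyServiceAccountUsername,CN=Users,DC=myorg,DC=ca"

# Shape check only: a DN starts with an attribute type followed by "=".
DN_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+")


def classify_bind_identity(value):
    """Return (kind, problem); problem is None when the shape is acceptable."""
    if not value:
        return ("empty", "no bind identity configured")
    if DN_START.match(value):
        return ("dn", None)
    if "\\" in value:
        parts = value.split("\\")
        if len(parts) == 2 and all(parts):
            return ("domain\\user", None)
        return ("invalid", "expected DOMAIN\\user with exactly one backslash, "
                           "found %d backslashes" % value.count("\\"))
    if value.count("@") == 1 and not value.startswith("@") and not value.endswith("@"):
        return ("upn", None)
    return ("invalid", "not a DN, DOMAIN\\user or user@domain")


def usable_for(auth_method, value):
    """True when the identity shape fits the bind method (SIMPLE or NTLM)."""
    kind, problem = classify_bind_identity(value)
    if problem is not None:
        return False
    if auth_method == "NTLM":
        return kind == "domain\\user"  # assumed rule, inferred from the error text
    return kind in ("dn", "upn", "domain\\user")


if __name__ == "__main__":
    for name, value in [("env", ENV_VALUE), ("literal", LITERAL_VALUE), ("dn", DN_VALUE)]:
        print(name, len(value), classify_bind_identity(value),
              "NTLM:", usable_for("NTLM", value), "SIMPLE:", usable_for("SIMPLE", value))
```

Running such a check at startup on the configured bind identity surfaces an escaping mistake in the environment file before the first login attempt returns an Internal Server Error.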
