
Sentry LDAP Plugin ignored with latest Version

Open sattlerio opened this issue 7 years ago • 15 comments

Hi,

With the latest version I am facing the problem that Sentry does not recognize this plugin as an auth backend. The module does not show up in the auth backends, nor does login through it work. With the same config it worked for older Sentry versions.

Here is my config:


# imports the settings below rely on
from sentry.conf.server import *  # provides AUTHENTICATION_BACKENDS
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType

#########
#  LDAP #
#########
AUTH_LDAP_SERVER_URI = 'ldap://XXXXX'
AUTH_LDAP_BIND_DN = ''
AUTH_LDAP_BIND_PASSWORD = ''

AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'ou=users,dc=ldap,dc=XXXXXX,dc=io',
    ldap.SCOPE_SUBTREE,
    '(mail=%(user)s)',
)

AUTH_LDAP_USER_ATTR_MAP = {
    'name': 'cn',
    'email': 'displayName'
}
AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'XXXXX'

AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False
AUTH_LDAP_SENTRY_USERNAME_FIELD = 'cn'
SENTRY_MANAGED_USER_FIELDS = ('email', 'first_name', 'last_name', 'password', )

AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    '',
    ldap.SCOPE_SUBTREE,
    '(objectClass=groupOfUniqueNames)'
)

AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_REQUIRE_GROUP = None
AUTH_LDAP_DENY_GROUP = None

AUTH_LDAP_FIND_GROUP_PERMS = False
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

# assigned a second time here; this value overrides the one above
AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'My Organization Name'
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
# assigned a second time here; this value overrides the 'cn' above
AUTH_LDAP_SENTRY_USERNAME_FIELD = '(|(cn=%(user))(uid=%(user)))'

import logging
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel('DEBUG')

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_ldap_auth.backend.SentryLdapBackend',
)

sattlerio avatar Jun 21 '18 11:06 sattlerio

Same problem. Even more interesting, the plugin is listed in the Packages section.

TomaszJanusz avatar Jun 30 '18 17:06 TomaszJanusz

I can't log in with LDAP. Any updates on this? Thank you!

tekkeitserktok avatar Jul 16 '18 16:07 tekkeitserktok

I just tested a Sentry 9.0 installation in a development environment with getsentry-ldap-auth 2.7 and similar-looking settings (specifically, the AUTHENTICATION_BACKENDS setting is identical to yours) and have working LDAP authentication.

My LDAP plugin settings are as follows for Microsoft AD:

from sentry.conf.server import *

# LDAP support
# https://github.com/Banno/getsentry-ldap-auth
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

# Disable this in production; this is just for testing purposes in a staging environment
AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_ALLOW}
AUTH_LDAP_SERVER_URI = env('SENTRY_AUTH_LDAP_SERVER_URI')
AUTH_LDAP_BIND_DN = env('SENTRY_AUTH_LDAP_BIND_DN')
AUTH_LDAP_BIND_PASSWORD = env('SENTRY_AUTH_LDAP_BIND_PASSWORD')

AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'OU=Users,DC=ad,DC=example,DC=com',
    ldap.SCOPE_SUBTREE,
    '(sAMAccountName=%(user)s)',
)

AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
    'name': 'displayName',
}

AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    'OU=Groups,DC=ad,DC=example,DC=com',
    ldap.SCOPE_SUBTREE,
    '(objectClass=group)'
)

AUTH_LDAP_DENY_GROUP = None
AUTH_LDAP_MIRROR_GROUPS = False  # does not work with Sentry
AUTH_LDAP_FIND_GROUP_PERMS = False

AUTH_LDAP_CACHE_GROUPS = False
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'Sentry'
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = False
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False
AUTH_LDAP_DEFAULT_EMAIL_DOMAIN = 'example.com'

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_ldap_auth.backend.SentryLdapBackend',
)

import logging
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel('DEBUG')

aleksihakli avatar Jul 18 '18 06:07 aleksihakli

Same problem here. @aleksihakli, do you see the LDAP plugin in the auth backends when it is working?

kepi avatar Aug 22 '18 07:08 kepi

Yeah, with the configuration I posted above I can see the LDAP backend ('sentry_ldap_auth.backend.SentryLdapBackend') as the last entry in AUTHENTICATION_BACKENDS tuple at URL /manage/status/environment/ and it works OK.

A funny note in Sentry 9+ is that you need to add a local password for your user for accessing that configuration URL; LDAP bind password doesn't actually work for the /manage/status/environment/ for whatever reason.

aleksihakli avatar Aug 27 '18 07:08 aleksihakli

I tested Sentry 9.0 + sentry_ldap_auth 2.7 with the Sentry config below, and the LDAP plugin in auth backends is working.


from sentry.conf.server import *  # provides env() and AUTHENTICATION_BACKENDS
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

SENTRY_MANAGED_USER_FIELDS = ("email", "password")

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = env('SENTRY_LDAP_ORG')
AUTH_LDAP_SENTRY_ORGANIZATION_MEMBER_TYPE = "member"
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False
AUTH_LDAP_DEFAULT_EMAIL_DOMAIN = "example.com"

AUTH_LDAP_SERVER_URI = env('SENTRY_AUTH_LDAP_SERVER_URI')
AUTH_LDAP_BIND_DN = env('SENTRY_AUTH_LDAP_BIND_DN')
AUTH_LDAP_BIND_PASSWORD = env('SENTRY_AUTH_LDAP_BIND_PASSWORD')

AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=example,dc=com",
                                   ldap.SCOPE_SUBTREE,
                                   "(uid=%(user)s)")
AUTH_LDAP_USER_ATTR_MAP = {
    'name': 'displayName',
    'email': 'mail'
}

AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_DEBUG_LEVEL: 0,
    ldap.OPT_REFERRALS: 0,
}

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_ldap_auth.backend.SentryLdapBackend',
)

Here are some suggestions for you to debug:

  • Add some logging and run Sentry, to see how it works and where it fails.
  • Query the auth_user table to see if the user was added to the database.

Sentry will check if the user is in any organization. If you receive "No Organization Access", make sure your organizations contain the value of AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION.

AmyLewis avatar Aug 27 '18 13:08 AmyLewis
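Several configs in this thread go wrong in the same few places (the backend not appended to AUTHENTICATION_BACKENDS, a setting assigned twice so the first value is silently lost, email mapped to a non-mail attribute, cleartext ldap://, certificate verification relaxed). The following is an added example, not code from Sentry or getsentry-ldap-auth: a static lint that parses a sentry.conf.py with the stdlib `ast` module, so it runs without python-ldap or Django installed, and reports those problems. The two embedded configs are constructed; the rule that AUTH_LDAP_SENTRY_USERNAME_FIELD should be an attribute name (as in the working configs above) rather than a filter is an assumption about the plugin, and the "email should come from mail" rule is a heuristic for the directories shown here.

```python
import ast
from typing import Dict, List

# Constructed sample in the shape of the first post's config (the hostnames
# and DNs are invented): cleartext URI, email taken from displayName, one
# setting assigned twice, a filter in the username field, TLS verification
# relaxed, and no AUTHENTICATION_BACKENDS line at all.
BROKEN_CONF = '''
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType

AUTH_LDAP_SERVER_URI = 'ldap://ldap.example.io'
AUTH_LDAP_BIND_DN = ''
AUTH_LDAP_BIND_PASSWORD = ''
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'ou=users,dc=ldap,dc=example,dc=io',
    ldap.SCOPE_SUBTREE,
    '(mail=%(user)s)',
)
AUTH_LDAP_USER_ATTR_MAP = {'name': 'cn', 'email': 'displayName'}
AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'First'
AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'Second'
AUTH_LDAP_SENTRY_USERNAME_FIELD = '(|(cn=%(user))(uid=%(user)))'
AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_ALLOW}
'''

# The same settings with every finding addressed; the lint returns nothing.
FIXED_CONF = '''
import ldap
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_SERVER_URI = 'ldaps://ldap.example.io'
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'ou=users,dc=ldap,dc=example,dc=io', ldap.SCOPE_SUBTREE, '(uid=%(user)s)')
AUTH_LDAP_USER_ATTR_MAP = {'name': 'cn', 'email': 'mail'}
AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = 'Sentry'
AUTH_LDAP_SENTRY_USERNAME_FIELD = 'uid'
AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_ldap_auth.backend.SentryLdapBackend',
)
'''

BACKEND = "sentry_ldap_auth.backend.SentryLdapBackend"
INSECURE_TLS = ("OPT_X_TLS_ALLOW", "OPT_X_TLS_NEVER")


def _s(node) -> str:
    """String literal held by an AST node, or '' when it is not one."""
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else ""


def lint_sentry_ldap_conf(source: str) -> List[str]:
    """Return 'SETTING: problem' strings for the LDAP settings in a sentry.conf.py."""
    findings: List[str] = []
    assigned: Dict[str, int] = {}
    backend_listed = False

    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        name, value = node.targets[0].id, node.value
        assigned[name] = assigned.get(name, 0) + 1

        if name == "AUTHENTICATION_BACKENDS":
            # the last assignment wins, so re-evaluate each time it is seen
            backend_listed = any(_s(n) == BACKEND for n in ast.walk(value))
        elif name == "AUTH_LDAP_SERVER_URI" and _s(value).startswith("ldap://"):
            findings.append(f"{name}: {_s(value)!r} is cleartext ldap://; "
                            "use ldaps:// or set AUTH_LDAP_START_TLS = True")
        elif name == "AUTH_LDAP_USER_SEARCH" and isinstance(value, ast.Call):
            literals = [_s(a) for a in value.args if _s(a)]
            filt = literals[-1] if literals else ""  # LDAPSearch(base, scope, filter)
            if "%(user)s" not in filt:
                findings.append(f"{name}: filter {filt!r} lacks %(user)s, "
                                "so the login name is never substituted")
        elif name == "AUTH_LDAP_USER_ATTR_MAP" and isinstance(value, ast.Dict):
            for k, v in zip(value.keys, value.values):
                if _s(k) == "email" and _s(v) != "mail":
                    findings.append(f"{name}: 'email' is taken from {_s(v)!r}; "
                                    "that attribute's value becomes the Sentry email")
        elif name == "AUTH_LDAP_SENTRY_USERNAME_FIELD" and "(" in _s(value):
            # assumption: the plugin expects an attribute name here ('cn', 'uid'),
            # as in the working configs in this thread, not an LDAP filter
            findings.append(f"{name}: {_s(value)!r} looks like an LDAP filter, "
                            "not an attribute name")
        elif name == "AUTH_LDAP_GLOBAL_OPTIONS":
            for n in ast.walk(value):
                if isinstance(n, ast.Attribute) and n.attr in INSECURE_TLS:
                    findings.append(f"{name}: {n.attr} disables server certificate "
                                    "verification; do not ship this to production")

    if not backend_listed:
        findings.append(f"AUTHENTICATION_BACKENDS: {BACKEND} is not listed, "
                        "so Sentry never consults the plugin")
    for name, count in assigned.items():
        if count > 1 and name.startswith("AUTH_LDAP"):
            findings.append(f"{name}: assigned {count} times; only the last value takes effect")
    return findings


if __name__ == "__main__":
    for line in lint_sentry_ldap_conf(BROKEN_CONF):
        print("-", line)
    print("fixed config findings:", lint_sentry_ldap_conf(FIXED_CONF))
```

Run it against your real sentry.conf.py with `lint_sentry_ldap_conf(open(path).read())`; it only reads the file as text, so it is safe to run on a production config without importing it.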

@AmyLewis, how do you do this:

Add some log and run sentry, to see how it works and where it fails.

I'm not familiar with Sentry. I tried to add that, but I don't have any log in the file or on the console :(

import logging
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.addHandler(logging.FileHandler(r"/tmp/ldap.log"))
logger.setLevel('DEBUG')

sergeohl avatar Sep 11 '18 19:09 sergeohl

The following code works for me!!! 😁😁

1. Set the Dockerfile:
FROM sentry:9.0-onbuild
# build dependencies for python-ldap
RUN apt-get update && apt-get install -y libsasl2-dev python-dev libldap2-dev libssl-dev
RUN pip install sentry-ldap-auth

2. Set sentry.conf.py:

from sentry.conf.server import *  # provides LOGGING and AUTHENTICATION_BACKENDS
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType

AUTH_LDAP_SERVER_URI = 'ldap://xxxxx:xxxx'
AUTH_LDAP_BIND_DN = 'xxxxx'
AUTH_LDAP_BIND_PASSWORD = 'xxxxx'

AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'xxxx',
    ldap.SCOPE_SUBTREE,
    '(mail=%(user)s)',
)

AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    '',
    ldap.SCOPE_SUBTREE,
    '(objectClass=groupOfUniqueNames)'
)

AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_REQUIRE_GROUP = None
AUTH_LDAP_DENY_GROUP = None

AUTH_LDAP_USER_ATTR_MAP = {
    'name': 'cn',
    'email': 'mail'
}

AUTH_LDAP_FIND_GROUP_PERMS = False
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'Sentry'
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False

SENTRY_MANAGED_USER_FIELDS = ('email', 'first_name', 'last_name', 'password', )

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_ldap_auth.backend.SentryLdapBackend',
)

# optional, for debugging
import logging
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.addHandler(logging.FileHandler('/tmp/ldap2.log'))
logger.setLevel('DEBUG')

LOGGING['overridable'] = ['sentry', 'django_auth_ldap']
LOGGING['loggers']['django_auth_ldap'] = {
    'handlers': ['console'],
    'level': 'DEBUG'
}

Reference: https://yyhh.org/blog/2017/12/ldap-authentication-premise-sentry-server-using-freeipa

janceChun avatar Oct 25 '18 13:10 janceChun

The post above is great.

sgyy1994 avatar Oct 26 '18 02:10 sgyy1994

Hi. I'm trying to add LDAP auth to Sentry with this https://github.com/Banno/getsentry-ldap-auth/issues/32#issuecomment-405823382 config and am having some trouble. When I'm trying to log in, the backend successfully binds to the LDAP server and successfully finds a user. After that, the backend makes a second bind to the server without username and password, and unsuccessfully tries to make three search requests. If I set AUTH_LDAP_BIND_AS_AUTHENTICATING_USER to True, the backend tries to bind without credentials the first time.

sotona- avatar Jan 16 '19 16:01 sotona-

@aleksihakli, I want to ask an unrelated question: how do I view the LDAP log? Thank you!

suuzee avatar Apr 16 '19 10:04 suuzee

Configure the LDAP plugin logging correctly using the Django and Django LDAP plugin documentation.

aleksihakli avatar Apr 16 '19 18:04 aleksihakli
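sergeohl attached a StreamHandler in sentry.conf.py and saw nothing, while janceChun's working config also registers the logger in Sentry's LOGGING dict. The stdlib mechanism that explains that difference, as an added example that is not Sentry's or django-auth-ldap's code: Django applies settings.LOGGING with logging.config.dictConfig after the settings module has run, and dictConfig's disable_existing_loggers option (True by default, and assumed here to be what Sentry's LOGGING uses) silences every logger that already exists but is not named in the new config. The function below reproduces the three cases with a logger named like the plugin's; the LDAP debug message is constructed.

```python
import io
import logging
import logging.config

LOGGER = "django_auth_ldap"


def _fresh_logger(name: str) -> logging.Logger:
    """Put the named logger back into an unconfigured state between runs."""
    logger = logging.getLogger(name)
    for h in list(logger.handlers):
        logger.removeHandler(h)
    logger.disabled = False
    logger.setLevel(logging.NOTSET)
    return logger


def records_seen(declare_in_logging: bool, disable_existing: bool = True) -> int:
    """Attach a handler the sentry.conf.py way (getLogger + addHandler), then
    apply a dictConfig the way Django applies settings.LOGGING afterwards.
    Returns how many debug records reach our stream once dictConfig has run."""
    buf = io.StringIO()
    logger = _fresh_logger(LOGGER)
    logger.addHandler(logging.StreamHandler(buf))  # the approach used in this thread
    logger.setLevel(logging.DEBUG)

    config = {
        "version": 1,
        "disable_existing_loggers": disable_existing,
        "handlers": {"console": {"class": "logging.StreamHandler", "stream": buf}},
        "loggers": {},
    }
    if declare_in_logging:
        # equivalent of LOGGING['loggers']['django_auth_ldap'] = {...} in sentry.conf.py
        config["loggers"][LOGGER] = {"handlers": ["console"], "level": "DEBUG"}
    logging.config.dictConfig(config)

    # constructed message standing in for django_auth_ldap's own debug output
    logger.debug("search_s('ou=users,dc=example,dc=com', 2, '(uid=%(user)s)')")
    return buf.getvalue().count("search_s")


if __name__ == "__main__":
    print("handler only, existing loggers disabled:", records_seen(False, True))
    print("logger declared in LOGGING:             ", records_seen(True, True))
    print("handler only, existing loggers kept:    ", records_seen(False, False))
```

The first case is the silent one: the handler is attached, the level is DEBUG, and still nothing is written, because the logger was disabled by the later dictConfig. Declaring the logger in LOGGING (the second case) is the fix the working config above uses; it survives because dictConfig reconfigures declared loggers instead of disabling them.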

@janceChun, can you post your structure configuration? In your configuration, django LDAP returns INVALID_CREDENTIALS when I try to connect with my user. I changed all the configurations that I found on the internet, and your configuration, at least, is almost there. Can you post your structure configuration (CN=XX,OU=XX, or ldap.example.com, etc.), please? Thank you

jeffersonluismartins avatar May 25 '19 00:05 jeffersonluismartins

I built a Sentry Docker image that receives the LDAP configuration via env vars; feel free to test it and ask for help: https://github.com/locaweb/docker-sentry-ldap/ or https://hub.docker.com/r/locaweb/docker-sentry-ldap

lorn avatar Sep 04 '19 19:09 lorn

Has anybody got this working with Sentry 10, especially with Active Directory?

sgohl avatar Mar 31 '20 13:03 sgohl