controller
controller copied to clipboard
Published
20 hours ago •
deis
deis
LDAP authentication requires a valid group filter and group basedn
Hello,
I recently upgraded from 2.13.0 to 2.15.0. After upgrading, deis login (which is configured to use LDAP) started to fail with Error: Internal Server Error. This stack trace appeared in the logs of deis-controller:
ERROR:root:Uncaught Exception
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 265, in _ldap_call
result = func(*args,**kwargs)
ldap.FILTER_ERROR: {'desc': 'Bad search filter'}
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/rest_framework/views.py", line 486, in dispatch
response = handler(request, *args, **kwargs)
File "/usr/local/lib/python3.5/dist-packages/rest_framework/authtoken/views.py", line 17, in post
serializer.is_valid(raise_exception=True)
File "/usr/local/lib/python3.5/dist-packages/rest_framework/serializers.py", line 237, in is_valid
self._validated_data = self.run_validation(self.initial_data)
File "/usr/local/lib/python3.5/dist-packages/rest_framework/serializers.py", line 435, in run_validation
value = self.validate(value)
File "/usr/local/lib/python3.5/dist-packages/rest_framework/authtoken/serializers.py", line 16, in validate
user = authenticate(username=username, password=password)
File "/usr/local/lib/python3.5/dist-packages/django/contrib/auth/__init__.py", line 100, in authenticate
user = backend.authenticate(*args, **credentials)
File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/backend.py", line 171, in authenticate
user = ldap_user.authenticate(password)
File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/backend.py", line 346, in authenticate
self._get_or_create_user()
File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/backend.py", line 574, in _get_or_create_user
self._mirror_groups()
File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/backend.py", line 704, in _mirror_groups
target_group_names = frozenset(self._get_groups().get_group_names())
File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/backend.py", line 827, in get_group_names
group_infos = self._get_group_infos()
File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/backend.py", line 875, in _get_group_infos
self._group_search)
File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/config.py", line 467, in user_groups
groups = search.execute(ldap_user.connection)
File "/usr/local/lib/python3.5/dist-packages/django_auth_ldap/config.py", line 168, in execute
self.attrlist)
File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 770, in search_s
return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 763, in search_ext_s
msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 759, in search_ext
timeout,sizelimit,
File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 273, in _ldap_call
e.args[0]['info'] = strerror(e.args[0]['errno'])
KeyError: 'errno'
10.68.167.81 "POST /v2/auth/login/ HTTP/1.1" 500 25 "Deis Client v2.15.0"
I was able to determine that the issue had to do with LDAP_GROUP_BASEDN and LDAP_GROUP_FILTER being empty (as per the default settings). This had worked on 2.13.0 but broke on 2.15.0. Setting the above to a valid basedn and filter solved the issue but is unnecessary since we do not use groups.
