1.9.1 ldap集成问题(freeipa)
重现步骤
settings.py 如下: 修改 username: uid:
AUTH_LDAP_USER_ATTR_MAP = (
    dict,
    {"username": "uid", "display": "displayname", "email": "mail"},
)
LDAP配置如下:
ENABLE_LDAP = True
if ENABLE_LDAP:
    import ldap
    from django_auth_ldap.config import LDAPSearch
# Body of the `if ENABLE_LDAP:` branch (the paste lost its indentation). `env`, `ldap`
# and `LDAPSearch` are bound just above this block; the settings are consumed by
# django_auth_ldap.
# NOTE(review): the traceback below saves the LDAP user as '01 test' although the DN's
# uid is 'test01', so the attribute map actually in effect maps `username` to something
# other than `uid` — confirm which AUTH_LDAP_USER_ATTR_MAP the running process loaded.
AUTHENTICATION_BACKENDS = (
"django_auth_ldap.backend.LDAPBackend", # LDAP first; if it authenticates, the later backends are not consulted
"django.contrib.auth.backends.ModelBackend", # users created manually in Django still work, at lower priority; keep these two lines in this order
)
# NOTE(review): ldap:// is cleartext — the bind password and every user's login
# password cross the network unencrypted unless STARTTLS is enabled; prefer ldaps://
# or set AUTH_LDAP_START_TLS = True.
AUTH_LDAP_SERVER_URI = env("AUTH_LDAP_SERVER_URI", default="ldap://xxx.xxxx.xxxx.com")
# Direct-bind template. When unset the name is deleted so django_auth_ldap falls back
# to AUTH_LDAP_USER_SEARCH below (search, then bind as the found DN).
AUTH_LDAP_USER_DN_TEMPLATE = env("AUTH_LDAP_USER_DN_TEMPLATE", default=None)
if not AUTH_LDAP_USER_DN_TEMPLATE:
del AUTH_LDAP_USER_DN_TEMPLATE
# Service account used for the user search; the default is a redacted placeholder.
AUTH_LDAP_BIND_DN = env(
"AUTH_LDAP_BIND_DN", default="uid=ldap,cn=users,cn=accounts,dc=xxx,dc=xxxx,dc=com"
)
# NOTE(review): a fallback password in settings means a missing env var silently binds
# with the placeholder instead of failing loudly; supply it only via the environment.
AUTH_LDAP_BIND_PASSWORD = env("AUTH_LDAP_BIND_PASSWORD", default="xxxxx")
# Search base; the empty default is presumably overridden by the environment, since a
# subtree search from an empty DN is unlikely to locate the user — verify.
AUTH_LDAP_USER_SEARCH_BASE = env(
"AUTH_LDAP_USER_SEARCH_BASE", default=""
)
# %(user)s is replaced with the login name by django_auth_ldap, which should escape
# LDAP filter metacharacters before substituting — confirm for the installed version.
# The filter also excludes accounts carrying nsaccountlock (FreeIPA's lock marker) and
# requires membership of the cn=yearning group, i.e. it was carried over from the
# Yearning deployment mentioned below.
AUTH_LDAP_USER_SEARCH_FILTER = env(
"AUTH_LDAP_USER_SEARCH_FILTER", default="(&(uid=%(user)s)(!(nsaccountlock=*))(objectclass=inetorgperson)(memberOf=cn=yearning,cn=groups,cn=accounts,dc=xxxxx,dc=xxxx,dc=com))"
)
AUTH_LDAP_USER_SEARCH = LDAPSearch(
AUTH_LDAP_USER_SEARCH_BASE, ldap.SCOPE_SUBTREE, AUTH_LDAP_USER_SEARCH_FILTER
)
重启服务,可以正常登录ldap用户test01:
管理员用户控制台,用户名格式为01 test:
退出普通用户,重新登录:
预期外的结果
能正常匹配uid字段。jumpserver、yearning、jenkins等与freeipa集成都可以正常使用,以yearning为例:
日志文本
[2023-04-24 12:09:54,691][MainThread:140461894825792][task_id:django_auth_ldap][backend.py:644][WARNING]- uid=test01,cn=users,cn=accounts,dc=xxxx,dc=xxxx,dc=com does not have a value for the attribute email
[2023-04-24 12:09:54,696][MainThread:140461894825792][task_id:django_auth_ldap][backend.py:364][WARNING]- (1062, "Duplicate entry '01 test' for key 'username'") while authenticating test01
[2023-04-24 12:09:54,696][MainThread:140461894825792][task_id:default][exception_logging_middleware.py:12][ERROR]- Traceback (most recent call last):
File "/opt/archery/common/auth.py", line 69, in authenticate
user = Users.objects.get(username=username)
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/manager.py", line 85, in manager_method
return getattr(self.get_queryset(), name)(*args, **kwargs)
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/query.py", line 650, in get
raise self.model.DoesNotExist(
sql.models.Users.DoesNotExist: Users matching query does not exist.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/utils.py", line 89, in _execute
return self.cursor.execute(sql, params)
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/mysql/base.py", line 75, in execute
return self.cursor.execute(query, args)
File "/opt/venv4archery/lib/python3.9/site-packages/MySQLdb/cursors.py", line 206, in execute
res = self._query(query)
File "/opt/venv4archery/lib/python3.9/site-packages/MySQLdb/cursors.py", line 319, in _query
db.query(q)
File "/opt/venv4archery/lib/python3.9/site-packages/MySQLdb/connections.py", line 259, in query
_mysql.connection.query(self, query)
MySQLdb._exceptions.IntegrityError: (1062, "Duplicate entry '01 test' for key 'username'")
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/opt/venv4archery/lib/python3.9/site-packages/django/core/handlers/base.py", line 197, in _get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/opt/archery/common/auth.py", line 118, in authenticate_entry
result = new_auth.authenticate()
File "/opt/archery/common/auth.py", line 71, in authenticate
authenticated_user = self.challenge(username=username, password=password)
File "/opt/archery/common/auth.py", line 56, in challenge
user = authenticate(username=username, password=password)
File "/opt/venv4archery/lib/python3.9/site-packages/django/views/decorators/debug.py", line 42, in sensitive_variables_wrapper
return func(*func_args, **func_kwargs)
File "/opt/venv4archery/lib/python3.9/site-packages/django/contrib/auth/__init__.py", line 77, in authenticate
user = backend.authenticate(request, **credentials)
File "/opt/venv4archery/lib/python3.9/site-packages/django_auth_ldap/backend.py", line 142, in authenticate
user = self.authenticate_ldap_user(ldap_user, password)
File "/opt/venv4archery/lib/python3.9/site-packages/django_auth_ldap/backend.py", line 200, in authenticate_ldap_user
return ldap_user.authenticate(password)
File "/opt/venv4archery/lib/python3.9/site-packages/django_auth_ldap/backend.py", line 344, in authenticate
self._get_or_create_user()
File "/opt/venv4archery/lib/python3.9/site-packages/django_auth_ldap/backend.py", line 623, in _get_or_create_user
self._user.save()
File "/opt/archery/sql/models.py", line 54, in save
super(Users, self).save(*args, **kwargs)
File "/opt/venv4archery/lib/python3.9/site-packages/django/contrib/auth/base_user.py", line 68, in save
super().save(*args, **kwargs)
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/base.py", line 831, in save
self.save_base(
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/base.py", line 882, in save_base
updated = self._save_table(
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/base.py", line 1025, in _save_table
results = self._do_insert(
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/base.py", line 1066, in _do_insert
return manager._insert(
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/manager.py", line 85, in manager_method
return getattr(self.get_queryset(), name)(*args, **kwargs)
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/query.py", line 1790, in _insert
return query.get_compiler(using=using).execute_sql(returning_fields)
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/models/sql/compiler.py", line 1657, in execute_sql
cursor.execute(sql, params)
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/utils.py", line 67, in execute
return self._execute_with_wrappers(
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/utils.py", line 80, in _execute_with_wrappers
return executor(sql, params, many, context)
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/utils.py", line 89, in _execute
return self.cursor.execute(sql, params)
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/utils.py", line 91, in __exit__
raise dj_exc_value.with_traceback(traceback) from exc_value
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/utils.py", line 89, in _execute
return self.cursor.execute(sql, params)
File "/opt/venv4archery/lib/python3.9/site-packages/django/db/backends/mysql/base.py", line 75, in execute
return self.cursor.execute(query, args)
File "/opt/venv4archery/lib/python3.9/site-packages/MySQLdb/cursors.py", line 206, in execute
res = self._query(query)
File "/opt/venv4archery/lib/python3.9/site-packages/MySQLdb/cursors.py", line 319, in _query
db.query(q)
File "/opt/venv4archery/lib/python3.9/site-packages/MySQLdb/connections.py", line 259, in query
_mysql.connection.query(self, query)
django.db.utils.IntegrityError: (1062, "Duplicate entry '01 test' for key 'username'")
版本
1.9.1
部署方式
Docker
是否还有其他可以辅助定位问题的信息?比如数据库版本等
No response
数据库插入ldap信息后,再次验证时没有搜索到这个记录,通常是因为有中文或者其他的情况,没有深究过这个问题。
你可以:
yum install openldap-clients
ldapsearch -x -H ldap://127.0.0.1:389 -b "dc=baidu,dc=com" -D "cn=admin,dc=baidu,dc=com" -w baidu
(-w 会把密码留在 shell 历史和进程列表中, 可改用 -W 交互式输入) 看看自己有哪些字段能用,使用唯一的字段, 比如 sAMAccountName https://stackoverflow.com/questions/508014/active-directory-ldap-query-by-samaccountname-and-domain
参考: https://github.com/hhyo/Archery/issues/1533 https://github.com/hhyo/Archery/issues/1184
v1.11用的英文字段也不行,第二次登录报错,map全是英文和数字。