Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#15385 closed (invalid)

Bug in django-auth-ldap bindings and groups on restricted LDAP configuration

Reported by: hile Owned by: nobody
Component: contrib.auth Version: 1.2
Severity: Keywords: LDAP BIND ERROR
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


There is a bug in django-auth-ldap with LDAP groups access, if the LDAP server restricts access to data for normal user accounts.

How this bug can be triggered:

  • The LDAP server is configured to bind with BINDDN as specific user
  • LDAP users can authenticate but their credentials are configured not to allow browsing LDAP data freely, including reading of LDAP group data with user credentials
  • Any of the groups restrictions are enabled in django LDAP settings

How the problem can be seen:

  • Any user authentication with LDAP permissions fail
  • The log shows 'user is not member of LDAP group', even when they are

Reason for the bug:

  • Django LDAP authentication correctly binds with BINDDN to LDAP database in the beginning
  • However, to check user LDAP password, call self._authenticate_user_dn(password) replaces this binding with user credentials
  • The Django LDAP module does not replace the binding with (possibly restricted) user credentials with the BINDDN credentials after successful authentication with user credentials
  • The groups are checked and used after user has logged in, and the above error causes the groups to be inaccessible from LDAP in such configuration, and the authentication fails

Fixing the bug:

  • My suggestion would be to add self._bind() to end of _authenticate_user_dn() in this will restore the BINDDN binding permissions, and if user password was incorrect, we already raised self.AuthenticationFailed() before this call, so it would not change authentication testing

Note, this bug does not happen in most common LDAP setups, because it's quite common to allow any user authenticated to LDAP to read all data in LDAP. It only happens, if the normal user does not have such permissions.

Change History (2)

comment:1 Changed 8 years ago by Jannis Leidel

Resolution: invalid
Status: newclosed

django-auth-ldap is a 3rd party app, not part of Django, closing as invalid.

comment:2 Changed 7 years ago by Jacob

milestone: 1.3

Milestone 1.3 deleted

Note: See TracTickets for help on using tickets.
Back to Top