#15385 closed (invalid)
Bug in django-auth-ldap bindings and groups on restricted LDAP configuration
Reported by: | hile | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.2 |
Severity: | | Keywords: | LDAP BIND ERROR |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
There is a bug in django-auth-ldap with LDAP group access if the LDAP server restricts access to data for normal user accounts.
How this bug can be triggered:
- The LDAP server is configured to bind with BINDDN as a specific user
- LDAP users can authenticate, but their credentials are configured not to allow browsing LDAP data freely, including reading LDAP group data with user credentials
- Any of the groups restrictions are enabled in django LDAP settings
How the problem can be seen:
- Any user authentication with LDAP permissions fails
- The log shows 'user is not member of LDAP group', even when they are
Reason for the bug:
- Django LDAP authentication correctly binds with BINDDN to LDAP database in the beginning
- However, to check the user's LDAP password, the call self._authenticate_user_dn(password) replaces this binding with the user's credentials
- The Django LDAP module does not replace the binding with the (possibly restricted) user credentials by the BINDDN credentials after successful authentication with the user credentials
- The groups are checked and used after the user has logged in, and the above error causes the groups to be inaccessible from LDAP in such a configuration, so the authentication fails
Fixing the bug:
- My suggestion would be to add self._bind() to the end of _authenticate_user_dn() in backend.py: this will restore the BINDDN binding permissions, and if the user password was incorrect, we already raised self.AuthenticationFailed() before this call, so it would not change authentication testing
Note, this bug does not happen in most common LDAP setups, because it's quite common to allow any user authenticated to LDAP to read all data in LDAP. It only happens if the normal user does not have such permissions.
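The bind sequence the report describes, as an added example that is not part of the ticket and not django-auth-ldap's own code. A fake in-memory directory (constructed sample data, hypothetical DNs) models two access levels: the service BINDDN may read group entries, ordinary users may only bind. `Backend` reproduces the order bind-as-BINDDN, bind-as-user, check groups; with `rebind_after_auth=False` the group search runs under the user's restricted bind and a real member looks like a non-member, with `rebind_after_auth=True` the suggested `self._bind()` is applied after the password check. The class and method names mirror the ticket's description but are assumptions, not the library's API.

```python
class InvalidCredentials(Exception):
    """Raised by the fake server when a simple bind fails."""


# Constructed sample directory (hypothetical DNs): each entry's password and
# whether that identity may read group data once bound.
DIRECTORY = {
    "cn=svc,dc=example,dc=org": {"password": "svc-secret", "can_read_groups": True},
    "uid=alice,ou=people,dc=example,dc=org": {"password": "alice-pw", "can_read_groups": False},
    "uid=bob,ou=people,dc=example,dc=org": {"password": "bob-pw", "can_read_groups": False},
}

GROUPS = {
    "cn=django-users,ou=groups,dc=example,dc=org": {
        "member": ["uid=alice,ou=people,dc=example,dc=org"],
    },
}

BIND_DN = "cn=svc,dc=example,dc=org"
BIND_PASSWORD = "svc-secret"
REQUIRE_GROUP = "cn=django-users,ou=groups,dc=example,dc=org"
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"
BOB_DN = "uid=bob,ou=people,dc=example,dc=org"


class FakeConnection:
    """Stands in for an LDAP connection: the ACLs applied to search_s depend
    on whichever identity the most recent simple_bind_s bound as."""

    def __init__(self):
        self.bound_as = None

    def simple_bind_s(self, dn, password):
        entry = DIRECTORY.get(dn)
        if entry is None or entry["password"] != password:
            raise InvalidCredentials(dn)
        self.bound_as = dn

    def search_s(self, base_dn):
        # Directories normally hide entries the bound identity may not read
        # instead of raising, so a restricted bind simply sees no group.
        if self.bound_as is None or not DIRECTORY[self.bound_as]["can_read_groups"]:
            return []
        return [(base_dn, GROUPS[base_dn])] if base_dn in GROUPS else []


class Backend:
    """Hypothetical backend following the bind / password check / group check
    order described in the ticket; rebind_after_auth=True applies the fix."""

    def __init__(self, rebind_after_auth):
        self.rebind_after_auth = rebind_after_auth
        self.conn = FakeConnection()

    def _bind(self):
        self.conn.simple_bind_s(BIND_DN, BIND_PASSWORD)

    def _authenticate_user_dn(self, user_dn, password):
        # The password check *is* a bind as the user, which also switches the
        # ACLs that apply to every later operation on this connection.
        self.conn.simple_bind_s(user_dn, password)  # raises on a bad password
        if self.rebind_after_auth:
            self._bind()  # restore BINDDN privileges before the group lookup

    def _is_member(self, user_dn):
        results = self.conn.search_s(REQUIRE_GROUP)
        return any(user_dn in attrs["member"] for _dn, attrs in results)

    def authenticate(self, user_dn, password):
        """Returns 'ok', 'bad-password' or 'not-member'."""
        self._bind()
        try:
            self._authenticate_user_dn(user_dn, password)
        except InvalidCredentials:
            return "bad-password"
        if not self._is_member(user_dn):
            return "not-member"  # the misleading "not member of LDAP group" case
        return "ok"


if __name__ == "__main__":
    print("buggy:", Backend(rebind_after_auth=False).authenticate(ALICE_DN, "alice-pw"))
    print("fixed:", Backend(rebind_after_auth=True).authenticate(ALICE_DN, "alice-pw"))
```

A cheap check for the same class of problem in any LDAP-backed authentication code is to inspect which identity the connection is bound as immediately before every search that feeds an authorization decision; a wrong password must still be rejected by the bind itself, so re-binding as the service account after a successful user bind does not weaken the password check.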
django-auth-ldap is a 3rd party app, not part of Django, closing as invalid.