719: Ldap auth not working with AD
- Fixed
- Review Board
Reported by who.m*****@gmai***** (Google Code), July 26, 2009
What's the URL of the page containing the problem?
Even after an LDAP auth config like the one below, LDAP auth fails with a security failure.
"auth_ldap_uid_mask": "sAMAccountName=%s,cn=Users,dc=corp,dc=mobileiron,dc=com"
"ldap://172.16.0.1:389"

What steps will reproduce the problem?
1. Configure the LDAP parameters.
2. Check the packet capture from the LDAP server.
3. It shows an error.

What is the expected output? What do you see instead?
There should be a way to configure AD; in the Apache case we can support this using a filter.

What operating system are you using? What browser?
CentOS 5

Please provide any additional information below.
The auth_ldap_uid_mask is more like a filter than a pattern to build a DN from a username. So with AD the mask should be sAMAccountName=%s. Then, AD by default doesn't allow anonymous search. You need to patch accounts/backends.py to do a 'bind' before the first 'search'. For the initial bind, you could use the 'ANON' credentials and avoid changing the GUI/settings/etc.
    from django.conf import settings


    def authenticate(self, username, password):
        try:
            import ldap
            ldapo = ldap.initialize(settings.LDAP_URI)
            ldapo.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
            if settings.LDAP_TLS:
                ldapo.start_tls_s()

            # AD refuses anonymous searches by default, so bind with the
            # service ("ANON") credentials before looking the user up.
            if settings.LDAP_ANON_BIND_UID:
                ldapo.bind_s(settings.LDAP_ANON_BIND_UID,
                             settings.LDAP_ANON_BIND_PASSWD)

            # The mask is a search filter (e.g. "sAMAccountName=%s"), not a DN.
            search = ldapo.search_s(settings.LDAP_BASE_DN, ldap.SCOPE_SUBTREE,
                                    settings.LDAP_UID_MASK % username)
            if not search:
                return None  # no entry matched the filter

            # Re-bind as the DN of the entry found, with the user's password.
            ldapo.bind_s(search[0][0], password)
        except ImportError:
            return None
        except ldap.LDAPError:
            return None
        # (the rest of the method is not shown in this comment)
Here's a patch against the SVN trunk to fix the "need to bind before searching" problem.
I'm not the original poser, but this patch fixes the issue in my environment. Thanks!
/poser/poster/ oops.
I'm using RC2 with the LDAP authentication backend against an AD server and it works for me. The AD setup here specifically disallows anonymous searching so it probably tests the path described in this bug report. I set the Anonymous User Mask to "MYDOMAIN\bind_username" (no quotes) and set the Anonymous User Password to the password for the bind_username account. Calling this field Anonymous User Mask in the config screen seems a bit misleading. Is that config field used for something else as well? The help text under the config field says "The user mask string for anonymous users. If specified, this should be in the same format as User Mask." even though the format for the two fields is completely different.
Does anyone know how to integrate Review Board authentication with AD? Please let me know the path and configuration. Your help is appreciated. Thanks
I'm really responding to Comment #10. I've been having a difficult time troubleshooting my LDAP configuration here. I've set up LDAP authentication for several products (Deki Wiki, JIRA, Hudson, Subversion) but for the life of me, cannot get this to work. This is coupled with the fact that I can't tell when the settings actually change (I hit Save, and it refreshes, and the old settings are still there in the web page.) If anyone has had luck with doing LDAP authentication against an AD, I'd really like to see your scrubbed settings. Also, any help on which log files to look at for this would be greatly appreciated. Thanks, -Dan.
Here's what works for me in our Win2k3 AD environment. Replace the values in brackets with values for your environment. On admin/settings/general, under LDAP Authentication Settings:
* LDAP Server: ldap://<server FQDN>
* LDAP Base DN: ou=Recipients,ou=<domain name> Users,dc=<domain part>,dc=<domain part>,dc=<domain part>
* Email Domain: (blank)
* Email LDAP attribute: mail
* Use TLS: unchecked
* User Mask: (sAMAccountName=%s)
* Anonymous User Mask: cn=<service account name>,cn=<service account's user container>,dc=<domain part>,dc=<domain part>,dc=<domain part>
* Anonymous User Password: <service account password>
Notes: In our environment, normal user accounts are held in the Recipient container, which is in turn held in the <domain name> User container. If your structure differs, adjust the OU entries accordingly. The service account is required because we have anonymous binds disabled. Our service accounts live in a different container than our normal users, so again, adjust the entries as necessary. Hope that helps.
Re: Anonymous user format - comment 9, as well as my own comment 13 - I've seen cases where the anonymous user needs to be specified as stated in #9, e.g. MYDOMAIN\username. But in other cases that won't work and it needs to be specified as I did in #13, as an LDAP string. Honestly I have no idea why the difference, but if one doesn't work, you might as well try the other.
Comment 13. Thanks much for the info. This is exactly what I need. The problem is in Anonymous User Mask, which follows the field User Mask and gives the user the impression that it would be the same form (uid=%s, except we change the %s to the anonymous user). The instruction also tells you so: 'this should be in the same format as User Mask'. Actually, it should be the whole LDAP query for the anonymous query, as per comment 13.
it also works for me.
It also works for me. But I want to authenticate only particular group members instead of all members in my domain. Does anybody know how to configure LDAP with a group?
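As an added example (not Review Board's own code and not the patch from the comments above), the following puts the pieces of this thread together: the bind-search-bind flow from the backends.py snippet, the distinction between User Mask (a search filter) and Anonymous User Mask (a bind DN) from comments 13 and 20, and a group-restricted mask for the last question. It runs against a constructed in-memory directory that, like AD, refuses anonymous searches, so it works offline. FakeDirectory, build_filter, authenticate, the example.com DNs, the svc-reviewboard account and all passwords are assumptions; the stand-in borrows the simple_bind_s/search_s names from python-ldap but is not python-ldap. It adds one thing the snippet above lacks: RFC 4515 escaping of the username before it is substituted into the filter, because `LDAP_UID_MASK % username` otherwise lets a crafted username change the search filter. The memberOf mask goes beyond what anyone in the thread confirmed; it follows from the mask being passed straight through as the search filter.

```python
import re

# RFC 4515 escaping for values substituted into a search filter (assumption:
# equivalent to python-ldap's ldap.filter.escape_filter_chars).
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_chars(value):
    return ''.join(_ESCAPES.get(c, c) for c in value)


def build_filter(mask, username):
    """Expand a User Mask such as "(sAMAccountName=%s)" into a safe filter."""
    return mask % escape_filter_chars(username)


def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def _split_items(s):
    """Split "(a=b)(c=d)" into ["(a=b)", "(c=d)"], honouring nesting."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == '(':
            if depth == 0:
                start = i
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                items.append(s[start:i + 1])
    return items


def matches(entry, flt):
    """Evaluate a filter against one entry (dict: lowercase attr -> values).
    Only equality and AND are modelled, which covers the masks on this page."""
    if not (flt.startswith('(') and flt.endswith(')')):
        raise ValueError('filter must be parenthesised: %r' % flt)
    body = flt[1:-1]
    if body.startswith('&'):
        return all(matches(entry, sub) for sub in _split_items(body[1:]))
    attr, _, value = body.partition('=')
    return _unescape(value) in entry.get(attr.lower(), [])


class FakeDirectory:
    """Constructed stand-in for an LDAP connection; refuses anonymous search."""

    def __init__(self, entries, passwords):
        self.entries, self.passwords, self.bound = entries, passwords, None

    def simple_bind_s(self, dn, password):
        if self.passwords.get(dn) != password:
            raise PermissionError('invalid credentials for %s' % dn)
        self.bound = dn

    def search_s(self, base, flt):
        if self.bound is None:
            raise PermissionError('anonymous search refused')
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if dn.lower().endswith(base.lower()) and matches(attrs, flt)]


def authenticate(conn, cfg, username, password):
    """Bind as the service account, find the user's DN, re-bind as the user.
    Returns the user's DN on success and None on a failed login."""
    if cfg.get('anon_bind_dn'):  # the "Anonymous User Mask": a bind DN
        conn.simple_bind_s(cfg['anon_bind_dn'], cfg['anon_bind_password'])
    hits = conn.search_s(cfg['base_dn'], build_filter(cfg['user_mask'], username))
    if len(hits) != 1:
        return None  # unknown user, or a filter matching more than one entry
    user_dn = hits[0][0]
    try:
        conn.simple_bind_s(user_dn, password)
    except PermissionError:
        return None
    return user_dn


# Constructed sample directory and settings (all values are made up).
BASE_DN = 'dc=example,dc=com'
SVC_DN = 'CN=svc-reviewboard,OU=Service Accounts,dc=example,dc=com'
ALICE_DN = 'CN=alice,CN=Users,dc=example,dc=com'
BOB_DN = 'CN=bob,CN=Users,dc=example,dc=com'
REVIEWERS = 'cn=reviewers,cn=Users,dc=example,dc=com'
ENTRIES = {
    ALICE_DN: {'samaccountname': ['alice'], 'memberof': [REVIEWERS]},
    BOB_DN: {'samaccountname': ['bob'], 'memberof': []},
    SVC_DN: {'samaccountname': ['svc-reviewboard']},
}
PASSWORDS = {ALICE_DN: 'alice-pw', BOB_DN: 'bob-pw', SVC_DN: 'svc-pw'}
CONFIG = {'base_dn': BASE_DN, 'user_mask': '(sAMAccountName=%s)',
          'anon_bind_dn': SVC_DN, 'anon_bind_password': 'svc-pw'}
# Restrict logins to one group by extending the User Mask filter.
GROUP_CONFIG = dict(CONFIG, user_mask='(&(sAMAccountName=%s)(memberOf=' + REVIEWERS + '))')


def demo():
    conn = FakeDirectory(ENTRIES, PASSWORDS)
    return {
        'alice_ok': authenticate(conn, CONFIG, 'alice', 'alice-pw'),
        'alice_bad_pw': authenticate(conn, CONFIG, 'alice', 'wrong'),
        'escaped_wildcard': authenticate(conn, CONFIG, '*', 'anything'),
        'bob_not_in_group': authenticate(conn, GROUP_CONFIG, 'bob', 'bob-pw'),
        'alice_in_group': authenticate(conn, GROUP_CONFIG, 'alice', 'alice-pw'),
    }


def search_refused_without_bind():
    """The bug report's situation: no service account, AD refuses the search."""
    conn = FakeDirectory(ENTRIES, PASSWORDS)
    try:
        authenticate(conn, dict(CONFIG, anon_bind_dn=''), 'alice', 'alice-pw')
    except PermissionError:
        return True
    return False


if __name__ == '__main__':
    print(demo(), search_refused_without_bind())
```

The escaped wildcard case shows why the username must be escaped before substitution: "*" becomes "\2a" and matches only a literal asterisk, so it cannot turn the User Mask into a match-anything filter. The `len(hits) != 1` check matters for the same reason: a filter that matches several entries should fail closed rather than bind as whichever entry came back first.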