Unable to retrieve LDAP groups
Hi,
I am trying to set up psono with LDAP authentication. We are using OpenLDAP with the memberOf overlay.
I am getting the following error:
~ # python3 ./psono/manage.py testldap jmai@mycompany.de 123
Success: LDAP server configuration found.
Success: AUTHENTICATION_METHODS configured correctly.
Testing mycompany.de:
- Success: Required parameter LDAP_DOMAIN present
- Success: Required parameter LDAP_URL present
- Success: LDAP_URL format seems to be correct
- Success: Your LDAP port is an integer.
- Success: Your LDAP port is in the correct range.
- Success: Host resolved
- Success: Host and port exist and firewall seems to allow connections.
- Success: Binding to LDAP with the provided LDAP_BIND_DN and LDAP_BIND_PASS successful.
- Success: More than 10 user(s) found. LDAP_SEARCH_USER_DN and LDAP_OBJECT_CLASS_USER seem correct.
- Success: User has attribute uid. LDAP_ATTR_USERNAME so far correct.
- Success: LDAP_ATTR_GUID seems to be correct for users.
- Error: LDAP_ATTR_GROUPS not found in user. Please check that "memberOf" is correct.
LDAP config in settings.yml:
LDAP : [
{
'LDAP_URL': 'ldap://ldap.mycompany.de:389',
'LDAP_DOMAIN': 'mycompany.de',
'LDAP_BIND_DN': 'uid=psono,ou=apps,dc=mycompany,dc=de',
'LDAP_BIND_PASS': 'mypassword',
'LDAP_SEARCH_USER_DN': 'ou=people,dc=mycompany,dc=de',
'LDAP_SEARCH_GROUP_DN': 'ou=groups,dc=mycompany,dc=de',
'LDAP_OBJECT_CLASS_USER': 'inetOrgPerson',
'LDAP_OBJECT_CLASS_GROUP': 'groupOfNames',
'LDAP_ATTR_USERNAME': 'uid',
'LDAP_ATTR_EMAIL': 'mail',
'LDAP_ATTR_GUID': 'entryUUID',
'LDAP_REQUIRED_GROUP': ['cn=staff,ou=groups,dc=mycompany,dc=de'],
'LDAP_ATTR_GROUPS': 'memberOf',
'LDAP_MEMBER_OF_OVERLAY': True,
'LDAP_ATTR_GROUP_MEMBER_ATTRIBUTE': 'uid',
'LDAP_ATTR_MEMBERS': 'cn'
},
]
Attribute memberOf of user:
root@ldap:~# ldapsearch -Z uid=jmai memberof
# jmai, people, mycompany.de
dn: uid=jmai,ou=people,dc=mycompany,dc=de
memberOf: cn=staff,ou=groups,dc=mycompany,dc=de
LDAP Group:
root@ldap:~# ldapsearch -Z "cn=staff"
# staff, groups, mycompany.de
dn: cn=staff,ou=groups,dc=mycompany,dc=de
objectClass: groupOfNames
objectClass: mailGroup
description: Gruppe Interne Mitarbeiter
cn: staff
mail: xxxx@mycompany.de
member: uid=jmai,ou=people,dc=mycompany,dc=de
LDAP User:
root@ldap:~# ldapsearch -Z uid=jmai
# jmai, people, mycompany.de
dn: uid=jmai,ou=people,dc=mycompany,dc=de
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: mailUser
uid: jmai
uidNumber: 1327
gidNumber: 1000
homeDirectory: /home/jmai
loginShell: /bin/bash
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaSID: S-1-5-21-3560154674-1641127617-223657098-1092
accountStatus: active
mailMessageStore: mycompany.de/jmai/
mailQuota: 10000000000
enabledService: mail
enabledService: smtp
enabledService: smtpsecured
enabledService: imapsecured
enabledService: deliver
enabledService: forward
enabledService: managesieve
enabledService: sievesecured
enabledService: shadowaddress
shadowAddress: jmai@mycompany.de
mailHost: smtp:[mailbox.mycompany.de]
telephoneNumber: XXXXXXXXXXXXXXXX
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [U]
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1620042045
sambaPwdMustChange: 1927626045
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXX=
shadowLastChange: 18750
shadowMax: 3560
mobile: XXXXXXXXXXXXXXXXXXX
mail: jan.mai@mycompany.de
sn: Mai
displayName: Jan Mai
gecos: Jan Mai
givenName: Jan
cn: Jan Mai
Help would be appreciated.
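The check that testldap reports as failing, reconstructed here as an added example (not psono's own code) over the LDIF that ldapsearch prints above: it parses the entry, compares group DNs case-insensitively and reports the same two failure modes (attribute absent, or no match against LDAP_REQUIRED_GROUP). The sample entry, the function names and the simplified DN normalisation are constructed for this example; note that OpenLDAP returns memberOf only when it is explicitly requested, as the ldapsearch call above does.

```python
import base64
import re

# Constructed sample: the poster's entry with memberOf explicitly requested
# (memberOf is an operational attribute in OpenLDAP; omitted unless asked for).
SAMPLE_LDIF = """\
# jmai, people, mycompany.de
dn: uid=jmai,ou=people,dc=mycompany,dc=de
uid: jmai
memberOf: cn=staff,ou=groups,dc=mycompany,dc=de
mail:: amFuLm1haUBteWNvbXBhbnkuZGU=
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}; names are lower-cased
    (LDAP compares them case-insensitively), folding and '::' base64 handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a continuation line
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(name.lower(), []).append(value)
    return entry

def normalize_dn(dn):
    """Lower-case, strip blanks around RDN separators (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_group_attribute(entry, attr_groups, required_groups):
    """The two testldap conditions: attribute present, and one value is a required group."""
    groups = entry.get(attr_groups.lower())
    if not groups:
        return False, f"{attr_groups} not found in user"
    have = {normalize_dn(g) for g in groups}
    want = {normalize_dn(g) for g in required_groups}
    if not have & want:
        return False, "user is in none of LDAP_REQUIRED_GROUP"
    return True, "ok"
```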