Trouble getting LDAP to work

[gonadsnstrife]

Hi there. Seems LDAP is a frequent issue that comes up. I've searched a good amount and have seen some promising results related to what I'm seeing but haven't seen any solutions posted by those same users who created the discussions in the first place.

Currently I have Netbox up and running, superuser can log in, etc. Followed the Netbox Labs guide for all steps up to and including the LDAP config portion and it seems that user logins aren't even getting through to auth/LDAP. I have the logfile created but not seeing anything logged in it despite reloading services, so I can't really even see if LDAP is even working.

Any help/tips would be appreciated.

• Netbox version 4.2.5
• Python version 3.12.9
• django_ldap_auth is installed
• have run upgrade.sh
• have created LDAP logfile per the guide, set the perms to 777 for testing, not being written to
• logging code added to configuration.py

Remote auth code from configuration.py:

REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_USER_FIRST_NAME = 'HTTP_REMOTE_USER_FIRST_NAME'
REMOTE_AUTH_USER_LAST_NAME = 'HTTP_REMOTE_USER_LAST_NAME'
REMOTE_AUTH_USER_EMAIL = 'HTTP_REMOTE_USER_EMAIL'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}

ldap_config.py sanitized and pasted below:

import ldap
from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType

# Server URI
AUTH_LDAP_SERVER_URI = "ldaps://ldapserver.com:3269"

# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0
}

# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=srv_netboxldap,OU=Applications,OU=Miscellaneous Accounts,DC=domain,DC=com"
AUTH_LDAP_BIND_PASSWORD = "##########"

# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = False

# Include this setting if you want to validate the LDAP server certificates against a CA certificate directory on your server
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, LDAP_CA_CERT_DIR)
LDAP_CA_CERT_DIR = '/etc/ssl/certs'

# Include this setting if you want to validate the LDAP server certificates against your own CA.
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT_FILE)
#LDAP_CA_CERT_FILE = '/path/to/example-CA.crt'

# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory).
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "OU=User Accounts,DC=domain,DC=com",
    ldap.SCOPE_SUBTREE,
    "(|(userPrincipalName=%(user)s)(sAMAccountName=%(user)s))"
)

# If a user's DN is producible from their username, we don't need to search.
AUTH_LDAP_USER_DN_TEMPLATE = None

# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
    "username": "sAMAccountName",
    "email": "mail",
    "first_name": "givenName",
    "last_name": "sn",
}

AUTH_LDAP_USER_QUERY_FIELD = "username"

# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# hierarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "DC=domain,DC=com",
    ldap.SCOPE_SUBTREE,
    "(objectClass=group)"
)
AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()

# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "CN=NETBOX_USERS,CN=Users,DC=domain,DC=com"

# Mirror LDAP group assignments.
AUTH_LDAP_MIRROR_GROUPS = [ "NETBOX_USERS", "NETBOX_STAFF" ]

# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "CN=NETBOX_USERS,CN=Users,DC=domain,DC=com",
    "is_staff": "CN=NETBOX_STAFF,CN=Users,DC=domain,DC=com",
    "is_superuser": "CN=NETBOX_SUPERUSER,CN=Users,DC=domain,DC=com"
}

# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True

# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_TIMEOUT = 3600
AUTH_LDAP_ALWAYS_UPDATE_USER = True

[xtomiff]

If you're using a UNIX Based LDAP (like Univention Coroprate Server or UCS) try this:

AUTH_LDAP_GROUP_TYPE = PosixGroupType()

Obviously you'll need to import the Grouptype at the beginning of the file:

from django_auth_ldap.config import LDAPSearch, PosixGroupType

[gonadsnstrife]

We are using Active Directory, I should've said that before.

Maybe stupid questions but...the ldap search should be searching AD for the specified user and the groups it belongs to, yes? The AD user specified(logging in) should match the login requirements? As in, the user doesn't need to be created in netbox first before trying to log in?

I was able to get logging working though.

I've tried changing the ldap_config.py around with certain options, but all result in the same failed to map username to a DN. I definitely am using the right creds and have tried both username and username@domain.com and neither are working.

Caught LDAPError looking up user: INVALID_CREDENTIALS({'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': '80090308: LdapErr: DSID-0C09044A, comment: AcceptSecurityContext error, data 773, v3839'})
Authentication failed for user@domain.com: failed to map the username to a DN.

[xtomiff]

Ah!

We needed to configure a netbox user first with the same username as in the LDAP.

Then it worked for us ...

[gonadsnstrife]

I have created a user inside netbox with the same details as my domain user and am still getting the same error as above, except now I'm able to sign in because of that user account; auth lookup/mapping to DN is still failing.

Some lines are commented out for testing purposes, but here is an updated version of the ldap_config.py:

import ldap, logging, logging.handlers
from django_auth_ldap.config import LDAPSearch, NestedActiveDirectoryGroupType #NestedGroupOfNamesType

# Server URI
AUTH_LDAP_SERVER_URI = "ldap://server.domain.com"


# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0
}

# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=srv_netboxldap,OU=Applications,OU=Miscellaneous Accounts,DC=domain,DC=com"
AUTH_LDAP_BIND_PASSWORD = "############"

# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True

# Include this setting if you want to validate the LDAP server certificates against a CA certificate directory on your server
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, LDAP_CA_CERT_DIR)
LDAP_CA_CERT_DIR = '/etc/ssl/certs'

# Include this setting if you want to validate the LDAP server certificates against your own CA.
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT_FILE)
#LDAP_CA_CERT_FILE = '/path/to/example-CA.crt'

# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory).
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "OU=User Accounts,DC=domain,DC=com",
    #"DC=domain,DC=com",
    ldap.SCOPE_SUBTREE,
    #"(sAMAccountName=%(user))"
    "(|(userPrincipalName=%(user)s)(sAMAccountName=%(user)s))"
)

# If a user's DN is producible from their username, we don't need to search.
#AUTH_LDAP_USER_DN_TEMPLATE = None

# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
    "username": "sAMAccountName",
    "email": "mail",
    "first_name": "givenName",
    "last_name": "sn",
}

AUTH_LDAP_USER_QUERY_FIELD = "username"

# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# hierarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "CN=Users,DC=domain,DC=com",
    ldap.SCOPE_SUBTREE,
    #"(objectClass=group)"
    "(objectCategory=group)"
)
#AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()
AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType(name_attr="CN")

# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "CN=NETBOX_USERS,CN=Users,DC=domain,DC=com"

# Mirror LDAP group assignments.
#AUTH_LDAP_MIRROR_GROUPS = [ "NETBOX_USERS", "NETBOX_STAFF" ]
AUTH_LDAP_MIRROR_GROUPS = True

# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "CN=NETBOX_USERS,CN=Users,DC=domain,DC=com",
    "is_staff": "CN=NETBOX_STAFF,CN=Users,DC=domain,DC=com",
    "is_superuser": "CN=NETBOX_SUPERUSER,CN=Users,DC=domain,DC=com"
}

# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True

# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_CACHE_TIMEOUT = 3600
AUTH_LDAP_ALWAYS_UPDATE_USER = True

# Auth backends
AUTHENTICATION_BACKENDS = (
    "django_auth_ldap.backend.LDAPBackend",
    "django.contrib.auth.backends.ModelBackend",
)

# Configuration for logging
logfile = "/opt/netbox/local/logs/django-ldap-debug.log"
my_logger = logging.getLogger('django_auth_ldap')
my_logger.setLevel(logging.DEBUG)
handler = logging.handlers.RotatingFileHandler(
logfile, maxBytes=1024 * 500, backupCount=5)
my_logger.addHandler(handler)

[gonadsnstrife]

Turns out the above config does work. The service account was, by default upon creation, not set to not expire in conjunction with the password being set to expire at next logon in AD. Once those two options were changed and replication occurred, LDAP queries began working. Another user -not me- created this service account and I had assumed they had done it correctly this whole time.

Furthermore, when another person I was testing with tried logging in without a pre-created netbox user account, they were immediately let in the first time, as the LDAP query results matched with the netbox access requirements/group memberships that the user was already configured with in AD. Based off of that and upon login, netbox automagically created a user account and adjusted permissions/roles accordingly from the group memberships required as in ldap_auth.py, which is great; working as intended I think.

This is solved for now, thanks for your time.