2017-02-13 94 views
0

LDAP: 'Populating Django user' results in error 'INSUFFICIENT_ACCESS'

I'm trying to authenticate a Django application against an LDAP server and am getting some strange behavior. Keep in mind that I don't know much about LDAP, so forgive me if I misuse some LDAP terminology. Also note that in this question, my_domain is my company's domain name and user_id is the username of the authenticating user.

Here is the relevant part of my settings.py configuration file:

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

AUTHENTICATION_BACKENDS = [
    'django_auth_ldap.backend.LDAPBackend'
]
AUTH_LDAP_SERVER_URI = 'ldaps://ipa.my_domain.com:636'

# The DN to bind as is built directly from the submitted username
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,cn=users,cn=accounts,dc=my_domain,dc=com"

# Django user flags are set from membership in these group DNs
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=all,cn=groups,cn=accounts,dc=my_domain,dc=com",
    "is_staff": "cn=all,cn=groups,cn=accounts,dc=my_domain,dc=com",
    "is_superuser": "cn=all,cn=groups,cn=accounts,dc=my_domain,dc=com"
}

AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("cn=groups,cn=accounts,dc=my_domain,dc=com",
    ldap.SCOPE_SUBTREE, "(objectClass=member)"
)

AUTH_LDAP_GLOBAL_OPTIONS = {
    ldap.OPT_X_TLS_REQUIRE_CERT: False,  # value 0 == ldap.OPT_X_TLS_NEVER: server certificate is not verified
    ldap.OPT_REFERRALS: False,
}

AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn"}

When I try to log in to my application, I get this error:

Populating Django user user_id
search_s('uid=user_id,cn=users,cn=accounts,dc=my_domain,dc=com', 0, '(objectClass=*)') returned 1 objects: uid=user_id,cn=users,cn=accounts,dc=my_domain,dc=com
Caught LDAPError while authenticating user_id: INSUFFICIENT_ACCESS({'desc': 'Insufficient access'},)

However, when I switch this flag from True to False:

AUTH_LDAP_ALWAYS_UPDATE_USER = False

authentication succeeds. Now here is the strange part: even though authentication succeeds, my attributes are not mapped onto my Django user object (the ones specified in AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn"}). When I manually inspect request.user.ldap_user.attrs, all the attributes are there.

So the questions are: what exactly does 'Populating Django user' mean? What causes the 'INSUFFICIENT_ACCESS' error, and why does flipping that flag fix (hide?) the problem?

Thanks.

Answer

0

I was able to resolve all the issues by adding this line to my settings.py file:

AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True

This is what I intended the whole time: to bind as the authenticating user. I don't have a service account to bind with, and when binding as an anonymous user against my company's LDAP setup, some information is unavailable. Apparently what was happening is that after authentication, a re-bind occurred with AUTH_LDAP_BIND_DN, which of course I had not specified, so an anonymous bind was used. That anonymous bind is not allowed to access group information and other details, resulting in the INSUFFICIENT_ACCESS error.

From the documentation:

By default, all LDAP operations are performed with the AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD credentials, not with the user’s. Otherwise, the LDAP connection would be bound as the authenticating user during login requests and as the default credentials during other requests, so you might see inconsistent LDAP attributes depending on the nature of the Django view. If you’re willing to accept the inconsistency in order to retrieve attributes while bound as the authenticating user, see AUTH_LDAP_BIND_AS_AUTHENTICATING_USER.

Additional detail on AUTH_LDAP_BIND_AS_AUTHENTICATING_USER:

Default: False

If True, authentication will leave the LDAP connection bound as the authenticating user, rather than forcing it to re-bind with the default credentials after authentication succeeds. This may be desirable if you do not have global credentials that are able to access the user’s attributes. django-auth-ldap never stores the user’s password, so this only applies to requests where the user is authenticated. Thus, the downside to this setting is that LDAP results may vary based on whether the user was authenticated earlier in the Django view, which could be surprising to code not directly concerned with authentication.
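As an added illustration (not code from the question, and not django-auth-ldap's own implementation), the following Python sketch models the bind, re-bind and populate sequence the answer describes, against a constructed in-memory directory whose ACL refuses reads to an anonymous bind. The settings keys are the real django-auth-ldap names; FakeConnection, DIRECTORY and the credentials are assumptions for the demo.

```python
# Simplified model of the django-auth-ldap login flow (added example, not the
# library's code); the directory is constructed and denies reads to anonymous.

class InsufficientAccess(Exception):
    """Stands in for ldap.INSUFFICIENT_ACCESS."""

USER_DN = "uid=%(user)s,cn=users,cn=accounts,dc=my_domain,dc=com"
ALL_GROUP = "cn=all,cn=groups,cn=accounts,dc=my_domain,dc=com"

# Constructed directory: DN -> (password, attributes, set of group DNs).
DIRECTORY = {
    USER_DN % {"user": "user_id"}: (
        "s3cret", {"givenName": "Ada", "sn": "Lovelace"}, {ALL_GROUP}),
}

class FakeConnection:
    """Minimal LDAP connection; bound_dn is None after an anonymous bind."""
    def __init__(self):
        self.bound_dn = None
    def simple_bind_s(self, dn=None, password=None):
        if dn is None:                      # anonymous bind always succeeds
            self.bound_dn = None
            return
        if DIRECTORY.get(dn, (None,))[0] != password:
            raise ValueError("INVALID_CREDENTIALS")
        self.bound_dn = dn
    def read_entry(self, dn):
        # Server ACL: only an authenticated bind may read attributes/groups.
        if self.bound_dn is None:
            raise InsufficientAccess({"desc": "Insufficient access"})
        _, attrs, groups = DIRECTORY[dn]
        return attrs, groups

def authenticate(username, password, settings, existing_user=None):
    conn = FakeConnection()
    dn = USER_DN % {"user": username}
    conn.simple_bind_s(dn, password)                 # 1. bind as the user
    if not settings.get("AUTH_LDAP_BIND_AS_AUTHENTICATING_USER", False):
        # 2. re-bind with AUTH_LDAP_BIND_DN; unset means an anonymous bind
        conn.simple_bind_s(settings.get("AUTH_LDAP_BIND_DN"),
                           settings.get("AUTH_LDAP_BIND_PASSWORD"))
    user = existing_user if existing_user is not None else {"username": username}
    # 3. "Populating Django user" runs for a new user, or for an existing one
    #    only when AUTH_LDAP_ALWAYS_UPDATE_USER is True (its default).
    if existing_user is None or settings.get("AUTH_LDAP_ALWAYS_UPDATE_USER", True):
        attrs, groups = conn.read_entry(dn)
        user["first_name"], user["last_name"] = attrs["givenName"], attrs["sn"]
        user["is_staff"] = ALL_GROUP in groups
    return user
```

With the default settings the populate step runs on the anonymous re-bind and fails; with ALWAYS_UPDATE_USER=False an existing user logs in but is never populated (the behaviour the question observed), and with BIND_AS_AUTHENTICATING_USER=True the attributes and group flags are read on the user's own bind.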