Interfacing with Active Directory LDAP

Hi,

I’m trying to configure our Active Directory as the authn/authz backend for Indico. I followed the instructions in the documentation (https://docs.getindico.io/en/stable/config/auth/) and started from the CERN example at the end of the page. Unfortunately, in our AD, userCategory is not group or user but something like CN=Person,CN=Schema,CN=Configuration,DC=in2p3,DC=fr, which I didn’t manage to match with a filter… Do you see any reason why we don’t have group/user as in the CERN example, and as it seems to be documented in some MS docs (https://docs.microsoft.com/en-us/windows/desktop/adsi/search-filter-syntax)?

I considered using objectClass rather than objectCategory, but unfortunately computers also have objectClass: user in addition to objectClass: computer.

Michel

We are also using our AD with LDAP for the verification of users. Hope that helps you…

# AUTHENTICATION
_ldap_config = {
    'uri': 'ldaps://XXXXXXXXXXXXXX:636',
    'bind_dn': 'CN=USERxXXX,CN=Users,DC=ad,DC=XXXXXXXX,DC=de',
    'bind_password': 'XXXXXXX',
    'timeout': 30,
    'useTLS': True,
    'verify_cert': False,  # disables checking of the LDAPS server certificate; enable it in production
    'starttls': False,
    'page_size': 1000,

    'uid': 'cn',
    'user_base': 'OU=XXXXXXX,DC=ad,DC=XXXXXXXXX,DC=de',
    'user_filter': '(mail=*)',

    'gid': 'cn',
    'group_base': 'OU=XXXXX,DC=ad,DC=XXXXXXXXXXX,DC=de',
    'group_filter': '(objectCategory=group)',
    'member_of_attr': 'memberOf',
    'ad_group_style': True,
}

AuthProviders = {
    'ldap': {
        'type': 'ldap',
        'title': 'XXXX LDAP',
        'ldap': _ldap_config,
        'default': True
    }
}

IdentityProviders = {
    'ldap': {
        'type': 'ldap',
        'title': 'XXXXX LDAP',
        'ldap': _ldap_config,
        'mapping': {
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
            'affiliation': 'company',
        },
        'trusted_email': True,
        'default_group_provider': True,
        'synced_fields': {'first_name', 'last_name', 'affiliation'}
    }
}

Thanks. Not sure what I did wrong but objectcategory=user (or group) works just fine with ldapsearch… The failure to validate the user credentials or find the user should be elsewhere… Sorry for the noise!

Michel

In fact, it works like a charm following the CERN example, both for users and groups! In our case, I just had to use sAMAccountName rather than cn due to the way we map userids.

Thanks for the good documentation!

Michel
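The two points raised in this thread, that objectClass=user also matches computer accounts and that the lookup attribute ended up being sAMAccountName, can be checked offline. The following is an added example and not code from the thread or from Indico/flask-multipass: it builds an AD user filter that excludes computers, escapes the login name per RFC 4515 so it cannot alter the filter, and evaluates the filter against constructed sample entries (the entries and the filter subset handled are assumptions; real AD resolves objectCategory short names, which this string-comparison evaluator does not model).

```python
"""Added example, not from the thread or from Indico/flask-multipass:
build AD search filters with RFC 4515 escaping and evaluate them against
constructed sample entries, to show why objectClass=user alone matches
computer accounts and why the login name must be escaped."""
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a login name such as 'a)(cn=*' cannot
    alter the structure of the filter it is inserted into."""
    return ''.join(f'\\{ord(c):02x}' if c in '\\*()\x00' else c for c in value)

def unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def user_filter(uid_attr: str, uid: str) -> str:
    # Computers carry objectClass=user too, so exclude them explicitly.
    return (f'(&(objectClass=user)(!(objectClass=computer))'
            f'({uid_attr}={escape_filter_value(uid)}))')

def matches(flt: str, entry: dict) -> bool:
    """Evaluate a filter subset (&, !, attr=value, attr=*) against an entry
    given as {lowercase attribute: [values]} using plain string comparison."""
    assert flt.startswith('(') and flt.endswith(')'), 'unbalanced filter'
    body = flt[1:-1]
    if body[0] in '&!':
        parts, depth, start = [], 0, 1
        for i, c in enumerate(body[1:], 1):
            depth += (c == '(') - (c == ')')
            if depth == 0:
                parts.append(body[start:i + 1])
                start = i + 1
        results = [matches(p, entry) for p in parts]
        return all(results) if body[0] == '&' else not results[0]
    attr, _, val = body.partition('=')
    vals = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(vals) if val == '*' else unescape(val).lower() in vals

SAMPLE_ENTRIES = {  # constructed, not real directory data
    'michel': {'objectclass': ['top', 'person', 'organizationalPerson', 'user'],
               'samaccountname': ['michel'], 'mail': ['michel@example.org']},
    'ws01$': {'objectclass': ['top', 'person', 'organizationalPerson', 'user', 'computer'],
              'samaccountname': ['ws01$']},
}

def find_users(uid_attr: str, uid: str, entries=SAMPLE_ENTRIES) -> list:
    """Return the keys of the entries matched by user_filter(uid_attr, uid)."""
    flt = user_filter(uid_attr, uid)
    return sorted(k for k, e in entries.items() if matches(flt, e))
```

With the sample data, `find_users('sAMAccountName', 'michel')` returns the person account, the computer account `ws01$` is never returned even when its name is looked up, and a wildcard login name such as `*` matches nothing because it is escaped to `\2a`.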