Specific provider - User's cannot login with our local LDAP

zmohamoud · March 25, 2019, 9:06pm

First, i installed LDAP - pip install python-ldap then i added this below configuration in indico.conf. Somehow, i can’t log in indico by authenticating with our Active directory:

# Authentication

LOCAL_IDENTITIES = True
LOCAL_REGISTRATION = True
LOCAL_MODERATION = True

_ldap_config = {
    'uri': 'ldaps:xxxxxx:3269',
    'bind_dn': 'CN=XXXXX,OU=XXX Users,OU=XXXXX,OU=XXXXX,OU=XXXXX,DC=XXXXX,DC=XXXXX,DC=XXXXX',
    'bind_password': 'XXXXX',
    'timeout': 30,
    'useTLS': True,
    'verify_cert': False,
    'starttls': False,
    'page_size': 1000,

    'uid': 'cn',
    'user_base': 'DC=XXXXX,DC=XXXXX,DC=XXXXX',
    'user_filter': '(mail=*)',

    'gid': 'cn',
    'group_base': 'DC=XXXXX,DC=XXXXX,DC=XXXXX',
    'group_filter': '(objectCategory=group)',
    'member_of_attr': 'memberOf',
    'ad_group_style': False,
}

AuthProviders = {
    'ldap': {
        'type': 'ldap',
        'title': 'Our org LDAP',
        'ldap': _ldap_config,
        'default': True
    }
}

IdentityProviders = {
    'ldap': {
        'type': 'ldap',
        'title': 'Our org',
        'ldap': _ldap_config,
        'mapping': {
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
            'affiliation': 'company',
        },
        'trusted_email': True,
        'default_group_provider': True,
        'synced_fields': {'first_name', 'last_name', 'affiliation'}
    }

kolodzie · March 26, 2019, 5:54am

Did you forget about PROVIDER_MAP setting?

kolodzie · March 26, 2019, 10:48am

Apparently the PROVIDER_MAP shouldn’t be necessary here. Are you sure you LDAP config is correct?

zmohamoud · March 26, 2019, 1:41pm

I’m sure the setting that match our Active Directory but not sure if everything else missing regrading indico authentication with AD is correct. Is there any change that i need to do. I just followed the installation instruction provided by indico

kolodzie · March 26, 2019, 1:49pm

It is quite hard to find the culprit without more details. Don’t you see any error message after clicking Login with ...?

zmohamoud · March 26, 2019, 3:14pm

I’m sorry that i have not provided detail information. I just want to ensure that the config file is correct. However, i found out that that firewall is blocking port 3269 from indico server to our ldap . Indico resides public VPC at AWS and our LDAP is in an internal network. I request port changes and hoping this will solve the issue as long as the config file is correct

The main error it could not find a user which makes since the user is not local users. I will test again once the firewall team opens port 3269 and post result. Thank you