
Comments (6)

nitmir commented on June 26, 2024

Hi,
The ldap authentication was only tested against openldap. https://msdn.microsoft.com/fr-fr/library/ms680851(v=vs.85).aspx seems to say that the password attribute is write only in Active Directory, so only the bind method should work (like in the Vauxia's fork, introduced in version 0.8.0).
I don't really know the differences between openldap and AD, I'll try to set up an AD server to test shortly.

from django-cas-server.

ng-celes commented on June 26, 2024

EDITED

Hi,
I've tested the "bind" option for CAS_LDAP_PASSWORD_CHECK and it looks very promising, but I have two issues with it.

  1. If I put a non-existing username I always get an exception:

'NoneType' object has no attribute '__getitem__'
Exception Location: ...venv/local/lib/python2.7/site-packages/cas_server/auth.py in test_password, line 328

For existing username and incorrect password everything works as expected
("The credentials you provided cannot be determined to be authentic." is being returned)

  2. If I put correct credentials I get an error:

'utf8' codec can't decode byte 0x82 in position 1: invalid start byte

For this issue I found a workaround. If this line:
https://github.com/nitmir/django-cas-server/blob/master/cas_server/models.py#L60
is changed to:
self._attributs = utils.json_encode(str( value ))
user authenticates.

Greetings!


nitmir commented on June 26, 2024

Can you provide the full traceback?

Doing str(value) is a no go as, instead of storing a json object, you will then only store a json string.
If you could provide a dump of some kind of the value causing the exception it would also be useful.

Are you using python2 or python3?


nitmir commented on June 26, 2024

The exception raised when putting non-existing usernames is fixed in 443c87f (dev branch)

The second one is odd. From an openldap server, ldap3 only returns unicode objects and utils.json_encode works on unicode. It looks like objects returned from your active directory server are not unicode:

In [1]: import ldap3

In [2]: from django.conf import settings

In [3]: from cas_server import auth

In [4]: conn = auth.LdapAuthUser.get_conn()

In [5]: conn.search(settings.CAS_LDAP_BASE_DN, "(uid=passoir)", attributes=ldap3.ALL_ATTRIBUTES)
Out[5]: True

In [6]: e = conn.entries[0]

In [7]: e.entry_attributes_as_dict
Out[7]: 
{u'gecos': [u'Toto Passoir,,,'],
 u'gidNumber': [100],
 u'homeDirectory': [u'/home/p/passoir'],
 u'objectClass': [u'adherent',
  u'cransAccount',
  u'posixAccount',
  u'shadowAccount'],
 u'uid': [u'passoir'],
 u'uidNumber': [4539]}

Here you can see all keys and returned string values are unicodes

In [15]: utils.json_encode(u"é")
Out[15]: '"\\u00e9"'

In [16]: utils.json_encode(u"é".encode("utf-8"))
Out[16]: '"\\u00e9"'

In [17]: utils.json_encode(u"é".encode("latin9"))
---------------------------------------------------------------------------
UnicodeDecodeError                        Traceback (most recent call last)
<ipython-input-17-ed2eed8c9008> in <module>()
----> 1 utils.json_encode(u"é".encode("latin9"))

/home/s/samir/Programme/django-cas-server/test_venv/cas/cas_server/utils.pyc in json_encode(obj)
     48     """Encode a python object to json"""
     49     try:
---> 50         return json_encode.encoder.encode(obj)
     51     except AttributeError:
     52         json_encode.encoder = DjangoJSONEncoder(default=six.text_type)

/usr/lib/python2.7/json/encoder.pyc in encode(self, o)
    199                     o = o.decode(_encoding)
    200             if self.ensure_ascii:
--> 201                 return encode_basestring_ascii(o)
    202             else:
    203                 return encode_basestring(o)

UnicodeDecodeError: 'utf8' codec can't decode byte 0xe9 in position 0: unexpected end of data

utf-8 works as it is assumed as the default encoding by some backends but we shouldn't be passing non unicode (byte strings) to utils.json_encode in the first place.

From the ldap3 doc:

The LDAP protocol stores strings in a Directory String type that should always be in utf-8. So when the ldap3 library communicate with the server it always encodes/decodes Directory strings with the utf-8 encoding.

from django-cas-server.
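
An added example (not code from django-cas-server or from anyone in this thread): one way to make LDAP attribute values JSON-safe before storing them, by decoding byte strings strictly as UTF-8 and keeping anything else losslessly as base64, rather than calling str() on the whole value. It targets Python 3; `to_json_safe`, `encode_attributes` and the sample attribute dict are hypothetical names and constructed values.

```python
import base64
import json


def to_json_safe(value):
    """Recursively convert LDAP attribute values into JSON-serializable data."""
    if isinstance(value, bytes):
        try:
            # Directory strings are expected to be UTF-8: decode strictly.
            return value.decode("utf-8")
        except UnicodeDecodeError:
            # Unknown encoding or binary data: keep it lossless, never guess.
            return {"base64": base64.b64encode(value).decode("ascii")}
    if isinstance(value, dict):
        # Keys must stay hashable strings, so undecodable bytes are escaped.
        return {
            (k.decode("utf-8", "backslashreplace") if isinstance(k, bytes) else k):
                to_json_safe(v)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [to_json_safe(v) for v in value]
    return value


def encode_attributes(attrs):
    """Serialize an attribute dict as a JSON object (not as a JSON string)."""
    # default=str covers remaining non-JSON types such as datetime values.
    return json.dumps(to_json_safe(attrs), default=str, sort_keys=True)


# Constructed sample shaped like a search result; values are made up.
SAMPLE_ATTRS = {
    "uid": ["passoir"],
    "uidNumber": [4539],
    "cn": [b"Toto Passoir"],         # bytes that are valid UTF-8
    "displayName": [b"\xe9"],        # "é" in latin9: not valid UTF-8
    "blob": [b"\x01\x82\x00\xff"],   # opaque binary, 0x82 at position 1
}

if __name__ == "__main__":
    stored = encode_attributes(SAMPLE_ATTRS)
    print(stored)
    # The object survives a round trip as a dict ...
    print(type(json.loads(stored)).__name__)
    # ... whereas str(value) round-trips as one opaque string.
    print(type(json.loads(json.dumps(str(SAMPLE_ATTRS)))).__name__)
```
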

ng-celes commented on June 26, 2024

Hi,
first of all thank you for your help and support.

About my second issue:

I usually use Python 2.7, and using this version when recreating your shell code gives UnicodeDecodeError.
However, when I changed the Python version to 3.5 there was no error in the shell and Django CAS Server also started properly authorizing existing users.

By the way - I use ldap3 version 1.4.0 (because the 2.x family stores custom exceptions in another place - I had conflicts in cas-server/auth.py). Is this the correct approach and a compatible version? I'm asking because when I was testing code in the shell, I had an exception: ldap3.core.exceptions.LDAPAttributeError: attribute 'entry_attributes_as_dict' not found.

By the way #2 - maybe this can be helpful - version 2.2.2 of ldap3 added RESPONSE_DN_ENCODING in config for flaky servers that return non utf-8 (more info at http://ldap3.readthedocs.io/encoding.html)

About my first issue:

> The exception raised when putting non-existing usernames is fixed in 443c87f (dev branch)

When (more or less) is this fix expected to be put in the prod branch?

Greetings!


nitmir commented on June 26, 2024

Normally, ldap3 2.x branch support is fixed in 1dba4fe
