Active Directory authentication not working

Hello,

I can’t get the LDAP Authentication working against an Active Directory LDAP.

I’m using the docker image redash/redash:8.0.0.b32245 with the following settings :

REDASH_LDAP_BIND_DN: MY_DOMAIN\\My_User
REDASH_LDAP_CUSTOM_USERNAME_PROMPT: 'Please enter domain account:'
REDASH_LDAP_DISPLAY_NAME_KEY: displayName
REDASH_LDAP_EMAIL_KEYvalue: mail
REDASH_LDAP_LOGIN_ENABLED: "true"
REDASH_LDAP_SEARCH_DN: dc=domain,dc=com
REDASH_LDAP_SEARCH_TEMPLATE: (sAMAccountName=%(username)s)
REDASH_LDAP_URL: ad_server.domain.com
REDASH_LDAP_USE_SSL: "false"
REDASH_PASSWORD_LOGIN_ENABLED: "false"

I first tried in SIMPLE mode but always got an error on the binding. I think that there is something wrong in the /app/redash/authentication/ldap_auth.py file :

def auth_ldap_user(username, password):
    server = Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)
    if settings.LDAP_BIND_DN is not None:
        conn = Connection(
            server,
            settings.LDAP_BIND_DN,
            password=settings.LDAP_BIND_DN_PASSWORD,
            authentication=settings.LDAP_AUTH_METHOD,
            auto_bind=True
        )

It should be “user=settings.LDAP_BIND_DN,” instead of “settings.LDAP_BIND_DN”, right ?

After that change, it was still not working tho.

I switch to NTLM (from the ldap3 python documentation) and I tried directly in python :

from redash import settings
from ldap3 import Server, Connection

def auth_ldap_user(username, password):
    server = Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)
    if settings.LDAP_BIND_DN is not None:
        conn = Connection(
            server,
            user=settings.LDAP_BIND_DN,
            password=settings.LDAP_BIND_DN_PASSWORD,
            authentication=settings.LDAP_AUTH_METHOD,
            auto_bind=True
        )
    else:
        conn = Connection(server, auto_bind=True)
	conn.search(settings.LDAP_SEARCH_DN, settings.LDAP_SEARCH_TEMPLATE % {"username": username}, attributes=[settings.LDAP_DISPLAY_NAME_KEY, settings.LDAP_EMAIL_KEY])
    if len(conn.entries) == 0:
		return None
    user = conn.entries[0]
    if not conn.rebind(user=user.entry_dn, password=password):
		return None
    return user

auth_ldap_user('myuser','mypassword')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 9, in auth_ldap_user
  File "/usr/local/lib/python2.7/site-packages/ldap3/core/connection.py", line 326, in __init__
    self.do_auto_bind()
  File "/usr/local/lib/python2.7/site-packages/ldap3/core/connection.py", line 343, in do_auto_bind
    self.bind(read_server_info=True)
  File "/usr/local/lib/python2.7/site-packages/ldap3/core/connection.py", line 577, in bind
    raise LDAPUnknownAuthenticationMethodError(self.last_error)
ldap3.core.exceptions.LDAPUnknownAuthenticationMethodError: NTLM needs domain\username and a password

But if i replace the settings.LDAP_BIND_DN variable by its value, it’s working fine :

from redash import settings
from ldap3 import Server, Connection

print settings.LDAP_BIND_DN
MYDOMAIN\\My_User

def auth_ldap_user(username, password):
    server = Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)
    if settings.LDAP_BIND_DN is not None:
        conn = Connection(
            server,
            user="MYDOMAIN\\My_User",
            password=settings.LDAP_BIND_DN_PASSWORD,
            authentication=settings.LDAP_AUTH_METHOD,
            auto_bind=True
        )
    else:
        conn = Connection(server, auto_bind=True)
	conn.search(settings.LDAP_SEARCH_DN, settings.LDAP_SEARCH_TEMPLATE % {"username": username}, attributes=[settings.LDAP_DISPLAY_NAME_KEY, settings.LDAP_EMAIL_KEY])
    if len(conn.entries) == 0:
		return None
    user = conn.entries[0]
    if not conn.rebind(user=user.entry_dn, password=password):
		return None
    return user

auth_ldap_user('myuser','mypassword')

Also try with SIMPLE mode and the result is the same, it’s not working with settings.LDAP_BIND_DN but working the value.

But it’s still not working on the website, still get a Internal Server Error :

[2019-11-26 09:56:37,170][PID:14][INFO][metrics] method=GET path=/ldap/login endpoint=ldap_auth_login status=200 content_type=text/html; charset=utf-8 content_length=1754 duration=1.89 query_count=0 query_duration=0.00

[2019-11-26 09:56:38,382] ERROR in app: Exception on /ldap/login [POST]

Traceback (most recent call last):

  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python2.7/site-packages/flask_restful/__init__.py", line 271, in error_router
    return original_handler(e)
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/app/redash/authentication/ldap_auth.py", line 39, in login
    ldap_user = auth_ldap_user(request.form['email'], request.form['password'])
  File "/app/redash/authentication/ldap_auth.py", line 71, in auth_ldap_user
    auto_bind=True
  File "/usr/local/lib/python2.7/site-packages/ldap3/core/connection.py", line 326, in __init__
    self.do_auto_bind()
  File "/usr/local/lib/python2.7/site-packages/ldap3/core/connection.py", line 343, in do_auto_bind
    self.bind(read_server_info=True)
  File "/usr/local/lib/python2.7/site-packages/ldap3/core/connection.py", line 577, in bind
    raise LDAPUnknownAuthenticationMethodError(self.last_error)
LDAPUnknownAuthenticationMethodError: NTLM needs domain\username and a password`

What am i doing wrong ? Is there someone who was successful to bind to an Active Directory ?

Regards,

Johan