Friday, December 03, 2021

django-ldap-auth authentication lasts several minutes on OpenBSD

Hello
I am not quite sure if the question belongs here, but it seems to be
related to the OS where django-ldap-auth is used as an LDAP client.

I have a working django application which uses django-ldap-auth to
authenticate active directory users to django.
The AD DC machine is an Ubuntu 20 machine with samba 4.
The test machine where I initially had all the code, and from which I initially tested this application,
is a Linux Mint machine.
I enabled some logging in Django to see what happens when I log
in to the application.
When I run "python manage.py runserver 0.0.0.0:8080" on my Linux machine
and try to authenticate to the application in my browser on the same machine I am logged in
within a second.
When I run "python manage.py runserver 0.0.0.0:8080" on the OpenBSD test
server and try to authenticate to the application from my browser
(using the OpenBSD machine's IP or hostname), it takes several minutes.
There is no error in the application log. Just a big delay till I am
successfully authenticated.
There is no difference in the log output from manage.py process:

```
[02/Dec/2021 22:41:59] "GET /accounts/login/?next=/sdp/ HTTP/1.1" 200 1987
Initiating TLS
```

Here I have to wait several minutes on OpenBSD.
Then it goes further:

```
search_s('dc=domain,dc=ru', 2, 'sAMAccountName=%(user)s') returned 1 objects: cn=Ivan Ivanov,ou=it,dc=domain,dc=ru
cn=Ivan Ivanov,ou=it,dc=domain,dc=ru is a member of cn=sd,ou=groups,dc=domain,dc=ru
Populating Django user i.ivanov
cn=Ivan Ivanov,ou=it,dc=domain,dc=ru is a member of cn=sd,ou=groups,dc=domain,dc=ru
cn=Ivan Ivanov,ou=it,dc=domain,dc=ru is a member of cn=sd,ou=groups,dc=domain,dc=ru
[02/Dec/2021 22:45:50] "POST /accounts/login/ HTTP/1.1" 302 0
```
By the way, I have an OpenLDAP client installed as a dependency on the same OpenBSD machine and a .ldaprc file in my home directory with some parameters set:

```
BASE dc=domain,dc=ru
BINDDN cn=bind,ou=IT,dc=domain,dc=ru
URI ldap://dc.domain.ru

SIZELIMIT 12000
TIMELIMIT 15
TLS_CACERT /home/myuser/samba-ca.pem
TLS_REQCERT demand
```

With this file in my profile I can run ldapsearch like this:

```
ldapsearch -x -ZZ -W "(sAMAccountName=bind)"
```

After I enter my ldap password it succeeds without any pause.
Similar parameters are used in the Django settings.py related to LDAP:

```
import ldap
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_SERVER_URI = 'ldap://dc.domain.ru'
AUTH_LDAP_BIND_DN = "CN=bind,OU=IT,DC=domain,DC=ru"
AUTH_LDAP_BIND_PASSWORD = "mypasswd"
AUTH_LDAP_AUTHORIZE_ALL_USERS = True
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"dc=domain,dc=ru", ldap.SCOPE_SUBTREE, "sAMAccountName=%(user)s"
)
...
...
AUTH_LDAP_START_TLS = True
AUTH_LDAP_GLOBAL_OPTIONS = {
ldap.OPT_X_TLS_CACERTFILE: '/home/myuser/samba-ca.pem',
ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_DEMAND,
}
```

What option specific to OpenBSD may I be missing in my configuration?


--
Maksim Rodin
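An added diagnostic script (not part of the original post) that reproduces the steps django-auth-ldap performs with python-ldap, namely StartTLS, simple bind and the user search, and times each one separately so the phase that stalls on OpenBSD can be isolated from the others. It reuses the URI, DNs and CA path from the post, assumes python-ldap is installed on the machine being tested, and uses a placeholder bind password; the `time_phases` and `slowest_phase` helpers are hypothetical names and need no LDAP server.

```python
import socket
import sys
import time
from typing import Callable, Dict

try:
    import ldap  # python-ldap, the client library django-auth-ldap is built on
except ImportError:  # only needed for the live run, not for time_phases()
    ldap = None

# Connection parameters taken from the post; the password is a placeholder.
SERVER_HOST = "dc.domain.ru"
SERVER_URI = f"ldap://{SERVER_HOST}"
BIND_DN = "CN=bind,OU=IT,DC=domain,DC=ru"
BIND_PW = "REPLACE_ME"
BASE_DN = "dc=domain,dc=ru"
CACERT = "/home/myuser/samba-ca.pem"


def time_phases(phases: Dict[str, Callable[[], object]]) -> Dict[str, float]:
    """Run the phases in order and return the seconds each one took."""
    timings: Dict[str, float] = {}
    for name, fn in phases.items():
        started = time.monotonic()
        fn()
        timings[name] = time.monotonic() - started
    return timings


def slowest_phase(timings: Dict[str, float]) -> str:
    """Name of the phase that consumed the most time."""
    return max(timings, key=timings.get)


def ldap_phases(user: str) -> Dict[str, Callable[[], object]]:
    """The same steps django-auth-ldap performs, exposed as timed phases."""
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize(SERVER_URI)
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 30)  # fail fast instead of hanging
    return {
        "dns": lambda: socket.getaddrinfo(SERVER_HOST, 389),
        "start_tls": conn.start_tls_s,
        "bind": lambda: conn.simple_bind_s(BIND_DN, BIND_PW),
        "search": lambda: conn.search_s(BASE_DN, ldap.SCOPE_SUBTREE, f"(sAMAccountName={user})"),
    }


if __name__ == "__main__":
    result = time_phases(ldap_phases(sys.argv[1] if len(sys.argv) > 1 else "bind"))
    for name, secs in result.items():
        print(f"{name:10s} {secs:8.2f}s")
    print("slowest:", slowest_phase(result))
```

Running it on both the Linux Mint and the OpenBSD machine and comparing the per-phase timings shows whether the minutes are spent in name resolution, the TLS handshake or the directory operations.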
