LDAP config - no way to set AUTH_LDAP_USER_DN_TEMPLATE for direct bind mode
Steps to reproduce
Trying to configure LDAP auth with direct binding, following docs here: https://docs.funkwhale.audio/admin/ldap.html.
These are my config env vars:
LDAP_ENABLED=True
LDAP_SERVER_URI=ldaps://synology.local:636
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER=True
LDAP_ROOT_DN=cn=users,dc=synology,dc=local
What happens?
Error is logged that Funkwhale is trying to perform an anonymous bind.
2022-12-20 23:46:38,507 django_auth_ldap WARNING Caught LDAPError while authenticating blah: INAPPROPRIATE_AUTH({'msgtype': 97, 'msgid': 1, 'result': 48, 'desc': 'Inappropriate authentication', 'ctrls': [], 'info': 'anonymous bind disallowed'})
What is expected?
Funkwhale binds to LDAP using credentials of the user that is trying to login, successfully authenticates and logs the user in.
Context
After reading https://django-auth-ldap.readthedocs.io/en/latest/authentication.html#direct-bind and https://django-auth-ldap.readthedocs.io/en/latest/reference.html#auth-ldap-bind-dn, I got it to work by adding the following lines to /app/config/settings/common.py and setting AUTH_LDAP_USER_DN_TEMPLATE=uid=%(user)s,cn=users,dc=synology,dc=local:

    AUTH_LDAP_USER_DN_TEMPLATE = env(
        "AUTH_LDAP_USER_DN_TEMPLATE", default=None
    )
(similar to https://dev.funkwhale.audio/funkwhale/funkwhale/-/blob/develop/api/config/settings/common.py#L697)
My understanding is that without AUTH_LDAP_USER_DN_TEMPLATE, Django falls back to searching for the user in LDAP_ROOT_DN, and to do that it needs creds: LDAP_BIND_DN and LDAP_BIND_PASSWORD. If those are empty it tries an anonymous bind.
Also, it seems like with direct binds LDAP_ROOT_DN becomes unnecessary, as it's only needed when searching for a user's DN.
Funkwhale version(s) affected: 1.2.9
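A small pre-deployment checker, added here as an example (not Funkwhale's or django-auth-ldap's own code), that applies the precedence described in the report to a set of env vars and flags the combination that produces the anonymous bind; the function names are hypothetical, and the env var names are the ones used in the report.

```python
def ldap_settings_from_env(env: dict) -> dict:
    """Map the report's env vars onto django-auth-ldap settings.
    Assumption: the same names Funkwhale reads, plus the reporter's added
    AUTH_LDAP_USER_DN_TEMPLATE line (default None when unset or empty)."""
    def flag(name: str) -> bool:  # env values arrive as strings like "True"
        return env.get(name, "False").strip().lower() in ("1", "true", "yes")
    return {
        "AUTH_LDAP_SERVER_URI": env.get("LDAP_SERVER_URI", ""),
        "AUTH_LDAP_BIND_DN": env.get("LDAP_BIND_DN", ""),
        "AUTH_LDAP_BIND_PASSWORD": env.get("LDAP_BIND_PASSWORD", ""),
        "AUTH_LDAP_BIND_AS_AUTHENTICATING_USER": flag("AUTH_LDAP_BIND_AS_AUTHENTICATING_USER"),
        "AUTH_LDAP_USER_DN_TEMPLATE": env.get("AUTH_LDAP_USER_DN_TEMPLATE") or None,
        "LDAP_ROOT_DN": env.get("LDAP_ROOT_DN", ""),
    }


def bind_strategy(settings: dict) -> str:
    """Which bind django-auth-ldap attempts first to resolve the user's DN:
    a USER_DN_TEMPLATE gives a direct bind as the user; otherwise it searches
    under BIND_DN, and an empty BIND_DN means an anonymous bind."""
    if settings["AUTH_LDAP_USER_DN_TEMPLATE"]:
        return "direct-bind"
    if settings["AUTH_LDAP_BIND_DN"]:
        return "search-with-bind-dn"
    return "search-anonymous"


def lint_ldap_config(env: dict) -> list:
    """Return warnings for configurations that will fail or are redundant."""
    s = ldap_settings_from_env(env)
    strategy = bind_strategy(s)
    warnings = []
    if strategy == "search-anonymous":
        warnings.append("no AUTH_LDAP_USER_DN_TEMPLATE and no LDAP_BIND_DN: "
                        "the user search will use an anonymous bind")
    if strategy == "direct-bind":
        if "%(user)s" not in s["AUTH_LDAP_USER_DN_TEMPLATE"]:
            warnings.append("AUTH_LDAP_USER_DN_TEMPLATE must contain %(user)s")
        if s["LDAP_ROOT_DN"]:
            warnings.append("LDAP_ROOT_DN is unused with a direct bind")
    return warnings


# Constructed sample: the env vars from the report, without the template.
REPORTED_ENV = {
    "LDAP_ENABLED": "True",
    "LDAP_SERVER_URI": "ldaps://synology.local:636",
    "AUTH_LDAP_BIND_AS_AUTHENTICATING_USER": "True",
    "LDAP_ROOT_DN": "cn=users,dc=synology,dc=local",
}
```

Running lint_ldap_config(REPORTED_ENV) reports the anonymous-bind case; adding AUTH_LDAP_USER_DN_TEMPLATE switches the strategy to a direct bind.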