Home / server / Questions / 364185
In Process
organicveggie
Asked: 2012-02-28 08:48:46 +0800 CST

LDAP authentication with Graphite

  • 772

I have setup Graphite Web 0.9.9 on CentOS 6.2 x86_64 at EC2 and I'm trying to get LDAP authentication to work against 389 Directory Server. I have configured local_settings.py with:

  • USE_LDAP_AUTH
  • LDAP_URI
  • LDAP_SEARCH_BASE
  • LDAP_BASE_USER
  • LDAP_BASE_PASS
  • LDAP_USER_QUERY

But I still get "Authentication attempt failed" every time I try to log in. Looking at the logs on the LDAP server, it doesn't look like graphite-web is connecting to the LDAP server at all. Unfortunately, I don't see anything useful in the logs on the graphite server - I only see "access.log" and "info.log". "error.log" and "exception.log" are empty.

Any bright ideas on what can I do to further troubleshoot this?

django ldap 389-ds graphite

4 Answers

  1. Did you have the python-ldap package installed on this centos 6 host?

    I got this working after installing it, a minimal centos installation does not include it, and the graphite packages from epel don't mark it a a dependency. You will need to reload httpd after installing it.

    • 1

  2. Access logs should include everything about the connection request. Start with isolating firewall & try a telnet. If you can telnet, Try to run native ldapsearch against ldap server & see if it returns data.

    Access logs will contain all data related to that connection. Paste access logs after sanitizing IP address to investigate the issue. You can also mail to [email protected] for any issues.

    • 0

  3. If you're using LDAP to communicate with an Active Directory server, Try turning off referral chasing.

    I added these lines to local_settings.py.

    import ldap
ldap.set_option(ldap.OPT_REFERRALS, 0) 
# Critcal for preventing timeouts due to AD search referrals not supported by LDAP v3.
# http://code.google.com/p/reviewboard/issues/detail?id=1641
    • 0

  4. Since django 1.11,

    The HttpRequest is now passed to authenticate() which in turn passes it to the authentication backend if it accepts a request argument.

    Then, since django 2.1,

    The authenticate() method of authentication backends requires request as the first positional argument.

    And it seems like graphite, in particular graphite/account/ldapBackend.py was never updated. I added request as first parameter of authenticate in that file and login worked for me:

    --- /usr/lib/python3/dist-packages/graphite/account/ldapBackend.py.old  2021-04-28 18:15:22.691462314 +0200
+++ /usr/lib/python3/dist-packages/graphite/account/ldapBackend.py  2021-04-28 18:19:30.654464317 +0200
@@ -18,7 +18,7 @@


 class LDAPBackend:
-  def authenticate(self, username=None, password=None):
+  def authenticate(self, request, username=None, password=None):
     if settings.LDAP_USER_DN_TEMPLATE is not None:
       settings.LDAP_BASE_USER = settings.LDAP_USER_DN_TEMPLATE % {'username': username}
       settings.LDAP_BASE_PASS = password
    • 0