Caught LDAPError while authenticating: INSUFFICIENT_ACCESS

[arnaudvre]

Hey, so as far as I can tell (of course) I've got LDAP configured correctly, I know ldap is working as it's used to authenticate elsewhere without issues. It seems that django is complaining about a lack of privileges that the read-only account has but it's not telling anything more specific. I don't think it's complaining about a lack of access the user I'm trying to login with has because it's part of the netbox_admins group in ldap.

The django-ldap-debug.log:

Binding as cn=xxx,ou=users,dc=xxx,dc=xxx,dc=xxx,dc=com
Binding as cn=xxx,dc=xxx,dc=xxx,dc=xxx,dc=com
Caught LDAPError while authenticating: INSUFFICIENT_ACCESS({'msgtype': 111, 'msgid': 3, 'result': 50, 'desc': 'Insufficient access', 'ctrls': []})

The relevant section of ldap_config.py:

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=netbox_users,ou=groups,dc=xxx,dc=xxx,dc=xxx,dc=com",
    "is_staff": "cn=netbox_staff,ou=groups,dc=xxx,dc=xxx,dc=xxx,dc=com",
    "is_superuser": "cn=netbox_admins,ou=groups,dc=xxx,dc=xxx,dc=xxx,dc=com"
}

Let me know if you need the full dap_config.py

Thanks!

[arnaudvre]

I've tried adding the ldap read-only service account to the "is_active" ldap group which is the same group I'm using for AUTH_LDAP_REQUIRE_GROUP. Does the service account need to be in the same OU as the normal users by any chance?

[ahmzaa]

Looks like you may be missing the ou for the netbox_bind user if it exists in one in your ldap. I assume it would also be ou=users

Binding as cn=xxx,dc=xxx,dc=xxx,dc=xxx,dc=com

try adding ou to

AUTH_LDAP_BIND_DN

Although I may be wrong as its not complaining about user not found or password wrong.

[arnaudvre]

You're correct, the ldap read-only service account is not in the ou with all the other users and service accounts, it's at the root of the dit. As mentioned, this does not cause any problem elsewhere where the same service account is used as part of authenticating users.