This repository has been archived by the owner on Jun 23, 2024. It is now read-only.

Integrating SAL with AD and UPN #2

Open
ygini opened this issue May 30, 2016 · 0 comments
ygini commented May 30, 2016

Hi

As said previously, I'm trying to integrate SAL login with AD and use the UPN instead of the SAM to log in.

We have a PCI DSS compatible setup with two accounts per IT person (a standard one for regular service and a personal admin one for IT-specific tasks on servers, network devices, etc.).

This means logging in with the following format:

We use the ext tag to specify that the user is not an employee but a contractor.

Due to the length of all the usernames we can't use the SAM account name. It would end up with usernames that are impossible to memorize. So we must use the UPN for all services.

SAL uses the Django LDAP backend and inherits its limitations related to username length. I've managed to find a solution that should work: logging in with the UPN and mapping the username to the SAM.

import ldap
from django_auth_ldap.config import LDAPSearch

# Look the user up by the UPN that is typed at the login form...
AUTH_LDAP_USER_SEARCH = LDAPSearch("OU=Members,DC=corp,DC=example,DC=com", ldap.SCOPE_SUBTREE, "(userPrincipalName=%(user)s)")

# ...and store the sAMAccountName as the Django username
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
    "username": "sAMAccountName",  # attribute name must be a string
}

The first time I log in, it works. I get authenticated and my username in the DB is the SAM one. So, perfect.

But at the second login I get an error saying that the username already exists. Here is the sal.log content:

[30/May/2016 08:26:01] ERROR [django.request:256] Internal Server Error: /login
Traceback (most recent call last):
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/core/handlers/base.py", line 132, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/views/decorators/debug.py", line 76, in sensitive_post_parameters_wrapper
    return view(request, *args, **kwargs)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/utils/decorators.py", line 110, in _wrapped_view
    response = view_func(request, *args, **kwargs)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/contrib/auth/views.py", line 44, in login
    if form.is_valid():
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/forms/forms.py", line 184, in is_valid
    return self.is_bound and not self.errors
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/forms/forms.py", line 176, in errors
    self.full_clean()
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/forms/forms.py", line 393, in full_clean
    self._clean_form()
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/forms/forms.py", line 417, in _clean_form
    cleaned_data = self.clean()
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/contrib/auth/forms.py", line 157, in clean
    password=password)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/contrib/auth/__init__.py", line 74, in authenticate
    user = backend.authenticate(**credentials)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django_auth_ldap/backend.py", line 167, in authenticate
    user = ldap_user.authenticate(password)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django_auth_ldap/backend.py", line 339, in authenticate
    self._get_or_create_user()
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django_auth_ldap/backend.py", line 575, in _get_or_create_user
    self._user.save()
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/base.py", line 734, in save
    force_update=force_update, update_fields=update_fields)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/base.py", line 762, in save_base
    updated = self._save_table(raw, cls, force_insert, force_update, using, update_fields)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/base.py", line 827, in _save_table
    forced_update)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/base.py", line 877, in _do_update
    return filtered._update(values) > 0
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/query.py", line 580, in _update
    return query.get_compiler(self.db).execute_sql(CURSOR)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/sql/compiler.py", line 1062, in execute_sql
    cursor = super(SQLUpdateCompiler, self).execute_sql(result_type)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/sql/compiler.py", line 840, in execute_sql
    cursor.execute(sql, params)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/backends/utils.py", line 64, in execute
    return self.cursor.execute(sql, params)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/utils.py", line 97, in __exit__
    six.reraise(dj_exc_type, dj_exc_value, traceback)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/backends/utils.py", line 64, in execute
    return self.cursor.execute(sql, params)
  File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/backends/mysql/base.py", line 124, in execute
    return self.cursor.execute(query, args)
  File "/usr/lib64/python2.7/site-packages/MySQLdb/cursors.py", line 174, in execute
    self.errorhandler(self, exc, value)
  File "/usr/lib64/python2.7/site-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
    raise errorclass, errorvalue
IntegrityError: (1062, "Duplicate entry 'yoann.gini-ext-adm' for key 'username'")
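The traceback ends in an UPDATE that violates the unique key on `username`, which is what you get when the key used to look the user up (the UPN as typed) is not the key that ends up stored (the sAMAccountName written by the attribute map): the first login creates a row under the UPN and then renames it to the SAM name, and the second login finds no row under the UPN, creates a fresh one, and collides when it tries to rename it too. The following added example (not code from the issue or from SAL or django-auth-ldap) models that flow against an in-memory table with a unique index, using a constructed directory entry, and then shows the variant that resolves the typed UPN to the SAM name before the get-or-create so the lookup key and the stored key agree. Names such as `UserTable`, `login_as_configured` and `DIRECTORY` are hypothetical stand-ins, not Django APIs.

```python
"""Model of the two-login failure: lookup key (UPN) differs from stored key (SAM)."""

# Constructed sample directory entry (UPN -> attributes); not a real account.
DIRECTORY = {
    "yoann.gini-ext-adm@corp.example.com": {
        "givenName": "Yoann",
        "sn": "Gini",
        "mail": "yoann.gini-ext-adm@corp.example.com",
        "sAMAccountName": "yoann.gini-ext-adm",
    },
}

# Same mapping as in the posted settings.
ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
    "username": "sAMAccountName",
}


class IntegrityError(Exception):
    """Stand-in for the database's unique-key violation."""


class UserTable:
    """Minimal user table with a unique index on the username column."""

    def __init__(self):
        self.rows = {}  # primary key -> row dict
        self.next_pk = 1

    def get(self, username):
        for pk, row in self.rows.items():
            if row["username"] == username:
                return pk
        return None

    def _assert_unique(self, username, pk):
        # Reject a username already held by a different row.
        for other_pk, row in self.rows.items():
            if other_pk != pk and row["username"] == username:
                raise IntegrityError(f"Duplicate entry '{username}' for key 'username'")

    def get_or_create(self, username):
        pk = self.get(username)
        if pk is not None:
            return pk
        self._assert_unique(username, None)
        pk = self.next_pk
        self.next_pk += 1
        self.rows[pk] = {"username": username}  # INSERT keyed by the lookup name
        return pk

    def update(self, pk, **fields):
        if "username" in fields:
            self._assert_unique(fields["username"], pk)  # UPDATE may rename the row
        self.rows[pk].update(fields)


def login_as_configured(table, typed_upn):
    """Mirror the posted config: look up by the typed UPN, then overwrite username from the attribute map."""
    attrs = DIRECTORY[typed_upn]
    pk = table.get_or_create(typed_upn)  # lookup key is the UPN
    table.update(pk, **{k: attrs[v] for k, v in ATTR_MAP.items()})  # stored key becomes the SAM name
    return table.rows[pk]["username"]


def login_with_normalized_key(table, typed_upn):
    """Fix: resolve the typed UPN to the SAM name before get-or-create so both keys agree."""
    attrs = DIRECTORY[typed_upn]
    django_username = attrs["sAMAccountName"]
    pk = table.get_or_create(django_username)
    table.update(pk, **{k: attrs[v] for k, v in ATTR_MAP.items()})
    return table.rows[pk]["username"]


def run(login):
    """Log in twice with the same UPN; return (first username, second username or error, row count)."""
    table = UserTable()
    upn = "yoann.gini-ext-adm@corp.example.com"
    first = login(table, upn)
    try:
        second = login(table, upn)
    except IntegrityError as exc:
        second = f"IntegrityError: {exc}"
    # Row count shows whether the failed second login left an orphan row behind.
    return first, second, len(table.rows)


if __name__ == "__main__":
    print("as configured:", run(login_as_configured))
    print("normalized key:", run(login_with_normalized_key))
```

Running the block prints the duplicate-entry error for the configured flow (with a second, orphaned row left in the table) and a clean repeat login for the normalized flow. In django-auth-ldap the place to apply the normalization is the `ldap_to_django_username` hook on `LDAPBackend` (and its inverse `django_to_ldap_username` for the search); since the SAM name here is not derivable from the UPN string, that hook would need its own directory lookup, which is an assumption about how the installed version behaves rather than something the issue confirms.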