[Briefly describe your problem]
After changing the LDAP configuration in the web UI, none of the parameters except the LDAP address take effect, so users cannot log in.
Version used
[Please provide the Jumpserver version you are using, 1.x.x; note: 0.3.x is no longer supported]
1.4.4
OS: CentOS 7.5
Python 3.6.7
Steps to reproduce
1. We initially used a self-hosted OpenLDAP server with the following parameters:
LDAP address: ldap://10.xx.xx.xxx:389
Bind DN: uid=ldapusr,cn=users,cn=accounts,dc=company,dc=org123
Password: xxxxx
User OU: dc=company,dc=org123
User filter: (uid=%(user)s)
LDAP attribute map: {"username": "uid", "name": "cn", "email": "mail"}
2. This configuration worked without problems for more than half a year, across several version upgrades up to 1.4.4.
Later, to simplify management, we prepared to connect to Windows AD and changed the LDAP authentication parameters as follows:
LDAP address: ldap://10.xx.xxx.xxx:389
Bind DN: CN=ldap02,OU=Pub,OU=XXX,DC=company,DC=org456
Password: xxxxx
User OU: OU=部门3,OU=部门2,OU=部门1,DC=company,DC=org456
User filter: (sAMAccountName=%(user)s)
LDAP attribute map: {"username": "sAMAccountName", "name": "cn", "email": "mail"}
3. The usernames in Windows AD are identical to those in OpenLDAP. After the change, the connection test returned the expected number of matched users. After running ./jms restart all, users could not log in; the login log gives the reason as "username/password verification failed". Capturing on the network interface with tcpdump showed that although Jumpserver was communicating with the Windows AD server, it was still using the user OU and user filter from the old OpenLDAP setup. In other words, apart from the LDAP address, none of the modified parameters took effect.
4. Restarting the virtual machine hosting Jumpserver and bringing each component back up did not resolve the problem.
Specific behaviour [screenshots may help; ideally capture the whole screen]
Log produced when changing the LDAP configuration:
2018-12-13 15:37:44 [signals_handler DEBUG] Receive django ready signal
2018-12-13 15:37:44 [signals_handler DEBUG] - fresh all settings
2018-12-13 15:37:44 [signals_handler DEBUG] Receive django ready signal
2018-12-13 15:37:44 [signals_handler DEBUG] Receive django ready signal
2018-12-13 15:37:44 [signals_handler DEBUG] - fresh all settings
2018-12-13 15:37:44 [signals_handler DEBUG] - fresh all settings
2018-12-13 15:37:44 [signals_handler DEBUG] Receive django ready signal
2018-12-13 15:37:44 [signals_handler DEBUG] - fresh all settings
2018-12-13 15:42:01 [signals_handler DEBUG] Receive setting item change
2018-12-13 15:42:01 [signals_handler DEBUG] - refresh setting: AUTH_LDAP_SERVER_URI
2018-12-13 15:42:01 [signals_handler DEBUG] Receive setting item change
2018-12-13 15:42:01 [signals_handler DEBUG] - refresh setting: AUTH_LDAP_BIND_DN
2018-12-13 15:42:01 [signals_handler DEBUG] Receive setting item change
2018-12-13 15:42:01 [signals_handler DEBUG] - refresh setting: AUTH_LDAP_BIND_PASSWORD
2018-12-13 15:42:01 [signals_handler DEBUG] Receive setting item change
2018-12-13 15:42:01 [signals_handler DEBUG] - refresh setting: AUTH_LDAP_SEARCH_OU
2018-12-13 15:42:01 [signals_handler DEBUG] Receive setting item change
2018-12-13 15:42:01 [signals_handler DEBUG] - refresh setting: AUTH_LDAP_SEARCH_FILTER
2018-12-13 15:42:01 [signals_handler DEBUG] Receive setting item change
2018-12-13 15:42:01 [signals_handler DEBUG] - refresh setting: AUTH_LDAP_USER_ATTR_MAP
2018-12-13 15:42:01 [signals_handler DEBUG] Receive setting item change
2018-12-13 15:42:01 [signals_handler DEBUG] - refresh setting: AUTH_LDAP
2018-12-13 15:42:01 [signals_handler DEBUG] Enable LDAP auth
No log is produced when a user login fails.
Other
[Note:] Please close the issue once this is resolved.
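The log above shows each AUTH_LDAP_* key being refreshed one at a time, yet the capture showed the old search OU and filter still on the wire. The issue does not identify the cause, so the following is an added illustration (not Jumpserver's code, and not a claim about its internals) of one mechanism that produces exactly this symptom: a per-key refresh updates scalar settings, but a composed search object built at startup from the OU and filter is never rebuilt. The server names, OU values and the Settings/LDAPSearch classes are constructed for the example; the filter template also escapes the username per RFC 4515 before substitution, which is the check a reviewer would want on any `%(user)s`-style filter.

```python
# Added example, not Jumpserver's code. It reproduces the reported symptom
# (server URI updates, search OU and filter stay stale) with a naive per-key
# refresh, then shows a refresh that rebuilds derived objects. All values are
# constructed placeholders.


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so that user-supplied text
    cannot change the structure of the search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


class LDAPSearch:
    """A composed search object: it copies the base DN and filter template
    at construction time, so later changes to the scalar settings it was
    built from are invisible to it unless it is rebuilt."""

    def __init__(self, base_dn, filter_tmpl):
        self.base_dn = base_dn
        self.filter_tmpl = filter_tmpl

    def filter_for(self, username):
        return self.filter_tmpl % {"user": escape_filter_value(username)}


# Constructed stand-ins for the two configurations in the report.
OPENLDAP = {
    "AUTH_LDAP_SERVER_URI": "ldap://openldap.example.invalid:389",
    "AUTH_LDAP_SEARCH_OU": "dc=company,dc=org123",
    "AUTH_LDAP_SEARCH_FILTER": "(uid=%(user)s)",
}
WINDOWS_AD = {
    "AUTH_LDAP_SERVER_URI": "ldap://ad.example.invalid:389",
    "AUTH_LDAP_SEARCH_OU": "OU=dept3,OU=dept2,OU=dept1,DC=company,DC=org456",
    "AUTH_LDAP_SEARCH_FILTER": "(sAMAccountName=%(user)s)",
}

# Derived objects and the scalar keys each one depends on (hypothetical names).
DERIVED = {
    "AUTH_LDAP_USER_SEARCH": (
        ("AUTH_LDAP_SEARCH_OU", "AUTH_LDAP_SEARCH_FILTER"),
        lambda s: LDAPSearch(s["AUTH_LDAP_SEARCH_OU"], s["AUTH_LDAP_SEARCH_FILTER"]),
    ),
}


class Settings:
    def __init__(self, values, rebuild_derived):
        self.values = dict(values)
        self.rebuild_derived = rebuild_derived
        # Composed objects are built once from the startup values.
        self.derived = {name: build(self.values) for name, (_, build) in DERIVED.items()}

    def refresh(self, key, value):
        """Handler for a 'setting item change' event for a single key."""
        self.values[key] = value
        if not self.rebuild_derived:
            return  # naive: scalar updated, composed object left untouched
        for name, (deps, build) in DERIVED.items():
            if key in deps:
                self.derived[name] = build(self.values)

    def effective(self, username):
        """The URI, base DN and filter the backend would actually send."""
        search = self.derived["AUTH_LDAP_USER_SEARCH"]
        return (self.values["AUTH_LDAP_SERVER_URI"], search.base_dn, search.filter_for(username))


def simulate(rebuild_derived):
    """Start on the OpenLDAP values, refresh every key to the AD values one by
    one (as the log shows), and report what a login for 'alice' would use."""
    s = Settings(OPENLDAP, rebuild_derived)
    for key, value in WINDOWS_AD.items():
        s.refresh(key, value)
    return s.effective("alice")


if __name__ == "__main__":
    print("naive refresh  :", simulate(False))
    print("rebuilt derived:", simulate(True))
```

With the naive refresh the URI changes but the base DN and filter are still the OpenLDAP ones, matching what the packet capture in the report showed; rebuilding the derived search object on every change to its inputs makes all three values follow the new configuration. Comparing `effective()` output against the values shown in the web UI is a cheaper check than tcpdump when diagnosing this kind of stale-setting problem.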