From ef41ba3117aeaf8de59ba5977d9b824e99f7e74c Mon Sep 17 00:00:00 2001
From: BaiJiangJie
Date: Fri, 25 Oct 2019 17:09:22 +0800
Subject: [PATCH] =?UTF-8?q?[Update]=20LDAP=20=E8=AE=A4=E8=AF=81=E6=B7=BB?= =?UTF-8?q?=E5=8A=A0=E9=85=8D=E7=BD=AE=E9=A1=B9=20OPT=5FREFERRALS=EF=BC=88?= =?UTF-8?q?=E8=A7=A3=E5=86=B3=E9=97=AE=E9=A2=98:=20In=20order=20to=20perfo?= =?UTF-8?q?rm=20this=20operation=20a=20successful=20bind=20must=20be=20com?= =?UTF-8?q?pleted=20on=20the=20connection)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apps/jumpserver/conf.py | 1 +
 apps/jumpserver/settings.py | 1 +
 config_example.yml | 4 ++++
 3 files changed, 6 insertions(+)

diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 29dfeabbe..58ca170c6 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -380,6 +380,7 @@ defaults = {
     'AUTH_LDAP_SYNC_INTERVAL': None,
     'AUTH_LDAP_SYNC_CRONTAB': None,
     'AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS': False,
+    'AUTH_LDAP_OPTIONS_OPT_REFERRALS': -1,
     'HTTP_BIND_HOST': '0.0.0.0',
     'HTTP_LISTEN_PORT': 8080,
     'WS_LISTEN_PORT': 8070,
diff --git a/apps/jumpserver/settings.py b/apps/jumpserver/settings.py
index 6088358f1..f6b81e877 100644
--- a/apps/jumpserver/settings.py
+++ b/apps/jumpserver/settings.py
@@ -440,6 +440,7 @@ AUTH_LDAP_START_TLS = False
 AUTH_LDAP_USER_ATTR_MAP = {"username": "cn", "name": "sn", "email": "mail"}
 AUTH_LDAP_GLOBAL_OPTIONS = {
     ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
+    ldap.OPT_REFERRALS: CONFIG.AUTH_LDAP_OPTIONS_OPT_REFERRALS
 }
 LDAP_CERT_FILE = os.path.join(PROJECT_DIR, "data", "certs", "ldap_ca.pem")
 if os.path.isfile(LDAP_CERT_FILE):
diff --git a/config_example.yml b/config_example.yml
index 786de3257..4cfcdafed 100644
--- a/config_example.yml
+++ b/config_example.yml
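Review bot: The new default `'AUTH_LDAP_OPTIONS_OPT_REFERRALS': -1` is a magic value with no explanation in the code; the only description is the comment added to config_example.yml. If python-ldap treats OPT_REFERRALS as an on/off switch, -1 behaves like any other non-zero value and keeps referral chasing enabled, with only 0 disabling it, so a comment above the entry would make that visible: `# python-ldap OPT_REFERRALS: 0 disables referral chasing (the usual remedy for Active Directory), any other value keeps the library default`. The value is also taken from YAML without type checking, so a quoted `"0"` or other non-integer may be rejected or misread by ldap.set_option rather than disabling referrals; validating it as an int where the config is loaded would be worth it. The `defaults` dict starts and ends outside the hunk.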
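Review bot: The added entry `ldap.OPT_REFERRALS: CONFIG.AUTH_LDAP_OPTIONS_OPT_REFERRALS` drops the trailing comma that the preceding entry carries, so the next addition to AUTH_LDAP_GLOBAL_OPTIONS will have to edit this line as well; write it as `ldap.OPT_REFERRALS: CONFIG.AUTH_LDAP_OPTIONS_OPT_REFERRALS,`. If django-auth-ldap applies AUTH_LDAP_GLOBAL_OPTIONS through ldap.set_option(), as the name suggests, the value is process-wide and affects every LDAP connection the application opens, not only the authentication bind, which deserves a one-line comment next to the entry. Unrelated to this change but visible in the same dict, `ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER` disables server certificate verification for LDAPS/StartTLS; that is pre-existing and only noted here for context.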
@@ -83,6 +83,10 @@ REDIS_PORT: 6379
 #
 # LDAP 用户登录时仅允许在用户列表中的用户执行 LDAP Server 认证
 # AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False
+#
+# LDAP 认证时如果出现以下信息将参数设置为 0 (详情参见:https://www.python-ldap.org/en/latest/faq.html)
+# In order to perform this operation a successful bind must be completed on the connection
+# AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1
 # OTP settings