Issue with transform ldapsearch command to flask_ldap3_login settings
I have a problem with transform ldapsearch command to flask_ldap3_login settings.
To check connection to LDAP from Linux server I use this command:
```
ldapsearch -x -b "ou=intranet,dc=mydreamcorporation,dc=com" -H ldap://ids.mydream-corporation.com -D "myguid=myusername,ou=people,ou=intranet,dc=dreamcorporation,dc=com" -W "uid=myusername" cn uid
```
Response from LDAP:
```
extended LDIF
LDAPv3
base <ou=intranet,dc=mydreamcorporation,dc=com> with scope subtree
filter: uid=myusername
requesting: cn uid
MYUSERNAME, people, intranet, mydreamcorporation.com
dn: myguid=myusername,ou=people,ou=intranet,dc=mydreamcorporation,dc=com
cn: my_name
uid: MYUSERNAME
search result
search: 2
result: 0 Success
numResponses: 2
numEntries: 1
```
My flask_ldap3_login settings:
```python
from flask import Flask, url_for
from flask_ldap3_login import LDAP3LoginManager
from flask_login import LoginManager, login_user, UserMixin, current_user
from flask import render_template_string, redirect
from flask_ldap3_login.forms import LDAPLoginForm

app = Flask(__name__)
app.config['SECRET_KEY'] = 'secret'
app.config['DEBUG'] = True

my_login = "myusername"
my_password = "password"

# Hostname of your LDAP Server
app.config['LDAP_HOST'] = 'ldap://ids.mydream-corporation.com'
# Port number of your LDAP server
app.config['LDAP_PORT'] = 389
# Base DN of your directory
app.config['LDAP_BASE_DN'] = "dc=mydreamcorporation,dc=com"
# Users DN to be prepended to the Base DN
app.config['LDAP_USER_DN'] = "ou=intranet"
# Groups DN to be prepended to the Base DN
app.config['LDAP_GROUP_DN'] = 'ou=people'
# The RDN attribute for your user schema on LDAP
app.config['LDAP_USER_RDN_ATTR'] = 'dn'
# The Attribute you want users to authenticate to LDAP with.
app.config['LDAP_USER_LOGIN_ATTR'] = 'myguid'
# The Username to bind to LDAP with
app.config['LDAP_BIND_USER_DN'] = "myguid=myusername,ou=people,ou=intranet,dc=mydreamcorporation,dc=com"
# The Password to bind to LDAP with
app.config['LDAP_BIND_USER_PASSWORD'] = my_password

login_manager = LoginManager(app)  # Setup a Flask-Login Manager
ldap_manager = LDAP3LoginManager(app)  # Setup a LDAP3 Login Manager


@app.route('/', methods=['POST', 'GET'])
def manual_login(my_login=my_login, my_password=my_password):
    # authenticate() returns an AuthenticationResponse; .status is the enum value
    result = app.ldap3_login_manager.authenticate(my_login, my_password)
    return str(result.status)
```
Unfortunately I have as a script result:
```
AuthenticationResponseStatus.fail
```
I think the problem is a wrong configuration, but I cannot find where :(
I tried to add:
```python
app.config['LDAP_USER_SEARCH_SCOPE'] = 'SUBTREE'
app.config['LDAP_ALWAYS_SEARCH_BIND'] = 1
```
but it didn't help and I have a message:
```
invalid class in objectClass attribute: group
```
After Gabriel Luci's comment I have changed my settings to:
```python
app.config['LDAP_BASE_DN'] = "ou=intranet"
app.config['LDAP_USER_DN'] = "myguid=myusername,ou=people,ou=intranet,dc=mydreamcorporation,dc=com"
#app.config['LDAP_GROUP_DN'] = 'ou=people'
app.config['LDAP_USER_RDN_ATTR'] = 'cn'
app.config['LDAP_USER_LOGIN_ATTR'] = 'uid'
app.config['LDAP_BIND_USER_DN'] = "myguid=myusername"
```
And now I have the same
```
AuthenticationResponseStatus.fail
```
And in console:
```
LDAPInvalidCredentialsResult - 49 - invalidCredentials - None - None - bindResponse - None
```
Solution 1:[1]
You tagged active-directory, but I suspect you may not be using AD because you're using uid, which isn't used in AD.
The LDAP_HOST and LDAP_PORT look right.
You have set your LDAP_BASE_DN to the root of your domain, but in your ldapsearch command, you set it to your intranet OU. Why the difference?
The way you set LDAP_USER_DN tells it that all of your user objects are in ou=intranet,dc=mydreamcorporation,dc=com. Is that what you intended?
The way you set LDAP_GROUP_DN tells it that all of the group objects are in ou=people,dc=mydreamcorporation,dc=com. This looks suspicious. I don't think this is what you intended.
You have set LDAP_USER_RDN_ATTR to dn, but if you're using Active Directory, that should be cn according to Microsoft.
You've set LDAP_USER_LOGIN_ATTR to myguid, but this looks suspicious. This should be the attribute that represents the username the user will use to log in. In AD, that would be sAMAccountName or userPrincipalName. If you are using some other LDAP server, it will likely be uid.
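To make the mapping the answer describes concrete, here is an added example (not code from the question or from flask_ldap3_login) that derives the relevant config keys from the pieces of the working ldapsearch command and prints the DN and filter the library will then use. It assumes the documented semantics of the keys: LDAP_USER_DN is a prefix prepended to LDAP_BASE_DN, the direct-bind DN is `rdn_attr=username,user_dn,base_dn`, and the search-bind filter is `(&<object filter>(login_attr=username))`; `split_dn`, `relative_to_base` and `settings_from_ldapsearch` are helper names chosen here, and escaped commas in DNs are not handled.

```python
import re


def split_dn(dn):
    """Split a DN into its RDN components (simple DNs only, no escaped commas)."""
    return [part.strip() for part in dn.split(",")]


def relative_to_base(dn, base_dn):
    """Return the part of `dn` above `base_dn`: what LDAP_USER_DN expects.
    Raises if `dn` is not actually under `base_dn` (catches typos in the DN)."""
    parts, base_parts = split_dn(dn), split_dn(base_dn)
    n = len(base_parts)
    if [p.lower() for p in parts[-n:]] != [p.lower() for p in base_parts]:
        raise ValueError("%s is not under base %s" % (dn, base_dn))
    return ",".join(parts[:-n])


def settings_from_ldapsearch(host, base_dn, bind_dn, search_filter):
    """Map ldapsearch -H / -b / -D / filter onto flask_ldap3_login config keys."""
    # RDN attribute of the user entry comes from the first component of -D
    rdn_attr = split_dn(bind_dn)[0].partition("=")[0]
    # login attribute comes from the attr=value search filter
    m = re.fullmatch(r"\(?(\w+)=([^)]+)\)?", search_filter.strip())
    if not m:
        raise ValueError("only simple attr=value filters handled: %r" % search_filter)
    # container of the user entry (everything after the RDN), relative to base
    user_container = relative_to_base(",".join(split_dn(bind_dn)[1:]), base_dn)
    return {
        "LDAP_HOST": host,
        "LDAP_BASE_DN": base_dn,
        "LDAP_USER_DN": user_container,
        "LDAP_USER_RDN_ATTR": rdn_attr,
        "LDAP_USER_LOGIN_ATTR": m.group(1),
    }


def direct_bind_dn(cfg, username):
    """DN built for a direct bind: rdn_attr=username,user_dn,base_dn."""
    rdn = "%s=%s" % (cfg["LDAP_USER_RDN_ATTR"], username)
    return ",".join(p for p in (rdn, cfg["LDAP_USER_DN"], cfg["LDAP_BASE_DN"]) if p)


def search_bind_filter(cfg, username, object_filter="(objectclass=person)"):
    """Filter used to locate the user before binding with the found DN."""
    return "(&%s(%s=%s))" % (object_filter, cfg["LDAP_USER_LOGIN_ATTR"], username)
```

Feeding it the base, bind DN and filter from the question's ldapsearch yields LDAP_USER_DN "ou=people", LDAP_USER_RDN_ATTR "myguid" and LDAP_USER_LOGIN_ATTR "uid"; passing a bind DN under a differently spelled domain raises instead of silently producing a DN that the server will reject with invalidCredentials.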
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Gabriel Luci |
