When LDAP is down, netbox does not allow to login via local super user #6775

New Issue

Closed

opened 2025-12-29 19:45:16 +01:00 by adam · 4 comments

adam commented 2025-12-29 19:45:16 +01:00

Owner

Copy Link

Originally created by @m-ammar on GitHub (Aug 6, 2022).

NetBox version

3.2.7

Python version

3.9

Steps to Reproduce

Steps to reproduce:

1. Deploy netbox-docker using the docker-compose file provided here: docker-compose.yml
2. Provide LDAP env variables in the docker-compose file to setup LDAP.
3. After netbox is up and running, block the connection between Netbox deployment and LDAP server using firewall.
4. Then try to login with the local super user mentioned here: Super User

Expected Behavior

Netbox should allow local users to login even when connection to LDAP fails.

This is probably the issue: https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/api/authentication.py#L28-L38

There is only a check for presence of LDAP and then try to login via LDAP. There should be a fallback to validate local users in case of connections errors to LDAP. Maybe another if condition?

Observed Behavior

The logion fails and netbox is not able to validate the local user until the connection to LDAP is restored.

Originally created by @m-ammar on GitHub (Aug 6, 2022). ### NetBox version 3.2.7 ### Python version 3.9 ### Steps to Reproduce ### Steps to reproduce: 1. Deploy netbox-docker using the docker-compose file provided here: [docker-compose.yml](https://github.com/netbox-community/netbox-docker/blob/release/docker-compose.override.yml.example) 2. Provide LDAP env variables in the docker-compose file to setup LDAP. 3. After netbox is up and running, block the connection between Netbox deployment and LDAP server using firewall. 4. Then try to login with the local super user mentioned here: [Super User](https://github.com/netbox-community/netbox-docker/blob/release/env/netbox.env#L39-L42) ### Expected Behavior Netbox should allow local users to login even when connection to LDAP fails. This is probably the issue: https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/api/authentication.py#L28-L38 There is only a check for presence of LDAP and then try to login via LDAP. There should be a fallback to validate local users in case of connections errors to LDAP. Maybe another if condition? ### Observed Behavior The logion fails and netbox is not able to validate the local user until the connection to LDAP is restored.

adam added the type: bugstatus: under review labels 2025-12-29 19:45:17 +01:00

adam closed this issue 2025-12-29 19:45:17 +01:00

adam commented 2025-12-29 19:45:17 +01:00

Author

Owner

Copy Link

@kkthxbye-code commented on GitHub (Aug 6, 2022):

This is probably the issue: https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/api/authentication.py#L28-L38

That's only for populating users when using the API, so that's not the source of your issue as you specify logging in. Netbox uses djangos AUTHENTICATION_BACKENDS and the normal local auth is always the second entry when using remote auth, so it should handle both auth backends, but maybe django-auth-ldap raises an exception that makes django skip the second auth for some reason.

I don't have time to check right now and wont have for a couple of weeks, but I'll look into it then if no one else has.

@kkthxbye-code commented on GitHub (Aug 6, 2022): > This is probably the issue: https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/api/authentication.py#L28-L38 That's only for populating users when using the API, so that's not the source of your issue as you specify logging in. Netbox uses djangos [AUTHENTICATION_BACKENDS](https://docs.djangoproject.com/en/4.1/ref/settings/#std-setting-AUTHENTICATION_BACKENDS) and the normal local auth is always the second entry when using remote auth, so it should handle both auth backends, but maybe django-auth-ldap raises an exception that makes django skip the second auth for some reason. I don't have time to check right now and wont have for a couple of weeks, but I'll look into it then if no one else has.

adam commented 2025-12-29 19:45:18 +01:00

Author

Owner

Copy Link

@AzyCrw4282 commented on GitHub (Aug 9, 2022):

I actually attempted this yesterday and it worked fine for me. I am working on a task to verify a backdoor access (local/admin) account in the case our LDAP server goes down and the admin account worked fine. I simply blocked the LDAP server's IP on the route level and attempted to login via the admin account and it worked fine. LDAP account didn't work as expected.

Are you sure you are using a right password for the admin account? I reset my password through the Admin UI in Netbox before trying to login.

@AzyCrw4282 commented on GitHub (Aug 9, 2022): I actually attempted this yesterday and it worked fine for me. I am working on a task to verify a backdoor access (local/admin) account in the case our LDAP server goes down and the admin account worked fine. I simply blocked the LDAP server's IP on the route level and attempted to login via the admin account and it worked fine. LDAP account didn't work as expected. Are you sure you are using a right password for the admin account? I reset my password through the Admin UI in Netbox before trying to login.

adam commented 2025-12-29 19:45:18 +01:00

Author

Owner

Copy Link

@t8simon commented on GitHub (Aug 15, 2022):

I just tried it as well. The LDAP requests were blocked by the firewall.
Login in with the local super user was possible, but it took some time (didn't measure, but would say around 60s). Maybe the timeout period could be cut in half there.

@t8simon commented on GitHub (Aug 15, 2022): I just tried it as well. The LDAP requests were blocked by the firewall. Login in with the local super user was possible, but it took some time (didn't measure, but would say around 60s). Maybe the timeout period could be cut in half there.

adam commented 2025-12-29 19:45:18 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Aug 15, 2022):

I'm going to close this out as it does not appear to be reproducible. If anyone can point to a specific change that might need to be made in NetBox, I'm happy to re-open this.

@jeremystretch commented on GitHub (Aug 15, 2022): I'm going to close this out as it does not appear to be reproducible. If anyone can point to a specific change that might need to be made in NetBox, I'm happy to re-open this.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label status: under review type: bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#6775