LDAP query syntax to search more than one specific OU

Open ponomarevsy opened this issue 6 years ago • 6 comments

Dear Jupyterhub developers,

Is there a way to LDAP query more than one specific OU from inside the Jupyterhub config file?

Since some user accounts are under Users (~5000 people) and some are under Users-dir (~900 people) we need to find a way to fetch user information for both OUs. Is there a way to do it?

It works for either "OU=Users" or "OU=Users-dir" separately but I am not sure about both at the same time?

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'ldapserver'
c.LDAPAuthenticator.bind_dn_template = 'CN={username},OU=Users,...'

or

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'ldapserver'
c.LDAPAuthenticator.bind_dn_template = 'CN={username},OU=Users-dir,...'

Thank you so much in advance!

ponomarevsy, Oct 17 '18 15:10

I just found this example (https://github.com/jupyterhub/ldapauthenticator):

c.LDAPAuthenticator.bind_dn_template = [
    "uid={username},ou=people,dc=wikimedia,dc=org",
    "uid={username},ou=developers,dc=wikimedia,dc=org",
]

But it produces:

traitlets.traitlets.TraitError: The 'bind_dn_template' trait of a LDAPAuthenticator instance must be a unicode string, but a value of ['uid={username},ou=people,dc=wikimedia,dc=org', 'uid={username},ou=developers,dc=wikimedia,dc=org'] <class 'list'> was specified.

I've also tried this:

c.LDAPAuthenticator.bind_dn_template = str([
    "uid={username},ou=people,dc=wikimedia,dc=org",
    "uid={username},ou=developers,dc=wikimedia,dc=org",
])

The unicode string error disappears but LDAP authentication fails (I've changed my binding string to your example case):

[W 2018-10-17 16:30:05.772 JupyterHub ldapauthenticator:154] Invalid password for user ['uid=username,ou=people,dc=wikimedia,dc=org', 'uid=username,ou=developers,dc=wikimedia,dc=org']

I am using Jupyterhub version 0.7.2. Any ideas/suggestions (I would prefer not to upgrade Jupyterhub - it was a pain to set it up...)? Thank you!

ponomarevsy, Oct 17 '18 20:10

And "jupyterhub-ldapauthenticator" version is 1.1. Do you think updating "jupyterhub-ldapauthenticator" would help? Thanks!

ponomarevsy, Oct 17 '18 21:10

I do! It's always a good idea to be sure you are up-to-date with both jupyterhub and the authenticator. It's also best to open issues with ldapauthenticator on the ldapauthenticator repo. I've migrated this one.

minrk, Nov 23 '18 14:11

Thanks, Min. Sorry about the wrong repo...

ponomarevsy, Nov 23 '18 15:11

I fixed the problem by:

  1. Upgrading ldapauthenticator to the latest version
  2. Using "CN={username}," instead of "uid={username},"

So, the correct LDAP entry looks like this (in my case):

c.LDAPAuthenticator.bind_dn_template = [
    "CN={username},ou=people,dc=wikimedia,dc=org",
    "CN={username},ou=developers,dc=wikimedia,dc=org",
]

ponomarevsy, Nov 26 '18 16:11
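
Added example (not part of the thread and not ldapauthenticator's own code): a sketch of how a list of bind DN templates is expanded and tried one at a time, and why wrapping the list in str() produces the single bogus DN seen in the "Invalid password" log line above. The function names, the username allowlist and the stub bind callback are assumptions made for this illustration.

```python
import re

# Constructed config value; the DNs are the ones quoted in the thread.
TEMPLATES = [
    "CN={username},ou=people,dc=wikimedia,dc=org",
    "CN={username},ou=developers,dc=wikimedia,dc=org",
]
# Assumption of this example: usernames are limited to a conservative
# allowlist so no DN metacharacter (',', '=', '+', ...) reaches the template.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def check_template(value):
    """Return a list of templates, rejecting a stringified list."""
    templates = [value] if isinstance(value, str) else list(value)
    for t in templates:
        if not isinstance(t, str) or "{username}" not in t:
            raise ValueError(f"template lacks {{username}}: {t!r}")
        if t.lstrip().startswith("["):
            raise ValueError("template looks like str(list); pass the list itself")
    return templates


def expand_bind_dns(value, username):
    """Expand every template into the candidate DN for this username."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters not allowed in a DN value")
    return [t.format(username=username) for t in check_template(value)]


def first_successful_bind(value, username, password, try_bind):
    """Try each candidate DN in order; return the DN that binds, else None."""
    for dn in expand_bind_dns(value, username):
        if try_bind(dn, password):  # a real LDAP bind in production
            return dn
    return None


if __name__ == "__main__":
    # Stub directory (constructed): the account exists only under ou=developers.
    directory = {"CN=alice,ou=developers,dc=wikimedia,dc=org": "s3cret"}
    stub = lambda dn, pw: directory.get(dn) == pw
    print(first_successful_bind(TEMPLATES, "alice", "s3cret", stub))
    # What str([...]) actually sends as the one and only bind DN:
    print(str(TEMPLATES).format(username="alice"))
```
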

Can I use both local PAM accounts and LDAP accounts? How do I combine the two in a config file? Thank you in advance.

ponomarevsy, Nov 28 '18 22:11