
TLJH + ldapauthenticator against Active Directory

Open · jasmeralia opened this issue 5 years ago · 1 comment

I previously got some help on https://github.com/jupyterhub/ldapauthenticator/issues/130 that solved the problem I was facing at the time. However, when I went to deploy out to our internal development environment (versus the VM setup I had on my local system), I hit a snag.

My TLJH config is as so:

auth:
  type: ldapauthenticator.LDAPAuthenticator
  LDAPAuthenticator:
    server_address: 10.50.194.10
    lookup_dn: true
    lookup_dn_search_filter: ({login_attr}={login})
    lookup_dn_search_user: CN=Service Account LDAP Auth,OU=Service Accounts,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local
    lookup_dn_search_password: REDACTED
    lookup_dn_user_dn_attribute: CN
    bind_dn_template: CN={username},OU=DAPPUsers,DC=dapp,DC=moxie,DC=local
    user_search_base: OU=DAPPUsers,DC=dapp,DC=moxie,DC=local
    user_attribute: sAMAccountName
    use_lookup_dn_username: true
    escape_userdn: false
    server_port: 389
users:
  admin:
  - nclemons
  - rmallick
  - sshah
  - tkidd

This fails to authenticate users like myself when I try to log in with the following error message:

Aug 08 20:52:20 ip-10-50-194-182 python3[17747]: [D 2019-08-08 20:52:20.889 JupyterHub ldapauthenticator:299] TYPE= 'False'
Aug 08 20:52:20 ip-10-50-194-182 python3[17747]: [D 2019-08-08 20:52:20.889 JupyterHub ldapauthenticator:223] Looking up user with search_base=OU=DAPPUsers,DC=dapp,DC=moxie,DC=local, search_filter='(sAMAccountName=nclemons)', attributes=sAMAccountName
Aug 08 20:52:20 ip-10-50-194-182 python3[17747]: [D 2019-08-08 20:52:20.941 JupyterHub ldapauthenticator:278] Attempting to bind nclemons with CN=Nathan Clemons,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local
Aug 08 20:52:20 ip-10-50-194-182 python3[17747]: [D 2019-08-08 20:52:20.942 JupyterHub ldapauthenticator:333] Status of user bind nclemons with CN=Nathan Clemons,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local : False
Aug 08 20:52:20 ip-10-50-194-182 python3[17747]:     LDAPBindError: automatic bind not successful - invalidCredentials
Aug 08 20:52:20 ip-10-50-194-182 python3[17747]: [W 2019-08-08 20:52:20.942 JupyterHub ldapauthenticator:379] Invalid password for user nclemons

This is because the full path for my user account is actually CN=Nathan Clemons,OU=MCS,OU=Users,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local instead of CN=Nathan Clemons,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local. But I can't set the template to the MCS OU because some of the non-admin users will be in another OU (ENG in this case). I verified this in my VM setup by creating an OU underneath what I was setting the base and template to, and it failed after I moved my test account into that new OU.

I am suspecting that the problem is not with my user_search_base, but instead is with my bind_dn_template, since it does appear that it's successfully finding my account since it's managed to look up my full name from the username. Is there another macro that I can use in the bind_dn_template to pass the full OU path to the retrieved user account?

jasmeralia, Aug 08 '19 21:08

The bind_dn_template can be a list of templates to try - if one works the user is authenticated. So just pass a template for each of the possible variations of allowed users.

dhirschfeld, Aug 08 '19 23:08
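To illustrate the suggestion above, here is an added example (not ldapauthenticator's own code) that emulates trying a list of bind_dn_template entries in order against a constructed in-memory directory instead of a real LDAP server; the ENG OU path, the "Eng User" account and the sample passwords are assumptions, the MCS path comes from the issue.

```python
# Added example, not ldapauthenticator's code: emulates how a list of
# bind_dn_template entries is tried top to bottom. In the issue's setup,
# lookup_dn_user_dn_attribute is CN, so {username} is the looked-up CN
# ("Nathan Clemons" in the log), not the sAMAccountName that was typed in.
from typing import Dict, List, Optional

# Constructed sample directory: DN -> password. The ENG OU path is an
# assumption; the issue only says ENG users sit in "another OU".
FAKE_DIRECTORY: Dict[str, str] = {
    "CN=Nathan Clemons,OU=MCS,OU=Users,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local": "admin-secret",
    "CN=Eng User,OU=ENG,OU=Users,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local": "eng-secret",
}

# The issue's original single template first (it never matches), then one
# template per OU that may hold an allowed user.
BIND_DN_TEMPLATES: List[str] = [
    "CN={username},OU=DAPPUsers,DC=dapp,DC=moxie,DC=local",
    "CN={username},OU=MCS,OU=Users,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local",
    "CN={username},OU=ENG,OU=Users,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local",
]


def bind_candidates(templates: List[str], username: str) -> List[str]:
    """Substitute the looked-up CN into every template, preserving order.
    escape_userdn is false in the issue's config, so no RFC 4514 escaping."""
    return [t.format(username=username) for t in templates]


def fake_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: succeeds only for an existing DN
    with the matching password (invalidCredentials otherwise)."""
    return FAKE_DIRECTORY.get(dn) == password


def authenticate(templates: List[str], cn: str, password: str) -> Optional[str]:
    """Try each candidate DN in turn; return the first DN that binds, or None
    when every template fails (the case that logs 'Invalid password')."""
    for dn in bind_candidates(templates, cn):
        if fake_bind(dn, password):
            return dn
    return None


if __name__ == "__main__":
    print(authenticate(BIND_DN_TEMPLATES, "Nathan Clemons", "admin-secret"))
    print(authenticate(BIND_DN_TEMPLATES, "Eng User", "eng-secret"))
    print(authenticate(BIND_DN_TEMPLATES, "Nathan Clemons", "wrong"))
```

A failed bind for one template is not an error here, only a reason to move on to the next template; only exhausting the whole list reports invalid credentials.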