ldapauthenticator
Jupyterhub LDAP integration with group search basedn not working
Bug description
Unable to restrict access to users that are members of specific LDAP groups when authenticating through Jupyterhub
Expected behaviour
Restricted access to members of the group specified in basedn
Actual behaviour
LDAP users other than group members are able to log in
How to reproduce
I am able to reproduce the issue at my end with the below steps.
- Installed and configured an Active Directory setup (Windows Server 2016)
- Created a new OU for the AD domain and added users / groups to the OU.
For example: created an OU (bigdata) under DC [COMPUTE.INTERNAL] and added the users and groups below.
  a. BigdataAdmin => Group1
  b. Developer => Group2
  c. hadoopadmin => user, member of the BigdataAdmin group
  d. ldapuser => user, member of the Developer group
- Enabled Jupyterhub configuration to restrict access only to the members of BigdataAdmin group.
```python
# jupyterhub_config.py as posted in the report
c.Authenticator.admin_users = {'jovyan'}
c.JupyterHub.log_level = 'DEBUG'
c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.use_ssl = False
c.LDAPAuthenticator.server_address = '172.31.34.231'
# Fixed DN (no {username} placeholder) used for the bind
c.LDAPAuthenticator.bind_dn_template = 'CN=hadoopadmin,OU=bigdata,DC=COMPUTE,DC=INTERNAL'
# Note: this group DN uses the base dc=EU-WEST-1,dc=COMPUTE,dc=INTERNAL,
# while the other DNs in this file use DC=COMPUTE,DC=INTERNAL
c.LDAPAuthenticator.allowed_groups = ["cn=BigdataAdmin,ou=bigdata,dc=EU-WEST-1,dc=COMPUTE,dc=INTERNAL"]
c.LDAPAuthenticator.whitelist = {'hadoopadmin'}
c.LDAPAuthenticator.group_search_base = 'ou=bigdata,dc=COMPUTE,dc=INTERNAL'
# Custom group search filter, left commented out in the report
##c.LDAPAuthenticator.group_search_filter = '(&(objectClass=BigdataAdmin)(memberOf={group}))'
c.LDAPAuthenticator.user_membership_attribute = 'memberOf'
```
- Create local users (to map to the AD users) in the docker container like below.
For example:
```sh
# Local group and user matching the AD user's uid/gid
addgroup --gid 60002 ldapuser
useradd -g ldapuser -u 60002 ldapuser
# Home directory for that user inside the jupyterhub container
sudo docker container exec jupyterhub bash -c "mkdir /home/ldapuser"
sudo docker container exec jupyterhub bash -c "chown -R 60002 /home/ldapuser"
sudo docker container exec jupyterhub bash -c "sudo chgrp -R 60002 /home/ldapuser"
```
- Access the Jupyterhub web UI using hadoopadmin / ldapuser. Although access is configured for hadoopadmin only, ldapuser is also able to log in to the Jupyter web UI.
Also tried to set up the configuration LDAPAuthenticator.allowed_groups as documented at https://github.com/jupyterhub/ldapauthenticator, but I am unsuccessful in configuring restricted access to specific LDAP groups. Is this a bug with LDAP group integration in Jupyterhub? Please suggest.
Your personal set up
- OS: linux
- Version: 5.25 ~ 5.29
- Configuration:
I have the same problem. I found that it was due to allowed_groups testing the "memberOf" attribute, as the LDAP server only has the memberUid option, and the attempted search by LDAP3 on memberOf now raises an exception. This either needs a try/except in the LDAP administrator, or the ability to specify which of the three group searches to try.
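As an added illustration (not ldapauthenticator's own code, and not from either poster), the following runs a fail-closed group check over a constructed in-memory directory snapshot shaped like the OU in the report: it tries memberOf on the user, then member on the group, then memberUid on the group, and treats a missing attribute as "not a member" rather than raising. The DNs, entries and helper names are assumptions made for the example.

```python
# Added example: fail-closed LDAP group-membership check over a constructed
# in-memory directory snapshot (no LDAP server needed). It tries the three
# membership conventions mentioned in the thread: memberOf, member, memberUid.
from typing import Dict, List

Entry = Dict[str, List[str]]          # attribute name -> list of values
Directory = Dict[str, Entry]          # normalized DN -> entry

# Constructed snapshot: an AD-style group that appears in memberOf on the user
# entry, and a POSIX-style group that only carries memberUid.
DIRECTORY: Directory = {
    "cn=hadoopadmin,ou=bigdata,dc=compute,dc=internal": {
        "uid": ["hadoopadmin"],
        "memberOf": ["cn=bigdataadmin,ou=bigdata,dc=compute,dc=internal"],
    },
    "cn=ldapuser,ou=bigdata,dc=compute,dc=internal": {
        "uid": ["ldapuser"],  # no memberOf attribute at all
    },
    "cn=bigdataadmin,ou=bigdata,dc=compute,dc=internal": {
        "member": ["cn=hadoopadmin,ou=bigdata,dc=compute,dc=internal"],
    },
    "cn=developer,ou=bigdata,dc=compute,dc=internal": {
        "memberUid": ["ldapuser"],  # posixGroup style, no member/memberOf
    },
}

def _norm(dn: str) -> str:
    """Case- and whitespace-insensitive comparison key for a DN."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def is_member(directory: Directory, user_dn: str, group_dn: str) -> bool:
    """True only if some membership attribute positively links user to group.
    A missing attribute (the situation in the comment above, where the server
    has no memberOf) counts as 'not a member' instead of raising."""
    user = directory.get(_norm(user_dn), {})
    group = directory.get(_norm(group_dn), {})
    # 1. memberOf on the user entry (Active Directory style)
    if any(_norm(g) == _norm(group_dn) for g in user.get("memberOf", [])):
        return True
    # 2. member on the group entry (groupOfNames style)
    if any(_norm(m) == _norm(user_dn) for m in group.get("member", [])):
        return True
    # 3. memberUid on the group entry (posixGroup style), matched by uid
    uids = {u.lower() for u in user.get("uid", [])}
    return any(u.lower() in uids for u in group.get("memberUid", []))

def allowed(directory: Directory, user_dn: str, allowed_groups: List[str]) -> bool:
    """Grant access only when the user is a member of at least one listed group."""
    return any(is_member(directory, user_dn, g) for g in allowed_groups)
```

A group DN that does not resolve in the snapshot (for instance one under a different base) grants nobody, so a misspelled allowed_groups entry denies rather than admits.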