ldapauthenticator
Recommended Active Directory config is not correct: invalidCredentials
The recommended configuration for Active Directory integration:

```python
c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.LDAPAuthenticator.lookup_dn_search_user = 'ldap_search_user_technical_account'
c.LDAPAuthenticator.lookup_dn_search_password = 'secret'
c.LDAPAuthenticator.user_search_base = 'ou=people,dc=wikimedia,dc=org'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'cn'
c.LDAPAuthenticator.escape_userdn = False
c.LDAPAuthenticator.bind_dn_template = '{username}'
```

This config will result in:

```
LDAPBindError: automatic bind not successful - invalidCredentials
```
The problem is the last line of the config:

```python
c.LDAPAuthenticator.bind_dn_template = '{username}'
```

Because of this line the resolved dn will never be used (link to the code):

```python
...
if self.lookup_dn:
    username, resolved_dn = self.resolve_username(username)
    if not username:
        return None
    if str(self.lookup_dn_user_dn_attribute).upper() == "CN":
        # Only escape commas if the lookup attribute is CN
        username = re.subn(r"([^\\]),", r"\1\,", username)[0]
    if not bind_dn_template:  # <------- bind_dn_template = '{username}'
        bind_dn_template = [resolved_dn]  # <------- resolved_dn will never be used!
is_bound = False
for dn in bind_dn_template:
    if not dn:
...
```
So the working configuration is:

```python
c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.LDAPAuthenticator.lookup_dn_search_user = 'ldap_search_user_technical_account'
c.LDAPAuthenticator.lookup_dn_search_password = 'secret'
c.LDAPAuthenticator.user_search_base = 'ou=people,dc=wikimedia,dc=org'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'cn'
c.LDAPAuthenticator.escape_userdn = False
```
Related issues
Issues #101, #144, #125 are probably related.
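The branch quoted in the report, reproduced below as an added example (this is not ldapauthenticator's own code and does not talk to a real server) so the two configurations can be compared offline. It runs the same control flow against a constructed in-memory directory: with `bind_dn_template = ['{username}']` the bind loop is handed the bare CN value (`Doe\, Jane`), which is not a DN and fails; with the template left empty it is handed the DN the search resolved. `FAKE_DIRECTORY`, the `jdoe` entry, the helper names `resolve_username`, `bind_candidates` and `authenticate`, and the simplified `use_lookup_dn_username` handling at the end are all assumptions of this example, modelled on the option the documentation describes rather than copied from the project.

```python
import re

# Constructed stand-in for an Active Directory tree (not a real LDAP server).
# Keys are entry DNs; values are the attributes the authenticator touches.
# The comma in the CN is deliberate: it is what the CN-escaping regex exists for.
FAKE_DIRECTORY = {
    "cn=Doe\\, Jane,ou=people,dc=wikimedia,dc=org": {
        "sAMAccountName": "jdoe",
        "cn": "Doe, Jane",
        "userPassword": "correct horse battery staple",
    },
    "cn=ldap_search_user_technical_account,ou=people,dc=wikimedia,dc=org": {
        "sAMAccountName": "ldap_search_user_technical_account",
        "cn": "ldap_search_user_technical_account",
        "userPassword": "secret",
    },
}

# The working config from the report: bind_dn_template left unset.
WORKING_CONFIG = {
    "lookup_dn": True,
    "user_search_base": "ou=people,dc=wikimedia,dc=org",
    "user_attribute": "sAMAccountName",
    "lookup_dn_user_dn_attribute": "cn",
    "bind_dn_template": [],            # empty, so the resolved DN is used
    "use_lookup_dn_username": False,   # hub username stays the login name
}

# The README config from the report: the template shadows the resolved DN.
BROKEN_CONFIG = dict(WORKING_CONFIG, bind_dn_template=["{username}"])


def simple_bind(dn, password):
    """Simulate an LDAP simple bind: the DN must exist and the password match.
    A bare value such as 'Doe\\, Jane' is not a DN, so it can never bind."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def resolve_username(config, login):
    """Simulate the lookup_dn search done with the technical account.
    Returns (value of lookup_dn_user_dn_attribute, entry DN), or (None, None)
    when no entry under user_search_base has user_attribute == login."""
    base = config["user_search_base"].lower()
    for dn, attrs in FAKE_DIRECTORY.items():
        if dn.lower().endswith(base) and attrs.get(config["user_attribute"]) == login:
            return attrs[config["lookup_dn_user_dn_attribute"]], dn
    return None, None


def bind_candidates(config, login):
    """Mirror the quoted branch: the list of DNs the bind loop will try."""
    bind_dn_template = list(config["bind_dn_template"])
    username = login
    if config["lookup_dn"]:
        username, resolved_dn = resolve_username(config, username)
        if not username:
            return []
        if str(config["lookup_dn_user_dn_attribute"]).upper() == "CN":
            # Only escape commas if the lookup attribute is CN (same regex as the page)
            username = re.subn(r"([^\\]),", r"\1\,", username)[0]
        if not bind_dn_template:
            # Only reached when no template is configured: this is the fix.
            bind_dn_template = [resolved_dn]
    # The resolved DN contains no '{username}' placeholder, so format() is a no-op
    # for it; for the '{username}' template it yields the bare, non-DN CN value.
    return [dn.format(username=username) for dn in bind_dn_template if dn]


def authenticate(config, login, password):
    """Return the hub username on a successful bind, None on invalidCredentials."""
    for userdn in bind_candidates(config, login):
        if simple_bind(userdn, password):
            if config["use_lookup_dn_username"]:
                # Assumed simplification: the looked-up CN becomes the hub username.
                return resolve_username(config, login)[0]
            return login
    return None


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("broken  tries:", bind_candidates(BROKEN_CONFIG, "jdoe"))
    print("working tries:", bind_candidates(WORKING_CONFIG, "jdoe"))
    print("broken  ->", authenticate(BROKEN_CONFIG, "jdoe", pw))
    print("working ->", authenticate(WORKING_CONFIG, "jdoe", pw))
```

The point to take from `bind_candidates` is that `bind_dn_template` is consulted before `resolved_dn` and wins whenever it is non-empty, so any non-empty template, not just `'{username}'`, disables the lookup-based bind. If you want a template and a lookup at the same time, the template has to produce a full DN on its own.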
Can confirm, following the above advice fixed our issues with being told the users were not in any of the allowed groups no matter what groups we put in there. So the config as presented on the readme seems to enable auth to work, but not group lookups. The config suggested above enables both.
Removing `c.LDAPAuthenticator.bind_dn_template = '{username}'` also fixed AD authentication for me.
It worked for me as well. Also, `use_lookup_dn_username = False` was important to make Unix usernames consistent with the login (instead of LDAP's CN), as pointed out in the documentation.