ldapauthenticator
Z2JH LDAPStartTLSError on login attempts
Hi and thanks for all your work on the jupyter ecosystem!
Please see the equivalent post over in the Discourse forum.
Bug description
- Any attempted login results in a 500 and the following error in the logs on the `hub` pod: `ldap3.core.exceptions.LDAPStartTLSError: ('wrap socket error: EOF occurred in violation of protocol (_ssl.c:1131)',)`.
Expected behaviour
- Login works with the LDAP server without error.
- Our current setup, using the Z2JH helm chart v0.9.X, has not had these issues.
Actual behaviour
See above
How to reproduce
- Use the same openldap chart (see below) with the `LDAPAuthenticator` and try to log in.
Your personal set up
- Z2JH on AWS, using the latest version of JupyterHub
- LDAP helm release running the osixia openldap image. Specifically, the geek-cookbook/openldap chart (see its ArtifactHub page), which may be running too old a version of the osixia image (1.1.10)
- Tooling is up to date:
  - `eksctl` is used to initialise the EKS cluster (eksctl version: 0.67.0)
  - kubectl version: 1.22.1
  - helm version: 3.7.0
Configuration
```yaml
# config.yaml
proxy:
  https:
    enabled: true
    hosts:
      - DOMAIN
    letsencrypt:
      contactEmail: EMAIL
hub:
  config:
    JupyterHub:
      authenticator_class: ldapauthenticator.LDAPAuthenticator
    LDAPAuthenticator:
      use_ssl: true  # true or false here doesn't appear to alter the behaviour
      server_address: ldap-proto-openldap.default.svc.cluster.local
      bind_dn_template:
        - 'mail={username},o=DELETED,ou=DELETED,dc=DELETED,dc=com'
        - 'mail={username},o=DELETED,ou=DELETED,dc=DELETED,dc=com'
      escape_userdn: true
      lookup_dn: false
      valid_username_regex: '^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'
defaultUrl: "/lab"  # indentation was lost in the post; its parent key is not shown
```
Logs
Full Trace
Note that the same error occurs when set up with https.
```
[E 2021-09-29 09:52:51.564 JupyterHub web:1789] Uncaught exception POST /hub/login?next=%2Fhub%2F (::ffff:192.168.34.48)
    HTTPServerRequest(protocol='http', host='aac510edbf3624e84a65b2a742db10b8-2112802575.ap-southeast-2.elb.amazonaws.com', method='POST', uri='/hub/login?next=%2Fhub%2F', version='HTTP/1.1', remote_ip='::ffff:192.168.34.48')
    Traceback (most recent call last):
      File "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1704, in _execute
        result = await result
      File "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/login.py", line 151, in post
        user = await self.login_user(data)
      File "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/base.py", line 754, in login_user
        authenticated = await self.authenticate(data)
      File "/usr/local/lib/python3.8/dist-packages/jupyterhub/auth.py", line 469, in get_authenticated_user
        authenticated = await maybe_future(self.authenticate(handler, data))
      File "/usr/local/lib/python3.8/dist-packages/ldapauthenticator/ldapauthenticator.py", line 382, in authenticate
        conn = self.get_connection(userdn, password)
      File "/usr/local/lib/python3.8/dist-packages/ldapauthenticator/ldapauthenticator.py", line 314, in get_connection
        conn = ldap3.Connection(
      File "/usr/local/lib/python3.8/dist-packages/ldap3/core/connection.py", line 363, in __init__
        self._do_auto_bind()
      File "/usr/local/lib/python3.8/dist-packages/ldap3/core/connection.py", line 391, in _do_auto_bind
        if self.start_tls(read_server_info=False):
      File "/usr/local/lib/python3.8/dist-packages/ldap3/core/connection.py", line 1314, in start_tls
        if self.server.tls.start_tls(self) and self.strategy.sync: # for asynchronous connections _start_tls is run by the strategy
      File "/usr/local/lib/python3.8/dist-packages/ldap3/core/tls.py", line 280, in start_tls
        return self._start_tls(connection)
      File "/usr/local/lib/python3.8/dist-packages/ldap3/core/tls.py", line 289, in _start_tls
        raise start_tls_exception_factory(e)(connection.last_error)
    ldap3.core.exceptions.LDAPStartTLSError: ('wrap socket error: EOF occurred in violation of protocol (_ssl.c:1131)',)
```
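Editor's note on reading the trace above: the failure is inside ldap3's StartTLS path (`_do_auto_bind` -> `start_tls` -> `tls._start_tls`), and ldap3 only wraps the socket at that point after the server has answered the StartTLS extended request with success. "EOF occurred in violation of protocol" is Python's `ssl` module reporting that the peer closed the connection in the middle of the TLS handshake that followed. In other words the server agreed to StartTLS and then dropped the handshake, which usually points at the server's TLS setup (certificate/key, protocol or cipher configuration) rather than at the bind DN or the password. The probe below is an added example, not code from ldapauthenticator, ldap3 or the osixia image: it reproduces that exact symptom offline against a constructed stub server and turns the two connection shapes the `use_ssl` flag selects (LDAPS from the first byte, or plain LDAP followed by a StartTLS extended operation) into one-line diagnoses. The host, port, stub behaviour and message bytes are assumptions for the demonstration; to use it for real, point `probe()` at the `server_address` from the config and the port the service exposes.

```python
"""Offline reproduction of ldap3's "wrap socket error: EOF occurred in violation of
protocol". Added example, not ldapauthenticator, ldap3 or osixia code; the message
bytes and the stub server are constructed here. probe() mimics the two connection
shapes the use_ssl flag selects (LDAPS, or plain LDAP + StartTLS)."""
import socket
import ssl
import threading

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def tlv(tag, value):
    """BER tag/length/value; short-form length is enough for the messages built here."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                               # long form: low bits = length-of-length
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    else:
        length, start = first, pos + 2
    return tag, buf[start:start + length], start + length

def starttls_request(msg_id=1):
    """LDAPMessage{messageID, ExtendedRequest{requestName = StartTLS OID}}."""
    op = tlv(0x77, tlv(0x80, STARTTLS_OID))        # [APPLICATION 23] { [0] requestName }
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def extended_response(result_code, msg_id=1):
    """Server side: ExtendedResponse [APPLICATION 24] {resultCode, matchedDN, diag}."""
    op = tlv(0x78, tlv(0x0A, bytes([result_code])) + b"\x04\x00\x04\x00")
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def parse_result_code(data):
    """resultCode of an ExtendedResponse, or None if data is not one (e.g. TLS bytes)."""
    try:
        tag, msg, _ = read_tlv(data)
        _, _, pos = read_tlv(msg)                  # skip messageID
        op_tag, op, _ = read_tlv(msg, pos)
        rc_tag, rc, _ = read_tlv(op)
    except IndexError:
        return None
    return rc[0] if (tag, op_tag, rc_tag) == (0x30, 0x78, 0x0A) and rc else None

def probe(host, port, use_ssl, timeout=5.0):
    """use_ssl=True: TLS from the first byte (LDAPS). use_ssl=False: plain LDAP,
    StartTLS extended op, then TLS on the same socket. Returns a one-line diagnosis."""
    ctx = ssl.create_default_context()             # verification on: a probe, not a bypass
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return f"tcp: {e.__class__.__name__}"
    with sock:
        if not use_ssl:
            sock.sendall(starttls_request())
            reply = sock.recv(4096)
            if not reply:
                return "starttls: server closed without answering (no LDAP on this port?)"
            rc = parse_result_code(reply)
            if rc is None:
                return "starttls: reply is not an LDAP ExtendedResponse (port already TLS?)"
            if rc != 0:
                return f"starttls: refused, resultCode={rc}"
        # LDAPS, or the server accepted StartTLS: this is where ldap3 wraps the socket.
        try:
            ctx.wrap_socket(sock, server_hostname=host).close()
            return "tls: handshake ok"
        except (ssl.SSLEOFError, ConnectionResetError):
            return "tls: peer closed during handshake (EOF) -> check the server's TLS setup"
        except ssl.SSLCertVerificationError as e:
            return f"tls: reached the certificate, verification failed ({e.verify_message})"
        except ssl.SSLError as e:
            return f"tls: {e.reason}"
        except OSError as e:
            return f"tls: {e.__class__.__name__}"

def stub_ldap_server(result_code=0):
    """Constructed test double: answers whatever arrives with an ExtendedResponse carrying
    result_code, then half-closes instead of speaking TLS, which is how a server with a
    broken TLS setup looks from the client side. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        with srv: conn, _ = srv.accept()
        with conn:
            try:
                conn.recv(4096)                    # the StartTLS request, or a ClientHello
                conn.sendall(extended_response(result_code))
                conn.shutdown(socket.SHUT_WR)      # FIN: the client hits EOF mid-handshake
                while conn.recv(4096): pass        # drain, so the client never sees a RST
            except OSError:
                pass
    threading.Thread(target=serve, daemon=True).start()
    return port
```

Run against the stub, `probe(host, port, use_ssl=False)` returns the "peer closed during handshake (EOF)" diagnosis that corresponds to the trace above, while `use_ssl=True` against the same plaintext port fails earlier in the handshake because the first bytes back are LDAP, not a TLS record. Against a real server the three outcomes are worth distinguishing: a refused StartTLS (non-zero resultCode) means the server has no TLS configured for that listener, an EOF or reset during the handshake means it has TLS configured but cannot complete it, and a certificate verification failure means the handshake itself works and the remaining problem is trust (CA bundle or hostname), which is the one case that must not be "fixed" by turning verification off.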
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:
@maegul did you solve this problem?
Nope. From poking around, it seemed to me that Jupyter LDAP support isn't the most solid or reliable thing, which isn't a criticism of the Jupyter developers, just an observation, supported by some developers themselves, that integrating LDAP is non-trivial and stretches their expertise and time a bit too much.
So instead I'm shifting to using the Jupyter NativeAuthenticator, where I've suggested some changes (see this issue I've raised) to enable it to serve as a more effective substitute for LDAP.
The NativeAuthenticator basically runs natively on the JupyterHub server itself, so it should have fewer issues going forward, it's definitely easier to modify yourself, and suits a nice small-medium cluster size and simple workflow well.
@maegul I got it, thanks.