
Z2JH LDAPStartTLSError on login attempts

Open maegul opened this issue 2 years ago • 4 comments

Hi and thanks for all your work on the jupyter ecosystem!

Please see equivalent post over in the discourse forum.

Bug description

  • Any attempted login results in a 500 and the following error in the logs on the hub pod: ldap3.core.exceptions.LDAPStartTLSError: ('wrap socket error: EOF occurred in violation of protocol (_ssl.c:1131)',).

Expected behaviour

  • Login works with the LDAP server without error.
  • Our current setup, using the Z2JH helm chart v0.9.X has not had these issues.

Actual behaviour

See above

How to reproduce

  1. Use the same openldap chart (see below) with the LDAPAuthenticator and try to log in

Your personal set up

  • Z2JH on AWS setup, using the latest version of jupyterhub
  • LDAP helm release running the osixia openldap image.
    • Specifically, the geek-cookbook/openldap chart (see its ArtifactHub page), which may be running too old a version of the osixia image (1.1.10)
  • Tooling is up to date
    • Use eksctl to initialise the EKS and cluster (eksctl version: 0.67.0)
    • kubectl version: 1.22.1
    • helm version: 3.7.0
  • Configuration

```yaml
# config.yaml
proxy:
  https:
    enabled: true
    hosts:
      - DOMAIN
    letsencrypt:
      contactEmail: EMAIL
hub:
  config:
    JupyterHub:
      authenticator_class: ldapauthenticator.LDAPAuthenticator
    LDAPAuthenticator:
      use_ssl: true  # true or false here doesn't appear to alter the behaviour
      server_address: ldap-proto-openldap.default.svc.cluster.local
      bind_dn_template:
        - 'mail={username},o=DELETED,ou=DELETED,dc=DELETED,dc=com'
        - 'mail={username},o=DELETED,ou=DELETED,dc=DELETED,dc=com'
      escape_userdn: true
      lookup_dn: false
      valid_username_regex: '^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'
  defaultUrl: "/lab"
```
  • Logs

Full Trace

Note that the same error occurs when set up with https

```
[E 2021-09-29 09:52:51.564 JupyterHub web:1789] Uncaught exception POST /hub/login?next=%2Fhub%2F (::ffff:192.168.34.48)
    HTTPServerRequest(protocol='http', host='aac510edbf3624e84a65b2a742db10b8-2112802575.ap-southeast-2.elb.amazonaws.com', method='POST', uri='/hub/login?next=%2Fhub%2F', version='HTTP/1.1', remote_ip='::ffff:192.168.34.48')
    Traceback (most recent call last):
      File "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1704, in _execute
        result = await result
      File "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/login.py", line 151, in post
        user = await self.login_user(data)
      File "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/base.py", line 754, in login_user
        authenticated = await self.authenticate(data)
      File "/usr/local/lib/python3.8/dist-packages/jupyterhub/auth.py", line 469, in get_authenticated_user
        authenticated = await maybe_future(self.authenticate(handler, data))
      File "/usr/local/lib/python3.8/dist-packages/ldapauthenticator/ldapauthenticator.py", line 382, in authenticate
        conn = self.get_connection(userdn, password)
      File "/usr/local/lib/python3.8/dist-packages/ldapauthenticator/ldapauthenticator.py", line 314, in get_connection
        conn = ldap3.Connection(
      File "/usr/local/lib/python3.8/dist-packages/ldap3/core/connection.py", line 363, in __init__
        self._do_auto_bind()
      File "/usr/local/lib/python3.8/dist-packages/ldap3/core/connection.py", line 391, in _do_auto_bind
        if self.start_tls(read_server_info=False):
      File "/usr/local/lib/python3.8/dist-packages/ldap3/core/connection.py", line 1314, in start_tls
        if self.server.tls.start_tls(self) and self.strategy.sync:  # for asynchronous connections _start_tls is run by the strategy
      File "/usr/local/lib/python3.8/dist-packages/ldap3/core/tls.py", line 280, in start_tls
        return self._start_tls(connection)
      File "/usr/local/lib/python3.8/dist-packages/ldap3/core/tls.py", line 289, in _start_tls
        raise start_tls_exception_factory(e)(connection.last_error)
    ldap3.core.exceptions.LDAPStartTLSError: ('wrap socket error: EOF occurred in violation of protocol (_ssl.c:1131)',)
```

maegul avatar Oct 05 '21 04:10 maegul
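The trace fails inside ldap3's `_start_tls` during auto-bind, i.e. after the TCP connection to the LDAP service is open and before any bind is attempted. The following is an added, stdlib-only diagnostic (not part of ldapauthenticator, ldap3 or the reporter's setup) that sends the StartTLS extended request by hand and reports whether the server refuses it, accepts it but drops the TLS handshake (the `SSLEOFError` behind "EOF occurred in violation of protocol"), or completes it with an untrusted certificate; the host name and the two sample responses are constructed assumptions.

```python
import socket
import ssl

# OID of the LDAP StartTLS extended operation (RFC 4511)
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"

def _tlv(tag, body):
    # Short-form BER length is enough here: every payload built in this file is < 128 bytes
    return bytes([tag, len(body)]) + body

def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName = StartTLS OID } }."""
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x77, _tlv(0x80, START_TLS_OID)))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one BER element; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data):
    """Decode an [APPLICATION 24] ExtendedResponse into (resultCode, diagnosticMessage)."""
    _, msg, _ = _read_tlv(data, 0)               # outer LDAPMessage SEQUENCE
    _, _, pos = _read_tlv(msg, 0)                # messageID
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    _, code, pos = _read_tlv(body, 0)            # resultCode ENUMERATED
    _, _, pos = _read_tlv(body, pos)             # matchedDN
    _, diag, _ = _read_tlv(body, pos)            # diagnosticMessage
    return code[0], diag.decode("utf-8", "replace")

def probe_starttls(host, port=389, timeout=5):
    """Send StartTLS, then run the same TLS handshake ldap3 performs in _start_tls and report the outcome."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))   # responses are tiny; one recv suffices
        if code != 0:
            return "server refused StartTLS: resultCode=%d diagnostic=%r" % (code, diag)
        try:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                return "StartTLS OK, negotiated %s" % tls.version()
        except ssl.SSLCertVerificationError as e:     # TLS works; the trust store is the problem
            return "StartTLS handshake completed but certificate not trusted: %s" % e
        except ssl.SSLError as e:                     # e.g. SSLEOFError: server closed the socket mid-handshake
            return "StartTLS accepted but handshake failed: %s" % e

# Constructed sample responses (not captured from the reporter's server) for offline checks
SAMPLE_OK = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x78, _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"") + _tlv(0x8A, START_TLS_OID)))
SAMPLE_REFUSED = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x78, _tlv(0x0A, b"\x01") + _tlv(0x04, b"") + _tlv(0x04, b"TLS not supported")))
```

Run `probe_starttls("ldap-proto-openldap.default.svc.cluster.local")` from a pod in the cluster; a result other than "StartTLS OK" points at the server's TLS configuration rather than at the hub.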

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively. You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:

welcome[bot] avatar Oct 05 '21 04:10 welcome[bot]

@maegul did you solve this problem?

ygean avatar Jan 19 '22 03:01 ygean

Nope. From poking around, it seemed to me that Jupyter LDAP support isn't the most solid or reliable thing, which isn't a criticism of Jupyter developers, just an observation supported by some developers themselves, that integrating LDAP is non-trivial and stretches their expertise and time a bit too much.

So instead I'm shifting to using the Jupyter NativeAuthenticator, where I've suggested some changes (see this issue I've raised) to enable it to serve as a more effective substitute for LDAP.

The NativeAuthenticator basically runs natively on the JupyterHub server itself, so it should have fewer issues going forward, it's definitely easier to modify yourself, and suits a nice small-medium cluster size and simple workflow well.

maegul avatar Jan 19 '22 04:01 maegul

@maegul I got it, thanks.

ygean avatar Jan 20 '22 07:01 ygean