jupyterhub / ldapauthenticator

LDAP Authenticator Plugin for Jupyter
BSD 3-Clause "New" or "Revised" License

LDAP query syntax to search more than one specific OU #111

Closed ponomarevsy closed 1 month ago

ponomarevsy commented 6 years ago

Dear Jupyterhub developers,

Is there a way to LDAP query more than one specific OU from inside the Jupyterhub config file?

Since some user accounts are under Users (~5000 people) and some are under Users-dir (~900 people) we need to find a way to fetch user information for both OUs. Is there a way to do it?

It works for either "OU=Users" or "OU=Users-dir" separately but I am not sure about both at the same time?

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'ldapserver'
c.LDAPAuthenticator.bind_dn_template = 'CN={username},OU=Users,...'

or

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'ldapserver'
c.LDAPAuthenticator.bind_dn_template = 'CN={username},OU=Users-dir,...'

Thank you so much in advance!

ponomarevsy commented 6 years ago

I just found this example (https://github.com/jupyterhub/ldapauthenticator):

c.LDAPAuthenticator.bind_dn_template = [
    "uid={username},ou=people,dc=wikimedia,dc=org",
    "uid={username},ou=developers,dc=wikimedia,dc=org",
]

But it produces:

traitlets.traitlets.TraitError: The 'bind_dn_template' trait of a LDAPAuthenticator instance must be a unicode string, but a value of ['uid={username},ou=people,dc=wikimedia,dc=org', 'uid={username},ou=developers,dc=wikimedia,dc=org'] <class 'list'> was specified.

I've also tried this:

c.LDAPAuthenticator.bind_dn_template = str([
    "uid={username},ou=people,dc=wikimedia,dc=org",
    "uid={username},ou=developers,dc=wikimedia,dc=org",
])

The unicode string error disappears but LDAP authentication fails (I've changed my binding string to your example case):

[W 2018-10-17 16:30:05.772 JupyterHub ldapauthenticator:154] Invalid password for user ['uid=username,ou=people,dc=wikimedia,dc=org', 'uid=username,ou=developers,dc=wikimedia,dc=org']

I am using Jupyterhub version 0.7.2. Any ideas/suggestions (I would prefer not to upgrade Jupyterhub - it was a pain to set it up...)? Thank you!

ponomarevsy commented 6 years ago

And "jupyterhub-ldapauthenticator" version is 1.1. Do you think updating "jupyterhub-ldapauthenticator" would help? Thanks!

minrk commented 5 years ago

I do! It's always a good idea to be sure you are up-to-date with both jupyterhub and the authenticator. It's also best to open issues with ldapauthenticator on the ldapauthenticator repo. I've migrated this one.

ponomarevsy commented 5 years ago

Thanks, Min. Sorry about the wrong repo...

ponomarevsy commented 5 years ago

I fixed the problem by:

1) Upgrading ldapauthenticator to the latest version
2) Using "CN={username}," instead of "uid={username},"

So, the correct LDAP entry looks like this (in my case):

c.LDAPAuthenticator.bind_dn_template = [
    "CN={username},ou=people,dc=wikimedia,dc=org",
    "CN={username},ou=developers,dc=wikimedia,dc=org",
]
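
Added example, not part of the thread and not ldapauthenticator's own code: a sketch of how a string or list of bind DN templates expands into the DNs to try in order, with the username escaped per RFC 4514, and why the `str([...])` attempt above produces a single malformed DN. The helper names (`escape_rdn_value`, `split_rdns`, `is_well_formed_dn`, `candidate_bind_dns`) are hypothetical, and the simple `attr=value` check assumes descriptor-style attribute names with no spaces after commas.

```python
import re

# Added example: helper names are hypothetical; templates are constructed from the thread.
TEMPLATES = [
    "CN={username},ou=people,dc=wikimedia,dc=org",
    "CN={username},ou=developers,dc=wikimedia,dc=org",
]
RDN = re.compile(r"[A-Za-z][A-Za-z0-9-]*=.+", re.S)

def escape_rdn_value(value):
    """Escape a string for use as an RDN value (RFC 4514, section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in '\\,+"<>;=' or (ch == "#" and i == 0) or edge_space:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return re.findall(r"(?:\\.|[^,\\])+", dn, re.S)

def is_well_formed_dn(dn):
    """True if every comma-separated component looks like attr=value."""
    parts = split_rdns(dn)
    return bool(parts) and all(RDN.fullmatch(p) for p in parts)

def candidate_bind_dns(templates, username):
    """Expand a str or list of templates into the DNs to try, in order."""
    if isinstance(templates, str):
        templates = [templates]
    safe = escape_rdn_value(username)
    dns = [t.format(username=safe) for t in templates]
    bad = [d for d in dns if not is_well_formed_dn(d)]
    if bad:
        raise ValueError(f"template does not yield a DN: {bad[0]!r}")
    return dns

if __name__ == "__main__":
    print(candidate_bind_dns(TEMPLATES, "alice"))
    print(candidate_bind_dns(TEMPLATES, "alice,ou=developers"))
    try:
        candidate_bind_dns(str(TEMPLATES), "alice")   # the str([...]) attempt
    except ValueError as err:
        print("rejected:", err)
```

Escaping keeps a username containing `,` or `=` inside the first RDN, so the number of DN components stays the same as in the template.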

ponomarevsy commented 5 years ago

Can I use both local PAM accounts and LDAP accounts? How do I combine the two in a config file? Thank you in advance.