jupyterhub / ldapauthenticator

LDAP Authenticator Plugin for Jupyter
BSD 3-Clause "New" or "Revised" License

Members of nested groups aren't allowed if only the parent group is listed under `allowed_groups` #177

Open Aethylred opened 4 years ago

Aethylred commented 4 years ago

Bug description

Using a directory service like FreeIPA that allows nested groups, if a nested group is added to c.LDAPAuthenticator.allowed_groups the indirect members (i.e. members of child groups) are not granted access to Jupyter services.

Expected behaviour

We expected indirect group members to be allowed access to jupyterhub services.

Actual behaviour

Access is denied.

How to reproduce

  1. Create two groups in the LDAP directory, A and B
  2. Add a user to group B
  3. Add group B as a member group of group A
  4. Set group A as an allowed group using `c.LDAPAuthenticator.allowed_groups` in jupyterhub_config.py
  5. Restart jupyterhub
  6. Attempt to log in as the user added to group B

Your personal set up

dhirschfeld commented 4 years ago

I think this is a dup of https://github.com/jupyterhub/ldapauthenticator/issues/148.

Aethylred commented 4 years ago

It does, looks like they're covering nested groups in Active Directory, but may not cover the case for FreeIPA/Red Hat Identity Manager/389 Directory Server.

Aethylred commented 4 years ago

It may also be part of #94

mk-raven commented 1 month ago

Hello! Any update on this issue? We have the same problem because we have a lot of users, and nested groups are a nice solution.
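
The behaviour reported in this issue, as an added example that is not part of the thread and not ldapauthenticator's code: a direct-membership check denies the user from the reproduction steps, while a bounded, cycle-safe walk through member groups allows them. The DNs, the in-memory `DIRECTORY` dict, and the function names and `max_depth` parameter are constructed for illustration.

```python
from collections import deque

# Constructed sample directory (not real data): group DN -> values of its
# "member" attribute. Keys are lower-cased. group-b also lists group-a,
# forming a cycle that a naive recursive walk would never leave.
GROUP_A = "cn=group-a,cn=groups,dc=example,dc=com"
GROUP_B = "cn=group-b,cn=groups,dc=example,dc=com"
ALICE = "uid=alice,cn=users,dc=example,dc=com"
DIRECTORY = {
    GROUP_A: [GROUP_B],
    GROUP_B: [ALICE, GROUP_A],
}


def _norm(dn):
    # Simplified DN comparison (assumption): trim and lower-case only.
    return dn.strip().lower()


def is_direct_member(user_dn, group_dn, directory):
    """True only if the user is listed in the group's own member values."""
    members = directory.get(_norm(group_dn), [])
    return _norm(user_dn) in {_norm(m) for m in members}


def is_nested_member(user_dn, group_dn, directory, max_depth=8):
    """Breadth-first walk through member groups, bounded and cycle-safe."""
    user = _norm(user_dn)
    start = _norm(group_dn)
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        group, depth = queue.popleft()
        for member in map(_norm, directory.get(group, [])):
            if member == user:
                return True
            # Descend only into entries that are groups and not yet visited.
            if member in directory and member not in seen and depth < max_depth:
                seen.add(member)
                queue.append((member, depth + 1))
    return False


def is_allowed(user_dn, allowed_groups, directory, nested=True):
    """Allow-list decision over one or more groups, direct or nested."""
    check = is_nested_member if nested else is_direct_member
    return any(check(user_dn, g, directory) for g in allowed_groups)
```

The depth bound and the `seen` set keep the authorization decision terminating and predictable even when the directory contains circular group membership.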