benhosmer
commented
8 years ago It appears not, but I'm working on a PR to implement this.
Closed benhosmer closed 8 years ago
benhosmer
commented
8 years ago It appears not, but I'm working on a PR to implement this.
yuvipanda
commented
8 years ago Hello!
I think the better way to do this would be to use nss_ldap + pam_ldap to make all users on ldap 'automagically' have local accounts on the machine. That's what we do at wikimedia. http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/pamnss.html is a decent guide. This has the following advantages over creating local accounts here:
Can you think of any advantages that putting account creation in ldapauthenticator would have, over using this setup?
Thanks!
benhosmer
commented
8 years ago @yuvipanda You definitely bring up some good points, however I see a few disadvantages as well:
I modeled this implementation for ldapauthenticator after the oauthenticator.
yuvipanda
commented
8 years ago Can you explain what you mean by possibility of conflict with sudospawner?
Securitywise, I'd be very tempted to just say 'no' in this context - nss_ldap and pam_ldap have seen far more audits and deployment scenarios than ldapauthenticator+jupyterhub ever will, so any security consciousness install should be using that setup. This is doubly important for things like user account removals, etc. I understand the desire to not add extra setup and fold it into this, but I think it'll be a bad addition for the default ldapauthenticator. It'll also require that the whole jupyterhub server run as root, which is a pretty big attack vector.
If you really want to not use pam_ldap + nss_ldap, I'd recommend creating a subclass of ldapauthenticator that does that as a separate project, but not as part of ldapauthenticator itself.
On Thu, Sep 1, 2016 at 11:23 AM, Ben Hosmer notifications@github.com wrote:
@yuvipanda https://github.com/yuvipanda You definitely bring up some good points, however I see a few disadvantages as well:
- The system that Jupyterhub is running on now needs additional packages and configuration this opens up another attack vector and adds complexity. For some enterprise environments, it isn't very simple to add additional packages.
- The possibility of conflicts with sudospawner
I modeled this implementation for ldapauthenticator after the oauthenticator https://github.com/jupyterhub/oauthenticator/tree/master/oauthenticator.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/jupyterhub/ldapauthenticator/issues/19#issuecomment-244167372, or mute the thread https://github.com/notifications/unsubscribe-auth/AAB23sautOvBBlnLzT9iaSI2_G6fWUmdks5qlxgegaJpZM4Jx4M_ .
Yuvi Panda T http://yuvi.in/blog
yuvipanda
commented
8 years ago I can also write up a doc on how to setup pam_ldap + nss_ldap along with jupyterhub, if that would make this problem easier.
On Thu, Sep 1, 2016 at 11:52 AM, Yuvi Panda yuvipanda@gmail.com wrote:
Can you explain what you mean by possibility of conflict with sudospawner?
Securitywise, I'd be very tempted to just say 'no' in this context - nss_ldap and pam_ldap have seen far more audits and deployment scenarios than ldapauthenticator+jupyterhub ever will, so any security consciousness install should be using that setup. This is doubly important for things like user account removals, etc. I understand the desire to not add extra setup and fold it into this, but I think it'll be a bad addition for the default ldapauthenticator. It'll also require that the whole jupyterhub server run as root, which is a pretty big attack vector.
If you really want to not use pam_ldap + nss_ldap, I'd recommend creating a subclass of ldapauthenticator that does that as a separate project, but not as part of ldapauthenticator itself.
On Thu, Sep 1, 2016 at 11:23 AM, Ben Hosmer notifications@github.com wrote:
@yuvipanda https://github.com/yuvipanda You definitely bring up some good points, however I see a few disadvantages as well:
- The system that Jupyterhub is running on now needs additional packages and configuration this opens up another attack vector and adds complexity. For some enterprise environments, it isn't very simple to add additional packages.
- The possibility of conflicts with sudospawner
I modeled this implementation for ldapauthenticator after the oauthenticator https://github.com/jupyterhub/oauthenticator/tree/master/oauthenticator .
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/jupyterhub/ldapauthenticator/issues/19#issuecomment-244167372, or mute the thread https://github.com/notifications/unsubscribe-auth/AAB23sautOvBBlnLzT9iaSI2_G6fWUmdks5qlxgegaJpZM4Jx4M_ .
Yuvi Panda T http://yuvi.in/blog
Yuvi Panda T http://yuvi.in/blog
benhosmer
commented
8 years ago It's not a matter of not knowing how to implement PAM, LDAP, and NSS, it's more of the added complexity.
Yeah, I certainly agree they're probably more secure than this smaller project will be.
ldapauthenticator could still be used even for a non-root user though if the user that is running hub has sudo privileges to useradd?
benhosmer
commented
8 years ago @yuvipanda before I go a create a separate module, I want to make sure this PR isn't going anywhere.
What about the oauthenticator? Even for the sake of uniformity across jupyterhub?
yuvipanda
commented
8 years ago I think it might make more sense in OAuthenticator, since there's no equivalent of nss_ldap for use there. I don't think we should have that functionality in the core ldapauthenticator module. I will work on a doc for using nss_ldap though. I'll also be happy to CR the separate module if you want me to.
To recap,
Thank you for talking it through, and I hope I have been able to communicate my reasons clearly. Looking forward to helping out the new module in any way I can :)
On Thu, Sep 1, 2016 at 12:58 PM, Ben Hosmer notifications@github.com wrote:
@yuvipanda https://github.com/yuvipanda before I go a create a separate module, I want to make sure this PR isn't going anywhere.
What about the oauthenticator? Even for the sake of uniformity across jupyterhub?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/jupyterhub/ldapauthenticator/issues/19#issuecomment-244193922, or mute the thread https://github.com/notifications/unsubscribe-auth/AAB23pme2mzFRgipd6Mh9qclBQf_P6rqks5qly5agaJpZM4Jx4M_ .
Yuvi Panda T http://yuvi.in/blog
benhosmer
commented
8 years ago Your reasoning is sound. Thanks for the engagement on this. I'll likely create a small module that extends the ldapauthenticator initially.
yuvipanda
commented
8 years ago yw! I wonder if you can just do this in your jupyterhub_config file itself. The Oauthenticator ones just seem to be including a mixin and nothing else...
On Thu, Sep 1, 2016 at 5:14 PM, Ben Hosmer notifications@github.com wrote:
Your reasoning is sound. Thanks for the engagement on this. I'll likely create a small module that extends the ldapauthenticator initially.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/jupyterhub/ldapauthenticator/issues/19#issuecomment-244249630, or mute the thread https://github.com/notifications/unsubscribe-auth/AAB23qfNUf5ad0r81yn-g-GtR5dxFTbeks5ql2pZgaJpZM4Jx4M_ .
Yuvi Panda T http://yuvi.in/blog
benhosmer
commented
8 years ago I'm curious, what would this look like in the config file?
tredence123
commented
8 years ago @benhosmer, @yuvipanda please share the config file
benhosmer
commented
8 years ago I never got it to work in the config file. I imagine you could just do something similar to this:
from jupyterhub.auth import Authenticator, LocalAuthenticator
from ldapauthenticator import LDAPAuthenticator
class LocalLDAPCreateUsers(LocalAuthenticator, LDAPAuthenticator):
"""Create local user accounts based on LDAP authentication"""
passc.JupyterHub.authenticator_class = 'ldapcreateusers.LocalLDAPCreateUsers'
c.LocalLDAPCreateUsers.server_address = 'some.ldap.server'
c.LocalLDAPCreateUsers.server_port = 389
c.LocalLDAPCreateUsers.use_ssl = False
c.LocalLDAPCreateUsers.bind_dn_template = 'uid={username},dc=yourdomain,dc=com'
c.LocalLDAPCreateUsers.create_system_users = TrueOr just $ pip install jupyterhub-ldapcreateusers: https://github.com/benhosmer/jupyterhub-ldapcreateusers
willingc
commented
7 years ago @venkatchetkuri You may wish to look at https://github.com/bloomberg/jupyterhub-kdcauthenticator to see if it would fulfill your requirements.
venkatchetkuri
commented
7 years ago @willingc Here is my use case: Run spark jobs in JupyterHub notebooks against a Kerborised (YARN/Spark) cluster. I don't want LDAP users to have Kerberos principals. I am allowed to create service principals.
What i did so far on a single machine is :
Installed Jupyterhub - Success. https://github.com/jupyterhub/jupyterhub
Installed LIvy - Success. https://github.com/cloudera/livy
Added this node as a gateway node to the Cloudera cluster - Success.
configured LDAP authenticator -Success. https://github.com/jupyterhub/ldapauthenticator
Sparkmagic - cannot start the pyspark and spark kernals for LDAP users. https://github.com/jupyter-incubator/sparkmagic
Kerberos Authentication - installed requests-kerberos package and KDC authenticator. https://github.com/bloomberg/jupyterhub-kdcauthenticator
Error message when I'm trying to run :
[C 2017-06-27 21:10:31.135 JupyterHub application:90] Bad config encountered during initialization: [C 2017-06-27 21:10:31.135 JupyterHub application:91] The 'authenticator_class' trait of <jupyterhub.app.JupyterHub object at 0x7f03e8070c88> instance must be a type, but 'kdcauthenticator.kdcauthenticator.KDCAuthenticator' could not be imported
Being a newbie to Jupyter/Spark and Kerberos, I'm not able figure out what I'm missing.
Here I am attaching the overall architecture and the configuration files of livy and jupyterhub.
jupyterhub_config.txt livy_conf.txt
olegbliaher
commented
6 years ago I can also write up a doc on how to setup pam_ldap + nss_ldap along with jupyterhub, if that would make this problem easier.
Hi, I hope this isn't an off-topic, but I would really appreciate such a guide, or a push in the right direction, and this issue seems to be exactly about the problem I am experiencing. I've managed to get nslcd to work, and I am even able to log in to JupyterHub via PAM+LDAP, but as soon as I'm in, I get the following error:
[I 2018-10-16 14:29:39.676 JupyterHub spawner:1100] Spawning jupyterhub-singleuser --port=53828
[E 2018-10-16 14:29:39.791 JupyterHub user:477] Unhandled error starting olbl's server: Exception occurred in preexec_fn.
[E 2018-10-16 14:29:39.874 JupyterHub web:1670] Uncaught exception GET /hub/user/olbl/ (10.84.55.155)
HTTPServerRequest(protocol='https', host='jupyter.internal.bluetest.se', method='GET', uri='/hub/user/olbl/', version='HTTP/1.1', remote_ip='10.xxx.xxx.xxx')I had the same issue even when I had used the LDAP-plugin for JupyterHub, but since the user in question is in the right group, that has access to the Anaconda folder, I am assuming this has to do with PAM-configuration? There I am truly lost, so any suggestions would be welcome. Almost all users simply get an error that their home folder does not exist...
Thanks in advance!
epignatelli
commented
5 years ago Can you explain what you mean by possibility of conflict with sudospawner?
Securitywise, I'd be very tempted to just say 'no' in this context - nss_ldap and pam_ldap have seen far more audits and deployment scenarios than ldapauthenticator+jupyterhub ever will, so any security consciousness install should be using that setup. This is doubly important for things like user account removals, etc. I understand the desire to not add extra setup and fold it into this, but I think it'll be a bad addition for the default ldapauthenticator. It'll also require that the whole jupyterhub server run as root, which is a pretty big attack vector.
If you really want to not use pam_ldap + nss_ldap, I'd recommend creating a subclass of ldapauthenticator that does that as a separate project, but not as part of ldapauthenticator itself.
On Thu, Sep 1, 2016 at 11:23 AM, Ben Hosmer notifications@github.com wrote:
@yuvipanda https://github.com/yuvipanda You definitely bring up some good points, however I see a few disadvantages as well:
- The system that Jupyterhub is running on now needs additional packages and configuration this opens up another attack vector and adds complexity. For some enterprise environments, it isn't very simple to add additional packages.
- The possibility of conflicts with sudospawner
I modeled this implementation for ldapauthenticator after the oauthenticator https://github.com/jupyterhub/oauthenticator/tree/master/oauthenticator. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub #19 (comment), or mute the thread https://github.com/notifications/unsubscribe-auth/AAB23sautOvBBlnLzT9iaSI2_G6fWUmdks5qlxgegaJpZM4Jx4M_ .
Yuvi Panda T http://yuvi.in/blog
@yuvipanda does this apply to windows platform as well?
blodone
commented
1 year ago There is an alternative ldap authenticator with user home creation support, but a little bit outdated: https://github.com/hansohn/jupyterhub-ldap-authenticator
Using the LDAP authenticator, I'm able to authenticate users.
For example, the user exists in the LDAP server and also has a linux user account on the hub server. Login and authentication works fine.
If a user exists in the LDAP server though but does not have a corresponding linux system account on the hub, I get the following error:
Can the LDAP authenticator be used with the PAM/LocalAuthenticator capabalities and create this user if they don't exist?