Open sebastian-luna-valero opened 3 years ago
This issue has been mentioned on Jupyter Community Forum. There might be relevant details there:
https://discourse.jupyter.org/t/ldap3-core-exceptions-ldapstarttlserror/7935/3
@sebastian-luna-valero could you also report the installed versions of the ldap3 module for each JupyterHub version?
@1kastner sorry, could you please provide steps to get that info?
@sebastian-luna-valero You need to launch the very same Python the JupyterHub is running with. Then you can simply import the library and check its version number. Just the first google hit: https://stackoverflow.com/questions/20180543/how-to-check-version-of-python-modules
Thanks. I am deploying JupyterHub on kubernetes, how can I check it in that case?
Please check that yourself, I have no access to a kubernetes setup.
Hi,
I think these are the answers:
For future reference, here are the commands to check:
# log into the hub pod
kubectl exec -it pod/hub-69fdcf79b7-xr946 /bin/bash
# check ldap3 version
cat /usr/local/lib/python3.8/dist-packages/ldap3/version.py
I hope that helps.
Best regards, Sebastian
Maybe you can have a look at https://github.com/jupyterhub/ldapauthenticator/issues/186 which looks very similar. Check whether your ldap server uses SSL or START_TLS. Maybe you can just play with use_ssl: true
?
Hi,
Our LDAP server uses START_TLS and when I add use_ssl:true
with JupyterHub-0.11.1
, ldapauthenticator-1.3.2
, ldap3-2.8.1
:
hub:
config:
JupyterHub:
authenticator_class: ldapauthenticator.LDAPAuthenticator
LDAPAuthenticator:
bind_dn_template:
- uid={username},ou=People,dc=example,dc=org
server_address: ldap.example.org #or ldaps://ldap.example.org
use_ssl: true
I get:
ldap3.core.exceptions.LDAPSocketOpenError: socket connection error while opening: [Errno 111] Connection refused
On the other hand, adding use_ssl: true
to the JupyterHub 0.10.6 configuration seems to have no effect so it returns:
ldap3.core.exceptions.LDAPStartTLSError: ('wrap socket error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1123)',)
Best regards, Sebastian
Sorry then I can't help you. Maybe you can have a look at https://github.com/cannatag/ldap3/issues/855 and the applied changes as described in https://github.com/jupyterhub/ldapauthenticator/issues/186#issuecomment-739680599. It seems like the ldapauthanticator library needs some changes so that it uses the ldap3 library correctly.
Hi,
I tried applying the patch and I got the same exception.
Best regards, Sebastian
Hi,
I have reported this issue and got feedback here https://github.com/cannatag/ldap3/issues/925#issuecomment-790005828
Could I ask where is the relevant JupyterHub config to negotiate secure connection with the LDAP server?
I couldn't find an answer in https://zero-to-jupyterhub.readthedocs.io or https://github.com/jupyterhub/ldapauthenticator/blob/master/README.md
Best regards, Sebastian
Check https://github.com/jupyterhub/ldapauthenticator/blob/31d70f8420b3c0ffd96d61164e0921bfe2ae431a/ldapauthenticator/ldapauthenticator.py#L307-L317 and in case also the remaining file. The code is not that complex.
Hi,
Following steps here:
https://ldap3.readthedocs.io/en/latest/tutorial_intro.html#establishing-a-secure-connection
The following commands work on both:
import ldap3
server = ldap3.Server('<server>', port=389, use_ssl=True)
conn = ldap3.Connection(server, user='<user>', password='<password>')
print(conn)
command returns:
ldaps://<server>389 - ssl - user: <user> - not lazy - unbound - closed - <no socket> - tls not started - not listening - SyncStrategy - internal decoder
Does this help troubleshoot our issue?
Best regards, Sebastian
I am not sure who to include into this discussion who has deeper insights into the specifica of ldap3 and their underlying libraries. This ldapauthenticator library is only scratching at the surface. Only little configuration is offered to the users.
I have heard of people who took another path: They used the default authenticator of JupyterHub and they configured the Linux login procedure in a way that it used LDAP for authentication. You could google ldap pam authentication linux
and then check which of the solutions might be applicable in your case. That would be an option of how to bypass this problem.
This issue has been mentioned on Jupyter Community Forum. There might be relevant details there:
https://discourse.jupyter.org/t/ldap3-core-exceptions-ldapstarttlserror/7935/5
I got the same issue solved by this https://stackoverflow.com/questions/61568215/openssl-v1-1-1-ubuntu-20-tlsv1-no-protocols-available
yaml file like this:
hub:
extraEnv:
OPENSSL_CONF: '/data/tls1.cnf'
extraVolumes:
- name: openssl-1
hostPath:
path: /data/tls1.cnf
extraVolumeMounts:
- name: openssl-1
mountPath: /data/tls1.cnf
put the "tls1.cnf" into k8s node
in my case sloved, hope helpful.
Bug description
LDAP authentication works just fine with JupyterHub version 0.9.x and this configuration:
However, I found that versions 0.10+ of JupyterHub produce the following error in the hub’s pod:
with the equivalent LDAP configuration
Expected behaviour
Our LDAP server hasn't changed so we would expect
ldapauthenticator
version 1.3.2 to work like version 1.3.0.Actual behaviour
LDAP authentication with
ldapauthenticator
version 1.3.2 shouldn't produce the exception above.How to reproduce
values.yaml
with LDAP authenticationkubectl logs pod/hub-69fdcf79b7-xr946 | grep -i ldap
Your personal set up
OS: Kubernetes cluster deployed with Magnum on OpenStack Train OS: fedora-coreos-32.20200629.3.0
Version(s): JupyterHub 0.9 installs
ldapauthenticator
version 1.3.0 JupyterHub 0.10 installsldapauthenticator
version 1.3.2 JupyterHub 0.11 installsldapauthenticator
version 1.3.2I am always using
zero-to-jupyterhub
deployment.