jupyterhub / ldapauthenticator

LDAP Authenticator Plugin for Jupyter
BSD 3-Clause "New" or "Revised" License

Recommended Active Directory config is not correct: invalidCredentials #199

Closed MakarovDi closed 2 months ago

MakarovDi commented 3 years ago

The recommended configuration for Active Directory integration:

c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.LDAPAuthenticator.lookup_dn_search_user = 'ldap_search_user_technical_account'
c.LDAPAuthenticator.lookup_dn_search_password = 'secret'
c.LDAPAuthenticator.user_search_base = 'ou=people,dc=wikimedia,dc=org'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'cn'
c.LDAPAuthenticator.escape_userdn = False
c.LDAPAuthenticator.bind_dn_template = '{username}'

This config will result in

LDAPBindError: automatic bind not successful - invalidCredentials

The problem is the last row of the config:

c.LDAPAuthenticator.bind_dn_template = '{username}'

Because of this row the resolved dn will never be used (link to the code):

...
        if self.lookup_dn:
            username, resolved_dn = self.resolve_username(username)
            if not username:
                return None
            if str(self.lookup_dn_user_dn_attribute).upper() == "CN":
                # Only escape commas if the lookup attribute is CN
                username = re.subn(r"([^\\]),", r"\1\,", username)[0]
            if not bind_dn_template:                     # <------- bind_dn_template =  '{username}'
                bind_dn_template = [resolved_dn]         # <------- resolved_dn will never be used!

        is_bound = False
        for dn in bind_dn_template:
            if not dn:
...

So the working configuration is:

c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.LDAPAuthenticator.lookup_dn_search_user = 'ldap_search_user_technical_account'
c.LDAPAuthenticator.lookup_dn_search_password = 'secret'
c.LDAPAuthenticator.user_search_base = 'ou=people,dc=wikimedia,dc=org'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'cn'
c.LDAPAuthenticator.escape_userdn = False

Related issues

Issues #101, #144, #125 are probably related.
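As an added illustration (not code from ldapauthenticator itself), the following Python models the DN-selection step quoted above with a standalone `select_bind_dns` function, and adds a small, hypothetical `check_lookup_dn_config` helper that flags the misconfiguration before any bind is attempted. The sample username and DN are constructed; the "contains `=`" test for what counts as a DN is a heuristic assumed here, not something the project does.

```python
import re

# Added example, not ldapauthenticator's own code: it mirrors the
# bind_dn_template / resolved_dn decision quoted in the issue so the
# failure mode can be reproduced offline without an LDAP server.

def select_bind_dns(username, resolved_dn, bind_dn_template, lookup_dn=True,
                    lookup_dn_user_dn_attribute="cn"):
    """Return the list of DNs the bind loop would try.

    username:          the login name as typed by the user
    resolved_dn:       DN found by the lookup search (assumed already done)
    bind_dn_template:  a str, a list of str, or empty/None
    """
    # The authenticator treats a single string template as a one-element list.
    if isinstance(bind_dn_template, str):
        bind_dn_template = [bind_dn_template]
    bind_dn_template = list(bind_dn_template or [])

    if lookup_dn:
        if str(lookup_dn_user_dn_attribute).upper() == "CN":
            # Only escape commas if the lookup attribute is CN (as in the quoted code).
            username = re.subn(r"([^\\]),", r"\1\,", username)[0]
        if not bind_dn_template:
            # Only an EMPTY template falls back to the resolved DN; a template of
            # '{username}' is truthy, so resolved_dn is silently ignored.
            bind_dn_template = [resolved_dn]

    return [dn.format(username=username) for dn in bind_dn_template if dn]


def check_lookup_dn_config(config):
    """Hypothetical lint: warn when lookup_dn=True but bind_dn_template is set
    to something that is not a DN, so the looked-up DN would be ignored.

    Returns a list of warning strings; an empty list means no problem found.
    """
    warnings = []
    template = config.get("bind_dn_template")
    if config.get("lookup_dn") and template:
        templates = [template] if isinstance(template, str) else list(template)
        for tpl in templates:
            # Heuristic assumed here: a real DN always contains at least one '='.
            if "=" not in tpl:
                warnings.append(
                    f"bind_dn_template {tpl!r} is not a DN; with lookup_dn=True the "
                    "resolved DN is ignored and the bind fails with invalidCredentials"
                )
    return warnings


if __name__ == "__main__":
    # Constructed sample values for a local run.
    resolved = "cn=John Doe,ou=people,dc=example,dc=org"
    print(select_bind_dns("jdoe", resolved, "{username}"))   # ['jdoe']  -> not a DN
    print(select_bind_dns("jdoe", resolved, []))             # [resolved DN]
    print(check_lookup_dn_config({"lookup_dn": True,
                                  "bind_dn_template": "{username}"}))
```

Running it shows why the README config fails: with `bind_dn_template = '{username}'` the bind loop receives the bare login name `jdoe` rather than the DN that the lookup search already resolved, so the server rejects the bind. Dropping the template makes the fallback branch fire and the resolved DN is used.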

welcome[bot] commented 3 years ago

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively. You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:

cprivitere commented 3 years ago

Can confirm, following the above advice fixed our issues with being told the users were not in any of the allowed groups no matter what groups we put in there. So the config as presented on the readme seems to enable auth to work, but not group lookups. The config suggested above enables both.

mluds commented 2 years ago

Removing c.LDAPAuthenticator.bind_dn_template = '{username}' also fixed AD authentication for me.

felipempda commented 10 months ago

It worked for me as well. Also use_lookup_dn_username = false was important to make Unix usernames consistent with login (instead of LDAP's CN) as pointed out on documentation.

consideRatio commented 2 months ago

@MakarovDi amazing writeup, and I'm super thankful that you have also linked possibly related issues - THANK YOU!!