search

jupyterhub / ldapauthenticator

LDAP Authenticator Plugin for Jupyter
BSD 3-Clause "New" or "Revised" License
206 stars 178 forks source link

LDAPAuthenticator.use_ssl configuration issue #204

Closed alexdongli0829 closed 2 months ago

alexdongli0829 commented 2 years ago

Bug description

I tried to use ldapauthenticator to connect to openldap server, as my server has no ssl and I want to connect it to 389, so I set it this parameter to False according to README(https://github.com/jupyterhub/ldapauthenticator)

However, I keep facing the SSL issue from ldap3:

HTTPServerRequest(protocol='https', host='dongaws.test.com:9443', method='POST', uri='/hub/login?next=%2Fhub%2F', version='HTTP/1.1', remote_ip='::ffff:10.0.0.xxx')
    Traceback (most recent call last):
      File "/opt/conda/lib/python3.9/site-packages/tornado/web.py", line 1704, in _execute
        result = await result
      File "/opt/conda/lib/python3.9/site-packages/jupyterhub/handlers/login.py", line 151, in post
        user = await self.login_user(data)
      File "/opt/conda/lib/python3.9/site-packages/jupyterhub/handlers/base.py", line 754, in login_user
        authenticated = await self.authenticate(data)
      File "/opt/conda/lib/python3.9/site-packages/jupyterhub/auth.py", line 469, in get_authenticated_user
        authenticated = await maybe_future(self.authenticate(handler, data))
      File "/opt/conda/lib/python3.9/site-packages/ldapauthenticator/ldapauthenticator.py", line 382, in authenticate
        conn = self.get_connection(userdn, password)
      File "/opt/conda/lib/python3.9/site-packages/ldapauthenticator/ldapauthenticator.py", line 314, in get_connection
        conn = ldap3.Connection(
      File "/opt/conda/lib/python3.9/site-packages/ldap3/core/connection.py", line 363, in __init__
        self._do_auto_bind()
      File "/opt/conda/lib/python3.9/site-packages/ldap3/core/connection.py", line 391, in _do_auto_bind
        if self.start_tls(read_server_info=False):
      File "/opt/conda/lib/python3.9/site-packages/ldap3/core/connection.py", line 1314, in start_tls
        if self.server.tls.start_tls(self) and self.strategy.sync:  # for asynchronous connections _start_tls is run by the strategy
      File "/opt/conda/lib/python3.9/site-packages/ldap3/core/tls.py", line 280, in start_tls
        return self._start_tls(connection)
      File "/opt/conda/lib/python3.9/site-packages/ldap3/core/tls.py", line 289, in _start_tls
        raise start_tls_exception_factory(e)(connection.last_error)
    ldap3.core.exceptions.LDAPStartTLSError: ('wrap socket error: EOF occurred in violation of protocol (_ssl.c:1129)',)

Expected behaviour

If I set the use_ssl to False, it will not use SSL, otherwise, it will use SSL

Actual behaviour

According to the source code:

        auto_bind = (
            ldap3.AUTO_BIND_NO_TLS if self.use_ssl else ldap3.AUTO_BIND_TLS_BEFORE_BIND
        )

It looks like if I set False, it will use AUTO_BIND_TLS_BEFORE_BIND but if I set True, it will be AUTO_BIND_NO_TLS with no TLS? Whats the logic here? I think its wrong, I believe it should be:

        auto_bind = (
            ldap3.AUTO_BIND_TLS_BEFORE_BIND if self.use_ssl else ldap3.AUTO_BIND_NO_TLS
        )

Do I make any mistake or misunderstanding about the document and code? If yes, could we make the document more clearly?

How to reproduce

  1. Setup a openldap top without ssl and listen on port 389
  2. ON jupyterhub, configure the jutpyerhub to use LDAPAuthenticator:
c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.use_ssl = False
c.LDAPAuthenticator.server_address = 'host' 
c.LDAPAuthenticator.bind_dn_template = 'cn={username},ou=people,dc=example,dc=org'
  1. When try to login, we will see this error mentioned in the beginning.

its on all the OS with ldapauthenticator 1.3.2

welcome[bot] commented 2 years ago

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively. welcome You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:

necrophcodr commented 1 year ago

@alexdongli0829 The expected behavior you mention is incorrect. According to the README (as of writing, at least), the expected behavior is to use StartTLS with set to False, and normal SSL when set to True. However, I do find it slightly problematic, that disabling TLS entirely is not possible. That is not the subject matter here though.