This pull request adds the boolean option use_search_user_to_check_groups which allows to switch the ldap user that is used to verify the membership of the user being authenticated with the allowed_groups. Its default value is False so that the behavior of the ldap authenticator is not changed.
Thus, if use_search_user_to_check_groups is:
False: the user being authenticated is used to check if she/he is member of one of the allowed_groups (current behavior)
True: the configured search user is used to check if the user being authenticated is member of one of the allowed_groups
This PR adresses #183.
Addressed Behavior
The plugin uses a so called search user to lookup the dn of the user to be authenticated. By doing so one connection is established to the ldap server. The authentication is done using an ldap bind which creates another connection to the server. Thus two connections to the ldap server are established with two different users: the search user and the user being authenticated.
Current Behavior
All subsequent ldap searches are performed with the connection of the authenticated user and not with the connection of the configured search user. Thus, the ldap query to check the allowed_groups is performed with the authenticated user instead of the search user.
Behavior with this PR
As the default value of the option use_search_user_to_check_groups is False the current behavior is not changed. If set to True the connection of the search user is used to check the allowed_groups for the user being authenticated.
Background
Our organization follows a consequent security approach where ldap groups are used for authorization by member check. But there is no need that the groups are itself accessible by the members. The users just don't have the permission to look up the ldap groups. In such a setting only the configured ldap search user has such permissions.
Outline of Changes
add option use_search_user_to_check_groups
add parameter connection to method signature of resolve_username
moved the implementation to establish the connection with the search user from the method resolve_username into method authenticate to have the connection object with the search user available in method authenticate
add some comments in authenticate to outline whats going on
use either the object connectIon_user or connection_search to separate the connections of both users
Unfortunately I am not an ldap admin and couldn't provide an ldap server setup with such permissions set on an ldap test server. Instead to test the introduced ldap authenticator option I opted to mock the ldap connection objects and check if they are called appropriately.
I can confirm that it works with juypterhub 2.1.1.
Summary
This pull request adds the boolean option
use_search_user_to_check_groupswhich allows to switch the ldap user that is used to verify the membership of the user being authenticated with theallowed_groups. Its default value isFalseso that the behavior of the ldap authenticator is not changed.Thus, if
use_search_user_to_check_groupsis:False: the user being authenticated is used to check if she/he is member of one of theallowed_groups(current behavior)True: the configured search user is used to check if the user being authenticated is member of one of theallowed_groupsThis PR adresses #183.
Addressed Behavior
The plugin uses a so called search user to lookup the dn of the user to be authenticated. By doing so one connection is established to the ldap server. The authentication is done using an ldap bind which creates another connection to the server. Thus two connections to the ldap server are established with two different users: the search user and the user being authenticated.
Current Behavior
All subsequent ldap searches are performed with the connection of the authenticated user and not with the connection of the configured search user. Thus, the ldap query to check the
allowed_groupsis performed with the authenticated user instead of the search user.Behavior with this PR
As the default value of the option
use_search_user_to_check_groupsisFalsethe current behavior is not changed. If set toTruethe connection of the search user is used to check theallowed_groupsfor the user being authenticated.Background
Our organization follows a consequent security approach where ldap groups are used for authorization by member check. But there is no need that the groups are itself accessible by the members. The users just don't have the permission to look up the ldap groups. In such a setting only the configured ldap search user has such permissions.
Outline of Changes
use_search_user_to_check_groupsconnectionto method signature ofresolve_usernameresolve_usernameinto methodauthenticateto have the connection object with the search user available in methodauthenticateauthenticateto outline whats going onconnectIon_userorconnection_searchto separate the connections of both usersUnfortunately I am not an ldap admin and couldn't provide an ldap server setup with such permissions set on an ldap test server. Instead to test the introduced ldap authenticator option I opted to mock the ldap connection objects and check if they are called appropriately.
I can confirm that it works with juypterhub 2.1.1.