jupyterhub / ldapauthenticator

LDAP Authenticator Plugin for Jupyter
BSD 3-Clause "New" or "Revised" License

use_ssl set to False, cannot connect to ldap server with plaintext #231

Open fansongfs opened 4 months ago

fansongfs commented 4 months ago

Bug description

With the configuration:

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.lookup_dn = False
c.LDAPAuthenticator.use_ssl = False
c.LDAPAuthenticator.server_address = 'localhost'

I expect jupyterhub to authenticate users with the ldap server through plaintext communication, but it gets ldap3.core.exceptions.LDAPStartTLSError: startTLS failed - protocolError.

How to reproduce

  1. Set up sldap and jupyterhub on the same server
  2. Configure jupyterhub to use LDAPAuthenticator with use_ssl = False

Expected behaviour

Authentication works

Actual behaviour

get exception ldap3.core.exceptions.LDAPStartTLSError: startTLS failed - protocolError.

Your personal set up

I checked the source code; it seems the following lines of code (lines 307~309) are causing the issue:

    auto_bind = (
        ldap3.AUTO_BIND_NO_TLS if self.use_ssl else ldap3.AUTO_BIND_TLS_BEFORE_BIND
    )

When I use ldap3.AUTO_BIND_NO_TLS if use_ssl is false, the binding works.

Does LDAPAuthenticator support plaintext communication?

wsuzume commented 1 month ago

I encountered the same problem and was able to resolve it using the same method. Thank you very much @fansongfs !

I'm using docker and the details are as follows.

Host: RHEL8
Docker: 26.1.3
Image: jupyterhub/jupyterhub:4.1.5
Python: 3.10.12

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'our-ldap-server.com'
c.LDAPAuthenticator.server_port = 389
c.LDAPAuthenticator.bind_dn_template = ['uid={username},ou=people,o=our-company,c=jp']
c.LDAPAuthenticator.lookup_dn = False
c.LDAPAuthenticator.use_ssl = False

The patch I applied is as follows.

307         auto_bind = (
308             ldap3.AUTO_BIND_NO_TLS if self.use_ssl is False else ldap3.AUTO_BIND_TLS_BEFORE_BIND
309         )

wsuzume commented 1 month ago

When I tried to create a pull request with this patch, it resulted in errors during tests from Python 3.7 to 3.11.

Applying the changes proposed in pull request #216 and specifying use_tls=False might be a more fundamental solution.

wsuzume commented 1 month ago

Applying #216, that is, cloning and installing from https://github.com/loic-vial/ldapauthenticator and specifying use_tls=False instead of use_ssl=False resolved this issue.

Therefore, I believe this issue will be resolved in the next scheduled release.
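
The two `auto_bind` expressions quoted in this thread, worked through for both values of `use_ssl` and for the two server addresses that appear above. This is an added example, not code from ldapauthenticator or from any commenter; the constants are local stand-ins for the ldap3 names, and `transport`, `audit` and the `LOOPBACK` set are assumptions made for illustration.

```python
# Local stand-ins for ldap3.AUTO_BIND_NO_TLS and ldap3.AUTO_BIND_TLS_BEFORE_BIND,
# so the sketch runs without ldap3 installed.
AUTO_BIND_NO_TLS = "NO_TLS"
AUTO_BIND_TLS_BEFORE_BIND = "TLS_BEFORE_BIND"
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumption: what counts as on-host

def original_auto_bind(use_ssl):
    """Expression quoted in the issue as lines 307~309."""
    return AUTO_BIND_NO_TLS if use_ssl else AUTO_BIND_TLS_BEFORE_BIND

def patched_auto_bind(use_ssl):
    """Expression from the local patch posted in the thread."""
    return AUTO_BIND_NO_TLS if use_ssl is False else AUTO_BIND_TLS_BEFORE_BIND

def transport(use_ssl, auto_bind):
    """Classify how the bind password travels for one (use_ssl, auto_bind) pair."""
    if use_ssl and auto_bind == AUTO_BIND_TLS_BEFORE_BIND:
        return "starttls-on-ldaps"  # StartTLS asked for on a socket that is already TLS
    if use_ssl:
        return "ldaps"
    if auto_bind == AUTO_BIND_TLS_BEFORE_BIND:
        return "starttls"
    return "plaintext"

def audit(selector, server_address):
    """Return {use_ssl: (transport, finding)} for both settings of use_ssl."""
    report = {}
    for use_ssl in (True, False):
        mode = transport(use_ssl, selector(use_ssl))
        if mode == "plaintext" and server_address in LOOPBACK:
            finding = "cleartext bind, loopback only"
        elif mode == "plaintext":
            finding = "cleartext bind over the network"
        elif mode == "starttls-on-ldaps":
            finding = "StartTLS requested on an LDAPS socket"
        else:
            finding = "encrypted"
        report[use_ssl] = (mode, finding)
    return report

if __name__ == "__main__":
    for name, selector in (("original", original_auto_bind), ("patched", patched_auto_bind)):
        for host in ("localhost", "our-ldap-server.com"):
            print(name, host, audit(selector, host))
```

The patched expression changes both branches: `use_ssl = False` becomes a cleartext bind, and `use_ssl = True` now requests StartTLS as well. For the `our-ldap-server.com` configuration on port 389, the result is a cleartext bind over the network.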