Closed consideRatio closed 2 months ago
@loic-vial what do you think about this PR? I hope to resolve your issue with an alternative approach, deprecating `use_ssl` and introducing a config with multiple choices - among them being "insecure", instead of having both `use_ssl` and `use_tls` which felt a bit hard to understand.
Hi @consideRatio ! This seems perfect, nice and clean :smile: I did not test it but I'm pretty sure the "before_bind" option will fit our case :) I will confirm when I have some time but in the meantime I think it's safe to close my PR in favor of this one which is cleaner
Thank you for the feedback @loic-vial and working towards this in the first place!!
Did a self-review and fixed some docs formatting and added a docstring for `get_connection` -- going for a self-merge here to keep up the maintenance momentum
Thank you @consideRatio for incorporating these changes!
Hi,
Below is my Jupyterhub config. I have configured it in an AWS EC2 machine using TLJH. I have used the `tls_strategy = "insecure"`.
I am using AWS AD (without TLS). Getting the below error when I tried to log in as an AD user:
```
python3[3071]: HTTPServerRequest(protocol='https', host='note.example.org.io', method='POST', uri='/hub/login?next=%2Fhub%2F', version='HTTP/1.1', remote_ip='223.185.24.125')
python3[3071]: Traceback (most recent call last):
python3[3071]:   File "/opt/tljh/hub/lib/python3.12/site-packages/tornado/web.py", line 1790, in _execute
python3[3071]:     result = await result
python3[3071]:   File "/opt/tljh/hub/lib/python3.12/site-packages/jupyterhub/handlers/login.py", line 163, in post
python3[3071]:     user = await self.login_user(data)
python3[3071]:   File "/opt/tljh/hub/lib/python3.12/site-packages/jupyterhub/handlers/base.py", line 928, in login_user
python3[3071]:     authenticated = await self.authenticate(data)
python3[3071]:   File "/opt/tljh/hub/lib/python3.12/site-packages/jupyterhub/auth.py", line 493, in get_authenticated_user
python3[3071]:     authenticated = await maybe_future(self.authenticate(handler, data))
python3[3071]:   File "/opt/tljh/hub/lib/python3.12/site-packages/ldapauthenticator/ldapauthenticator.py", line 361, in authenticate
python3[3071]:     username, resolved_dn = self.resolve_username(username)
python3[3071]:   File "/opt/tljh/hub/lib/python3.12/site-packages/ldapauthenticator/ldapauthenticator.py", line 236, in resolve_username
python3[3071]:     conn = self.get_connection(
python3[3071]:   File "/opt/tljh/hub/lib/python3.12/site-packages/ldapauthenticator/ldapauthenticator.py", line 314, in get_connection
python3[3071]:     conn = ldap3.Connection(
python3[3071]:   File "/opt/tljh/hub/lib/python3.12/site-packages/ldap3/core/connection.py", line 363, in __init__
python3[3071]:     self._do_auto_bind()
python3[3071]:   File "/opt/tljh/hub/lib/python3.12/site-packages/ldap3/core/connection.py", line 391, in _do_auto_bind
python3[3071]:     if self.start_tls(read_server_info=False):
python3[3071]:   File "/opt/tljh/hub/lib/python3.12/site-packages/ldap3/core/connection.py", line 1314, in start_tls
python3[3071]:     if self.server.tls.start_tls(self) and self.strategy.sync:  # for asynchronous connections _start_tls is run by the strategy
python3[3071]:   File "/opt/tljh/hub/lib/python3.12/site-packages/ldap3/core/tls.py", line 277, in start_tls
python3[3071]:     raise LDAPStartTLSError(connection.last_error)
python3[3071]: ldap3.core.exceptions.LDAPStartTLSError: startTLS failed - unavailable
```
config.yaml

```yaml
users:
  admin:
    - admin
auth:
  type: ldapauthenticator.LDAPAuthenticator
  LDAPAuthenticator:
    server_address: ldap://example.org.io
    bind_dn_template: uid={username},ou=Users,ou=example,dc=example,dc=org,dc=io
    lookup_dn_search_filter: ({login_attr}={login})
    lookup_dn_search_user: CN=admin,OU=Users,OU=example,DC=example,DC=org,DC=io
    lookup_dn_search_password: adminRFs1!
    lookup_dn: true
    server_port: 389
    tls_strategy: insecure
https:
  enabled: true
  letsencrypt:
    email: admin@org.io
    domains:
```
Am I missing anything?
Thanks
I think it could be a failure where the tljh config isn't propagating that properly, can you try to configure this not using tljh's custom config, but instead using jupyterhub config directly? I'm on mobile and can't search and link you a documentation reference :/
With `tls_strategy` we have three choices on how to secure our connection to the LDAP server. `tls_strategy="insecure"` can disable SSL/TLS entirely, which was the purpose of the new config `tls_strategy="insecure"` being available:
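An added example (not ldapauthenticator's or TLJH's own code) illustrating the discussion above: how each `tls_strategy` value translates into ldap3 connection settings, a small lint over a TLJH config dict for strategy/URL mismatches, and a check of hub log lines that detects the situation in this thread, where a StartTLS attempt during auto-bind shows that `insecure` never reached the running hub. The third strategy name `on_connect` is not mentioned on this page, the mapping to ldap3 settings is an assumption modelled on the thread's description, and the AUTO_BIND values are spelled out as strings so the script runs without ldap3 installed.

```python
from urllib.parse import urlparse

# Values of ldap3's AUTO_BIND_* constants, spelled out so this runs without ldap3 installed.
AUTO_BIND_NO_TLS = "NO_TLS"
AUTO_BIND_TLS_BEFORE_BIND = "TLS_BEFORE_BIND"
TLS_STRATEGIES = ("before_bind", "on_connect", "insecure")

def ldap3_settings(tls_strategy, server_port=None):
    """Map tls_strategy to the (use_ssl, auto_bind, port) an ldap3 Server/Connection
    pair gets built with. Assumed mapping, written from the thread's description."""
    if tls_strategy == "on_connect":    # LDAPS: TLS from the first byte
        return True, AUTO_BIND_NO_TLS, server_port or 636
    if tls_strategy == "before_bind":   # plain TCP, StartTLS, then bind (the default)
        return False, AUTO_BIND_TLS_BEFORE_BIND, server_port or 389
    if tls_strategy == "insecure":      # no TLS at all: bind DN and password cross the wire in clear
        return False, AUTO_BIND_NO_TLS, server_port or 389
    raise ValueError(f"unknown tls_strategy {tls_strategy!r}")

def lint_tljh_auth(config):
    """Return findings for the auth section of a TLJH config dict."""
    la = config.get("auth", {}).get("LDAPAuthenticator", {})
    strategy = la.get("tls_strategy", "before_bind")
    scheme = urlparse(la.get("server_address", "")).scheme
    findings = []
    if strategy not in TLS_STRATEGIES:
        findings.append(f"tls_strategy {strategy!r} is not one of {TLS_STRATEGIES}")
    if strategy == "insecure":
        findings.append("tls_strategy=insecure: LDAP credentials are sent unencrypted")
    if strategy == "on_connect" and scheme == "ldap":
        findings.append("on_connect expects an ldaps:// server_address")
    if strategy != "on_connect" and scheme == "ldaps":
        findings.append("ldaps:// server_address needs tls_strategy=on_connect")
    return findings

def starttls_attempted(log_lines):
    """True when the hub log shows ldap3 entering start_tls from _do_auto_bind. With
    tls_strategy=insecure that must not happen, so it means the setting never reached
    the running hub and the default before_bind was used."""
    return (any("_do_auto_bind" in line for line in log_lines)
            and any("in start_tls" in line for line in log_lines))

# Constructed sample input modelled on the thread's config and traceback (password redacted).
SAMPLE_CONFIG = {"auth": {"LDAPAuthenticator": {
    "server_address": "ldap://example.org.io", "server_port": 389, "lookup_dn": True,
    "lookup_dn_search_password": "REDACTED", "tls_strategy": "insecure"}}}
SAMPLE_LOG = ["ldap3/core/connection.py, line 391, in _do_auto_bind",
              "ldap3/core/connection.py, line 1314, in start_tls",
              "ldap3.core.exceptions.LDAPStartTLSError: startTLS failed - unavailable"]
```

Running `lint_tljh_auth(SAMPLE_CONFIG)` only flags the plaintext-credentials consequence of `insecure`, while `starttls_attempted(SAMPLE_LOG)` returns True, which is the contradiction consideRatio points at: the hub behaved as if `before_bind` were in effect.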