Note that use of search_filter clearly constrains which users pass authentication, because it only leads to either no action or a warning -> return None. This can happen if a search with search_filter returned no matches, or if it returned multiple matches.
Issue 3: The warning for no search results doesn't mention search_filter, and instead sais there isn't a user even though the user was already authenticated/bound to in a step above.
The
LDAPAuthenticator.search_filterconfig is available, but it looks a bit problematic. It has been around since #24. I'm listing four issues below.Documentation
It has has a help string like below.
https://github.com/jupyterhub/ldapauthenticator/blob/686983c5cd3d9a96c7473bf245daa1e038b9d2af/ldapauthenticator/ldapauthenticator.py#L237-L239
{userattr}and{username}will get expanded.Implementation
Its implementation looks like this in
authenticate, after having authenticated/bound to auser recognized via provided username/password:https://github.com/jupyterhub/ldapauthenticator/blob/686983c5cd3d9a96c7473bf245daa1e038b9d2af/ldapauthenticator/ldapauthenticator.py#L408-L429
Note that use of
search_filterclearly constrains which users pass authentication, because it only leads to either no action or a warning ->return None. This can happen if a search withsearch_filterreturned no matches, or if it returned multiple matches.search_filter, and instead sais there isn't a user even though the user was already authenticated/bound to in a step above.https://github.com/jupyterhub/ldapauthenticator/blob/686983c5cd3d9a96c7473bf245daa1e038b9d2af/ldapauthenticator/ldapauthenticator.py#L419-L422
search_filterhits leads to rejecting the user, does that really make sense? I'm not sure.